Samba 4.14 Features added/changed: Difference between revisions

From SambaWiki
 
(18 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.14 is [[Samba_Release_Planning#Current_Stable_Release|'''Current Stable Release''']].
Samba 4.14 is [[Samba_Release_Planning#Discontinued_.28End_of_Life.29|'''Discontinued (End of Life)''']].
==Samba 4.14.14==
:Release Notes for Samba 4.14.14
:July 27, 2022

===This is a security release in order to address the following defects:===
* [https://www.samba.org/samba/security/CVE-2022-2031.html CVE-2022-2031]
:: Samba AD users can bypass certain restrictions associated with changing passwords.
* [https://www.samba.org/samba/security/CVE-2022-32744.html CVE-2022-32744]
::Samba AD users can forge password change requests for any user.
* [https://www.samba.org/samba/security/CVE-2022-32745.html CVE-2022-32745]
::Samba AD users can crash the server process with an LDAP add or modify request.
* [https://www.samba.org/samba/security/CVE-2022-32746.html CVE-2022-32746]
:: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
* [https://www.samba.org/samba/security/CVE-2022-32742.html CVE-2022-32742]
:: Server memory information leak via SMB1.


===Changes since 4.14.13===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15085 BUG 15085]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742 CVE-2022-32742].
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15009 BUG 15009]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746 CVE-2022-32746].
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15008 BUG 15008]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745 CVE-2022-32745].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15009 BUG 15009]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746 CVE-2022-32746].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15074 BUG 15074]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744 CVE-2022-32744].

[https://www.samba.org/samba/history/samba-4.14.14.html Release Notes Samba 4.14.14]

==Samba 4.14.13==
:Release Notes for Samba 4.14.13
:April 04, 2022

This is the last bugfix release of the Samba 4.14 release series. There will besecurity releases only beyond this point.

===Changes since 4.14.12===

*o Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14169 BUG 14169]: Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14737 BUG 14737]: Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14938 BUG 14938]: NT error code is not set when overwriting a file during rename in libsmbclient.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14996 BUG 14996]: Fix ldap simple bind with TLS auditing.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14674 BUG 14674]: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
* Samuel Cabrero <scabrero@suse.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14979 BUG 14979]: Problem when winbind renews Kerberos.
* Pavel Filipenský <pfilipen@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14971 BUG 14971]: virusfilter_vfs_openat: Not scanned: Directory or special file.
* Elia Geretto <elia.f.geretto@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14983 BUG 14983]: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal.
* Björn Jacke <bj@sernet.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13631 BUG 13631]: DFS fix for AIX broken.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG 13879]: Simple bind doesn't work against an RODC (with non-preloaded users).
:* [https://bugzilla.samba.org/show_bug.cgi?id=14641 BUG 14641]: Crash of winbind on RODC.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14865 BUG 14865]: Uncached logon on RODC always fails once.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14951 BUG 14951]: KVNO off by 100000.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14968 BUG 14968]: smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14984 BUG 14984]: Changing the machine password against an RODC likely destroys the domain join.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14993 BUG 14993]: authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14995 BUG 14995]: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15001 BUG 15001]: LDAP simple binds should honour "old password allowed period".
:* [https://bugzilla.samba.org/show_bug.cgi?id=15003 BUG 15003]: wbinfo -a doesn't work reliable with upn names.
* Garming Sam <garming@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG 13879]: Simple bind doesn't work against an RODC (with non-preloaded users).
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14621 BUG 14621]: "password hash userPassword schemes = CryptSHA256" does not seem to work with samba-tool.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14984 BUG 14984]: Changing the machine password against an RODC likely destroys the domain join.

[https://www.samba.org/samba/history/samba-4.14.13.html Release Notes Samba 4.14.13]

==Samba 4.14.12==
:Release Notes for Samba 4.14.12
:January 31, 2022

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
* [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.

===Changes since 4.14.11===

* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14914 BUG 14914]: [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14950 BUG 14950]: [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.

[https://www.samba.org/samba/history/samba-4.14.12.html Release Notes Samba 4.14.12]

==Samba 4.14.11==
:Release Notes for Samba 4.14.11
:December 15, 2021

===This is the latest stable release of the Samba 4.14 release series.===

===Important Notes===

There have been a few regressions in the security release 4.14.10:

* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]: A user on the domain can become root on domain members.
::PLEASE [RE-]READ!
::The instructions have been updated and some workarounds initially adviced for 4.14.10 are no longer required and should be reverted in most cases.

* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
::While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information,.

===Changes since 4.14.10===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14878 BUG #14878]: Recursive directory delete with veto files is broken.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14879 BUG #14879]: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG #14656]: Spaces incorrectly collapsed in ldb attributes.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14694 BUG #14694]: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14127 BUG #14127]: Avoid storing NTTIME_THAW (-2) as value on disk
:* [https://bugzilla.samba.org/show_bug.cgi?id=14922 BUG #14922]: Kerberos authentication on standalone server in MIT realm broken.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14923 BUG #14923]: Segmentation fault when joining the domain.
* Alexander Bokovoy <ab@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14903 BUG #14903]: Support for ROLE_IPA_DC is incomplete.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14788 BUG #14788]: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14899 BUG #14899]: winbindd doesn't start when "allow trusted domains" is off.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14694 BUG #14694]: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.

[https://www.samba.org/samba/history/samba-4.14.11.html Release Notes Samba 4.14.11]

== Samba 4.14.10 ==
:Release Notes for Samba 4.14.10
:November 9, 2021

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124] (SMB1 client connections can be downgraded to plaintext authentication)
* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] (A user in an AD Domain could become root on domain members)
::PLEASE READ! There are important behaviour changes described
* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718] (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719] (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721] (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722] (Samba AD DC did not do sufficient access and conformance checking of data stored)
* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738] (Use after free in Samba AD DC RPC server)
* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192] (Subsequent DCE/RPC fragment injection vulnerability)

===Changes since 4.13.13===
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Andrew Bartlett <abartlet@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Ralph Boehme <slow@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Alexander Bokovoy <ab@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Samuel Cabrero <scabrero@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Nadezhda Ivanova <nivanova@symas.com>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Stefan Metzmacher <metze@samba.org>
:* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124]
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
:* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192]
:* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738]
:* ldb: version 2.2.3
* Andreas Schneider <asn@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049]
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
[https://www.samba.org/samba/history/samba-4.14.10.html Release Notes Samba 4.14.10]

==Samba 4.14.9==
:Release Notes for Samba 4.14.9
:October 27, 2021

===This is the latest stable release of the Samba 4.14 release series.===

===Changes since 4.14.8===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14682 BUG #14682]: vfs_shadow_copy2: core dump in make_relative_path.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14848 BUG #14848]: Release LDB 2.3.1 for Samba 4.14.9.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14870 BUG #14870]: Prepare to operate with MIT krb5 >= 1.20.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.

* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14826 BUG #14826]: Correctly ignore comments in CTDB public addresses file.
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Viktor Dukhovni <viktor@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12998 BUG #12998]: Fix transit path validation.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14870 BUG #14870]: Prepare to operate with MIT krb5 >= 1.20.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14826 BUG #14826]: Correctly ignore comments in CTDB public addresses file.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14742 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.

[https://www.samba.org/samba/history/samba-4.14.9.html Release Notes Samba 4.14.9].

==Samba 4.14.8==
:Release Notes for Samba 4.14.8
:October 05, 2021

===This is the latest stable release of the Samba 4.14 release series.===

===Changes since 4.14.7===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14742 BUG #14742]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14805 BUG #14805]: OpenDir() loses the correct errno return.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14809 BUG #14809]: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14816 BUG #14816]: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14806 BUG #14806]: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14807 BUG #14807]: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14818 BUG #14818]: Address flapping samba_tool_drs_showrepl test.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14819 BUG #14819]: Address flapping dsdb_schema_attributes test.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14841 BUG #14841]: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14854 BUG #14854]: samldb_krbtgtnumber_available() looks for incorrect string.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14771 BUG #14771]: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14783 BUG #14783]: smbd "deadtime" parameter doesn't work anymore.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14787 BUG #14787]: net conf list crashes when run as normal user.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14790 BUG #14790]: vfs_btrfs compression support broken.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14804 BUG #14804]: winbindd can crash because idmap child state is not fully initialized.
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Gary Lockyer <gary@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14771 BUG #14771]: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14784 BUG #14784]: Fix CTDB flag/status update race conditions.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.

[https://www.samba.org/samba/history/samba-4.14.8.html Release Notes Samba 4.14.8].

==Samba 4.14.7==
:Release Notes for Samba 4.14.7
:August 24, 2021

===This is the latest stable release of the Samba 4.14 release series.===

===Changes since 4.14.6===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14769 BUG #14769]: smbd panic on force-close share during offload write.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12033 BUG #12033]: smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14731 BUG #14731]: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14756 BUG #14756]: vfs_shadow_copy2 fix inodes not correctly updating inode numbers.
* David Gajewski <dgajews@math.utoledo.edu>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14774 BUG #14774]: Fix build on Solaris.
* Björn Jacke <bj@sernet.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14654 BUG #14654]: Make dos attributes available for unreadable files.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14793 BUG #14793]: Start the SMB encryption as soon as possible.

[https://www.samba.org/samba/history/samba-4.14.7.html Release Notes Samba 4.14.7].

==Samba 4.14.6==
:Release Notes for Samba 4.14.6
:July 13, 2021

===This is the latest stable release of the Samba 4.14 release series.===

===Changes since 4.14.5===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14722 BUG #14722]: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
:* [https://bugzilla.samba.org/show_bug.cgi?id=14732 BUG #14732]: smbd: Fix pathref unlinking in create_file_unixpath().
:* [https://bugzilla.samba.org/show_bug.cgi?id=14734 BUG #14734]: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
:* [https://bugzilla.samba.org/show_bug.cgi?id=14736 BUG #14736]: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14730 BUG #14730]: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using glusterfs VFS module.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14734 BUG #14734]: s3/modules: fchmod: Fallback to path based chmod if pathref.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14740 BUG #14740]: Spotlight RPC service doesn't work with vfs_glusterfs.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14750 BUG #14750]: gensec_krb5: Restore ipv6 support for kpasswd.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14752 BUG #14752]: smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14027 BUG #14027]: samba-tool domain backup offline doesn't work against bind DLZ backend.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14669 BUG #14669]: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.
[https://www.samba.org/samba/history/samba-4.14.6.html Release Notes Samba 4.14.6].

==Samba 4.14.5==

===This is the latest stable release of the Samba 4.14 release series.===

===Changes since 4.14.4===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14696 BUG #14696]: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14708 BUG #14708]: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14721 BUG #14721]: s3: smbd: Fix uninitialized memory read in process_symlink_open() when used with vfs_shadow_copy2().
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14689 BUG #14689]: docs: Expand the "log level" docs on audit logging.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14714 BUG #14714]: smbd: Correctly initialize close timestamp fields.
* Günther Deschner <gd@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14699 BUG #14699]: Fix gcc11 compiler issues.
* Pavel Filipenský <pfilipen@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14718 BUG #14718]: docs-xml: Update smbcacls manpage.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14719 BUG #14719]: docs: Update list of available commands in rpcclient.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14475 BUG #14475]: ctdb: Fix a crash in run_proc_signal_handler().
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14695 BUG #14695]: s3:winbind: For 'security = ADS' require realm/workgroup to be set.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14699 BUG #14699]: lib:replace: Do not build strndup test with gcc 11 or newer.

[https://www.samba.org/samba/history/samba-4.14.5.html Release Notes Samba 4.14.5].

==Samba 4.14.4==
==Samba 4.14.4==
:Release Notes for Samba 4.14.4
:Release Notes for Samba 4.14.4
Line 152: Line 520:


===Client Group Policy===
===Client Group Policy===
This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly.
This release extends Samba to support [[Group Policy]] functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly.


To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
Line 159: Line 527:


Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed.
Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed.



===Python 3.6 or later required===
===Python 3.6 or later required===

Latest revision as of 19:33, 13 September 2022

Samba 4.14 is Discontinued (End of Life).

Samba 4.14.14

Release Notes for Samba 4.14.14
July 27, 2022

This is a security release in order to address the following defects:

Samba AD users can bypass certain restrictions associated with changing passwords.
Samba AD users can forge password change requests for any user.
Samba AD users can crash the server process with an LDAP add or modify request.
Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
Server memory information leak via SMB1.


Changes since 4.14.13

  • Jeremy Allison <jra@samba.org>
  • Andrew Bartlett <abartlet@samba.org>
  • Isaac Boukris <iboukris@gmail.com>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
 Release Notes Samba 4.14.14

Samba 4.14.13

Release Notes for Samba 4.14.13
April 04, 2022

This is the last bugfix release of the Samba 4.14 release series. There will besecurity releases only beyond this point.

Changes since 4.14.12

  • o Jeremy Allison <jra@samba.org>
  • BUG 14169: Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
  • BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key.
  • BUG 14938: NT error code is not set when overwriting a file during rename in libsmbclient.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 14996: Fix ldap simple bind with TLS auditing.
  • Ralph Boehme <slow@samba.org>
  • BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
  • Samuel Cabrero <scabrero@suse.de>
  • BUG 14979: Problem when winbind renews Kerberos.
  • Pavel Filipenský <pfilipen@redhat.com>
  • BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
  • Elia Geretto <elia.f.geretto@gmail.com>
  • BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal.
  • Björn Jacke <bj@sernet.de>
  • Stefan Metzmacher <metze@samba.org>
  • BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded users).
  • BUG 14641: Crash of winbind on RODC.
  • BUG 14865: Uncached logon on RODC always fails once.
  • BUG 14951: KVNO off by 100000.
  • BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
  • BUG 14984: Changing the machine password against an RODC likely destroys the domain join.
  • BUG 14993: authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument.
  • BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
  • BUG 15001: LDAP simple binds should honour "old password allowed period".
  • BUG 15003: wbinfo -a doesn't work reliable with upn names.
  • Garming Sam <garming@catalyst.net.nz>
  • BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded users).
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG 14621: "password hash userPassword schemes = CryptSHA256" does not seem to work with samba-tool.
  • BUG 14984: Changing the machine password against an RODC likely destroys the domain join.
  Release Notes Samba 4.14.13

Samba 4.14.12

Release Notes for Samba 4.14.12
January 31, 2022

This is a security release in order to address the following defects:

  • CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
  • CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.

Changes since 4.14.11

  • Ralph Boehme <slow@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  Release Notes Samba 4.14.12

Samba 4.14.11

Release Notes for Samba 4.14.11
December 15, 2021

This is the latest stable release of the Samba 4.14 release series.

Important Notes

There have been a few regressions in the security release 4.14.10:

  • CVE-2020-25717: A user on the domain can become root on domain members.
PLEASE [RE-]READ!
The instructions have been updated and some workarounds initially adviced for 4.14.10 are no longer required and should be reverted in most cases.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information,.

Changes since 4.14.10

  • Jeremy Allison <jra@samba.org>
  • BUG #14878: Recursive directory delete with veto files is broken.
  • BUG #14879: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14656: Spaces incorrectly collapsed in ldb attributes.
  • BUG #14694: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
  • BUG #14902: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
  • Ralph Boehme <slow@samba.org>
  • BUG #14127: Avoid storing NTTIME_THAW (-2) as value on disk
  • BUG #14922: Kerberos authentication on standalone server in MIT realm broken.
  • BUG #14923: Segmentation fault when joining the domain.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #14903: Support for ROLE_IPA_DC is incomplete.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
  • BUG #14899: winbindd doesn't start when "allow trusted domains" is off.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14694: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
   Release Notes Samba 4.14.11

Samba 4.14.10

Release Notes for Samba 4.14.10
November 9, 2021

This is a security release in order to address the following defects:

  • CVE-2016-2124 (SMB1 client connections can be downgraded to plaintext authentication)
  • CVE-2020-25717 (A user in an AD Domain could become root on domain members)
PLEASE READ! There are important behaviour changes described
  • CVE-2020-25718 (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
  • CVE-2020-25719 (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
  • CVE-2020-25721 (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
  • CVE-2020-25722 (Samba AD DC did not do sufficient access and conformance checking of data stored)
  • CVE-2021-3738 (Use after free in Samba AD DC RPC server)
  • CVE-2021-23192 (Subsequent DCE/RPC fragment injection vulnerability)

Changes since 4.13.13

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Andrew Bartlett <abartlet@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Alexander Bokovoy <ab@samba.org>
  • Samuel Cabrero <scabrero@samba.org>
  • Nadezhda Ivanova <nivanova@symas.com>
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
   Release Notes Samba 4.14.10

Samba 4.14.9

Release Notes for Samba 4.14.9
October 27, 2021

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.8

  • Jeremy Allison <jra@samba.org>
  • BUG #14682: vfs_shadow_copy2: core dump in make_relative_path.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG #14868: rodc_rwdc test flaps.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14848: Release LDB 2.3.1 for Samba 4.14.9.
  • BUG #14870: Prepare to operate with MIT krb5 >= 1.20.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Ralph Boehme <slow@samba.org>
  • BUG #14826: Correctly ignore comments in CTDB public addresses file.
  • Isaac Boukris <iboukris@gmail.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Viktor Dukhovni <viktor@twosigma.com>
  • BUG #12998: Fix transit path validation.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Luke Howard <lukeh@padl.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Andreas Schneider <asn@samba.org>
  • BUG #14870: Prepare to operate with MIT krb5 >= 1.20.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14826: Correctly ignore comments in CTDB public addresses file.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14868: rodc_rwdc test flaps.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Nicolas Williams <nico@twosigma.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
Release Notes Samba 4.14.9.

Samba 4.14.8

Release Notes for Samba 4.14.8
October 05, 2021

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.7

  • Jeremy Allison <jra@samba.org>
  • BUG #14742: Python ldb.msg_diff() memory handling failure.
  • BUG #14805: OpenDir() loses the correct errno return.
  • BUG #14809: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
  • BUG #14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
  • BUG #14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • BUG #14818: Address flapping samba_tool_drs_showrepl test.
  • BUG #14819: Address flapping dsdb_schema_attributes test.
  • BUG #14841: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
  • BUG #14854: samldb_krbtgtnumber_available() looks for incorrect string.
  • Ralph Boehme <slow@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  • BUG #14783: smbd "deadtime" parameter doesn't work anymore.
  • BUG #14787: net conf list crashes when run as normal user.
  • BUG #14790: vfs_btrfs compression support broken.
  • BUG #14804: winbindd can crash because idmap child state is not fully initialized.
  • Luke Howard <lukeh@padl.com>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Volker Lendecke <vl@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Gary Lockyer <gary@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Andreas Schneider <asn@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14784: Fix CTDB flag/status update race conditions.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
Release Notes Samba 4.14.8.

Samba 4.14.7

Release Notes for Samba 4.14.7
August 24, 2021

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.6

  • Jeremy Allison <jra@samba.org>
  • BUG #14769: smbd panic on force-close share during offload write.
  • Ralph Boehme <slow@samba.org>
  • BUG #12033: smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK.
  • BUG #14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
  • BUG #14756: vfs_shadow_copy2 fix inodes not correctly updating inode numbers.
  • David Gajewski <dgajews@math.utoledo.edu>
  • Björn Jacke <bj@sernet.de>
  • BUG #14654: Make dos attributes available for unreadable files.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
  • BUG #14793: Start the SMB encryption as soon as possible.
Release Notes Samba 4.14.7.

Samba 4.14.6

Release Notes for Samba 4.14.6
July 13, 2021

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.5

  • Jeremy Allison <jra@samba.org>
  • BUG #14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
  • BUG #14732: smbd: Fix pathref unlinking in create_file_unixpath().
  • BUG #14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
  • BUG #14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.
  • Ralph Boehme <slow@samba.org>
  • BUG #14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using glusterfs VFS module.
  • BUG #14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
  • BUG #14740: Spotlight RPC service doesn't work with vfs_glusterfs.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14750: gensec_krb5: Restore ipv6 support for kpasswd.
  • BUG #14752: smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14027: samba-tool domain backup offline doesn't work against bind DLZ backend.
  • BUG #14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.
  Release Notes Samba 4.14.6.

Samba 4.14.5

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.4

  • Jeremy Allison <jra@samba.org>
  • BUG #14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
  • BUG #14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
  • BUG #14721: s3: smbd: Fix uninitialized memory read in process_symlink_open() when used with vfs_shadow_copy2().
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14689: docs: Expand the "log level" docs on audit logging.
  • Ralph Boehme <slow@samba.org>
  • BUG #14714: smbd: Correctly initialize close timestamp fields.
  • Günther Deschner <gd@samba.org>
  • Pavel Filipenský <pfilipen@redhat.com>
  • BUG #14718: docs-xml: Update smbcacls manpage.
  • BUG #14719: docs: Update list of available commands in rpcclient.
  • Volker Lendecke <vl@samba.org>
  • BUG #14475: ctdb: Fix a crash in run_proc_signal_handler().
  • Andreas Schneider <asn@samba.org>
  • BUG #14695: s3:winbind: For 'security = ADS' require realm/workgroup to be set.
  • BUG #14699: lib:replace: Do not build strndup test with gcc 11 or newer.
  Release Notes Samba 4.14.5.

Samba 4.14.4

Release Notes for Samba 4.14.4
April 29, 2021

This is a security release in order to address the following defect:

  • CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

Details

The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user.
Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson, IT Department, Linköping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to.
Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution.

Changes since 4.14.3

  • Volker Lendecke <vl@samba.org>
  • BUG #14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
  Release Notes Samba 4.14.4.

Samba 4.14.3

Release Notes for Samba 4.14.3
April 20, 2021

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.2

  • o Trever L. Adams <trever.adams@gmail.com>
  • BUG #14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break vfs_virusfilter_openat.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14586: build: Notice if flex is missing at configure time.
  • Ralph Boehme <slow@samba.org>
  • BUG #14672: Fix smbd panic when two clients open same file.
  • BUG #14675: Fix memory leak in the RPC server.
  • BUG #14679: s3: smbd: fix deferred renames.
  • Samuel Cabrero <scabrero@samba.org>
  • BUG #14675: s3-iremotewinspool: Set the per-request memory context.
  • Volker Lendecke <vl@samba.org>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #11899: third_party: Update socket_wrapper to version 1.3.2.
  • BUG #14640: third_party: Update socket_wrapper to version 1.3.3.
  • David Mulder <dmulder@suse.com>
  • BUG #14665: samba-gpupdate: Test that sysvol paths download in case-insensitive way.
  • Sachin Prabhu <sprabhu@redhat.com>
  • BUG #14662: smbd: Ensure errno is preserved across fsp destructor.
  • Christof Schmitt <cs@samba.org>
  • BUG #14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14288: build: Only add -Wl,--as-needed when supported.


  Release Notes Samba 4.14.3.

Samba 4.14.2

Release Notes for Samba 4.14.2
March 24, 2021

This is a security release in order to address the following defects:

Details

An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.

For more details, please refer to the security advisories.

Changes since 4.14.0

  • Release with dependency on ldb version 2.3.0
  • Andrew Bartlett <abartlet@samba.org>
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Release Notes Samba 4.14.2.

Samba 4.14.0

Release Notes for Samba 4.14.0
March 9, 2021

Release Announcements

This is the first stable release of the Samba 4.14 release series. Please read the release notes carefully before upgrading.

New GPG key

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
 

Starting from Jan 21th 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES

Here is a copy of a clarification note added to the Samba code in the file: VFS-License-clarification.txt.

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.
However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.

VFS

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the The_New_VFS.

Printing

Publishing printers in AD is more reliable and more printer features are added to the published information in AD. Samba now also supports Windows drivers for the ARM64 architecture.

Client Group Policy

This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be reverted by executing the `samba-gpupdate --unapply` command. Policies can be re-applied using the `samba-gpupdate --force` command. To view what policies have been or will be applied to a system, use the `samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed.

Python 3.6 or later required

Samba's minimum runtime requirement for python was raised to Python 3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python 3.6 also to build Samba. It is no longer possible to build Samba (even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and groups) now consistently use the "add" command when adding a new object to the AD. The previous deprecation warnings when using the 'add' commands have been removed. For compatibility reasons, both the 'add' and 'create' commands can be used now.

Users, groups and contacts can now be renamed with the respective rename commands.

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands provide additional options to hide expired and disabled user accounts (--hide-expired and --hide-disabled).

CTDB CHANGES

  • The NAT gateway and LVS features now uses the term "leader" to refer to the main node in a group through which traffic is routed and "follower" for other members of a group. The command for determining the leader has changed to "ctdb natgw leader" (from "ctdb natgw master"). The configuration keyword for indicating that a node can not be the leader of a group has changed to "follower-only" (from "slave-only"). Identical changes were made for LVS.
  • Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's scripts and can be checked by users with "ctdb pnn" and "ctdb recmaster".

smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 smb encrypt                        Removed
 async dns timeout                  New                        10
 client smb encrypt                 New                        default
 honor change notify privilege      New                        No
 smbd force process locks           New                        No
 server smb encrypt                 New                        default

CHANGES SINCE 4.14.0rc4

  • Trever L. Adams <trever.adams@gmail.com>
  • BUG #14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure.
  • Peter Eriksson <pen@lysator.liu.se>
  • BUG #14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
  • Volker Lendecke <vl@samba.org>
  • BUG #14636: g_lock: Fix uninitalized variable reads.

CHANGES SINCE 4.14.0rc3

  • Jeremy Allison <jra@samba.org>
  • BUG #14604: smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14593: dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones.
  • Ralph Boehme <slow@samba.org>
  • BUG #14619: vfs: Restore platform specific POSIX sys_acl_set_file() functions.
  • BUG #14620: Fix the build on AIX.
  • BUG #14629: smbd: Don't overwrite _mode if neither a msdfs symlink nor get_dosmode is requested.
  • BUG #14635: Fix printer driver upload.

CHANGES SINCE 4.14.0rc2

  • Björn Jacke <bj@sernet.de>
  • BUG #14624: classicupgrade: Treat old never expires value right.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #13898: s3:pysmbd: fix fd leak in py_smbd_create_file().
  • Andreas Schneider <asn@samba.org>
  • BUG #14625: Fix smbd share mode double free crash.
  • Paul Wise <pabs3@bonedaddy.net>
  • BUG #12505: HEIMDAL: krb5_storage_free(NULL) should work.

CHANGES SINCE 4.14.0rc1

  • Jeremy Allison <jra@samba.org>
  • Ralph Boehme <slow@samba.org>
  • BUG #14602: "winbind:ignore domains" doesn't prevent user login from trusted domain.
  • BUG #14617: smbd tries to delete files with wrong permissions (uses guest instead of user from force user =).
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14539: s3:idmap_hash: Reliably return ID_TYPE_BOTH.
  • Andreas Schneider <asn@samba.org>
  • BUG #14627: s3:smbd: Fix invalid memory access in posix_sys_acl_blob_get_fd().

KNOWN ISSUES

Release_Planning_for_Samba_4.14#Release_blocking_bugs

 Release Notes Samba 4.14.0.