Difference between revisions of "Samba 4.15 Features added/changed"

From SambaWiki
 
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
  +
Samba 4.15 is [[Samba_Release_Planning#Upcoming_Release|'''next upcoming release series''']].
==Samba 4.15.0rc1==
 
  +
==Samba 4.15.0rc7==
 
<onlyinclude>
 
<onlyinclude>
:Release Notes for Samba 4.15.0rc1
+
:Release Notes for Samba 4.15.0rc7
:July 15, 2021
+
:September 13, 2021
 
===Release Announcements===
 
===Release Announcements===
   
This is the first release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
+
This is the seventh release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
   
 
Samba 4.15 will be the next version of the Samba suite.
 
Samba 4.15 will be the next version of the Samba suite.
 
   
 
===UPGRADING===
 
===UPGRADING===
Line 39: Line 39:
   
 
See also [https://ftp.samba.org/pub/unpacked/standalone_projects/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt]
 
See also [https://ftp.samba.org/pub/unpacked/standalone_projects/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt]
  +
  +
====New minimum version for the experimental MIT KDC====
  +
  +
The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37750 CVE-2021-37750] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2021-36222 CVE-2021-36222].
   
 
===NEW FEATURES/CHANGES===
 
===NEW FEATURES/CHANGES===
  +
====VFS====
* bind DLZ: Added the ability to set allow/deny lists for zone transfer clients.
 
:Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those request. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.
 
   
  +
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world.
==="server multi channel support" no longer experimental===
 
   
  +
For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the [[The_New_VFS]].
This option is enabled by default starting with to 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.
 
   
  +
==== Bind DLZ: Added the ability to set allow/deny lists for zone transfer clients====
===samba-tool available without the ad-dc===
 
  +
Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those request. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.
   
  +
===="server multi channel support" no longer experimental====
The samba-tool command is now available when samba is configured --without-ad-dc. Not all features will work, and some ad-dc specific options have been disabled. The samba-tool domain options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.
 
   
  +
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.
===Improved command line user experience===
 
  +
  +
====samba-tool available without the ad-dc====
  +
  +
The *samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.
  +
  +
====Improved command line user experience====
   
 
Samba utilities did not consistently implement their command line interface. A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools.
 
Samba utilities did not consistently implement their command line interface. A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools.
   
These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, singing and kerberos.
+
These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, signing and kerberos.
  +
  +
Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options.
   
 
Also several command line options have a smb.conf variable to control the default now.
 
Also several command line options have a smb.conf variable to control the default now.
   
All tools are logging to stderr by default. You can use --debug-stdout to change the behavior.
+
All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default.
   
====Common parser:====
+
=====Common parser:=====
   
 
Options added:
 
Options added:
Line 79: Line 91:
 
-S|--signing
 
-S|--signing
   
====Duplicates in command line utils====
+
=====Duplicates in command line utils=====
   
ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
+
ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is not available for --editor anymore
+
-e is still available as an alias for --editor, as it used to be.
-s is not used for --configfile anymore
+
-s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.
   
 
ndrdump:
 
ndrdump:
Line 110: Line 122:
 
As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.
 
As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.
   
  +
====Support for Offline Domain Join (ODJ)====
  +
  +
The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.
  +
  +
===='samba-tool dns zoneoptions' for aging control====
  +
  +
The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records.
  +
  +
To turn aging on for a zone, you can use something like this:
  +
  +
samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
  +
  +
which turns on aging and ensures no records less than five years old are aged out and scavenged. After aging has been on for sufficient time for records to be renewed, the command
  +
  +
samba-tool dns zoneoptions --refreshinterval=168
  +
  +
will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal.
  +
  +
  +
====Marking old records as static or dynamic with 'samba-tool'====
  +
  +
A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on.
  +
  +
--mark-old-records-static
  +
--mark-records-dynamic-regex
  +
--mark-records-static-regex
  +
  +
The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). For example, if you upgraded to Samba 4.9 in November 2018, you could use ensure no old records will be mistakenly interpreted as dynamic using the following option:
  +
  +
samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
  +
  +
Then, if you know that that will have marked some records as static that should be dynamic, and you know which those are due to your naming scheme, you can use commands like:
  +
  +
samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
  +
  +
where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on.
  +
  +
These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong.
  +
  +
All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead.
  +
  +
:NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server.
  +
  +
====DNS tombstones are now deleted as appropriate====
  +
  +
When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically. Due to a conflation of scavenging and tombstoning, we have only been deleting tombstones when aging is enabled.
  +
  +
If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time.
  +
  +
====DNS tombstones use a consistent timestamp format====
  +
  +
DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows). We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used).
  +
  +
====samba-tool dns update and RPC changes====
  +
  +
The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows.
  +
  +
'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses.
  +
  +
====[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3671 CVE-2021-3671]: Crash in Heimdal KDC and updated security release policy====
  +
  +
An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial Of Service.
  +
See [[Samba_Security_Process]]
  +
  +
====samba-tool domain backup offline with the LMDB backend====
  +
  +
'samba-tool domain backup offline', when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup. If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups.
   
 
===REMOVED FEATURES===
 
===REMOVED FEATURES===
Line 144: Line 223:
 
winbind scan trusted domains Changed No
 
winbind scan trusted domains Changed No
 
</onlyinclude>
 
</onlyinclude>
  +
  +
===CHANGES SINCE 4.15.0rc6===
  +
* Andrew Bartlett <abartlet@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14791 BUG #14791]: All the ways to specify a password are not documented.
  +
* Ralph Boehme <slow@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14790 BUG #14790]: vfs_btrfs compression support broken.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14828 BUG #14828]: Problems with commandline parsing.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14829 BUG #14829]: smbd crashes when "ea support" is set to no.
  +
* Stefan Metzmacher <metze@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14825 BUG #14825]: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14828 BUG #14828]: Problems with commandline parsing.
  +
* Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=8773 BUG #8773]: smbd fails to run as root because it belongs to more than 16 groups on MacOS X.
  +
* Martin Schwenke <martin@meltin.net>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14784 BUG #14784]: Fix CTDB flag/status update race conditions.
  +
  +
===CHANGES SINCE 4.15.0rc5===
  +
* Andrew Bartlett <abartlet@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14806 BUG #14806]: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14807 BUG #14807]: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14818 BUG #14818]: Address flapping samba_tool_drs_showrepl test.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14819 BUG #14819]: Address flapping dsdb_schema_attributes test.
  +
* Luke Howard <lukeh@padl.com>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  +
* Gary Lockyer <gary@catalyst.net.nz>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  +
* Andreas Schneider <asn@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  +
* Joseph Sutton <josephsutton@catalyst.net.nz>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  +
  +
===CHANGES SINCE 4.15.0rc4===
  +
* Jeremy Allison <jra@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14809 BUG #14809]: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14816 BUG #14816]: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.
  +
* Andrew Bartlett <abartlet@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14815 BUG #14815]: A subset of tests from Samba's selftest system were not being run, while others were run twice.
  +
* Ralph Boehme <slow@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14771 BUG #14771]: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14787 BUG #14787]: net conf list crashes when run as normal user,
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14803 BUG #14803]: smbd/winbindd started in daemon mode generate output on stderr/stdout.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14804 BUG #14804]: winbindd can crash because idmap child state is not fully initialized.
  +
* Stefan Metzmacher <metze@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14771 BUG #14771]: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  +
  +
===CHANGES SINCE 4.15.0rc3===
  +
* Bjoern Jacke <bj@sernet.de>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14800 BUG #14800]: util_sock: fix assignment of sa_socklen.
  +
  +
===CHANGES SINCE 4.15.0rc2===
  +
* Jeremy Allison <jra@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14760 BUG #14760]: vfs_streams_depot directory creation permissions and store location problems.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14766 BUG #14766]: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14769 BUG #14769]: smbd panic on force-close share during offload write.
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14805 BUG #14805]: OpenDir() loses the correct errno return.
  +
* Ralph Boehme <slow@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14795 BUG #14795]: copy_file_range() may fail with EOPNOTSUPP.
  +
* Stefan Metzmacher <metze@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14793 BUG #14793]: Start the SMB encryption as soon as possible.
  +
* Andreas Schneider <asn@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14779 BUG #14779]: Winbind should not start if the socket path is too long.
  +
* Noel Power <noel.power@suse.com>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14760 BUG #14760]: vfs_streams_depot directory creation permissions and store location problems.
  +
  +
===CHANGES SINCE 4.15.0rc1===
  +
  +
* Andreas Schneider <asn@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14768 BUG #14768]: smbd/winbind should load the registry if configured
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14777 BUG #14777]: do not quote passed argument of configure script
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14779 BUG #14779]: Winbind should not start if the socket path is too long
  +
* Stefan Metzmacher <metze@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: tree connect failed: NT_STATUS_INVALID_PARAMETER
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14764 BUG #14764]: aes-256-gcm and aes-256-ccm doesn't work in the server
  +
* Ralph Boehme <slow@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14700 BUG #14700]: file owner not available when file unredable
  +
* Jeremy Allison <jra@samba.org>
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: tree connect failed: NT_STATUS_INVALID_PARAMETER
  +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14759 BUG #14759]: 4.15rc can leak meta-data about the directory containing the share path
   
 
===KNOWN ISSUES===
 
===KNOWN ISSUES===
 
[[Release_Planning_for_Samba_4.15#Release_blocking_bugs]]
 
[[Release_Planning_for_Samba_4.15#Release_blocking_bugs]]
   
[https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt Release Notes Samba 4.15.0rc1].
+
[https://download.samba.org/pub/samba/rc/samba-4.15.0rc7.WHATSNEW.txt Release Notes Samba 4.15.0rc7].
   
 
----
 
----

Latest revision as of 17:09, 14 September 2021

Samba 4.15 is next upcoming release series.

Samba 4.15.0rc7

Release Notes for Samba 4.15.0rc7
September 13, 2021

Release Announcements

This is the seventh release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING

Removed SMB (development) dialects

The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They are were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or an the command line, you need to replace them like this:

  • SMB2_22 => SMB3_00
  • SMB2_24 => SMB3_00
  • SMB3_10 => SMB3_11
Note: that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect, just leave them unspecified or specify the value "default".

New GPG key

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
 

Starting from Jan 21th 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC

The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222.

NEW FEATURES/CHANGES

VFS

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the The_New_VFS.

Bind DLZ: Added the ability to set allow/deny lists for zone transfer clients

Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those request. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental

This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc

The *samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.

Improved command line user experience

Samba utilities did not consistently implement their command line interface. A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools.

These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the default now.

All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default.

Common parser:

Options added:

--client-protection=off|sign|encrypt

Options renamed:

--kerberos       ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope          ->    --netbios-scope=SCOPE
--use-ccache     ->    --use-winbind-ccache

Options removed:

-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing
Duplicates in command line utils

ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:

-e is still available as an alias for --editor, as it used to be.
-s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.

ndrdump:

-l is not available for --load-dso anymore

net:

-l is not available for --long anymore

sharesec:

-V is not available for --viewsddl anymore

smbcquotas:

--user        ->    --quota-user

nmbd:

--log-stdout  ->    --debug-stdout

smbd:

--log-stdout  ->    --debug-stdout

winbindd:

--log-stdout  ->    --debug-stdout

Scanning of trusted domains and enterprise principals

As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.

Support for Offline Domain Join (ODJ)

The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.

'samba-tool dns zoneoptions' for aging control

The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records.

To turn aging on for a zone, you can use something like this:

 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600

which turns on aging and ensures no records less than five years old are aged out and scavenged. After aging has been on for sufficient time for records to be renewed, the command

 samba-tool dns zoneoptions --refreshinterval=168

will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal.


Marking old records as static or dynamic with 'samba-tool'

A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on.

  --mark-old-records-static
  --mark-records-dynamic-regex
  --mark-records-static-regex

The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). For example, if you upgraded to Samba 4.9 in November 2018, you could use ensure no old records will be mistakenly interpreted as dynamic using the following option:

 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30

Then, if you know that that will have marked some records as static that should be dynamic, and you know which those are due to your naming scheme, you can use commands like:

 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'

where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on.

These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong.

All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead.

NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server.

DNS tombstones are now deleted as appropriate

When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically. Due to a conflation of scavenging and tombstoning, we have only been deleting tombstones when aging is enabled.

If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time.

DNS tombstones use a consistent timestamp format

DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows). We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used).

samba-tool dns update and RPC changes

The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows.

'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses.

CVE-2021-3671: Crash in Heimdal KDC and updated security release policy

An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial Of Service. See Samba_Security_Process

samba-tool domain backup offline with the LMDB backend

'samba-tool domain backup offline', when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup. If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups.

REMOVED FEATURES

  • Tru64 ACL support has been removed from this release. The last supported release of Tru64 UNIX was in 2012.
  • NIS support has been removed from this release. This is not available in Linux distributions anymore.
  • The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which have been out of support since 2018.


smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 client use kerberos                     New             desired
 client max protocol                     Values Removed
 client min protocol                     Values Removed
 client protection                       New             default
 client smb3 signing algorithms          New             see man smb.conf
 client smb3 encryption algorithms       New             see man smb.conf
 preopen:posix-basic-regex               New             No
 preopen:nomatch_log_level               New             5
 preopen:match_log_level                 New             5
 preopen:nodigits_log_level              New             1
 preopen:founddigits_log_level           New             3
 preopen:reset_log_level                 New             5
 preopen:push_log_level                  New             3
 preopen:queue_log_level                 New             10
 server max protocol                     Values Removed
 server min protocol                     Values Removed
 server multi channel support            Changed         Yes (on Linux and FreeBSD)
 server smb3 signing algorithms          New             see man smb.conf
 server smb3 encryption algorithms       New             see man smb.conf
 winbind use krb5 enterprise principals  Changed         Yes
 winbind scan trusted domains            Changed         No


CHANGES SINCE 4.15.0rc6

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14791: All the ways to specify a password are not documented.
  • Ralph Boehme <slow@samba.org>
  • BUG #14790: vfs_btrfs compression support broken.
  • BUG #14828: Problems with commandline parsing.
  • BUG #14829: smbd crashes when "ea support" is set to no.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14825: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output.
  • BUG #14828: Problems with commandline parsing.
  • Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
  • BUG #8773: smbd fails to run as root because it belongs to more than 16 groups on MacOS X.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14784: Fix CTDB flag/status update race conditions.

CHANGES SINCE 4.15.0rc5

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
  • BUG #14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • BUG #14818: Address flapping samba_tool_drs_showrepl test.
  • BUG #14819: Address flapping dsdb_schema_attributes test.
  • Luke Howard <lukeh@padl.com>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Gary Lockyer <gary@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Andreas Schneider <asn@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

CHANGES SINCE 4.15.0rc4

  • Jeremy Allison <jra@samba.org>
  • BUG #14809: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
  • BUG #14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14815: A subset of tests from Samba's selftest system were not being run, while others were run twice.
  • Ralph Boehme <slow@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  • BUG #14787: net conf list crashes when run as normal user,
  • BUG #14803: smbd/winbindd started in daemon mode generate output on stderr/stdout.
  • BUG #14804: winbindd can crash because idmap child state is not fully initialized.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.

CHANGES SINCE 4.15.0rc3

  • Bjoern Jacke <bj@sernet.de>
  • BUG #14800: util_sock: fix assignment of sa_socklen.

CHANGES SINCE 4.15.0rc2

  • Jeremy Allison <jra@samba.org>
  • BUG #14760: vfs_streams_depot directory creation permissions and store location problems.
  • BUG #14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
  • BUG #14769: smbd panic on force-close share during offload write.
  • BUG #14805: OpenDir() loses the correct errno return.
  • Ralph Boehme <slow@samba.org>
  • BUG #14795: copy_file_range() may fail with EOPNOTSUPP.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14793: Start the SMB encryption as soon as possible.
  • Andreas Schneider <asn@samba.org>
  • BUG #14779: Winbind should not start if the socket path is too long.
  • Noel Power <noel.power@suse.com>
  • BUG #14760: vfs_streams_depot directory creation permissions and store location problems.

CHANGES SINCE 4.15.0rc1

  • Andreas Schneider <asn@samba.org>
  • BUG #14768: smbd/winbind should load the registry if configured
  • BUG #14777: do not quote passed argument of configure script
  • BUG #14779: Winbind should not start if the socket path is too long
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
  • BUG #14764: aes-256-gcm and aes-256-ccm doesn't work in the server
  • Ralph Boehme <slow@samba.org>
  • BUG #14700: file owner not available when file unredable
  • Jeremy Allison <jra@samba.org>
  • BUG #14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
  • BUG #14759: 4.15rc can leak meta-data about the directory containing the share path

KNOWN ISSUES

Release_Planning_for_Samba_4.15#Release_blocking_bugs

Release Notes Samba 4.15.0rc7.