Samba 4.15 Features added/changed: Difference between revisions

From SambaWiki
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.15 is [[Samba_Release_Planning#Upcoming_Release|'''next upcoming release series''']].
Samba 4.15 is [[Samba_Release_Planning#Discontinued_.28End_of_Life.29|'''Discontinued (End of Life)''']].
==Samba 4.15.0rc7==
==Samba 4.15.13==
:Release Notes for Samba 4.15.13
<onlyinclude>
:December 15, 2022
:Release Notes for Samba 4.15.0rc7
:September 13, 2021
===Release Announcements===


===This is the latest stable release of the Samba 4.15 release series.===
This is the seventh release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
It also contains security changes in order to address the following defects:


Samba 4.15 will be the next version of the Samba suite.


* [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966]
===UPGRADING===
:: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.

::A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.

::On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

* [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967]
::This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.

::A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.

* [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023]
:: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.


* [https://www.samba.org/samba/security/CVE-2022-45141.html CVE-2022-45141]
:: Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak,

::Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the advisories of [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966] [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023]], [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967] and [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023] carefully!


===samba-tool got a new 'domain trust modify' subcommand===

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options).
:See 'samba-tool domain trust modify --help' for further details.

===smb.conf changes===

Parameter Name Description Default
-------------- ----------- -------
allow nt4 crypto Deprecated no
allow nt4 crypto:COMPUTERACCOUNT New
kdc default domain supported enctypes New (see manpage)
kdc supported enctypes New (see manpage)
kdc force enable rc4 weak session keys New No
reject md5 clients New Default, Deprecated Yes
reject md5 servers New Default, Deprecated Yes
server schannel Deprecated Yes
server schannel require seal New, Deprecated Yes
server schannel require seal:COMPUTERACCOUNT New
winbind sealed pipes Deprecated Yes

===Changes since 4.15.12===
---------------------
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15258 BUG 15258]: filter-subunit is inefficient with large numbers of knownfails.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15240 BUG 15240]: [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023].
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15197 BUG 15197]: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG 13135]: The KDC logic arround msDs-supportedEncryptionTypes differs from Windows.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]] [SECURITY] krb5_pac_parse() buffer parsing vulnerability.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15240 BUG 15240]: [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023].
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14929 BUG 14929]: [https://www.samba.org/samba/security/CVE-2022-44640.html CVE-2022-44640] [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15197 BUG 15197]: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15231 BUG 15231]: [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
* Nicolas Williams <nico@cryptonector.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15231 BUG 15231]: [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14929 BUG 14929]: [https://www.samba.org/samba/security/CVE-2022-44640.html CVE-2022-44640] [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.

==Samba 4.15.12==
:Release Notes for Samba 4.15.12
:November 15, 2022

===This is a security release in order to address the following defects:===
* [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]
:: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.

===Changes since 4.15.11===
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]

[https://www.samba.org/samba/history/samba-4.15.12.html Release Notes Samba 4.15.12]

==Samba 4.15.11==
:Release Notes for Samba 4.15.11
:October 25, 2022

===This is a security release in order to address the following defect:===

* [https://www.samba.org/samba/security/CVE-2022-3437.html CVE-2022-3437]: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
===Changes since 4.15.10===
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15193 BUG 15193]: Allow rebuild of Centos 8 images after move to vault for Samba 4.15.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15193 BUG 15193]: Allow rebuild of Centos 8 images after move to vault for Samba 4.15.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15134 BUG 15134]: [https://www.samba.org/samba/security/CVE-2022-3437.html CVE-2022-3437].

[https://www.samba.org/samba/history/samba-4.15.11.html Release Notes Samba 4.15.11]

==Samba 4.15.10==
:Release Notes for Samba 4.15.10
:September 28, 2022

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.9===
* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15128 BUG 15128]: Possible use after free of connection_struct when iterating smbd_server_connection->connections.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15174 BUG 15174]: smbXsrv_connection_shutdown_send result leaked.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15086 BUG 15086]: Spotlight RPC service returns wrong response when Spotlight is disabled on a share.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15126 BUG 15126]: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15153 BUG 15153]: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15161 BUG 15161]: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15148 BUG 15148]: Missing READ_LEASE break could cause data corruption.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15124 BUG 15124]: rpcclient can crash using setuserinfo(2).
:* [https://bugzilla.samba.org/show_bug.cgi?id=15132 BUG 15132]: Samba fails to build with glibc 2.36 caused by including <sys/mount.h> in libreplace.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15152 BUG 15152]: SMB1 negotiation can fail to handle connection errors.
* Michael Tokarev <mjt@tls.msk.ru>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15078 BUG 15078]: samba-tool domain join segfault when joining a samba ad domain.

[https://www.samba.org/samba/history/samba-4.15.10.html Release Notes Samba 4.15.10]

==Samba 4.15.9==
:Release Notes for Samba 4.15.9
:July 27, 2022

===This is a security release in order to address the following defects:===
* [https://www.samba.org/samba/security/CVE-2022-2031.html CVE-2022-2031]
:: Samba AD users can bypass certain restrictions associated with changing passwords.
* [https://www.samba.org/samba/security/CVE-2022-32744.html CVE-2022-32744]
::Samba AD users can forge password change requests for any user.
* [https://www.samba.org/samba/security/CVE-2022-32745.html CVE-2022-32745]
::Samba AD users can crash the server process with an LDAP add or modify request.
* [https://www.samba.org/samba/security/CVE-2022-32746.html CVE-2022-32746]
:: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
* [https://www.samba.org/samba/security/CVE-2022-32742.html CVE-2022-32742]
:: Server memory information leak via SMB1.

===Changes since 4.15.8===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15085 BUG 15085]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742 CVE-2022-32742].
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15009 BUG 15009]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746 CVE-2022-32746].
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15008 BUG 15008]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745 CVE-2022-32745].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15009 BUG 15009]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746 CVE-2022-32746].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG 15047]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031 CVE-2022-2031].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15074 BUG 15074]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744 CVE-2022-32744].

[https://www.samba.org/samba/history/samba-4.15.9.html Release Notes Samba 4.15.9]

==Samba 4.15.8==
:Release Notes for Samba 4.15.8
:June 28, 2022

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.7===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15042 BUG #15042]: Use pathref fd instead of io fd in vfs_default_durable_cookie.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15099 BUG #15099]: Setting fruit:resource = stream in vfs_fruit causes a panic.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14986 BUG #14986]: Add support for bind 9.18.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15076 BUG #15076]: logging dsdb audit to specific files does not work.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15069 BUG #15069]: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted.
* Samuel Cabrero <scabrero@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15087 BUG #15087]: netgroups support removed.
* Samuel Cabrero <scabrero@suse.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14674 BUG #14674]: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15071 BUG #15071]: waf produces incorrect names for python extensions with Python 3.11.
* Noel Power <noel.power@suse.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15100 BUG #15100]: smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
* Christof Schmitt <cs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15055 BUG #15055]: vfs_gpfs recalls=no option prevents listing files.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15071 BUG #15071]: waf produces incorrect names for python extensions with Python 3.11.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15091 BUG #15091]: Compile error in source3/utils/regedit_hexedit.c.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15108 BUG #15108]: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
* Andreas Schneider <asn@cryptomilk.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15054 BUG #15054]: smbd doesn't handle UPNs for looking up names.
* Robert Sprowson <webpages@sprow.co.uk>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14443 BUG #14443]: Out-by-4 error in smbd read reply max_send clamp.

[https://www.samba.org/samba/history/samba-4.15.8.html Release Notes Samba 4.15.8]

==Samba 4.15.7==
:Release Notes for Samba 4.15.7
:April 26, 2022

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.6===
* Jeremy Allison <jra at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14831 BUG #14831]: Share and server swapped in smbget password prompt.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15022 BUG #15022]: Durable handles won't reconnect if the leased file is written to.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15023 BUG #15023] rmdir silently fails if directory contains unreadable files and hide unreadable is yes.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15038 BUG #15038]: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle.
* Ralph Boehme <slow at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14957 BUG #14957]: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15035 BUG #15035]: shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes.
* Samuel Cabrero <scabrero at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15046 BUG #15046]: PAM Kerberos authentication incorrectly fails with a clock skew error.
* Pavel Filipenský <pfilipen at redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15041 BUG #15041]: username map - samba erroneously applies unix group memberships to user account entries.
* Elia Geretto <elia.f.geretto at gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14983 BUG #14983]: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal.
* Stefan Metzmacher <metze at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG #13879]: Simple bind doesn't work against an RODC (with non-preloaded users).
:* [https://bugzilla.samba.org/show_bug.cgi?id=14641 BUG #14641]: Crash of winbind on RODC.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14865 BUG #14865]: uncached logon on RODC always fails once.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14951 BUG #14951]: KVNO off by 100000.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15001 BUG #15001]: LDAP simple binds should honour "old password allowed period".
:* [https://bugzilla.samba.org/show_bug.cgi?id=15003 BUG #15003]: wbinfo -a doesn't work reliable with upn names.
* Garming Sam <garming at catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG #13879]: Simple bind doesn't work against an RODC (with non-preloaded users).
* Christof Schmitt <cs at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15027 BUG #15027]: Uninitialized litemask in variable in vfs_gpfs module.
* Andreas Schneider <asn at samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15016 BUG #15016]: Regression: create krb5 conf = yes doesn't work with a single KDC.

[https://www.samba.org/samba/history/samba-4.15.7.html Release Notes Samba 4.15.7]

==Samba 4.15.6==
:Release Notes for Samba 4.15.6
:March 15, 2022

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.5===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14169 BUG #14169]: Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14737 BUG #14737]: Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14938 BUG #14938]: NT error code is not set when overwriting a file during rename in libsmbclient.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14996 BUG #14996]: Fix ldap simple bind with TLS auditing.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14674 BUG #14674]: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
* Samuel Cabrero <scabrero@suse.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14979 BUG #14979]: Problem when winbind renews Kerberos.
* Günther Deschner <gd@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=8691 BUG #8691]: pam_winbind will not allow gdm login if password about to expire.
* Pavel Filipenský <pfilipen@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14971 BUG #14971] : virusfilter_vfs_openat: Not scanned: Directory or special file.
* Björn Jacke <bj@sernet.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13631 BUG #13631]: DFS fix for AIX broken.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14974 BUG #14974]: Solaris and AIX acl modules: wrong function arguments.
:* [https://bugzilla.samba.org/show_bug.cgi?id=7239 BUG #7239]: Function aixacl_sys_acl_get_file not declared / coredump.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14900 BUG #14900]: Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14989 BUG #14989]: Fix a use-after-free in SMB1 server.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14968 BUG #14968]: smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14984 BUG #14984]: changing the machine password against an RODC likely destroys the domain join.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14993 BUG #14993]: authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14995 BUG #14995]: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14967 BUG #14967]: Samba autorid fails to map AD users if id rangesize fits in the id range only once.

[https://www.samba.org/samba/history/samba-4.15.6.html Release Notes Samba 4.15.6]

==Samba 4.15.5==
:Release Notes for Samba 4.15.5
:January 31, 2022

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2021-44141.html CVE-2021-44141]: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists.
* [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
* [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.

===Changes since 4.15.4===
* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14911 BUG 14911]: [https://www.samba.org/samba/security/CVE-2021-44141.html CVE-2021-44141]: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14914 BUG 14914]: [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14950 BUG 14950]: [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.

[https://www.samba.org/samba/history/samba-4.15.5.html Release Notes Samba 4.15.5]

==Samba 4.15.4==
:Release Notes for Samba 4.15.4
:January 19, 2022

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.3===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14928 BUG #14928]: Duplicate SMB file_ids leading to Windows client cache poisoning.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14939 BUG #14939]: smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14944 BUG #14944]: Missing pop_sec_ctx() in error path inside close_directory().
* Pavel Filipenský <pfilipen@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14940 BUG #14940]: Cross device copy of the crossrename module always fails.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14941 BUG #14941]: symlinkat function from VFS cap module always fails with an error.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14942 BUG #14942]: Fix possible fsp pointer deference.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14934 BUG #14934]: kill_tcp_connections does not work.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14932 BUG #14932]: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14935 BUG #14935]: Can't connect to Windows shares not requiring authentication using KDE/Gnome.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14945 BUG #14945]: "smbd --build-options" no longer works without an smb.conf file.
* Jones Syue <jonessyue@qnap.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14928 BUG #14928]: Duplicate SMB file_ids leading to Windows client cache poisoning.

[https://www.samba.org/samba/history/samba-4.15.4.html Release Notes Samba 4.15.4]

==Samba 4.15.3==
:Release Notes for Samba 4.15.3
:December 08, 2021

===This is the latest stable release of the Samba 4.15 release series.===

===Important Notes===

===There have been a few regressions in the security release 4.15.2:===

* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]: A user on the domain can become root on domain members.
::PLEASE [RE-]READ!
::The instructions have been updated and some workarounds initially adviced for 4.15.2 are no longer required and should be reverted in most cases.

* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
::While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

===Changes since 4.15.2===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14878 BUG #14878]: Recursive directory delete with veto files is broken in 4.15.0.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14879 BUG #14879]: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14892 BUG #14892]: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals().
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14694 BUG #14694]: MaxQueryDuration not honoured in Samba AD DC LDAP.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14127 BUG #14127]: Avoid storing NTTIME_THAW (-2) as value on disk.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14882 BUG #14882]: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14890 BUG #14890]: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14897 BUG #14897]: Samba process doesn't log to logfile.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14907 BUG #14907]: set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14922 BUG #14922]: Kerberos authentication on standalone server in MIT realm broken.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14923 BUG #14923]: Segmentation fault when joining the domain.
* Alexander Bokovoy <ab@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14903 BUG #14903]: Support for ROLE_IPA_DC is incomplete.
* Günther Deschner <gd@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14767 BUG #14767]: rpcclient cannot connect to ncacn_ip_tcp services anymore
:* [https://bugzilla.samba.org/show_bug.cgi?id=14893 BUG #14893]: winexe crashes since 4.15.0 after popt parsing.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14908 BUG #14908]: net ads status -P broken in a clustered environment.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14788 BUG #14788]: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14882 BUG #14882]: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14899 BUG #14899]: winbindd doesn't start when "allow trusted domains" is off.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14767 BUG #14767]: rpcclient cannot connect to ncacn_ip_tcp services anymore.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14883 BUG #14883]: smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14912 BUG #14912]: A schannel client incorrectly detects a downgrade connecting to an AES only server.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14921 BUG #14921]: Possible null pointer dereference in winbind.
* Andreas Schneider <asn@cryptomilk.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14846 BUG #14846]: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14872 BUG #14872]: Add Debian 11 CI bootstrap support.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14694 BUG #14694]: MaxQueryDuration not honoured in Samba AD DC LDAP.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
* Andrew Walker <awalker@ixsystems.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14888 BUG #14888]: Crash in recycle_unlink_internal().

[https://www.samba.org/samba/history/samba-4.15.3.html Release Notes Samba 4.15.3]

== Samba 4.15.2 ==
:Release Notes for Samba 4.15.2
:November 9, 2021

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124] (SMB1 client connections can be downgraded to plaintext authentication)
* [[CVE-2020-25717]] (A user in an AD Domain could become root on domain members)
::PLEASE READ! There are important behaviour changes described
* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718] (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719] (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721] (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722] (Samba AD DC did not do sufficient access and conformance checking of data stored)
* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738] (Use after free in Samba AD DC RPC server)
* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192] (Subsequent DCE/RPC fragment injection vulnerability)

===Changes since 4.13.13===
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Andrew Bartlett <abartlet@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Ralph Boehme <slow@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Alexander Bokovoy <ab@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Samuel Cabrero <scabrero@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Nadezhda Ivanova <nivanova@symas.com>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Stefan Metzmacher <metze@samba.org>
:* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124]
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
:* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192]
:* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738]
:* ldb: version 2.2.3
* Andreas Schneider <asn@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049]
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
[https://www.samba.org/samba/history/samba-4.15.2.html Release Notes Samba 4.15.2]

==Samba 4.15.1==
:Release Notes for Samba 4.15.1
:October 27, 2021

===This is the latest stable release of the Samba 4.15 release series.===

===Changes since 4.15.0===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14682 BUG #14682]: vfs_shadow_copy2: core dump in make_relative_path.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14685 BUG #14685]: Log clutter from filename_convert_internal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14862 BUG #14862]: MacOSX compilation fixes.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14848 BUG #14848]: Release LDB 2.4.1 for Samba 4.15.1.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14854 BUG #14854]: samldb_krbtgtnumber_available() looks for incorrect string.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14826 BUG #14826]: Correctly ignore comments in CTDB public addresses file.
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
* Viktor Dukhovni <viktor@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12998 BUG #12998]: Fix transit path validation.
* Pavel Filipenský <pfilipen@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14852 BUG #14852]: Fix that child winbindd logs to log.winbindd instead of log.wb-<DOMAIN>.
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14855 BUG #14855]: SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used.
* Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14862 BUG #14862]BUG 14862: MacOSX compilation fixes.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14870 BUG #14870]: Prepare to operate with MIT krb5 >= 1.20.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14826 BUG #14826]: Correctly ignore comments in CTDB public addresses file.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14864 BUG #14864]: Heimdal prefers RC4 over AES for machine accounts.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14760 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

[https://www.samba.org/samba/history/samba-4.15.1.html Release Notes Samba 4.15.1].

==Samba 4.15.0==
<onlyinclude>
:Release Notes for Samba 4.15.0
:September 20, 2021
===Release Announcements===

This is the first stable release of the Samba 4.15 release series. Please read the release notes carefully before upgrading.


====Removed SMB (development) dialects====
===Removed SMB (development) dialects===


The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They are were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or an the command line, you need to replace them like this:
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They are were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or an the command line, you need to replace them like this:
Line 20: Line 524:
:Note: that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect, just leave them unspecified or specify the value "default".
:Note: that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect, just leave them unspecified or specify the value "default".


====New GPG key====
===New GPG key===


The GPG release key for Samba releases changed from:
The GPG release key for Samba releases changed from:
Line 40: Line 544:
See also [https://ftp.samba.org/pub/unpacked/standalone_projects/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt]
See also [https://ftp.samba.org/pub/unpacked/standalone_projects/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt]


====New minimum version for the experimental MIT KDC====
===New minimum version for the experimental MIT KDC===


The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37750 CVE-2021-37750] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2021-36222 CVE-2021-36222].
The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37750 CVE-2021-37750] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2021-36222 CVE-2021-36222].
Line 94: Line 598:


ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor,
-e is still available as an alias for --editor, as it used to be.
-s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.
as it used to be.
-s is no longer reported as an alias for --configfile,
it never worked that way as it was shadowed by '-s' for '--scope'.


ndrdump:
ndrdump:
Line 308: Line 810:
[[Release_Planning_for_Samba_4.15#Release_blocking_bugs]]
[[Release_Planning_for_Samba_4.15#Release_blocking_bugs]]


[https://download.samba.org/pub/samba/rc/samba-4.15.0rc7.WHATSNEW.txt Release Notes Samba 4.15.0rc7].
[https://www.samba.org/samba/history/samba-4.15.0.html Release Notes Samba 4.15.0.


----
----

Latest revision as of 16:59, 9 March 2023

Samba 4.15 is Discontinued (End of Life).

Samba 4.15.13

Release Notes for Samba 4.15.13
December 15, 2022

This is the latest stable release of the Samba 4.15 release series.

It also contains security changes in order to address the following defects:


This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.


Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak,
Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the advisories of CVE-2022-37966 CVE-2022-38023], CVE-2022-37967 and CVE-2022-38023 carefully!


samba-tool got a new 'domain trust modify' subcommand

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options).

See 'samba-tool domain trust modify --help' for further details.

smb.conf changes

 Parameter Name                               Description             Default
 --------------                               -----------             -------
 allow nt4 crypto                             Deprecated              no
 allow nt4 crypto:COMPUTERACCOUNT             New
 kdc default domain supported enctypes        New (see manpage)
 kdc supported enctypes                       New (see manpage)
 kdc force enable rc4 weak session keys       New                     No
 reject md5 clients                           New Default, Deprecated Yes
 reject md5 servers                           New Default, Deprecated Yes
 server schannel                              Deprecated              Yes
 server schannel require seal                 New, Deprecated         Yes
 server schannel require seal:COMPUTERACCOUNT New
 winbind sealed pipes                         Deprecated              Yes

Changes since 4.15.12


  • Andrew Bartlett <abartlet@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Luke Howard <lukeh@padl.com>
  • BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • Nicolas Williams <nico@cryptonector.com>
  • Nicolas Williams <nico@twosigma.com>

Samba 4.15.12

Release Notes for Samba 4.15.12
November 15, 2022

This is a security release in order to address the following defects:

Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.

Changes since 4.15.11

  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • Nicolas Williams <nico@twosigma.com>
Release Notes Samba 4.15.12

Samba 4.15.11

Release Notes for Samba 4.15.11
October 25, 2022

This is a security release in order to address the following defect:

  • CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).

Changes since 4.15.10

  • Andrew Bartlett <abartlet@samba.org>
  • BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba 4.15.
  • Andreas Schneider <asn@samba.org>
  • BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba 4.15.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
 Release Notes Samba 4.15.11

Samba 4.15.10

Release Notes for Samba 4.15.10
September 28, 2022

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.9

  • Jeremy Allison <jra@samba.org>
  • BUG 15128: Possible use after free of connection_struct when iterating smbd_server_connection->connections.
  • BUG 15174: smbXsrv_connection_shutdown_send result leaked.
  • Ralph Boehme <slow@samba.org>
  • BUG 15086: Spotlight RPC service returns wrong response when Spotlight is disabled on a share.
  • BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
  • BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
  • BUG 15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 15148: Missing READ_LEASE break could cause data corruption.
  • Andreas Schneider <asn@samba.org>
  • BUG 15124: rpcclient can crash using setuserinfo(2).
  • BUG 15132: Samba fails to build with glibc 2.36 caused by including <sys/mount.h> in libreplace.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG 15152: SMB1 negotiation can fail to handle connection errors.
  • Michael Tokarev <mjt@tls.msk.ru>
  • BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
 Release Notes Samba 4.15.10

Samba 4.15.9

Release Notes for Samba 4.15.9
July 27, 2022

This is a security release in order to address the following defects:

Samba AD users can bypass certain restrictions associated with changing passwords.
Samba AD users can forge password change requests for any user.
Samba AD users can crash the server process with an LDAP add or modify request.
Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
Server memory information leak via SMB1.

Changes since 4.15.8

  • Jeremy Allison <jra@samba.org>
  • Andrew Bartlett <abartlet@samba.org>
  • Isaac Boukris <iboukris@gmail.com>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
 Release Notes Samba 4.15.9

Samba 4.15.8

Release Notes for Samba 4.15.8
June 28, 2022

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.7

  • Jeremy Allison <jra@samba.org>
  • BUG #15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
  • BUG #15099: Setting fruit:resource = stream in vfs_fruit causes a panic.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG #14986: Add support for bind 9.18.
  • BUG #15076: logging dsdb audit to specific files does not work.
  • Ralph Boehme <slow@samba.org>
  • BUG #15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted.
  • Samuel Cabrero <scabrero@samba.org>
  • Samuel Cabrero <scabrero@suse.de>
  • BUG #14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #15071: waf produces incorrect names for python extensions with Python 3.11.
  • Noel Power <noel.power@suse.com>
  • BUG #15100: smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
  • Christof Schmitt <cs@samba.org>
  • BUG #15055: vfs_gpfs recalls=no option prevents listing files.
  • Andreas Schneider <asn@samba.org>
  • BUG #15071: waf produces incorrect names for python extensions with Python 3.11.
  • BUG #15091: Compile error in source3/utils/regedit_hexedit.c.
  • BUG #15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
  • Andreas Schneider <asn@cryptomilk.org>
  • BUG #15054: smbd doesn't handle UPNs for looking up names.
  • Robert Sprowson <webpages@sprow.co.uk>
  • BUG #14443: Out-by-4 error in smbd read reply max_send clamp.
Release Notes Samba 4.15.8

Samba 4.15.7

Release Notes for Samba 4.15.7
April 26, 2022

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.6

  • Jeremy Allison <jra at samba.org>
  • BUG #14831: Share and server swapped in smbget password prompt.
  • BUG #15022: Durable handles won't reconnect if the leased file is written to.
  • BUG #15023 rmdir silently fails if directory contains unreadable files and hide unreadable is yes.
  • BUG #15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle.
  • Ralph Boehme <slow at samba.org>
  • BUG #14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
  • BUG #15035: shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes.
  • Samuel Cabrero <scabrero at samba.org>
  • BUG #15046: PAM Kerberos authentication incorrectly fails with a clock skew error.
  • Pavel Filipenský <pfilipen at redhat.com>
  • BUG #15041: username map - samba erroneously applies unix group memberships to user account entries.
  • Elia Geretto <elia.f.geretto at gmail.com>
  • BUG #14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal.
  • Stefan Metzmacher <metze at samba.org>
  • BUG #13879: Simple bind doesn't work against an RODC (with non-preloaded users).
  • BUG #14641: Crash of winbind on RODC.
  • BUG #14865: uncached logon on RODC always fails once.
  • BUG #14951: KVNO off by 100000.
  • BUG #15001: LDAP simple binds should honour "old password allowed period".
  • BUG #15003: wbinfo -a doesn't work reliable with upn names.
  • Garming Sam <garming at catalyst.net.nz>
  • BUG #13879: Simple bind doesn't work against an RODC (with non-preloaded users).
  • Christof Schmitt <cs at samba.org>
  • BUG #15027: Uninitialized litemask in variable in vfs_gpfs module.
  • Andreas Schneider <asn at samba.org>
  • BUG #15016: Regression: create krb5 conf = yes doesn't work with a single KDC.
Release Notes Samba 4.15.7

Samba 4.15.6

Release Notes for Samba 4.15.6
March 15, 2022

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.5

  • Jeremy Allison <jra@samba.org>
  • BUG #14169: Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
  • BUG #14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key.
  • BUG #14938: NT error code is not set when overwriting a file during rename in libsmbclient.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG #14996: Fix ldap simple bind with TLS auditing.
  • Ralph Boehme <slow@samba.org>
  • BUG #14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
  • Samuel Cabrero <scabrero@suse.de>
  • Günther Deschner <gd@samba.org>
  • BUG #8691: pam_winbind will not allow gdm login if password about to expire.
  • Pavel Filipenský <pfilipen@redhat.com>
  • BUG #14971 : virusfilter_vfs_openat: Not scanned: Directory or special file.
  • Björn Jacke <bj@sernet.de>
  • BUG #13631: DFS fix for AIX broken.
  • BUG #14974: Solaris and AIX acl modules: wrong function arguments.
  • BUG #7239: Function aixacl_sys_acl_get_file not declared / coredump.
  • Volker Lendecke <vl@samba.org>
  • BUG #14900: Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam.
  • BUG #14989: Fix a use-after-free in SMB1 server.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14968: smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
  • BUG #14984: changing the machine password against an RODC likely destroys the domain join.
  • BUG #14993: authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument.
  • BUG #14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
  • Andreas Schneider <asn@samba.org>
  • BUG #14967: Samba autorid fails to map AD users if id rangesize fits in the id range only once.
Release Notes Samba 4.15.6

Samba 4.15.5

Release Notes for Samba 4.15.5
January 31, 2022

This is a security release in order to address the following defects:

  • CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists.
  • CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
  • CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.

Changes since 4.15.4

  • Jeremy Allison <jra@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  Release Notes Samba 4.15.5

Samba 4.15.4

Release Notes for Samba 4.15.4
January 19, 2022

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.3

  • Jeremy Allison <jra@samba.org>
  • BUG #14928: Duplicate SMB file_ids leading to Windows client cache poisoning.
  • BUG #14939: smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path.
  • BUG #14944: Missing pop_sec_ctx() in error path inside close_directory().
  • Pavel Filipenský <pfilipen@redhat.com>
  • BUG #14940: Cross device copy of the crossrename module always fails.
  • BUG #14941: symlinkat function from VFS cap module always fails with an error.
  • BUG #14942: Fix possible fsp pointer deference.
  • Volker Lendecke <vl@samba.org>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL.
  • BUG #14935: Can't connect to Windows shares not requiring authentication using KDE/Gnome.
  • Andreas Schneider <asn@samba.org>
  • BUG #14945: "smbd --build-options" no longer works without an smb.conf file.
  • Jones Syue <jonessyue@qnap.com>
  • BUG #14928: Duplicate SMB file_ids leading to Windows client cache poisoning.
Release Notes Samba 4.15.4

Samba 4.15.3

Release Notes for Samba 4.15.3
December 08, 2021

This is the latest stable release of the Samba 4.15 release series.

Important Notes

There have been a few regressions in the security release 4.15.2:

  • CVE-2020-25717: A user on the domain can become root on domain members.
PLEASE [RE-]READ!
The instructions have been updated and some workarounds initially adviced for 4.15.2 are no longer required and should be reverted in most cases.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.15.2

  • Jeremy Allison <jra@samba.org>
  • BUG #14878: Recursive directory delete with veto files is broken in 4.15.0.
  • BUG #14879: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.
  • BUG #14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals().
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
  • Ralph Boehme <slow@samba.org>
  • BUG #14127: Avoid storing NTTIME_THAW (-2) as value on disk.
  • BUG #14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
  • BUG #14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
  • BUG #14897: Samba process doesn't log to logfile.
  • BUG #14907: set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert.
  • BUG #14922: Kerberos authentication on standalone server in MIT realm broken.
  • BUG #14923: Segmentation fault when joining the domain.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #14903: Support for ROLE_IPA_DC is incomplete.
  • Günther Deschner <gd@samba.org>
  • BUG #14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
  • BUG #14893: winexe crashes since 4.15.0 after popt parsing.
  • Volker Lendecke <vl@samba.org>
  • BUG #14908: net ads status -P broken in a clustered environment.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
  • BUG #14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
  • BUG #14899: winbindd doesn't start when "allow trusted domains" is off.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • Andreas Schneider <asn@samba.org>
  • BUG #14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
  • BUG #14883: smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC.
  • BUG #14912: A schannel client incorrectly detects a downgrade connecting to an AES only server.
  • BUG #14921: Possible null pointer dereference in winbind.
  • Andreas Schneider <asn@cryptomilk.org>
  • BUG #14846: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.
  • Martin Schwenke <martin@meltin.net>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • Andrew Walker <awalker@ixsystems.com>
Release Notes Samba 4.15.3

Samba 4.15.2

Release Notes for Samba 4.15.2
November 9, 2021

This is a security release in order to address the following defects:

  • CVE-2016-2124 (SMB1 client connections can be downgraded to plaintext authentication)
  • CVE-2020-25717 (A user in an AD Domain could become root on domain members)
PLEASE READ! There are important behaviour changes described
  • CVE-2020-25718 (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
  • CVE-2020-25719 (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
  • CVE-2020-25721 (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
  • CVE-2020-25722 (Samba AD DC did not do sufficient access and conformance checking of data stored)
  • CVE-2021-3738 (Use after free in Samba AD DC RPC server)
  • CVE-2021-23192 (Subsequent DCE/RPC fragment injection vulnerability)

Changes since 4.13.13

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Andrew Bartlett <abartlet@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Alexander Bokovoy <ab@samba.org>
  • Samuel Cabrero <scabrero@samba.org>
  • Nadezhda Ivanova <nivanova@symas.com>
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
   Release Notes Samba 4.15.2

Samba 4.15.1

Release Notes for Samba 4.15.1
October 27, 2021

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.0

  • Jeremy Allison <jra@samba.org>
  • BUG #14682: vfs_shadow_copy2: core dump in make_relative_path.
  • BUG #14685: Log clutter from filename_convert_internal.
  • BUG #14862: MacOSX compilation fixes.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14848: Release LDB 2.4.1 for Samba 4.15.1.
  • BUG #14854: samldb_krbtgtnumber_available() looks for incorrect string.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • Ralph Boehme <slow@samba.org>
  • BUG #14826: Correctly ignore comments in CTDB public addresses file.
  • Isaac Boukris <iboukris@gmail.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • Viktor Dukhovni <viktor@twosigma.com>
  • Pavel Filipenský <pfilipen@redhat.com>
  • BUG #14852: Fix that child winbindd logs to log.winbindd instead of log.wb-<DOMAIN>.
  • Luke Howard <lukeh@padl.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14855: SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used.
  • Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
  • Andreas Schneider <asn@samba.org>
  • BUG #14870: Prepare to operate with MIT krb5 >= 1.20.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14826: Correctly ignore comments in CTDB public addresses file.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14864: Heimdal prefers RC4 over AES for machine accounts.
  • BUG #14868: rodc_rwdc test flaps.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • Nicolas Williams <nico@twosigma.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
Release Notes Samba 4.15.1.

Samba 4.15.0

Release Notes for Samba 4.15.0
September 20, 2021

Release Announcements

This is the first stable release of the Samba 4.15 release series. Please read the release notes carefully before upgrading.

Removed SMB (development) dialects

The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They are were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or an the command line, you need to replace them like this:

  • SMB2_22 => SMB3_00
  • SMB2_24 => SMB3_00
  • SMB3_10 => SMB3_11
Note: that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect, just leave them unspecified or specify the value "default".

New GPG key

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
 

Starting from Jan 21th 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC

The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222.

NEW FEATURES/CHANGES

VFS

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the The_New_VFS.

Bind DLZ: Added the ability to set allow/deny lists for zone transfer clients

Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those request. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental

This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc

The *samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.

Improved command line user experience

Samba utilities did not consistently implement their command line interface. A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools.

These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the default now.

All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default.

Common parser:

Options added:

--client-protection=off|sign|encrypt

Options renamed:

--kerberos       ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope          ->    --netbios-scope=SCOPE
--use-ccache     ->    --use-winbind-ccache

Options removed:

-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing
Duplicates in command line utils

ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:

-e is still available as an alias for --editor, as it used to be.
-s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.

ndrdump:

-l is not available for --load-dso anymore

net:

-l is not available for --long anymore

sharesec:

-V is not available for --viewsddl anymore

smbcquotas:

--user        ->    --quota-user

nmbd:

--log-stdout  ->    --debug-stdout

smbd:

--log-stdout  ->    --debug-stdout

winbindd:

--log-stdout  ->    --debug-stdout

Scanning of trusted domains and enterprise principals

As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.

Support for Offline Domain Join (ODJ)

The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.

'samba-tool dns zoneoptions' for aging control

The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records.

To turn aging on for a zone, you can use something like this:

 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600

which turns on aging and ensures no records less than five years old are aged out and scavenged. After aging has been on for sufficient time for records to be renewed, the command

 samba-tool dns zoneoptions --refreshinterval=168

will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal.


Marking old records as static or dynamic with 'samba-tool'

A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on.

  --mark-old-records-static
  --mark-records-dynamic-regex
  --mark-records-static-regex

The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). For example, if you upgraded to Samba 4.9 in November 2018, you could use ensure no old records will be mistakenly interpreted as dynamic using the following option:

 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30

Then, if you know that that will have marked some records as static that should be dynamic, and you know which those are due to your naming scheme, you can use commands like:

 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'

where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on.

These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong.

All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead.

NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server.

DNS tombstones are now deleted as appropriate

When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically. Due to a conflation of scavenging and tombstoning, we have only been deleting tombstones when aging is enabled.

If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time.

DNS tombstones use a consistent timestamp format

DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows). We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used).

samba-tool dns update and RPC changes

The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows.

'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses.

CVE-2021-3671: Crash in Heimdal KDC and updated security release policy

An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial Of Service. See Samba_Security_Process

samba-tool domain backup offline with the LMDB backend

'samba-tool domain backup offline', when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup. If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups.

REMOVED FEATURES

  • Tru64 ACL support has been removed from this release. The last supported release of Tru64 UNIX was in 2012.
  • NIS support has been removed from this release. This is not available in Linux distributions anymore.
  • The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which have been out of support since 2018.


smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 client use kerberos                     New             desired
 client max protocol                     Values Removed
 client min protocol                     Values Removed
 client protection                       New             default
 client smb3 signing algorithms          New             see man smb.conf
 client smb3 encryption algorithms       New             see man smb.conf
 preopen:posix-basic-regex               New             No
 preopen:nomatch_log_level               New             5
 preopen:match_log_level                 New             5
 preopen:nodigits_log_level              New             1
 preopen:founddigits_log_level           New             3
 preopen:reset_log_level                 New             5
 preopen:push_log_level                  New             3
 preopen:queue_log_level                 New             10
 server max protocol                     Values Removed
 server min protocol                     Values Removed
 server multi channel support            Changed         Yes (on Linux and FreeBSD)
 server smb3 signing algorithms          New             see man smb.conf
 server smb3 encryption algorithms       New             see man smb.conf
 winbind use krb5 enterprise principals  Changed         Yes
 winbind scan trusted domains            Changed         No


CHANGES SINCE 4.15.0rc6

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14791: All the ways to specify a password are not documented.
  • Ralph Boehme <slow@samba.org>
  • BUG #14790: vfs_btrfs compression support broken.
  • BUG #14828: Problems with commandline parsing.
  • BUG #14829: smbd crashes when "ea support" is set to no.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14825: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output.
  • BUG #14828: Problems with commandline parsing.
  • Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
  • BUG #8773: smbd fails to run as root because it belongs to more than 16 groups on MacOS X.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14784: Fix CTDB flag/status update race conditions.

CHANGES SINCE 4.15.0rc5

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
  • BUG #14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • BUG #14818: Address flapping samba_tool_drs_showrepl test.
  • BUG #14819: Address flapping dsdb_schema_attributes test.
  • Luke Howard <lukeh@padl.com>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Gary Lockyer <gary@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Andreas Schneider <asn@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

CHANGES SINCE 4.15.0rc4

  • Jeremy Allison <jra@samba.org>
  • BUG #14809: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
  • BUG #14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14815: A subset of tests from Samba's selftest system were not being run, while others were run twice.
  • Ralph Boehme <slow@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
  • BUG #14787: net conf list crashes when run as normal user,
  • BUG #14803: smbd/winbindd started in daemon mode generate output on stderr/stdout.
  • BUG #14804: winbindd can crash because idmap child state is not fully initialized.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.

CHANGES SINCE 4.15.0rc3

  • Bjoern Jacke <bj@sernet.de>
  • BUG #14800: util_sock: fix assignment of sa_socklen.

CHANGES SINCE 4.15.0rc2

  • Jeremy Allison <jra@samba.org>
  • BUG #14760: vfs_streams_depot directory creation permissions and store location problems.
  • BUG #14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
  • BUG #14769: smbd panic on force-close share during offload write.
  • BUG #14805: OpenDir() loses the correct errno return.
  • Ralph Boehme <slow@samba.org>
  • BUG #14795: copy_file_range() may fail with EOPNOTSUPP.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14793: Start the SMB encryption as soon as possible.
  • Andreas Schneider <asn@samba.org>
  • BUG #14779: Winbind should not start if the socket path is too long.
  • Noel Power <noel.power@suse.com>
  • BUG #14760: vfs_streams_depot directory creation permissions and store location problems.

CHANGES SINCE 4.15.0rc1

  • Andreas Schneider <asn@samba.org>
  • BUG #14768: smbd/winbind should load the registry if configured
  • BUG #14777: do not quote passed argument of configure script
  • BUG #14779: Winbind should not start if the socket path is too long
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
  • BUG #14764: aes-256-gcm and aes-256-ccm doesn't work in the server
  • Ralph Boehme <slow@samba.org>
  • BUG #14700: file owner not available when file unredable
  • Jeremy Allison <jra@samba.org>
  • BUG #14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
  • BUG #14759: 4.15rc can leak meta-data about the directory containing the share path

KNOWN ISSUES

Release_Planning_for_Samba_4.15#Release_blocking_bugs

 [https://www.samba.org/samba/history/samba-4.15.0.html Release Notes Samba 4.15.0.