Samba 4.17 Features added/changed: Difference between revisions

From SambaWiki
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.17 is [[Samba_Release_Planning#Upcoming_Release|'''Upcoming Release''']].
Samba 4.17 is [[Samba_Release_Planning#Maintenance_Mode|'''Maintenance Mode''']].
==Samba 4.17.0rc5 ==
==Samba 4.17.8==
:Release Notes for Samba 4.17.8
:May 11, 2023

===This is the latest stable release of the Samba 4.17 release series.===

===Changes since 4.17.7===
* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15302 BUG 15302]: log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15306 BUG 15306]: Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15328 BUG 15328]: test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15270 BUG 15270]: Reduce flapping of ridalloc test.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15270 BUG 15270]: large_ldap test is unreliable.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15329 BUG 15329]: New filename parser doesn't check veto files smb.conf parameter.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15354 BUG 15354]: mdssvc may crash when initializing.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15313 BUG 15313]: Large directory optimization broken for non-lcomp path elements.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15357 BUG 15357]: streams_depot fails to create streams.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15358 BUG 15358]: shadow_copy2 and streams_depot don't play well together.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15366 BUG 15366]: wbinfo -u fails on ad dc with >1000 users.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15317 BUG 15317]: winbindd idmap child contacts the domain controller without a need.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15318 BUG 15318]: idmap_autorid may fail to map sids of trusted domains for the first time.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15319 BUG 15319]: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15323 BUG 15323]: net ads search -P doesn't work against servers in other domains.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15338 BUG 15338]: DS ACEs might be inherited to unrelated object classes.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15353 BUG 15353]: Temporary smbXsrv_tcon_global.tdb can't be parsed.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15360 BUG 15360]: Setting veto files = /.*/ break listing directories.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14810 BUG 14810]: [https://www.samba.org/samba/security/CVE-2020-25720.html CVE-2020-25720] [SECURITY] Create Child permission should not allow full write to all attributes (additional changes).
:* [https://bugzilla.samba.org/show_bug.cgi?id=15329 BUG 15329]: Reduce flapping of ridalloc test.
* Nathaniel W. Turner <nturner@exagrid.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15325 BUG 15325]: dsgetdcname: assumes local system uses IPv4.

[https://www.samba.org/samba/history/samba-4.17.8.html Release Notes Samba 4.17.8]

==Samba 4.17.7==
:Release Notes for Samba 4.17.7
:March 29, 2023

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0922]
:The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
* [https://www.samba.org/samba/security/CVE-2023-0614.html CVE-2023-0614]
:The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.

===Changes since 4.17.6===

* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15270 BUG 15270]: [https://www.samba.org/samba/security/CVE-2023-0614.html CVE-2023-0614].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15331 BUG 15331]: ldb wildcard matching makes excessive allocations.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15332 BUG 15332]: large_ldap test is inefficient.
* Rob van der Linde <rob@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15315 BUG 15315]: [https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0922].
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15270 BUG 15270]: [https://www.samba.org/samba/security/CVE-2023-0614.html CVE-2023-0614]
:* [https://bugzilla.samba.org/show_bug.cgi?id=15276 BUG 15276]: [https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0922]

[https://www.samba.org/samba/history/samba-4.17.7.html Release Notes Samba 4.17.7]

==Samba 4.17.6==
:Release Notes for Samba 4.17.6
:March 09, 2023

This is the latest stable release of the Samba 4.17 release series.

===Changes since 4.17.5===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15314 BUG 15314]: streams_xattr is creating unexpected locks on folders.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=10635 BUG 10635]: Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15299 BUG 15299]: Spotlight doesn't work with latest macOS Ventura.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15310 BUG 15310]: New samba-dcerpc architecture does not scale gracefully.
* John Mulligan <jmulligan@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15307 BUG 15307]: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat.
* Noel Power <noel.power@suse.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15293 BUG 15293]: With clustering enabled samba-bgqd can core dump due to use after free.
* baixiangcpp <baixiangcpp@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15311 BUG 15311]: fd_load() function implicitly closes the fd where it should not.

[https://www.samba.org/samba/history/samba-4.17.6.html Release Notes Samba 4.17.6]

==Samba 4.17.5==
:Release Notes for Samba 4.17.5
:January 26, 2023

===This is the latest stable release of the Samba 4.17 release series.===

===Changes since 4.17.4===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14808 BUG 14808]: smbc_getxattr() return value is incorrect.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15172 BUG 15172]: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15210 BUG 15210]: synthetic_pathref AFP_AfpInfo failed errors.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15226 BUG 15226]: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15236 BUG 15236]: smbd crashes if an FSCTL request is done on a stream handle.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15277 BUG 15277]: DFS links don't work anymore on Mac clients since 4.17.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15283 BUG 15283]: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value).
* Samuel Cabrero <scabrero@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15240 BUG 15240]: [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023] [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes).
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG 15243]: %U for include directive doesn't work for share listing (netshareenum).
:* [https://bugzilla.samba.org/show_bug.cgi?id=15266 BUG 15266]: Shares missing from netshareenum response in samba 4.17.4.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15269 BUG 15269]: ctdb: use-after-free in run_proc.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG 15243]: %U for include directive doesn't work for share listing (netshareenum).
:* [https://bugzilla.samba.org/show_bug.cgi?id=15266 BUG 15266]: Shares missing from netshareenum response in samba 4.17.4.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15280 BUG 15280]: irpc_destructor may crash during shutdown.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15286 BUG 15286]: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15268 BUG 15268]: smbclient segfaults with use after free on an optimized build.
* Jones Syue <jonessyue@qnap.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15282 BUG 15282]: smbstatus leaking files in msg.sock and msg.lock.
* Andrew Walker <awalker@ixsystems.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15164 BUG 15164]: Leak in wbcCtxPingDc2.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15265 BUG 15265]: Access based share enum does not work in Samba 4.16+.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15267 BUG 15267]: Crash during share enumeration.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15271 BUG 15271]: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer.
* Florian Weimer <fweimer@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15281 BUG 15281]: Avoid relying on C89 features in a few places.

[https://www.samba.org/samba/history/samba-4.17.5.html Release Notes Samba 4.17.5]

==Samba 4.17.4==
:Release Notes for Samba 4.17.4
:December 15, 2022

===This is the latest stable release of the Samba 4.17 release series.===
It also contains security changes in order to address the following defects:


* [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966]
:: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.

::A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.

::On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

* [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967]
::This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.

::A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.

* [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023]
:: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.

Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the advisories of [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966], [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023], [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967] and [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023] carefully!

===samba-tool got a new 'domain trust modify' subcommand===

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects. Even against remote DCs (including Windows) using the --local-dc-ipaddress= (and other --local-dc-* options).
:See 'samba-tool domain trust modify --help' for further details.

===smb.conf changes===

Parameter Name Description Default
-------------- ----------- -------
allow nt4 crypto Deprecated no
allow nt4 crypto:COMPUTERACCOUNT New
kdc default domain supported enctypes New (see manpage)
kdc supported enctypes New (see manpage)
kdc force enable rc4 weak session keys New No
reject md5 clients New Default, Deprecated Yes
reject md5 servers New Default, Deprecated Yes
server schannel Deprecated Yes
server schannel require seal New, Deprecated Yes
server schannel require seal:COMPUTERACCOUNT New
winbind sealed pipes Deprecated Yes

===Changes since 4.17.3===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15224 BUG 15224]: pam_winbind uses time_t and pointers assuming they are of the same size.

* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14929 BUG 14929]: [https://www.samba.org/samba/security/CVE-2022-44640.html CVE-2022-44640] [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15258 BUG 15258]: filter-subunit is inefficient with large numbers of knownfails.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15240 BUG 15240]: [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15252 BUG 15252]: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG 13135]: The KDC logic arround msDs-supportedEncryptionTypes differs from Windows.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG 14611]: [https://www.samba.org/samba/security/CVE-2021-20251.html CVE-2021-20251] [SECURITY] Bad password count not incremented atomically.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]] [SECURITY] krb5_pac_parse() buffer parsing vulnerability.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15206 BUG 15206]: libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4().
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15230 BUG 15230]: Memory leak in snprintf replacement functions.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15240 BUG 15240]: [https://www.samba.org/samba/security/CVE-2022-38023.html CVE-2022-38023].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15253 BUG 15253]: RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression).
* Noel Power <noel.power@suse.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15224 BUG 15224]: pam_winbind uses time_t and pointers assuming they are of the same size.
* Anoop C S <anoopcs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15198 BUG 15198]: Prevent EBADF errors with vfs_glusterfs.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG 15243]: %U for include directive doesn't work for share listing (netshareenum).
:* [https://bugzilla.samba.org/show_bug.cgi?id=15257 BUG 15257]: Stack smashing in net offlinejoin requestodj.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15197 BUG 15197]: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15219 BUG 15219]: Heimdal session key selection in AS-REQ examines wrong entry.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15231 BUG 15231]: [https://www.samba.org/samba/security/CVE-2022-37967.html CVE-2022-37967].
:* [https://bugzilla.samba.org/show_bug.cgi?id=15237 BUG 15237]: [https://www.samba.org/samba/security/CVE-2022-37966.html CVE-2022-37966].
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14929 BUG 14929]: [https://www.samba.org/samba/security/CVE-2022-44640.html CVE-2022-44640] [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.

[https://www.samba.org/samba/history/samba-4.17.4.html Release Notes Samba 4.17.4]

==Samba 4.17.3==
:Release Notes for Samba 4.17.3
:November 15, 2022

===This is a security release in order to address the following defects:===
* [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]
:: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.

===Changes since 4.17.2===
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15203 BUG 15203]: [https://www.samba.org/samba/security/CVE-2022-42898.html CVE-2022-42898]

[https://www.samba.org/samba/history/samba-4.17.3.html Release Notes Samba 4.17.3]

==Samba 4.17.2==
:Release Notes for Samba 4.16.6
:October 25, 2022

===This is a security release in order to address the following defect:===

* [https://www.samba.org/samba/security/CVE-2022-3437.html CVE-2022-3437]: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
* [https://www.samba.org/samba/security/CVE-2022-3592.html CVE-2022-3592]: A malicious client can use a symlink to escape the exported directory.

===Changes since 4.17.2===
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15207 BUG 15207]: [https://www.samba.org/samba/security/CVE-2022-3592.html CVE-2022-3592].
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15134 BUG 15134]: [https://www.samba.org/samba/security/CVE-2022-3437.html CVE-2022-3437].

[https://www.samba.org/samba/history/samba-4.17.2.html Release Notes Samba 4.17.2]

==Samba 4.17.1==
:Release Notes for Samba 4.17.1
:October 19, 2022

===This is the latest stable release of the Samba 4.17 release series.===

===Changes since 4.17.0===
* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG #14611]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20251 CVE-2021-20251][SECURITY] Bad password count not incremented atomically.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15174 BUG #15174]: smbXsrv_connection_shutdown_send result leaked.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15182 BUG #15182]: Flush on a named stream never completes.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15195 BUG #15195]: Permission denied calling SMBC_getatr when file not exists.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15189 BUG #15189]: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15191 BUG #15191]: pytest: add file removal helpers for TestCaseInTempDir.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG #14611]: [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20251 CVE-2021-20251][SECURITY] Bad password count not incremented atomically.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15182 BUG #15182]: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later. over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15126 BUG #15182]: Flush on a named stream never completes.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15151 BUG #15151]: vfs_gpfs silently garbles timestamps > year 2106.
* Gary Lockyer <gary@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG #14611]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20251 CVE-2021-20251][SECURITY] Bad password count not incremented atomically.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15200 BUG #15200]: multi-channel socket passing may hit a race if one of the involved processes already existed.
:* [https://bugzilla.samba.org/show_bug.cgi?id=15201 BUG #15201]: memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others).
* Noel Power <noel.power@suse.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15205 BUG #15205]: Since popt1.19 various use after free errors using result of poptGetArg are now exposed.
* Anoop C S <anoopcs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15192 BUG #15192]: Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=15169 BUG #15169]: GETPWSID in memory cache grows indefinetly with each NTLM auth.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG #14611]: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20251 CVE-2021-20251][SECURITY] Bad password count not incremented atomically.

[https://www.samba.org/samba/history/samba-4.17.1.html Release Notes Samba 4.17.1]

==Samba 4.17.0 ==
<onlyinclude>
<onlyinclude>
===Release Announcements===
===Release Announcements===
:Release Notes for 4.17.0rc5
:Release Notes for 4.17.0
:September 6, 2022
:September 13, 2022

This is the fifth release candidate of Samba 4.17. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.


Samba 4.17 will be the next version of the Samba suite.
This is the first stable release of the Samba 4.17 release series.


Please read the release notes carefully before upgrading.
===UPGRADING===


===NEW FEATURES/CHANGES===
===NEW FEATURES/CHANGES===
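Review bot: In the ==Samba 4.17.2== section the added lines read "Release Notes for Samba 4.16.6" and "Changes since 4.17.2", which look copied from another release; they should presumably name 4.17.2 and 4.17.1, and the heading says "following defect:" although two CVEs follow. In the 4.17.8 list, BUG 15329 appears under Joseph Sutton as "Reduce flapping of ridalloc test" although the same id is the veto files entry under Ralph Boehme, and BUG 15270 carries both the ridalloc and the large_ldap descriptions, so those ids should be checked against Bugzilla. Smaller markup slips: the 4.17.4 advisory sentence names CVE-2022-38023 twice, the CVE-2022-42898 link under Stefan Metzmacher ends in a stray "]", the Andrew Bartlett CVE-2021-20251 entry for 4.17.1 opens with "[[", and the Ralph Boehme 4.17.1 link points at id=15126 while its label says #15182.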
Line 187: Line 475:
[[Release_Planning_for_Samba_4.17#Release_blocking_bugs]]
[[Release_Planning_for_Samba_4.17#Release_blocking_bugs]]


https://download.samba.org/pub/samba/rc/samba-4.17.0rc3.WHATSNEW.txt
https://www.samba.org/samba/history/samba-4.17.0.html

Revision as of 09:57, 15 May 2023

Samba 4.17 is Maintenance Mode.

Samba 4.17.8

Release Notes for Samba 4.17.8
May 11, 2023

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.7

  • Jeremy Allison <jra@samba.org>
      • BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower.
      • BUG 15306: Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c.
  • Andrew Bartlett <abartlet@samba.org>
      • BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners.
      • BUG 15270: Reduce flapping of ridalloc test.
      • BUG 15270: large_ldap test is unreliable.
  • Ralph Boehme <slow@samba.org>
      • BUG 15329: New filename parser doesn't check veto files smb.conf parameter.
      • BUG 15354: mdssvc may crash when initializing.
  • Volker Lendecke <vl@samba.org>
      • BUG 15313: Large directory optimization broken for non-lcomp path elements.
      • BUG 15357: streams_depot fails to create streams.
      • BUG 15358: shadow_copy2 and streams_depot don't play well together.
      • BUG 15366: wbinfo -u fails on ad dc with >1000 users.
  • Stefan Metzmacher <metze@samba.org>
      • BUG 15317: winbindd idmap child contacts the domain controller without a need.
      • BUG 15318: idmap_autorid may fail to map sids of trusted domains for the first time.
      • BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
      • BUG 15323: net ads search -P doesn't work against servers in other domains.
      • BUG 15338: DS ACEs might be inherited to unrelated object classes.
      • BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
  • Andreas Schneider <asn@samba.org>
      • BUG 15360: Setting veto files = /.*/ break listing directories.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
      • BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes).
      • BUG 15329: Reduce flapping of ridalloc test.
  • Nathaniel W. Turner <nturner@exagrid.com>
      • BUG 15325: dsgetdcname: assumes local system uses IPv4.

Release Notes Samba 4.17.8: https://www.samba.org/samba/history/samba-4.17.8.html

Samba 4.17.7

Release Notes for Samba 4.17.7
March 29, 2023

This is a security release in order to address the following defects:

  • CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
  • CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.


Changes since 4.17.6

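  • Andrew Bartlett <abartlet@samba.org>
      • BUG 15270: CVE-2023-0614.
      • BUG 15331: ldb wildcard matching makes excessive allocations.
      • BUG 15332: large_ldap test is inefficient.
  • Rob van der Linde <rob@catalyst.net.nz>
      • BUG 15315: CVE-2023-0922.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
      • BUG 15270: CVE-2023-0614
      • BUG 15276: CVE-2023-0922

Release Notes Samba 4.17.7: https://www.samba.org/samba/history/samba-4.17.7.html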

Samba 4.17.6

Release Notes for Samba 4.17.6
March 09, 2023

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.5

  • Jeremy Allison <jra@samba.org>
      • BUG 15314: streams_xattr is creating unexpected locks on folders.
  • Andrew Bartlett <abartlet@samba.org>
      • BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.
  • Ralph Boehme <slow@samba.org>
      • BUG 15299: Spotlight doesn't work with latest macOS Ventura.
  • Volker Lendecke <vl@samba.org>
      • BUG 15310: New samba-dcerpc architecture does not scale gracefully.
  • John Mulligan <jmulligan@redhat.com>
      • BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat.
  • Noel Power <noel.power@suse.com>
      • BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free.
  • baixiangcpp <baixiangcpp@gmail.com>
      • BUG 15311: fd_load() function implicitly closes the fd where it should not.

Release Notes Samba 4.17.6: https://www.samba.org/samba/history/samba-4.17.6.html

Samba 4.17.5

Release Notes for Samba 4.17.5
January 26, 2023

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.4

  • Jeremy Allison <jra@samba.org>
      • BUG 14808: smbc_getxattr() return value is incorrect.
      • BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly.
      • BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
      • BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS.
      • BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
      • BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
      • BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value).
  • Samuel Cabrero <scabrero@samba.org>
      • BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes).
  • Volker Lendecke <vl@samba.org>
      • BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
      • BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
      • BUG 15269: ctdb: use-after-free in run_proc.
  • Stefan Metzmacher <metze@samba.org>
      • BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
      • BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
      • BUG 15280: irpc_destructor may crash during shutdown.
      • BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
  • Andreas Schneider <asn@samba.org>
      • BUG 15268: smbclient segfaults with use after free on an optimized build.
  • Jones Syue <jonessyue@qnap.com>
      • BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
  • Andrew Walker <awalker@ixsystems.com>
      • BUG 15164: Leak in wbcCtxPingDc2.
      • BUG 15265: Access based share enum does not work in Samba 4.16+.
      • BUG 15267: Crash during share enumeration.
      • BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer.
  • Florian Weimer <fweimer@redhat.com>
      • BUG 15281: Avoid relying on C89 features in a few places.

Release Notes Samba 4.17.5: https://www.samba.org/samba/history/samba-4.17.5.html

Samba 4.17.4

Release Notes for Samba 4.17.4
December 15, 2022

This is the latest stable release of the Samba 4.17 release series.

It also contains security changes in order to address the following defects:


  • CVE-2022-37966
      This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
      A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
      On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
  • CVE-2022-37967
      This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
      A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
  • CVE-2022-38023
      The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.

Note that there are several important behavior changes included in this release, which may cause compatibility problems when interacting with systems still expecting the former behavior. Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand

This allows "msDS-SupportedEncryptionTypes" to be changed on trustedDomain objects, even against remote DCs (including Windows), using --local-dc-ipaddress= (and the other --local-dc-* options).

See 'samba-tool domain trust modify --help' for further details.

smb.conf changes

 Parameter Name                               Description             Default
 --------------                               -----------             -------
 allow nt4 crypto                             Deprecated              no
 allow nt4 crypto:COMPUTERACCOUNT             New
 kdc default domain supported enctypes        New (see manpage)
 kdc supported enctypes                       New (see manpage)
 kdc force enable rc4 weak session keys       New                     No
 reject md5 clients                           New Default, Deprecated Yes
 reject md5 servers                           New Default, Deprecated Yes
 server schannel                              Deprecated              Yes
 server schannel require seal                 New, Deprecated         Yes
 server schannel require seal:COMPUTERACCOUNT New
 winbind sealed pipes                         Deprecated              Yes
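
The following audit sketch is an added example, not part of the Samba release notes or the Samba code base. It flags [global] settings that are weaker than the defaults in the table above, including the per-account ':COMPUTERACCOUNT' overrides. The function names and the sample configuration are constructed for illustration, and the parser assumes no 'include' directives or line continuations.

```python
import re

# Secure defaults, taken from the "smb.conf changes" table above.
SECURE_DEFAULTS = {
    "allow nt4 crypto": False,
    "kdc force enable rc4 weak session keys": False,
    "reject md5 clients": True,
    "reject md5 servers": True,
    "server schannel": True,
    "server schannel require seal": True,
    "winbind sealed pipes": True,
}
TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; legacy appliance exception
    server schannel require seal:OLDNAS$ = no
    Reject MD5 Clients = No
    allow nt4 crypto = no
    kdc force enable rc4 weak session keys = yes
[data]
    path = /srv/data
"""


def parse_global(text):
    """Return {normalised parameter name: value} for [global]; last one wins."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def audit(text):
    """Return (parameter, value, scope) for each setting weaker than default."""
    findings = []
    for name, value in parse_global(text).items():
        base, _, account = name.partition(":")
        if base.strip() not in SECURE_DEFAULTS:
            continue
        wanted = TRUE_WORDS if SECURE_DEFAULTS[base.strip()] else FALSE_WORDS
        if value.lower() not in wanted:  # also flags values such as "auto"
            findings.append((name, value, account.strip() or "global"))
    return findings
```

Each per-account finding names the computer account holding the exception, so the list doubles as an inventory of legacy devices that still need the weaker setting.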

Changes since 4.17.3

  • Jeremy Allison <jra@samba.org>
  • BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.
  • Andrew Bartlett <abartlet@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Stefan Metzmacher <metze@samba.org>
  • Noel Power <noel.power@suse.com>
  • BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.
  • Anoop C S <anoopcs@samba.org>
  • BUG 15198: Prevent EBADF errors with vfs_glusterfs.
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • Nicolas Williams <nico@twosigma.com>
Release Notes Samba 4.17.4

Samba 4.17.3

Release Notes for Samba 4.17.3
November 15, 2022

This is a security release in order to address the following defects:

Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.

Changes since 4.17.2

  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • Nicolas Williams <nico@twosigma.com>
Release Notes Samba 4.17.3

Samba 4.17.2

Release Notes for Samba 4.16.6
October 25, 2022

This is a security release in order to address the following defects:

  • CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
  • CVE-2022-3592: A malicious client can use a symlink to escape the exported directory.

Changes since 4.17.2

  • Volker Lendecke <vl@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
 Release Notes Samba 4.17.2

Samba 4.17.1

Release Notes for Samba 4.17.1
October 19, 2022

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.0

  • Jeremy Allison <jra@samba.org>
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG #15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
  • BUG #15191: pytest: add file removal helpers for TestCaseInTempDir.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
  • BUG #15182: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
  • Ralph Boehme <slow@samba.org>
  • BUG #15182: Flush on a named stream never completes.
  • Volker Lendecke <vl@samba.org>
  • BUG #15151: vfs_gpfs silently garbles timestamps > year 2106.
  • Gary Lockyer <gary@catalyst.net.nz>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #15200: multi-channel socket passing may hit a race if one of the involved processes already existed.
  • BUG #15201: memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others).
  • Noel Power <noel.power@suse.com>
  • BUG #15205: Since popt1.19 various use after free errors using result of poptGetArg are now exposed.
  • Anoop C S <anoopcs@samba.org>
  • BUG #15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs.
  • Andreas Schneider <asn@samba.org>
  • BUG #15169: GETPWSID in memory cache grows indefinitely with each NTLM auth.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
   Release Notes Samba 4.17.1

Samba 4.17.0

Release Announcements

Release Notes for 4.17.0
September 13, 2022

This is the first stable release of the Samba 4.17 release series.

Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

SMB Server performance improvements

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for meta data heavy workloads.

With 4.17 the situation improved a lot again:

  • Pathnames given by a client are divided into dirname and basename. The number of syscalls needed to validate dirnames is reduced to 2 syscalls (openat, close) per component. On modern Linux kernels (>= 5.6) smbd makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, in order to use just 2 syscalls (openat2, close) for the whole dirname.
  • Contended path based operations used to generate a lot of unsolicited wakeup events causing thundering herd problems, which led to massive latencies for some clients. These events are now avoided in order to provide stable latencies and much higher throughput of open/close operations.
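
The per-component validation described in the first item can be sketched as follows. This is an added example, not smbd's code: it walks the dirname with one openat and one close per component and refuses any symlink on the way. Python's os module has no openat2() wrapper, so only the per-component form is shown; the function names are hypothetical.

```python
import os


def open_dir_nofollow(root_fd, dirname):
    """Open dirname below root_fd, refusing symlinks in every component.

    Costs one open (openat) and one close per component. Returns a new
    directory fd owned by the caller; raises OSError (ELOOP or ENOTDIR)
    when a component is a symlink.
    """
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.dup(root_fd)
    try:
        for comp in dirname.split("/"):
            if comp in ("", "."):
                continue
            if comp == "..":
                raise PermissionError(f"'..' not allowed in {dirname!r}")
            # Resolve relative to the fd already held, so a concurrent
            # rename or symlink swap of a parent cannot redirect the walk.
            nxt = os.open(comp, flags, dir_fd=fd)
            os.close(fd)
            fd = nxt
    except BaseException:
        os.close(fd)
        raise
    return fd


def open_in_share(share_path, client_path):
    """Split a client path into dirname/basename and open the file safely."""
    dirname, basename = os.path.split(client_path.lstrip("/"))
    root_fd = os.open(share_path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        dir_fd = open_dir_nofollow(root_fd, dirname)
    finally:
        os.close(root_fd)
    try:
        return os.open(basename, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
```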

Configure without the SMB1 Server

It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba is configured to include SMB1 support (i.e. --with-smb1-server is the default). When Samba is configured without SMB1 support, none of the SMB1 code is included inside smbd except the minimal stub code needed to allow a client to connect as SMB1 and immediately negotiate the selected protocol into SMB2 (as a Windows server also allows).

None of the SMB1-only smb.conf parameters are removed when configured without SMB1, but these parameters are ignored by the smbd server. This allows deployment without having to change an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers.

Bronze bit and S4U support now also with MIT Kerberos 1.20

In 2020, the Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update for CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as 'Bronze Bit'. With this vulnerability, a compromised service that is configured to use the Kerberos constrained delegation feature could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the 'Bronze Bit' attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was changed to allow passing more details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the 'Bronze Bit' issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions.

Note: the default (Heimdal-based) KDC was already fixed in 2021, see BUG #14642

Resource Based Constrained Delegation (RBCD) support

Samba AD DC built with MIT Kerberos 1.20 now offers RBCD support. With MIT Kerberos 1.20 we have complete RBCD support, passing Samba's S4U test suite.

samba-tool delegation got the 'add-principal' and 'del-principal' subcommands in order to manage RBCD.

To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with MIT Kerberos 1.20.

Note: the default (Heimdal-based) KDC does not support RBCD yet.

[1] Kerberos Constrained Delegation Overview

Customizable DNS listening port

It is now possible to set a custom listening port for the builtin DNS service, making it easy to host another DNS server on the same system that binds to the default port and forwards the domain-specific queries to Samba using the custom port. This is the opposite configuration of setting a forwarder in Samba.

This makes it possible to use another DNS server as a front end that forwards to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when forwarding to Samba. Dynamic DNS update proxying depends on the features of the other DNS server used as a front.

CTDB changes

  • When Samba is configured with both --with-cluster-support and --systemd-install-services then a systemd service file for CTDB will be installed.
  • ctdbd_wrapper has been removed. ctdbd is now started directly from a systemd service file or init script.
  • The syntax for the ctdb.tunables configuration file has been relaxed. However, trailing garbage after the value, including comments, is no longer permitted. Please see ctdb-tunables(7) for more details.

Operation without the (unsalted) NT password hash

When Samba is configured with 'nt hash store = never' then Samba will no longer store the (unsalted) NT password hash for users in Active Directory. (Trust accounts, like computers, domain controllers and inter-domain trusts, are not impacted.)

In the next version of Samba the default for 'nt hash store' will change from 'always' to 'auto', where it will follow 'ntlm auth' (that is, behave as 'nt hash store = never' when 'ntlm auth = disabled' is set).

Security-focused deployments of Samba that have eliminated NTLM from their networks will find setting 'ntlm auth = disabled' with 'nt hash store = always' as a useful way to improve compliance with best-practice guidance on password storage (which is to always use an iterated hash).

Note that when 'nt hash store = never' is set, arcfour-hmac-md5 Kerberos keys will not be available for users who subsequently change their password, as these keys derive their values from NT hashes. AES keys are stored by default for all deployments of Samba with Domain Functional Level 2008 or later, are supported by all modern clients, and are much more secure.

Finally, also note that password history in Active Directory is stored in nTPwdHistory using a series of NT hash values. Therefore the full password history feature is not available in this mode.

To provide some protection against password re-use, previous Kerberos hash values (the current, old and older values are already stored) are used, providing a history length of 3.

There is one small limitation of this workaround: Changing the sAMAccountName, userAccountControl or userPrincipalName of an account can cause the Kerberos password salt to change. This means that after *both* an account rename and a password change, only the current password will be recognised for password history purposes.
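
The limitation can be reproduced with a simplified model, added here as an illustration and not taken from Samba's code. Assumptions: the salt is the upper-case realm followed by the account name, PBKDF2-HMAC-SHA1 with 4096 iterations stands in for the full AES string-to-key, and the Account class and its methods are hypothetical.

```python
import hashlib
import hmac


def derive(password, salt):
    # Stand-in for the AES string-to-key (assumption): salted, iterated PBKDF2.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


class Account:
    """Keeps three generations of salted keys: current, old, older."""

    def __init__(self, realm, name, password):
        self.realm, self.name = realm, name
        self.salt = None
        self.keys = []  # newest first
        self.set_password(password, check_history=False)

    def rename(self, new_name):
        # The server does not know the password, so the stored keys
        # (derived with the old salt) cannot be re-derived here.
        self.name = new_name

    def is_reused(self, candidate):
        probe = derive(candidate, self.salt)
        return any(hmac.compare_digest(probe, key) for key in self.keys)

    def set_password(self, new_password, check_history=True):
        if check_history and self.is_reused(new_password):
            raise ValueError("password found in history")
        # The salt follows the current account name (assumed format).
        self.salt = self.realm.upper() + self.name
        self.keys = [derive(new_password, self.salt)] + self.keys[:2]


def history_after_rename():
    """Constructed scenario: two changes, a rename, then a third change."""
    acct = Account("example.com", "alice", "pw-one")
    acct.set_password("pw-two")
    seen_before = acct.is_reused("pw-one")  # same salt, so still detected
    acct.rename("alice.smith")
    acct.set_password("pw-three")           # the salt changes with this step
    return (seen_before, acct.is_reused("pw-one"),
            acct.is_reused("pw-two"), acct.is_reused("pw-three"))
```

In this model history_after_rename() returns (True, False, False, True): once the salt has changed, the two older keys no longer match any candidate, so only the current password is recognised.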

Python API for smbconf

Samba's smbconf library provides a generic frontend to various configuration backends (plain text file, registry) as a C library. A new Python wrapper, importable as 'samba.smbconf' is available. An additional module, 'samba.samba3.smbconf', is also available to enable registry backend support. These libraries allow Python programs to read, and optionally write, Samba configuration natively.

JSON support for smbstatus

It is now possible to print detailed information in JSON format in the smbstatus program using the new option --json. The JSON output covers all the existing text output including sessions, connections, open files, byte-range locks, notifies and profile data with all low-level information maintained by Samba in the respective databases.

Protected Users security group

Samba AD DC now includes support for the Protected Users security group introduced in Windows Server 2012 R2. The feature reduces the attack surface of user accounts by preventing the use of weak encryption types. It also mitigates the effects of credential theft by limiting credential lifetime and scope.

The protections are intended for user accounts only, and service or computer accounts should not be added to the Protected Users group. User accounts added to the group are granted the following security protections:

  • NTLM authentication is disabled.
  • Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are not issued to or accepted from affected principals. Tickets encrypted with AES, and service tickets encrypted with RC4, are not affected by this restriction.
  • The lifetime of Kerberos TGTs is restricted to a maximum of four hours.
  • Kerberos constrained and unconstrained delegation is disabled.

If the Protected Users group is not already present in the domain, it can be created with 'samba-tool group add'. The new '--special' parameter must be specified, with 'Protected Users' as the name of the group. An example command invocation is:

samba-tool group add 'Protected Users' --special

or against a remote server:

samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator

The Protected Users group is identified in the domain by its having a RID of 525. Thus, it should only be created with samba-tool and the '--special' parameter, as above, so that it has the required RID to function correctly.

REMOVED FEATURES

LanMan Authentication and password storage removed from the AD DC

Storage of and authentication with LanMan passwords have been entirely removed from the Samba AD DC, even when "lanman auth = yes" is set.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 dns port                                New default     53
 fruit:zero_file_id                      New default     yes
 nt hash store                           New parameter   always
 smb1 unix extensions                    Replaces "unix extensions"
 volume serial number                    New parameter   -1
 winbind debug traceid                   New parameter   no


CHANGES SINCE 4.17.0rc4

  • Ralph Boehme <slow@samba.org>
  • BUG #15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
  • BUG #15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
  • BUG #15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
  • Volker Lendecke <vl@samba.org>
  • BUG #15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
  • BUG #15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #15159: Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED.
  • Noel Power <noel.power@suse.com>
  • BUG #15160: winbind at info level debug can coredump when processing wb_lookupusergroups.

CHANGES SINCE 4.17.0rc3

  • Anoop C S <anoopcs@samba.org>
  • BUG #15157: Make use of glfs_*at() API calls in vfs_glusterfs.

CHANGES SINCE 4.17.0rc2

  • Jeremy Allison <jra@samba.org>
  • BUG #15128: Possible use after free of connection_struct when iterating smbd_server_connection->connections.
  • Christian Ambach <ambi@samba.org>
  • BUG #15145: `net usershare add` fails with flag works with --long but fails with -l.
  • Ralph Boehme <slow@samba.org>
  • BUG #15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #15125: Performance regression on contended path based operations.
  • BUG #15148: Missing READ_LEASE break could cause data corruption.
  • Andreas Schneider <asn@samba.org>
  • BUG #15141: libsamba-errors uses a wrong version number.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #15152: SMB1 negotiation can fail to handle connection errors.

CHANGES SINCE 4.17.0rc1

  • Jeremy Allison <jra@samba.org>
  • BUG #15143: New filename parser doesn't check veto files smb.conf parameter.
  • BUG #15144: 4.17.rc1 still uses symlink-race prone unix_convert()
  • BUG #15146: Backport fileserver related changed to 4.17.0rc2
  • Jule Anger <janger@samba.org>
  • Volker Lendecke <vl@samba.org>
  • BUG #15146: Backport fileserver related changed to 4.17.0rc2
  • Stefan Metzmacher <metze@samba.org>
  • BUG #15125: Performance regression on contended path based operations
  • BUG #15146: Backport fileserver related changed to 4.17.0rc2
  • Andreas Schneider <asn@samba.org>
  • BUG #15140: Fix issues found by coverity in smbstatus json code
  • BUG #15146: Backport fileserver related changed to 4.17.0rc2

KNOWN ISSUES

Release_Planning_for_Samba_4.17#Release_blocking_bugs

https://www.samba.org/samba/history/samba-4.17.0.html