Samba 4.2 Features added/changed

From SambaWiki
Revision as of 22:03, 17 September 2019 by Fraz (talk | contribs) (→‎Samba 4.2.0 moved onlyincluce)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Samba 4.2 is Discontinued (End of Life).

Samba 4.2.14

Release Notes for Samba 4.2.14
July 07, 2016

This is a security release in order to address the following defect:

  • CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)


It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags.

This means that the attacker can impersonate a server being connected to by Samba, and return malicious results.

The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking to domain controllers as a member server, and trusted domains as a domain controller. These DCE/RPC connections were intended to protected by the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use DCERPC over SMB2/3 connections.

By default, other tools in Samba are unprotected, but rarely they are configured to use smb signing, via the "client signing" parameter (the default is "if_required"). Even more rarely the "client max protocol" is set to SMB2, rather than the NT1 default.

If both these conditions are met, then this issue would also apply to these other tools, including command line tools like smbcacls, smbcquota, smbclient, smbget and applications using libsmbclient.

Changes since 4.2.13:

  • Amitay Isaacs <>
  • BUG #11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel).
  • BUG #11770: ctdb-common: For AF_PACKET socket types, protocol is in network order.
  • Stefan Metzmacher <>

Samba 4.2.13

Release Notes for Samba 4.2.13
June 17, 2016

This is a security release in order to address the following bug

Although Samba 4.2 is in the security only mode, the Samba Team decided to ship this very last bug fix release to address some important issues.

Changes since 4.2.12:

  • Jeremy Allison <>
  • BUG #10618: s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope.
  • BUG #11959: s3: krb5: keytab - The done label can be jumped to with context == NULL.
  • Volker Lendecke <>
  • Stefan Metzmacher <>
  • BUG #11910: s3:smbd: Fix anonymous authentication if signing is mandatory.
  • BUG #11912: libcli/auth: Let msrpc_parse() return talloc'ed empty strings.
  • BUG #11914: s3:ntlm_auth: Make ntlm_auth_generate_session_info() more complete.
  • BUG #11927: s3:rpcclient: Make use of SMB_SIGNING_IPC_DEFAULT.

Samba 4.2.12

Release Notes for Samba 4.2.12
May 02, 2016

This is the last bugfix release of Samba 4.2.

This is the last bugfix release of Samba 4.2. Please note that there will be security releases only beyond this point!

This release fixes some regressions introduced by the last security fixes. Please see bug for a list of bugs addressing these regressions and more information.

Changes since 4.2.11:

  • Jeremy Allison <>
  • BUG #10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support.
  • BUG #11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
  • BUG #11742: lib: tevent: Fix memory leak when old signal action restored.
  • BUG #11771: lib: tevent: Fix memory leak when old signal action restored.
  • Christian Ambach <>
  • BUG #6482: s3:utils/smbget: Fix recursive download.
  • Andrew Bartlett <>
  • BUG #11780: smbd: Only check dev/inode in open_directory, not the full stat().
  • BUG #11789: build: Mark explicit dependencies on pytalloc-util.
  • Ralph Boehme <>
  • BUG #11714: lib/tsocket: Work around sockets not supporting FIONREAD.
  • Günther Deschner <>
  • BUG #11789: libsmb/pysmb: add pytalloc-util dependency to fix the build.
  • Berend De Schouwer <>
  • BUG #11643: docs: Add example for domain logins to smbspool man page.
  • Nathan Huff <>
  • BUG #11771: Fix ETIME handling for Solaris event ports.
  • Volker Lendecke <>
  • Justin Maggard <>
  • BUG #11773: s3:smbd: Add negprot remote arch detection for OSX.
  • Stefan Metzmacher <>
  • BUG #11742: tevent: version 0.9.28. Fix memory leak when old signal action restored.
  • BUG #11789: s3:wscript: pylibsmb depends on pycredentials.
  • BUG #11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
  • BUG #11847: Only validate MIC if "map to guest" is not being used.
  • BUG #11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego option for testing.
  • BUG #11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
  • BUG #11858: Allow anonymous smb connections.
  • BUG #11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
  • BUG #11872: Fix 'wbinfo -u' and 'net ads search'.
  • Jose A. Rivera <>
  • BUG #11727: s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file.
  • Andreas Schneider <>
  • BUG #11690: docs: Add smbspool_krb5_wrapper manpage.
  • Jorge Schrauwen <>
  • BUG #11816: configure: Don't check for inotify on illumos.
  • Martin Schwenke <>
  • BUG #11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...".
  • Uri Simchoni <>
  • BUG #11852: libads: Record session expiry for spnego sasl binds.
  • Hemanth Thummala <>
  • BUG #11708: loadparm: Fix memory leak issue.
  • BUG #11740: Real memory leak(buildup) issue in loadparm.
  • Jelmer Vernooij <>
  • BUG #11771: tevent: Only set public headers field when installing as a public library.

Samba 4.2.11

Release Notes for Samba 4.2.11
April 12, 2016

This is a security release containing one additional regression fix for the security release 4.2.10.

This fixes a regression that prevents things like 'net ads join' from working against a Windows 2003 domain.

Changes since 4.2.10:

  • Stefan Metzmacher <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016

Samba 4.2.10

Release Notes for Samba 4.2.10
April 12, 2016

This is a security release in order to address the following CVEs:

The number of changes are rather huge for a security release, compared to typical security releases.

Given the number of problems and the fact that they are all related to man in the middle attacks we decided to fix them all at once instead of splitting them.

In order to prevent the man in the middle attacks it was required to change the (default) behavior for some protocols. Please see the "New smb.conf options" and "Behavior changes" sections below.



Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial of service attacks (crashes and high cpu consumption) in the DCE-RPC client and server implementations. In addition, errors in validation of the DCE-RPC packets can lead to a downgrade of a secure connection to an insecure one.

While we think it is unlikely, there's a nonzero chance for a remote code execution attack against the client components, which are used by smbd, winbindd and tools like net, rpcclient and others. This may gain root access to the attacker.

The above applies all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling functions for the generic DCE-RPC layer. It's quite possible that that code has similar problems!

The downgrade of a secure connection to an insecure one may allow an attacker to take control of Active Directory object handles created on a connection created from an Administrator account and re-use them on the now non-privileged connection, compromising the security of the Samba AD-DC.


There are several man in the middle attacks possible with NTLMSSP authentication.

E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL can be cleared by a man in the middle.

This was by protocol design in earlier Windows versions.

Windows Server 2003 RTM and Vista RTM introduced a way to protect against the trivial downgrade.

See MsvAvFlags and flag 0x00000002 in

This new feature also implies support for a mechlistMIC when used within SPNEGO, which may prevent downgrades from other SPNEGO mechs, e.g. Kerberos, if sign or seal is finally negotiated.

The Samba implementation doesn't enforce the existence of required flags, which were requested by the application layer, e.g. LDAP or SMB1 encryption (via the unix extensions). As a result a man in the middle can take over the connection. It is also possible to misguide client and/or server to send unencrypted traffic even if encryption was explicitly requested.

LDAP (with NTLMSSP authentication) is used as a client by various admin tools of the Samba project, e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...

As an active directory member server LDAP is also used by the winbindd service when connecting to domain controllers.

Samba also offers an LDAP server when running as active directory domain controller.

The NTLMSSP authentication used by the SMB1 encryption is protected by smb signing, see CVE-2015-5296.


It's basically the same as CVE-2015-0005 for Windows:

The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, aka "NETLOGON Spoofing Vulnerability".

The vulnerability in Samba is worse as it doesn't require credentials of a computer account in the domain.

This only applies to Samba running as classic primary domain controller, classic backup domain controller or active directory domain controller.

The security patches introduce a new option called "raw NTLMv2 auth" ("yes" or "no") for the [global] section in smb.conf. Samba (the smbd process) will reject client using raw NTLMv2 without using NTLMSSP.

Note that this option also applies to Samba running as standalone server and member server.

You should also consider using "lanman auth = no" (which is already the default) and "ntlm auth = no". Have a look at the smb.conf manpage for further details, as they might impact compatibility with older clients. These also apply for all server roles.


Samba uses various LDAP client libraries, a builtin one and/or the system ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP for LDAP connections, including possible integrity (sign) and privacy (seal) protection.

Samba has support for an option called "client ldap sasl wrapping" since version 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.

Tools using the builtin LDAP client library do not obey the "client ldap sasl wrapping" option. This applies to tools like: "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line options like "--sign" and "--encrypt". With the security update they will also obey the "client ldap sasl wrapping" option as default.

In all cases, even if explicitly request via "client ldap sasl wrapping", "--sign" or "--encrypt", the protection can be downgraded by a man in the middle.

The LDAP server doesn't have an option to enforce strong authentication yet. The security patches will introduce a new option called "ldap server require strong auth", possible values are "no", "allow_sasl_over_tls" and "yes".

As the default behavior was as "no" before, you may have to explicitly change this option until all clients have been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors. Windows clients and Samba member servers already use integrity protection.


Samba has support for TLS/SSL for some protocols: ldap and http, but currently certificates are not validated at all. While we have a "tls cafile" option, the configured certificate is not used to validate the server certificate.

This applies to ldaps:// connections triggered by tools like: "ldbsearch", "ldbedit" and more. Note that it only applies to the ldb tools when they are built as part of Samba or with Samba extensions installed, which means the Samba builtin LDAP client library is used.

It also applies to dcerpc client connections using ncacn_http (with https://), which are only used by the openchange project. Support for ncacn_http was introduced in version 4.2.0.

The security patches will introduce a new option called "tls verify peer". Possible values are "no_check", "ca_only", "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".

If you use the self-signed certificates which are auto-generated by Samba, you won't have a crl file and need to explicitly set "tls verify peer = ca_and_name".


Due to a regression introduced in Samba 4.0.0, an explicit "server signing = mandatory" in the [global] section of the smb.conf was not enforced for clients using the SMB1 protocol.

As a result it does not enforce smb signing and allows man in the middle attacks.

This problem applies to all possible server roles: standalone server, member server, classic primary domain controller, classic backup domain controller and active directory domain controller.

In addition, when Samba is configured with "server role = active directory domain controller" the effective default for the "server signing" option should be "mandatory".

During the early development of Samba 4 we had a new experimental file server located under source4/smb_server. But before the final 4.0.0 release we switched back to the file server under source3/smbd.

But the logic for the correct default of "server signing" was not ported correctly ported.

Note that the default for server roles other than active directory domain controller, is "off" because of performance reasons.


Samba has an option called "client signing", this is turned off by default for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

In order to get integrity protection for ipc related communication by default the "client ipc signing" option is introduced. The effective default for this new option is "mandatory".

In order to be compatible with more SMB server implementations, the following additional options are introduced:

  • "client ipc min protocol" ("NT1" by default) and
  • "client ipc max protocol" (the highest support SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol" options, because the default for "client max protocol" is still "NT1". The reason for this is the fact that all SMB2/3 support SMB signing, while there are still SMB1 implementations which don't offer SMB signing by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing against active directory domain controllers despite of the "client signing" and "client ipc signing" options.

CVE-2016-2118 (a.k.a. BADLOCK):

The Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD] are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.

These protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the Security Account Manager Database. This applies to all roles, e.g. standalone, domain member, domain controller.

Any authenticated DCERPC connection a client initiates against a server can be used by a man in the middle to impersonate the authenticated user against the SAMR or LSAD service on the server.

The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP) and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter in this case. A man in the middle can change auth level to CONNECT (which means authentication without message protection) and take over the connection.

As a result, a man in the middle is able to get read/write access to the Security Account Manager Database, which reveals all password sand any other potential sensitive information.

Samba running as an active directory domain controller is additionally missing checks to enforce PKT_PRIVACY for the Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi) and the BackupKey Remote Protocol [MS-BKRP] (backupkey). The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver) is not enforcing at least PKT_INTEGRITY.

New smb.conf options

allow dcerpc auth level connect (G)

This option controls whether DCERPC services are allowed to be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per message integrity nor privacy protection.

Some interfaces like samr, lsarpc and netlogon have a hard-coded default of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.

The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.

This option yields precedence to the implementation specific restrictions. E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.

   Default: allow dcerpc auth level connect = no
   Example: allow dcerpc auth level connect = yes

client ipc signing (G)

This controls whether the client is allowed or required to use SMB signing for IPC$ connections as DCERPC transport. Possible values are auto, mandatory and disabled.

When set to mandatory or default, SMB signing is required. When set to auto, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either.

Connections from winbindd to Active Directory Domain Controllers always enforce signing.

   Default: client ipc signing = default

client ipc max protocol (G)

The value of the parameter (a string) is the highest protocol level that will be supported for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the latest supported protocol, currently SMB3_11.

See client max protocol for a full list of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

   Default: client ipc max protocol = default
   Example: client ipc max protocol = SMB2_10

client ipc min protocol (G)

This setting controls the minimum protocol version that the will be attempted to use for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the higher value of NT1 and the effective value of "client min protocol".

See client max protocol for a full list of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

   Default: client ipc min protocol = default
   Example: client ipc min protocol = SMB3_11

ldap server require strong auth (G)

The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.

A value of no allows simple and sasl binds over all transports.

A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.

A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.

   Default: ldap server require strong auth = yes

raw NTLMv2 auth (G)

This parameter determines whether or not smbd(8) will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication.

If this option, lanman auth and ntlm auth are all disabled, then only clients with SPNEGO support will be permitted. That means NTLMv2 is only supported within NTLMSSP.

   Default: raw NTLMv2 auth = no

tls verify peer (G)

This controls if and how strict the client will verify the peer's certificate and name. Possible values are (in increasing order): no_check, ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.

When set to no_check the certificate is not verified at all, which allows trivial man in the middle attacks.

When set to ca_only the certificate is verified to be signed from a ca specified in the "tls ca file" option. Setting "tls ca file" to a valid file is required. The certificate lifetime is also verified. If the "tls crl file" option is configured, the certificate is also verified against the ca crl.

When set to ca_and_name_if_available all checks from ca_only are performed. In addition, the peer hostname is verified against the certificate's name, if it is provided by the application layer and not given as an ip address string.

When set to ca_and_name all checks from ca_and_name_if_available are performed. In addition the peer hostname needs to be provided and even an ip address is checked against the certificate's name.

When set to as_strict_as_possible all checks from ca_and_name are performed. In addition the "tls crl file" needs to be configured. Future versions of Samba may implement additional checks.

   Default: tls verify peer = as_strict_as_possible

tls priority (G) (backported from Samba 4.3 to Samba 4.2)

This option can be set to a string describing the TLS protocols to be supported in the parts of Samba that use GnuTLS, specifically the AD DC.

The default turns off SSLv3, as this protocol is no longer considered secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use in HTTPS applications.

The valid options are described in the GNUTLS Priority-Strings documentation at

   Default: tls priority = NORMAL:-VERS-SSL3.0

Behavior changes

  • The default auth level for authenticated binds has changed from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY. That means ncacn_ip_tcp:server is now implicitly the same as ncacn_ip_tcp:server[sign] and offers a similar protection as ncacn_np:server, which relies on smb signing.
  • The following constraints are applied to SMB1 connections:
    • "client lanman auth = yes" is now consistently required for authenticated connections using the SMB1 LANMAN2 dialect.
    • "client ntlmv2 auth = yes" and "client use spnego = yes" (both the default values), require extended security (SPNEGO) support from the server. That means NTLMv2 is only used within NTLMSSP.
  • Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the default of "client ldap sasl wrapping = sign". Even with "client ldap sasl wrapping = plain" they will automatically upgrade to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP server.

Changes since 4.2.9:

  • Jeremy Allison <>
  • Christian Ambach <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.
  • Andrew Bartlett <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.
  • Ralph Boehme <>
  • Günther Deschner <>
  • Björn Jacke <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.

o Volker Lendecke <>

  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.

o Kamen Mazdrashki <>

  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.

o Stefan Metzmacher <>

  • Richard Sharpe <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.
  • Andreas Schneider <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.
  • Jelmer Vernooij <>
  • BUG #11804 - prerequisite backports for the security release on April 12th, 2016.

Samba 4.2.9

Release Notes for Samba 4.2.9 March 8, 2016

This is a security release in order to address the following CVEs:


All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.
An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.
All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and choose to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records.
A malicious client can upload a specially constructed DNS TXT record, resulting in a remote denial-of-service attack. As long as the affected TXT record remains undisturbed in the Samba database, a targeted DNS query may continue to trigger this exploit.
While unlikely, the out-of-bounds read may bypass safety checks and allow leakage of memory from the server in the form of a DNS TXT reply.
By default only authenticated accounts can upload DNS records, as "allow dns updates = secure only" is the default. Any other value would allow anonymous clients to trigger this bug, which is a much higher risk.

Changes since 4.2.8:

  • Jeremy Allison <>
  • Garming Sam <>
  • Stefan Metzmacher <>

Samba 4.2.8

Release Notes for Samba 4.2.8
February 2, 2016

This is the latest stable release of Samba 4.2.

Changes since 4.2.7:

  • Michael Adam <>
  • BUG #11647: s3:smbd: Fix a corner case of the symlink verification.
  • Jeremy Allison <>
  • BUG #11624: s3: libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections.
  • BUG #11625: Reduce the memory footprint of empty string options.
  • Christian Ambach <>
  • BUG #11400: s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks.
  • Ralph Boehme <>
  • BUG #11065: vfs_fruit: Fix renaming directories with open files.
  • BUG #11347: Fix MacOS finder error 36 when copying folder to Samba.
  • BUG #11466: Fix copying files with vfs_fruit when using vfs_streams_xattr without stream prefix and type suffix.
  • BUG #11645: smbd: make "hide dot files" option work with "store dos attributes = yes".
  • BUG #11684: s3:smbd: Ignore initial allocation size for directory creation.
  • Günther Deschner <>
  • BUG #11639: lib/async_req: Do not install async_connect_send_test.
  • Karolin Seeger <>
  • Uri Simchoni <>

Samba 4.2.7

Release Notes for Samba 4.2.7
December 16, 2015

This is a security release in order to address the following CVEs:

  • CVE-2015-3223 (Denial of service in Samba Active Directory server)
  • CVE-2015-5252 (Insufficient symlink verification in smbd)
  • CVE-2015-5299 (Missing access control check in shadow copy code)
  • CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack)
  • CVE-2015-8467 (Denial of service attack against Windows Active Directory server)
  • CVE-2015-5330 (Remote memory read in Samba LDAP server)

Please note that if building against a system libldb, the required version has been bumped to ldb-1.1.24. This is needed to ensure we build against a system ldb library that contains the fixes for CVE-2015-5330 and CVE-2015-3223.


All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests.
This flaw is not exploitable beyond causing the code to loop expending CPU resources.
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is set to "no" (the default).
All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the current snapshots.
This was not being checked in the affected versions of Samba.
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server.
Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection.
Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the protection against the MS15-096 / CVE-2015-2535 security issue in Windows.
Prior to MS16-096 it was possible to bypass the quota of machine accounts a non-administrative user could create. Pure Samba domains are not impacted, as Samba does not implement the SeMachineAccountPrivilege functionality to allow non-administrator users to create new computer objects.
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a remote memory read attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value.
This memory may contain data that the client should not be allowed to see, allowing compromise of the server.
The memory may either be returned to the client in an error string, or stored in the database by a suitabily privileged user. If untrusted users can create objects in your database, please confirm that all DN and name attributes are reasonable.

Changes since 4.2.6:

  • Andrew Bartlett <>
  • Jeremy Allison <>
  • Douglas Bagnall <>
  • Stefan Metzmacher <>

Samba 4.2.6

Release Notes for Samba 4.2.6
December 08, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.5:

  • Michael Adam <>
  • BUG #11365: ctdb: Strip trailing spaces from nodes file.
  • BUG #11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
  • BUG #11619: doc: Fix a typo in the smb.conf manpage.
  • Jeremy Allison <>
  • BUG #11452: s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero.
  • BUG #11565: auth: gensec: Fix a memory leak.
  • BUG #11566: lib: util: Make non-critical message a warning.
  • BUG #11589: s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them.
  • BUG #11615: s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle.
  • Ralph Boehme <>
  • BUG #11564: async_req: Fix non-blocking connect().
  • Volker Lendecke <>
  • YvanM <>
  • Marc Muehlfeld <>
  • BUG #9912: Changing log level of two entries to from 1 to 3.
  • Andreas Schneider <>
  • BUG #11346: wafsamba: Also build libraries with RELRO protection.
  • BUG #11563: nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized.
  • Karolin Seeger <>
  • BUG #11619: docs: Fix some typos in the idmap config section of man 5 smb.conf.
  • Noel Power <>
  • BUG #11569: Fix winbindd crashes with samlogon for trusted domain user.
  • BUG #11597: Backport some valgrind fixes from upstream master.

Samba 4.2.5

Release Notes for Samba 4.2.5
October 27, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.4:

  • Jeremy Allison <>
  • BUG #10252: s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows.
  • BUG #10634: smbd: Fix file name buflen and padding in notify repsonse.
  • BUG #11486: s3: smbd: Fix mkdir race condition.
  • BUG #11522: s3: smbd: Fix opening/creating :stream files on the root share directory.
  • BUG #11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).
  • BUG #11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.
  • Ralph Boehme <>
  • BUG #11535: s3: smbd: Fix a crash in unix_convert().
  • BUG #11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
  • BUG #11549: Fix bug in smbstatus where the lease info is not printed.
  • BUG #11550: s3:smbstatus: Add stream name to share_entry_forall().
  • BUG #11555: s3:lib: validate domain name in lookup_wellknown_name().
  • Günther Deschner <>
  • BUG #11038: kerberos: Make sure we only use prompter type when available.
  • Björn Jacke <>
  • BUG #10365: nss_winbind: Fix hang on Solaris on big groups.
  • BUG #11355: build: Use as-needed linker flag also on OpenBSD.
  • Volker Lendecke <>
  • Stefan Metzmacher <>
  • BUG #11316: s3:ctdbd_conn: Make sure we destroy tevent_fd before closing the socket.
  • BUG #11327: dcerpc.idl: accept invalid dcerpc_bind_nak pdus.
  • Har Gagan Sahai <>
  • BUG #11509: s3: dfs: Fix a crash when the dfs targets are disabled.
  • Andreas Schneider <>
  • BUG #11502: pam_winbind: Fix a segfault if initialization fails.
  • Uri Simchoni <>
  • BUG #11528: net: Fix a crash with 'net ads keytab create'.
  • BUG #11547: vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT.

Samba 4.2.4

Release Notes for Samba 4.2.4
September 8, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.3:

  • Michael Adam <>
  • BUG #11372: smbd: Fix SMB3 functionality of "smb encrypt".
  • Jeremy Allison <>
  • BUG #11359: lib: replace: Add strsep function (missing on Solaris).
  • Ralph Boehme <>
  • BUG #11278: Fix stream names with colon with "fruit:encoding = native".
  • BUG #11317: vfs:fruit: Implement copyfile style copy_chunk.
  • BUG #11426: s3-net: Use talloc array in share allowedusers.
  • BUG #11467: vfs_fruit: Handling of empty resource fork.
  • Alexander Bokovoy <>
  • BUG #11265: auth/credentials: If credentials have principal set, they are not anonymous anymore.
  • Günther Deschner <>
  • BUG #11373: s3-smbd: Reset protocol in smbXsrv_connection_init_tables failure paths.
  • Amitay Isaacs <>
  • BUG #11398: ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM.
  • BUG #11431: ctdb-daemon: Improve error handling for running event scripts.
  • Volker Lendecke <>
  • BUG #11316: lib: Fix rundown of open_socket_out().
  • BUG #11488: Avoid quoting problems in user's DNs.
  • Justin Maggard <>
  • BUG #11320: s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
  • Roel van Meer <>
  • BUG #11427: s3-util: Compare the maximum allowed length of a NetBIOS name.
  • Stefan Metzmacher <>
  • BUG #11316: s3:lib: Fix some corner cases of open_socket_out_cleanup().
  • BUG #11454: Backport dcesrv_netr_DsRGetDCNameEx2 fixes.
  • Anubhav Rakshit <>
  • BUG #11361: s3:libsmb: Fix a bug in conversion of ea list to ea array.
  • Arvid Requate <>
  • BUG #11291: s4:rpc_server/netlogon: Fix for NetApp.
  • Andreas Schneider <>
  • BUG #9862: s3-auth: Fix "map to guest = Bad uid".
  • BUG #11403: s3-smbd: Leave sys_disk_free() if dfree command is used.
  • BUG #11404: s3-auth: Fix a possible null pointer dereference.
  • Martin Schwenke <>
  • BUG #11399: ctdb-scripts: Support monitoring of interestingly named VLANs on bonds.
  • BUG #11432: ctdb-daemon: Check if updates are in flight when releasing all IPs.
  • BUG #11435: ctdb-build: Fix building of PCP PMDA module.
  • Wei Zhong <>
  • BUG #10823: s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable.

Samba 4.2.3

Release Notes for Samba 4.2.3
July 14, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.2:

  • Michael Adam <>
  • BUG #11366: docs: Overhaul the description of "smb encrypt" to include SMB encryption.

o Jeremy Allison <>

  • BUG #11068: s3: lib: util: Ensure we read a hex number as %x, not %u.
  • BUG #11295: Excessive cli_resolve_path() usage can slow down transmission.
  • BUG #11328: winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
  • BUG #11339: s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
  • BUG #11342: s3: smbd: Codenomicon crash in do_smb_load_module().
  • Christian Ambach <>
  • BUG #11170: s3:param/loadparm: Fix 'testparm --show-all-parameters'.
  • Andrew Bartlett <>
  • BUG #10991BUG 10991: winbindd: Sync secrets.ldb into secrets.tdb on startup.
  • Ralph Boehme <>
  • BUG #11277BUG 11277: s3:smb2: Add padding to last command in compound requests.
  • BUG #11305BUG 11305: vfs_fruit: Add option "veto_appledouble".
  • BUG #11323BUG 11323: smbd/trans2: Add a useful diagnostic for files with bad encoding.
  • BUG #11363BUG 11363: vfs_fruit: Check offset and length for AFP_AfpInfo read requests.
  • BUG #11371BUG 11371: ncacn_http: Fix GNUism.
  • Günther Deschner <>
  • BUG #11245BUG 11245: s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces.
  • Alexander Drozdov <>
  • BUG #11331BUG 11331: tdb: version 1.3.5: ABI change: tdb_chainlock_read_nonblock() has been added.
  • Evangelos Foutras <>
  • BUG #8780BUG 8780: s4:lib/tls: Fix build with gnutls 3.4.
  • David Holder <>
  • BUG #11281BUG 11281: Add IPv6 support to ADS client side LDAP connects.
  • BUG #11282BUG 11282: Add IPv6 support for determining FQDN during ADS join.
  • BUG #11283BUG 11283: s3: IPv6 enabled DNS connections for ADS client.
  • Steve Howells <>
  • BUG #10924BUG 10924: s4.2/ Fixed fsmo transfer exception.
  • Amitay Isaacs <>
  • BUG #11293: Fix invalid write in ctdb_lock_context_destructor.
  • Volker Lendecke <>
  • BUG #11218: smbd: Fix a use-after-free.
  • BUG #11312: tstream: Make socketpair nonblocking.
  • BUG #11330: tevent: Fix CID 1035381 Unchecked return value.
  • BUG #11331: tdb: Fix CID 1034842 and 1034841 Resource leaks.
  • Stefan Metzmacher <>
  • BUG #11061: Logon via MS Remote Desktop hangs.
  • BUG #11141: tevent: Add a note to tevent_add_fd().
  • BUG #11293: Fix invalid write in ctdb_lock_context_destructor.
  • BUG #11316: tevent_fd needs to be destroyed before closing the fd.
  • BUG #11319: Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared".
  • BUG #11326: Robust mutex support broken in 1.3.5.
  • BUG #11329: s3:smb2_setinfo: Fix memory leak in the defer_rename case.
  • BUG #11330: Backport tevent-0.9.25.
  • BUG #11331: Backport tdb-1.3.6.
  • BUG #11367: s3:auth_domain: Fix talloc problem in connect_to_domain_password_server().
  • Marc Muehlfeld <>
  • BUG #11315: Group creation: Add msSFU30Name only when --nis-domain was given.
  • Matthieu Patou <>
  • BUG #11356: pidl: Make the compilation of PIDL producing the same results if the content hasn't change.
  • Noel Power <>
  • BUG #11328: Kerberos auth info3 should contain resource group ids available from pac_logon.
  • Gordon Ross <>
  • BUG #11330: lib: tevent: Fix compile error in Solaris ports backend.
  • Christof Schmitt <>
  • BUG #11313: idmap_rfc2307: Fix wbinfo '--gid-to-sid' query.
  • BUG #11324: Change sharesec output back to previous format.
  • Uri Simchoni <>
  • BUG #11358: winbindd: Disconnect child process if request is cancelled at main process.
  • Petr Viktorin <>
  • Youzhong Yang <>
  • BUG #11217: s3-unix_msg: Remove socket file after closing socket fd.

Samba 4.2.2

Release Notes for Samba 4.2.2
May 27, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.1:

  • Michael Adam <>
  • BUG #11182: s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff().
  • BUG #11260: gencache: don't fail gencache_stabilize if there were records to delete.
  • Jeremy Allison <>
  • BUG #11186: s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.
  • BUG #11236: s4: rpc: Refactor dcesrv_alter() function into setup and send steps.
  • BUG #11240: s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create".
  • BUG #11249: Mangled names do not work with acl_xattr.
  • BUG #11254: nmbd rewrites browse.dat when not required.
  • Ralph Boehme <>
  • BUG #11213: vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff.
  • BUG #11224: s3:smbd: Add missing tevent_req_nterror.
  • BUG #11243: vfs: kernel_flock and named streams.
  • BUG #11244: vfs_gpfs: Error code path doesn't call END_PROFILE.
  • Alexander Bokovoy <>
  • BUG #11284: s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used.
  • David Disseldorp <>
  • BUG #11201: ctdb: check for talloc_asprintf() failure.:w
  • BUG #11210: spoolss: purge the printer name cache on name change.
  • Amitay Isaacs <>
  • Björn Jacke <>
  • BUG #11221: vfs_fruit: also map characters below 0x20.
  • Rajesh Joseph <>
  • Julien Kerihuel <>
  • BUG #11225: Multiplexed RPC connections are not handled by DCERPC server.
  • BUG #11226: Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors.
  • Led <>
  • BUG #11007: ctdb-scripts: Fix bashism in ctdbd_wrapper script.
  • Volker Lendecke <>
  • BUG #11201: ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553.
  • BUG #11257: SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted.
  • Stefan Metzmacher <>
  • BUG #11141: s3:winbindd: make sure we remove pending io requests before closing client sockets.
  • BUG #11182: Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd.
  • Christof Schmitt <>
  • BUG #11237: 'sharesec' output no longer matches input format.
  • Andreas Schneider <>
  • Martin Schwenke <>
  • Richard Sharpe <>
  • BUG #11234: 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values.
  • Uri Simchoni <>
  • BUG #11267: libads: record service ticket endtime for sealed ldap connections.
  • Lukas Slebodnik <>
  • BUG #11033: lib/util: Include DEBUG macro in internal header files before samba_util.h.

Samba 4.2.1

Release Notes for Samba 4.2.1
April 15, 2015

This is the latest stable release of Samba 4.2.

Changes since 4.2.0:

  • Michael Adam <>
  • BUG #8905: s3:winbind:grent: Don't stop group enumeration when a group has no gid.
  • BUG #10476: build:wafadmin: Fix use of spaces instead of tabs.
  • BUG #11143: s3-winbind: Fix cached user group lookup of trusted domains.
  • Jeremy Allison <>
  • BUG #10016: s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields.
  • BUG #10888: s3: client: "client use spnego principal = yes" code checks wrong name.
  • BUG #11079: s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use.
  • BUG #11173: s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case.
  • BUG #11175: Fix lots of winbindd zombie processes on Solaris platform.
  • BUG #11177: s3: libsmbclient: Add missing talloc stackframe.
  • Andrew Bartlett <>
  • BUG #11135: backupkey: Explicitly link to gnutls and gcrypt.
  • BUG #11174: backupkey: Use ndr_pull_struct_blob_all().
  • Ralph Boehme <>
  • BUG #11125: vfs_fruit: Enhance handling of malformed AppleDouble files.
  • Samuel Cabrero <>
  • BUG #9791: Initialize dwFlags field of DNS_RPC_NODE structure.
  • David Disseldorp <>
  • BUG #11169: docs/idmap_rid: Remove deprecated base_rid from example.
  • Volker Lendecke <>
  • Stefan Metzmacher <>
  • BUG #11144: talloc: Version 2.1.2.
  • BUG #11164: s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors.
  • Matthew Newton <>
  • Andreas Schneider <>
  • BUG #11018: spoolss: Retrieve published printer GUID if not in registry.
  • BUG #11135: replace: Remove superfluous check for gcrypt header.
  • BUG #11180: s4-process_model: Do not close random fds while forking.
  • BUG #11185: s3-passdb: Fix 'force user' with winbind default domain.
  • Christof Schmitt <>
  • BUG #11153: brlock: Use 0 instead of empty initializer list.
  • Thomas Schulz <>
  • BUG #11092: lib: texpect: Fix the build on Solaris.
  • BUG #11140: libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation.
  • Jelmer Vernooij <>

Samba 4.2.0

Release Notes for Samba 4.2.0
March 4, 2015

This is is the first stable release of Samba 4.2.

Samba 4.2 will be the next version of the Samba suite.


With the final release of Samba 4.2, the last series of Samba 3 has been discontinued! People still running 3.6.x or earlier, should consider moving to a more recent and maintained version (4.0 - 4.2). One of the common misconceptions is that Samba 4.x automatically means "Active Directory only": This is wrong!

Acting as an Active Directory Domain Controller is just one of the enhancements included in Samba 4.0 and later. Version 4.0 was just the next release after the 3.6 series and contains all the features of the previous ones - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x, just as you've updated in the past (e.g. from 3.4.x to 3.5.x). You don't have to move your NT4-style domain to an Active Directory!

And of course the possibility remains unchanged, to setup a new NT4-style PDC with Samba 4.x, like done in the past (e.g. with openLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.

The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.


Read the "Winbindd/Netlogon improvements" section (below) carefully!


Transparent File Compression

Samba 4.2.0 adds support for the manipulation of file and folder compression flags on the Btrfs filesystem. With the Btrfs Samba VFS module enabled, SMB2+ compression flags can be set remotely from the Windows Explorer File->Properties->Advanced dialog. Files flagged for compression are transparently compressed and uncompressed when accessed or modified.

Previous File Versions with Snapper

The newly added Snapper VFS module exposes snapshots managed by Snapper for use by Samba. This provides the ability for remote clients to access shadow-copies via Windows Explorer using the "previous versions" dialog.

Winbindd/Netlogon improvements

The whole concept of maintaining the netlogon secure channel to (other) domain controllers was rewritten in order to maintain global state in a netlogon_creds_cli.tdb. This is the proper fix for a large number of bugs:

In addition a strong session key is now required by default, which means that communication to older servers or clients might be rejected by default.

  • For the client side we have the following new options:
"require strong key" (yes by default), "reject md5 servers" (no by default). E.g. for Samba 3.0.37 you need "require strong key = no" and

for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",

  • On the server side (as domain controller) we have the following new options:
"allow nt4 crypto" (no by default), "reject md5 client" (no by default). E.g. in order to allow Samba < 3.0.27 or NT4 members to work you need "allow nt4 crypto = yes"
  • winbindd does not list group memberships for display purposes (e.g. getent group <domain\<group>) anymore by default.
The new default is "winbind expand groups = 0" now, the reason for this is the same as for "winbind enum users = no" and "winbind enum groups = no". Providing this information is not always reliably possible, e.g. if there are trusted domains.

Please consult the smb.conf manpage for more details on these new options.

Winbindd use on the Samba AD DC

Winbindd is now used on the Samba AD DC by default, replacing the partial rewrite used for winbind operations in Samba 4.0 and 4.1.

This allows more code to be shared, more options to be honoured, and paves the way for support for trusted domains in the AD DC.

If required the old internal winbind can be activated by setting 'server services = +winbind -winbindd'. Upgrading users with a server services parameter specified should ensure they change 'winbind' to 'winbindd' to obtain the new functionality.

The 'samba' binary still manages the starting of this service, there is no need to start the winbindd binary manually.

Winbind now requires secured connections

To improve protection against rogue domain controllers we now require that when we connect to an AD DC in our forest, that the connection be signed using SMB Signing. Set 'client signing = off' in the smb.conf to disable.

Also and DCE/RPC pipes must be sealed, set 'require strong key = false' and 'winbind sealed pipes = false' to disable.

Finally, the default for 'client ldap sasl wrapping' has been set to 'sign', to ensure the integrity of LDAP connections. Set 'client ldap sasl wrapping = plain' to disable.

Larger IO sizes for SMB2/3 by default

The default values for "smb2 max read", "smb2 max write" and "smb2 max trans" have been changed to 8388608 (8MiB) in order to match the default of Windows 2012R2.

SMB2 leases

The SMB2 protocol allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 and SMB2 oplocks.

Called SMB2 leases, this can greatly reduce traffic on an SMB2 connection. Samba 4.2 now implements SMB2 leases.

It can be turned on by setting the parameter "smb2 leases = yes" in the [global] section of your smb.conf. This parameter is set to off by default until the SMB2 leasing code is declared fully stable.

Improved DCERPC man in the middle detection

The DCERPC header signing has been implemented in addition to the dcerpc_sec_verification_trailer protection.

Overhauled "net idmap" command

The command line interface of the "net idmap" command has been made systematic, and subcommands for reading and writing the autorid idmap database have been added. Note that the writing commands should be used with great care. See the net(8) manual page for details.

tdb improvements

The tdb library, our core mechanism to store Samba-specific data on disk and share it between processes, has been improved to support process shared robust mutexes on Linux. These mutexes are available on Linux and Solaris and significantly reduce the overhead involved with tdb. To enable mutexes for tdb, set

dbwrap_tdb_mutexes:* = yes

in the [global] section of your smb.conf.

Tdb file space management has also been made more efficient. This will lead to smaller and less fragmented databases.

Messaging improvements

Our internal messaging subsystem, used for example for things like oplock break messages between smbds or setting a process debug level dynamically, has been rewritten to use unix domain datagram messages.

Clustering support

Samba's file server clustering component CTDB is now integrated in the Samba tree. This avoids the confusion of compatibility of Samba and CTDB versions as existed previously.

To build the Samba file server with cluster support, use the configure command line option --with-cluster-support. This will build clustered file server against the in-tree ctdb. Building clustered samba with previous versions of CTDB is no longer supported.

Samba Registry Editor

The utitlity to browse the samba registry has been overhauled by our Google Summer of Code student Chris Davis. Now samba-regedit has a Midnight-Commander-like theme and UI experience. You can browse keys and edit the diffent value types. For a data value type a hexeditor has been implemented.

Bad Password Lockout in the AD DC

Samba's AD DC now implements bad password lockout (on a per-DC basis).

That is, incorrect password attempts are tracked, and accounts locked out if too many bad passwords are submitted. There is also a grace period of 60 minutes on the previous password when used for NTLM authentication (matching Windows 2003 SP1:

The relevant settings can be seen using 'samba-tool domain passwordsettings show' (the new settings being highlighted):

Password informations for domain 'DC=samba,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

These values can be set using 'samba-tool domain passwordsettings set'.

Correct defaults in the smb.conf manpages

The default values for smb.conf parameters are now correctly specified in the smb.conf manpage, even when they refer to build-time specified paths. Provided Samba is built on a system with the right tools (xsltproc in particular) required to generate our man pages, then these will be built with the exact same embedded paths as used by the configuration parser at runtime. Additionally, the default values read from the smb.conf manpage are checked by our test suite to match the values seen in testparm and used by the running binaries.

Consistent behaviour between samba-tool testparm and testparm

With the exception of the registry backend, which remains only available in the file server, the behaviour of the smb.conf parser and the tools 'samba-tool testparm' and 'testparm' is now consistent, particularly with regard to default values. Except with regard to registry shares, it is no longer needed to use one tool on the AD DC, and another on the file server.

VFS WORM module

A VFS module for basic WORM (Write once read many) support has been added. It allows an additional layer on top of a Samba share, that provides a basic set of WORM functionality on the client side, to control the writeability of files and folders.

As the module is simply an additional layer, share access and permissions work like expected - only WORM functionality is added on top. Removing the module from the share configuration, removes this layer again. The filesystem ACLs are not affected in any way from the module and treated as usual.

The module does not provide complete WORM functions, like some archiving products do! It is not audit-proof, because the WORM function is only available on the client side, when accessing a share through SMB! If the same folder is shared by other services like NFS, the access only depents on the underlaying filesystem ACLs. Equally if you access the content directly on the server.

For additional information, see

vfs_fruit, a VFS module for OS X clients

A new VFS module that provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.

The module features enhanced performance with reliable named streams support, interoperability with special characters commonly used by OS X client (eg '*', '/'), integrated file locking and Mac metadata access with Netatalk 3 and enhanced performance by implementing Apple's SMB2 extension codenamed "AAPL".

The modules behaviour is fully configurable, please refer to the manpage vfs_fruit for further details.

smbclient archival improvements

Archive creation and extraction support in smbclient has been rewritten to use libarchive. This fixes a number of outstanding bugs in Samba's previous custom tar implementation and also adds support for the extraction of zipped archives.

smbclient archive support can be enabled or disabled at build time with corresponding --with[out]-libarchive configure parameters.


smb.conf changes

  Parameter Name			Description	Default
  allow nt4 crypto                     New             no
  neutralize nt4 emulation             New             no
  reject md5 client                    New             no
  reject md5 servers                   New             no
  require strong key                   New             yes
  smb2 max read                        Changed default 8388608
  smb2 max write                       Changed default 8388608
  smb2 max trans                       Changed default 8388608
  winbind expand groups                Changed default 0


  • Michael Adam <obnox at>
  • BUG #11117: doc:man:vfs_glusterfs: improve the configuration section.
  • Jeremy Allison <jra at>
  • BUG #11118: tevent: Ignore unexpected signal events in the same way the epoll backend does.
  • Andrew Bartlett <abartlet at>
  • BUG #11100: debug: Set close-on-exec for the main log file FD.
  • BUG #11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain.
  • Ira Cooper <ira at>
  • BUG #1115: smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT.
  • Günther Deschner <gd at>
  • David Disseldorp <ddiss at>
  • Amitay Isaacs <amitay at>
  • BUG #11124: ctdb-io: Do not use sys_write to write to client sockets.
  • Volker Lendecke <vl at>
  • Garming Sam <garming at>
  • BUG #11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain.
  • Andreas Schneider <asn at>
  • BUG #11127: doc-xml: Add 'sharesec' reference to 'access based share enum'.


  • Michael Adam <>
  • BUG #11032: Enable mutexes in gencache_notrans.tdb.
  • BUG #11058: cli_connect_nb_send: Don't segfault on host == NULL.
  • Jeremy Allison <>
  • BUG #10849: s3: lib, s3: modules: Fix compilation on Solaris.
  • BUG #11044: Fix authentication using Kerberos (not AD).
  • BUG #11077: CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
  • BUG #11094: s3: smbclient: Allinfo leaves the file handle open.
  • BUG #11102: s3: smbd: leases - losen paranoia check. Stat opens can grant leases.
  • BUG #11104: s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting.
  • Ira Cooper <>
  • BUG #11069: vfs_glusterfs: Add comments to the pipe(2) code.
  • Günther Deschner <>
  • BUG #11070: s3-vfs: Fix developer build of vfs_ceph module.
  • David Disseldorp <>
  • BUG #10808: printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD.
  • BUG #11055: vfs_snapper: Correctly handles multi-byte DBus strings.
  • BUG #11059: libsmb: Provide authinfo domain for encrypted session referrals.
  • Poornima G <>
  • Volker Lendecke <>
  • BUG #11032: Enable mutexes in gencache_notrans.tdb.
  • Stefan Metzmacher <>
  • BUG #9299: nsswitch: Fix soname of linux nss_*.so.2 modules.
  • BUG #9702: s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535".
  • BUG #9810: Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z".
  • BUG #10112: Use -R linker flag on Solaris, not -rpath.
  • Marc Muehlfeld <>
  • BUG #10909: samba-tool: Create NIS enabled users and unixHomeDirectory attribute.
  • Garming Sam <>
  • BUG #11022: Make Sharepoint search show user documents.
  • Christof Schmitt <>
  • BUG #11032: Enable mutexes in gencache_notrans.tdb.
  • Andreas Schneider <>
  • BUG #11058: utils: Fix 'net time' segfault.
  • BUG #11066: s3-pam_smbpass: Fix memory leak in pam_sm_authenticate().
  • BUG #11077: CVE-2015-0240: s3-netlogon: Make sure we do not deference a NULL pointer.
  • Raghavendra Talur <>
  • BUG #11069B: vfs/glusterfs: Change xattr key to match gluster key.


  • Andrew Bartlett <>
  • BUG #10892: CVE-2014-8143: dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl.
  • Günther Deschner <>
  • David Disseldorp <>
  • BUG #10984: Fix spoolss IDL response marshalling when returning error without clearing info.
  • Amitay Isaacs <>
  • BUG #11000: ctdb-daemon: Use correct tdb flags when enabling robust mutex support.
  • Volker Lendecke <>
  • Stefan Metzmacher <>
  • Christof Schmitt <>
  • BUG #11034: winbind: Retry after SESSION_EXPIRED error in ping-dc.
  • Andreas Schneider <>
  • BUG #11008: s3-util: Fix authentication with long hostnames.
  • BUG #11026: nss_wrapper: check for nss.h.
  • BUG #11033: lib/util: Avoid collision which alread defined consumer DEBUG macro.
  • BUG #11037: s3-libads: Fix a possible segfault in kerberos_fetch_pac().


  • Michael Adam <>
BUG #10892: Integrate CTDB into top-level Samba build.
  • Jeremy Allison <>
BUG #10851: lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library.
BUG #10896: s3-nmbd: Fix netbios name truncation.
BUG #10904: Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path.
BUG #10911: Add support for SMB2 leases.
BUG #10920: s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
BUG #10966: libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does.
BUG #10982: s3: smbd: Fix *allocate* calls to follow POSIX error return convention.
  • Christian Ambach <>
BUG #9629: Make 'profiles' work again.
  • Björn Baumbach <>
BUG #11014: ctdb-build: Fix build without xsltproc.
  • Ralph Boehme <>
BUG #10834: Don't build vfs_snapper on FreeBSD.
BUG #10971: vfs_streams_xattr: Check stream type.
BUG #10983: vfs_fruit: Add support for AAPL.
BUG #11005: vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT.
  • Günther Deschner <>
BUG #9056: pam_winbind: fix warn_pwd_expire implementation.
BUG #10942: Cleanup add_string_to_array and usage.
  • David Disseldorp <>
BUG #10898: spoolss: Fix handling of bad EnumJobs levels.
BUG #10905: Fix print job enumeration.
  • Amitay Isaacs <>
BUG #10620: s4-dns: Add support for BIND 9.10.
BUG #10892: Integrate CTDB into top-level Samba build.
BUG #10996: Fix IPv6 support in CTDB.
BUG #11014: packaging: Include CTDB man pages in the tarball.
  • Björn Jacke <>
BUG #10835: nss_winbind: Add getgroupmembership for FreeBSD.
  • Guenter Kukkukk <>
BUG #10952: Fix 'samba-tool dns serverinfo <server>' for IPv6.
  • Volker Lendecke <>
BUG #10932: pdb_tdb: Fix a TALLOC/SAFE_FREE mixup.
BUG #10942: dbwrap_ctdb: Pass on mutex flags to tdb_open.
  • Justin Maggard <>
BUG #10852: winbind3: Fix pwent variable substitution.
  • Kamen Mazdrashki <>
BUG #10975: ldb: version 1.1.18
  • Stefan Metzmacher <>
BUG #10781: tdb: version 1.3.3
BUG #10911: Add support for SMB2 leases.
BUG #10921: s3:smbd: Fix file corruption using "write cache size != 0".
BUG #10949: Fix RootDSE search with extended dn control.
BUG #10958: libcli/smb: only force signing of smb2 session setups when binding a new session.
BUG #10975: ldb: version 1.1.18
BUG #11016: pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords.
  • Marc Muehlfeld <>
BUG #10895: samba-tool group add: Add option '--nis-domain' and '--gid'.
  • Noel Power <>
BUG #10918: btrfs: Don't leak opened directory handle.
  • Matt Rogers <>
BUG #10933: s3-keytab: fix keytab array NULL termination.
  • Garming Sam <>
BUG #10355: pdb: Fix build issues with shared modules.
BUG #10720: idmap: Return the correct id type to *id_to_sid methods.
BUG #10864: Fix testparm to show hidden share defaults.
  • Andreas Schneider <>
BUG #10279: Make 'smbclient' use cached creds.
BUG #10960: s3-smbclient: Return success if we listed the shares.
BUG #10961: s3-smbstatus: Fix exit code of profile output.
BUG #10965: socket_wrapper: Add missing prototype check for eventfd.
  • Martin Schwenke <>
BUG #10892: Integrate CTDB into top-level Samba build.
BUG #10996: Fix IPv6 support in CTDB.


  • Jeremy Allison <>
BUG #10848: s3: smb2cli: query info return length check was reversed.
  • Björn Baumbach <>
BUG #10862: build: Do not install 'texpect' binary anymore.
  • Chris Davis <>
BUG #10859: Improve samba-regedit.
  • Jakub Hrozek <>
BUG #10861: Fix build of socket_wrapper on systems without SO_PROTOCOL.
  • Volker Lendecke <>
BUG #10860: registry: Don't leave dangling transactions.
  • Stefan Metzmacher <>
BUG #10866: libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02.
  • Christof Schmitt <>
BUG #10837: idmap_rfc2307: Fix a crash after connection problem to DC.


Samba 4.2 release blocker