============================== Release Notes for Samba 4.10.9 October 17, 2019 ============================== Changes since 4.10.8: --------------------- o Michael Adam * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data loss in CTDB cluster. * BUG 14141: winbind: Provide passwd struct for group sid with ID_TYPE_BOTH mapping (again). o Jeremy Allison * BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(). * BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls. o Douglas Bagnall * BUG 13978: s4/scripting: MORE py3 compatible print functions. o Andrew Bartlett * ldb: Release ldb 1.5.6 * BUG 13978: undoduididx: Add "or later" to warning about using tools from Samba 4.8. * BUG 13959: ldb_tdb fails to check error return when parsing pack formats. o Ralph Boehme * BUG 14038: ctdb: Fix compilation on systems with glibc robust mutexes. o Isaac Boukris * BUG 11362: GPO security filtering based on the groups in Kerberos PAC (but primary group is missing). * BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server. o Günther Deschner * BUG 14130: s3-winbindd: fix forest trusts with additional trust attributes. o Poornima G * BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations. o Aaron Haslett * BUG 13977: ldb: baseinfo pack format check on init. * BUG 13978: ldb: ldbdump key and pack format version comments. o Amitay Isaacs * BUG 14140: Overlinking libreplace against librt and pthread against every binary or library causes issues. * BUG 14147: ctdb-vacuum: Process all records not deleted on a remote node. o Björn Jacke * BUG 14136: classicupgrade: Fix uncaught exception. * BUG 14139: fault.c: Improve fault_report message text pointing to our wiki. o Bryan Mason * BUG 14128: s3:client:Use DEVICE_URI, instead of argv[0],for Device URI. o Stefan Metzmacher * BUG 14055: We should send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID negotiation context. * BUG 14124: 'pam_winbind' with 'krb5_auth' or 'wbinfo -K' doesn't work for users of trusted domains/forests principals" logic. o Anoop C S * BUG 14093: vfs_glusterfs: Enable profiling for file system operations. o Christof Schmitt * BUG 14032: vfs_gpfs: Implement special case for denying owner access to ACL. o Andreas Schneider * BUG 13884: Joining Active Directory should not use SAMR to set the password. * BUG 14106: s3:libsmb: Do not check the SPNEGO neg token for KRB5. * BUG 14140: Overlinking libreplace against librt and pthread against every binary or library causes issues. * BUG 14155: 'kpasswd' fails when built with MIT Kerberos. o Martin Schwenke * BUG 14084: CTDB replies can be lost before nodes are bidirectionally connected. * BUG 14087: "ctdb stop" command completes before databases are frozen. * BUG 14129: ctdb-tools: Stop deleted nodes from influencing ctdb nodestatus exit code. o Evgeny Sinelnikov * BUG 14007: s3:ldap: Fix join with don't exists machine account. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== Release notes for older releases follow: ---------------------------------------- ============================== Release Notes for Samba 4.10.8 September 3, 2019 ============================== This is a security release in order to address the following defect: o CVE-2019-10197: Combination of parameters and permissions can allow user to escape from the share path definition. ======= Details ======= o CVE-2019-10197: Under certain parameter configurations, when an SMB client accesses a network share and the user does not have permission to access the share root directory, it is possible for the user to escape from the share to see the complete '/' filesystem. Unix permission checks in the kernel are still enforced. Changes since 4.10.7: --------------------- o Jeremy Allison * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape from the share. o Stefan Metzmacher * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape from the share. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.7 August 22, 2019 ============================== This is the latest stable release of the Samba 4.10 release series. Changes since 4.10.6: --------------------- o Michael Adam * BUG 14010: Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module. o Andrew Bartlett * BUG 13844: build: Allow build when '--disable-gnutls' is set. o Björn Baumbach * BUG 13973: samba-tool: Add 'import samba.drs_utils' to fsmo.py. o Tim Beale * BUG 14008: Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade. * BUG 14021: s4/libnet: Fix joining a Windows pre-2008R2 DC. * BUG 14046: join: Use a specific attribute order for the DsAddEntry nTDSDSA object. o Ralph Boehme * BUG 14015: vfs_catia: Pass stat info to synthetic_smb_fname(). o Alexander Bokovoy * BUG 14091: lookup_name: Allow own domain lookup when flags == 0. o Gary Lockyer * BUG 13932: s4 librpc rpc pyrpc: Ensure tevent_context deleted last. o Stefan Metzmacher * BUG 13915: DEBUGC and DEBUGADDC doesn't print into a class specific log file. * BUG 13949: Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto". * BUG 13967: dbcheck: Fallback to the default tombstoneLifetime of 180 days. * BUG 13969: dnsProperty fails to decode values from older Windows versions. * BUG 13973: samba-tool: Use only one LDAP modify for dns partition fsmo role transfer. o Andreas Schneider * BUG 13960: third_party: Update waf to version 2.0.17. o Garming Sam * BUG 14051: netcmd: Allow 'drs replicate --local' to create partitions. o Rafael David Tinoco * BUG 14017: ctdb-config: Depend on /etc/ctdb/nodes file. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.6 July 8, 2019 ============================== This is the latest stable release of the Samba 4.10 release series. Changes since 4.10.5: --------------------- o Jeremy Allison * BUG 13956: s3: winbind: Fix crash when invoking winbind idmap scripts. * BUG 13964: smbd does not correctly parse arguments passed to dfree and quota scripts. o Douglas Bagnall * BUG 13965: samba-tool dns: use bytes for inet_ntop. o Andrew Bartlett * BUG 13828: samba-tool domain provision: Fix --interactive module in python3. * BUG 13893: ldb_kv: Skip @ records early in a search full scan. * BUG 13981: docs: Improve documentation of "lanman auth" and "ntlm auth" connection. o Björn Baumbach * BUG 14002: python/ntacls: Use correct "state directory" smb.conf option instead of "state dir". o Ralph Boehme * BUG 13840: registry: Add a missing include. * BUG 13944: Fix SMB guest authentication. * BUG 13958: AppleDouble conversion breaks Resourceforks. * BUG 13968: vfs_fruit makes direct use of syscalls like mmap() and pread(). * BUG 13987: s3:mdssvc: Fix flex compilation error. o Günther Deschner * BUG 13872: s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly: o Aaron Haslett * BUG 13799: dsdb:samdb: schemainfo update with relax control. o Aliaksei Karaliou * BUG 13964: s3:util: Move static file_pload() function to lib/util. o Volker Lendecke * BUG 13957: smbd: Fix a panic. o Gary Lockyer * BUG 12478: ldap server: Generate correct referral schemes. * BUG 13941: s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value. * BUG 13942: s4 dsdb: Fix use after free in samldb_rename_search_base_callback. o Stefan Metzmacher * BUG 12204: dsdb/repl: we need to replicate the whole schema before we can apply it. * BUG 12478: ldb: Release ldb 1.5.5 * BUG 13713: Schema replication fails if link crosses chunk boundary backwards. * BUG 13799: 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision. * BUG 13916: dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..." * BUG 13917: python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL. o Shyamsunder Rathi * BUG 13947: s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary. o Andreas Schneider * BUG 13939: Using Kerberos credentials to print using spoolss doesn't work. o Lukas Slebodnik * BUG 13998: wafsamba: Use native waf timer. o Rafael David Tinoco * BUG 13984: ctdb-scripts: Fix tcp_tw_recycle existence check. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.5 June 19, 2019 ============================== This is a security release in order to address the following defects: o CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server (dnsserver)) o CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches)) ======= Details ======= o CVE-2019-12435: An authenticated user can crash the Samba AD DC's RPC server process via a NULL pointer dereference. o CVE-2019-12436: An user with read access to the directory can cause a NULL pointer dereference using the paged search control. For more details and workarounds, please refer to the security advisories. Changes since 4.10.4: --------------------- o Douglas Bagnall * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2. * BUG 13951: CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.4 May 22, 2019 ============================== This is the latest stable release of the Samba 4.10 release series. Changes since 4.10.3: --------------------- o Jeremy Allison * BUG 13938: s3: SMB1: Don't allow recvfile on stream fsp's. o Douglas Bagnall * BUG 13882: py/provision: Fix for Python 2.6. o Tim Beale * BUG 13873: netcmd: Fix 'passwordsettings --max-pwd-age' command. o Ralph Boehme * BUG 13938: s3:smbd: Don't use recvfile on streams. o Günther Deschner * BUG 13861: s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot". o David Disseldorp * BUG 13896: vfs_ceph: Explicitly enable libcephfs POSIX ACL support. * BUG 13940: vfs_ceph: Fix cephwrap_flistxattr() debug message. o Amitay Isaacs * BUG 13895: ctdb-common: Avoid race between fd and signal events. * BUG 13943: ctdb-common: Fix memory leak in run_proc. o Volker Lendecke * BUG 13892: lib: Initialize getline() arguments. * BUG 13903: winbind: Fix overlapping id ranges. o Gary Lockyer * BUG 13902: lib util debug: Increase format buffer to 4KiB. * BUG 13927: nsswitch pam_winbind: Fix Asan use after free. * BUG 13929: s4 lib socket: Ensure address string owned by parent struct. * BUG 13936: s3 rpc_client: Fix Asan stack use after scope. o Stefan Metzmacher * BUG 10097: s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO. * BUG 10344: smb2_tcon: Avoid STATUS_PENDING completely on tdis. * BUG 12845: smb2_sesssetup: avoid STATUS_PENDING responses for session setup. * BUG 13698: smb2_tcon: Avoid STATUS_PENDING completely on tdis. * BUG 13796: smb2_sesssetup: avoid STATUS_PENDING responses for session setup. * BUG 13843: dbcheck: Fix the err_empty_attribute() check. * BUG 13858: vfs_snapper: Drop unneeded fstat handler. * BUG 13862: vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check. * BUG 13863: smb2_server: Grant all 8192 credits to clients. * BUG 13919: smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling. o Anoop C S * BUG 13872: s3/vfs_glusterfs: Dynamically determine NAME_MAX. o Robert Sander * BUG 13918: s3: modules: ceph: Use current working directory instead of share path. o Christof Schmitt * BUG 13831: winbind: Use domain name from lsa query for sid_to_name cache entry. * BUG 13865: memcache: Increase size of default memcache to 512k. o Andreas Schneider * BUG 13857: docs: Update smbclient manpage for "--max-protocol". * BUG 13861: 'net ads join' to child domain fails when using "-U admin@forestroot". * BUG 13937: s3:utils: If share is NULL in smbcacls, don't print it. * BUG 13939: s3:smbspool: Fix regression printing with Kerberos credentials. o Martin Schwenke * BUG 13860: ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd. * BUG 13888: ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake". * BUG 13930: ctdb-daemon: Never use 0 as a client ID. * BUG 13943: ctdb-common: Fix memory leak. o Ralph Wuerthner * BUG 13904: s3:debug: Enable logging for early startup failures. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.3 May 14, 2019 ============================== This is a security release in order to address the following defect: o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum) ======= Details ======= o CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. For more details and workarounds, please refer to the security advisory. Changes since 4.10.2: --------------------- o Isaac Boukris * BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.2 April 8, 2019 ============================== This is a security release in order to address the following defects: o CVE-2019-3870 (World writable files in Samba AD DC private/ dir) o CVE-2019-3880 (Save registry file outside share as unprivileged user) ======= Details ======= o CVE-2019-3870: During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable. o CVE-2019-3880: Authenticated users with write permission can trigger a symlink traversal to write or detect files outside the Samba share. For more details and workarounds, please refer to the security advisories. Changes since 4.10.1: --------------------- o Andrew Bartlett * BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for smbd.mkdir(). o Jeremy Allison * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of SaveKey/RestoreKey. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.1 April 3, 2019 ============================== This is the latest stable release of the Samba 4.10 release series. Changes since 4.10.0: --------------------- o Douglas Bagnall * BUG 13837: py/kcc_utils: py2.6 compatibility. o Philipp Gesang * BUG 13869: libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response. o Michael Hanselmann * BUG 13840: regfio: Improve handling of malformed registry hive files. o Amitay Isaacs * BUG 13789: ctdb-version: Simplify version string usage. o Volker Lendecke * BUG 13859: lib: Make fd_load work for non-regular files. o Stefan Metzmacher * BUG 13816: dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option. * BUG 13818: ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(). o Anoop C S * BUG 13854: s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so. o Garming Sam * BUG 13836: acl_read: Fix regression for empty lists. o Michael Saxl * BUG 13841: s4:dlz make b9_has_soa check dc=@ node. o Andreas Schneider * BUG 13832: s3:client: Fix printing via smbspool backend with kerberos auth. * BUG 13847: s4:librpc: Fix installation of Samba. * BUG 13848: s3:lib: Fix the debug message for adding cache entries. * BUG 13793: s3:utils: Add 'smbstatus -L --resolve-uids' to show username. * BUG 13848: s3:lib: Fix the debug message for adding cache entries. * BUG 13853: s3:waf: Fix the detection of makdev() macro on Linux. o Martin Schwenke * BUG 13789: ctdb-build: Drop creation of .distversion in tarball. * BUG 13838: ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.10.0 March 19, 2019 ============================== This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES ==================== GPO Improvements ---------------- A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format. A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain). KDC prefork ----------- The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba. Prefork 'prefork children' -------------------------- The default value for this smdb.conf parameter has been increased from 1 to 4. Netlogon prefork ---------------- DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are pre-forked when the prefork process model is selected for samba. Offline domain backups ---------------------- The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command. Group membership statistics --------------------------- A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group. Paged results LDAP control -------------------------- The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally (or is requested by the user) by LDAP libraries or tools that deal with large result sizes, for example, when listing all the objects in the database. Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression. For further details see https://wiki.samba.org/index.php/Paged_Results Prefork process restart ----------------------- The pre-fork process model now restarts failed processes. The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear back off strategy is used with "prefork backoff increment" added to the delay between restart attempts up until it reaches "prefork maximum backoff". Using the default sequence the restart delays (in seconds) are: 0, 10, 20, ..., 120, 120, ... Standard process model ---------------------- When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0, indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately. python3 support --------------- This is the first release of Samba which has full support for Python 3. Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3. To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e. 'PYTHON=python2 ./configure' 'PYTHON=python2 make' This will override the python3 default. Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case. Note that Samba 4.10 supports Python 3.4 onwards. Future Python support --------------------- Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term. Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now. If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3. Also note that Samba 4.11 will most likely only support Python 3.6 onwards. JSON logging ------------ Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType". The supported event codes and logon types are: Event codes: 4624 Successful logon 4625 Unsuccessful logon Logon Types: 2 Interactive 3 Network 8 NetworkCleartext The version number for Authentication messages is now 1.1, changed from 1.0 Password change messages now contain the Windows Event Id "eventId", the supported event Id's are: 4723 Password changed 4724 Password reset The version number for PasswordChange messages is now 1.1, changed from 1.0 Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are: 4728 A member was added to a security enabled global group 4729 A member was removed from a security enabled global group 4732 A member was added to a security enabled local group 4733 A member was removed from a security enabled local group 4746 A member was added to a security disabled local group 4747 A member was removed from a security disabled local group 4751 A member was added to a security disabled global group 4752 A member was removed from a security disabled global group 4756 A member was added to a security enabled universal group 4757 A member was removed from a security enabled universal group 4761 A member was added to a security disabled universal group 4762 A member was removed from a security disabled universal group The version number for GroupChange messages is now 1.1, changed from 1.0. Also A GroupChange message is generated when a new user is created to log that the user has been added to their primary group. The leading "JSON :" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {" SMBv2 samba-tool support ------------------------ On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands. Refer also bug #13676. New glusterfs_fuse VFS module ----------------------------- The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume. REMOVED FEATURES ================ MIT Kerberos build of the AD DC ------------------------------- While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option: --with-experimental-mit-ad-dc For further details see https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC samba_backup ------------ The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command. SMB client Python bindings -------------------------- The SMB client python bindings are now deprecated and will be removed in future Samba releases. This will only affects users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- prefork backoff increment Delay added to process restart 10 (seconds) between attempts. prefork maximum backoff Maximum delay for process between 120 (seconds) process restart attempts smbd search ask sharemode Name changed, old name was "smbd:search ask sharemode" smbd async dosmode Name changed, old name was "smbd:async dosmode" smbd max async dosmode Name changed, old name was "smbd:max async dosmode" smbd getinfo ask sharemode New: similar to "smbd search ask yes sharemode" but for SMB getinfo CHANGES SINCE 4.10.0rc4 ======================= o Andrew Bartlett * BUG 13760: s4-server: Open and close a transaction on sam.ldb at startup. o Ralph Boehme * BUG 13812: access_check_max_allowed() doesn't process "Owner Rights" ACEs. o Joe Guo * s4/scripting/bin: Open unicode files with utf8 encoding and write * unicode string. o Björn Jacke * BUG 13759: sambaundoguididx: Use the right escaped oder unescaped sam ldb files. o Volker Lendecke * BUG 13813: Fix idmap cache pollution with S-1-22- IDs on winbind hickup. o Christof Schmitt * passdb: Update ABI to 0.27.2. * BUG 13813: lib/winbind_util: Add winbind_xid_to_sid for --without-winbind. o Andreas Schneider * BUG 13823: lib:util: Move debug message for mkdir failing to log level 1. CHANGES SINCE 4.10.0rc3 ======================= o Jeremy Allison * BUG 13803: SMB1 POSIX mkdir does case insensitive name lookup. o Ralph Boehme * BUG 13802: Fix idmap xid2sid cache issue. o David Disseldorp * BUG 13807: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate. o Volker Lendecke * BUG 13786: messages_dgm: Properly handle receiver re-initialization. o Gary Lockyer * BUG 13765: man pages: Document prefork process model. * BUG 13773: CVE-2019-3824 ldb: wildcard_match end of data check. o Stefan Metzmacher * tdb: Fix compatibility of wscript with older python. * tevent: version 0.9.39 * BUG 13773: CVE-2019-3824 ldb: version 1.5.4 o David Mulder * Search for location of waf script. o Noel Power * BUG 13777: buildtools/wafsamba: Avoid decode when using python2. o Jiří Šašek * BUG 13704: notifyd: Fix SIGBUS on sparc. o Swen Schillig * BUG 13791: ctdb: Buffer write beyond limits. o Lukas Slebodnik * BUG 13773: CVE-2019-3824 ldb: Out of bound read in ldb_wildcard_compare. o Martin Schwenke * BUG 13790: ctdb-config: Change example recovery lock setting to one that fails. * BUG 13800: Fix recovery lock bug. CHANGES SINCE 4.10.0rc2 ======================= o Jeremy Allison * BUG 13690: smbd: uid: Don't crash if 'force group' is added to an existing share connection. * BUG 13770: s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code. o Andrew Bartlett * ldb: Release ldb 1.5.3 * BUG 13762: Avoid inefficient one-level searches. * BUG 13772: The test api.py should not rely on order of entries in dict. o Tim Beale * BUG 13762: ldb: Avoid inefficient one-level searches. o Ralph Boehme * BUG 13776: tldap: Avoid use after free errors. o Günther Deschner * BUG 13746: s3-smbd: Use fruit:model string for mDNS registration. o David Disseldorp * BUG 13766: printing: Check lp_load_printers() prior to pcap cache update. o Christof Schmitt * BUG 13787: waf: Check for libnscd. o Andreas Schneider * BUG 13770: s3:vfs: Correctly check if OFD locks should be enabled or not. * BUG 13778: Public ZERO_STRUCT() uses undefined C11 function memset_s(). CHANGES SINCE 4.10.0rc1 ======================= o Jeremy Allison * BUG 13750: libcli: dns: Change internal DNS_REQUEST_TIMEOUT from 2 to 10 seconds. o Tim Beale * BUG 13676: samba-tool SMB/sysvol connections do not work if SMBv1 is disabled. * BUG 13747: join: Throw CommandError instead of Exception for simple errors. o Günther Deschner * BUG 13774: s3-vfs: Add glusterfs_fuse vfs module. o Volker Lendecke * BUG 13742: ctdb: Print locks latency in machinereadable stats. o Stefan Metzmacher * BUG 13752: s4:server: Add support for 'smbcontrol samba shutdown'. o Anoop C S * BUG 13330: vfs_glusterfs: Adapt to changes in libgfapi signatures. * BUG 13774: s3-vfs: Use ENOATTR in errno comparison for getxattr. o Justin Stephenson * BUG 13727: s3:libsmb: Honor disable_netbios option in smbsock_connect_send. KNOWN ISSUES ============ https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ======================================================================