============================== Release Notes for Samba 4.4.16 September 20, 2017 ============================== This is a security release in order to address the following defects: o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should) o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) o CVE-2017-12163 (Server memory information leak over SMB1) ======= Details ======= o CVE-2017-12150: A man in the middle attack may hijack client connections. o CVE-2017-12151: A man in the middle attack can read and may alter confidential documents transferred via a client connection, which are reached via DFS redirect when the original connection used SMB3. o CVE-2017-12163: Client with write access to a share can cause server memory contents to be written into a file or printer. For more details and workarounds, please see the security advisories: o https://www.samba.org/samba/security/CVE-2017-12150.html o https://www.samba.org/samba/security/CVE-2017-12151.html o https://www.samba.org/samba/security/CVE-2017-12163.html Changes since 4.4.15: --------------------- o Jeremy Allison * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async. * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. o Ralph Boehme * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly. o Stefan Metzmacher * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs redirects. * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing when they should. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== Release notes for older releases follow: ---------------------------------------- ============================== Release Notes for Samba 4.4.15 July 12, 2017 ============================== This is a security release in order to address the following defect: o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) ======= Details ======= o CVE-2017-11103 (Heimdal): All versions of Samba from 4.0.0 onwards using embedded Heimdal Kerberos are vulnerable to a man-in-the-middle attack impersonating a trusted server, who may gain elevated access to the domain by returning malicious replication or authorization data. Samba binaries built against MIT Kerberos are not vulnerable. Changes since 4.4.14: --------------------- o Jeffrey Altman * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.4.14 May 24, 2017 ============================== This is a security release in order to address the following defect: o CVE-2017-7494 (Remote code execution from a writable share) ======= Details ======= o CVE-2017-7494: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Changes since 4.4.13: --------------------- o Volker Lendecke * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable share. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== --------------------------------------------------------------------- ============================== Release Notes for Samba 4.4.13 March 31, 2017 ============================== This is a bug fix release to address a regression introduced by the security fixes for CVE-2017-2619 (Symlink race allows access outside share definition). Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details. Changes since 4.4.12: --------------------- o Jeremy Allison * BUG 12721: Fix regression with "follow symlinks = no". ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== --------------------------------------------------------------------- ============================== Release Notes for Samba 4.4.12 March 23, 2017 ============================== This is a security release in order to address the following defect: o CVE-2017-2619 (Symlink race allows access outside share definition) ======= Details ======= o CVE-2017-2619: All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the realpath() system call to ensure when a client requests access to a pathname that it is under the exported share path on the server file system. Clients that have write access to the exported part of the file system via SMB1 unix extensions or NFS to create symlinks can race the server by renaming a realpath() checked path and then creating a symlink. If the client wins the race it can cause the server to access the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race reliably only when the server is slowed down using the strace utility running on the server. Exploitation of this bug has not been seen in the wild. Changes since 4.4.11: --------------------- o Jeremy Allison * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. o Ralph Boehme * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share directory. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.4.11 March 16, 2017 ============================== This is the latest stable release of Samba 4.4. Please note that this will very likely be the last maintenance release of the Samba 4.4 release branch. Changes since 4.4.10: --------------------- o Jeremy Allison * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained. o Ralph Boehme * BUG 7537: s3/smbd: Fix deferred open with streams and kernel oplocks. * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch. * BUG 12615: manpages/vfs_fruit: Document global options. o Volker Lendecke * BUG 12610: smbd: Do an early exit on negprot failure. o Stefan Metzmacher * BUG 11830: s3:winbindd: Fix endless forest trust scan. o Andreas Schneider * BUG 12686: Fix build with newer glibc. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================== Release Notes for Samba 4.4.10 March 1, 2017 ============================== This is the latest stable release of Samba 4.4. Please note that this will likely be the last maintenance release of the Samba 4.4 release branch. Major enhancements in Samba 4.4.10 include: o Domain join broken under certain circumstances after winbindd changed the trust password (bug #12262). A new parameter "include system krb5 conf" has been added (bug #12441). Please see the man page for details. Changes since 4.4.9: -------------------- o Jeremy Allison * BUG 12479: s3: libsmb: Add cli_smb2_ftruncate(), plumb into cli_ftruncate(). * BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly. * BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution. * BUG 12531: Make vfs_shadow_copy2 cope with server changing directories. * BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck(). o Ralph Boehme * BUG 12536: s3/smbd: Check for invalid access_mask smbd_calculate_access_mask(). * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses readdirattr. * BUG 12545: s3/rpc_server/mdssvc: Add attribute "kMDItemContentType". * BUG 12591: vfs_streams_xattr: Use fsp, not base_fsp. o David Disseldorp * BUG 12144: smbd/ioctl: Match WS2016 ReFS set compression behaviour. o Amitay Isaacs * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler(). o Björn Jacke * BUG 2210: pam: Map more NT password errors to PAM errors. * BUG 12535: vfs_default: Unlock the right file in copy chunk. o Volker Lendecke * BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets. * BUG 12551: smbd: Fix "map acl inherit" = yes. o Stefan Metzmacher * BUG 11830: Domain member cannot resolve trusted domains' users. * BUG 12262: Domain join broken under certain circumstances after winbindd changed the trust password. * BUG 12480: 'kinit' succeeded, but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (with MIT krb5). * BUG 12540: s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot. * BUG 12581: 'smbclient' fails on bad endianess when listing shares from Solaris kernel SMB server on SPARC. * BUG 12585: librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping. * BUG 12586: netlogon_creds_cli_LogonSamLogon doesn't work without netr_LogonSamLogonEx. * BUG 12587: Fix winbindd child segfaults on connect to an NT4 domain. * BUG 12588: cm_prepare_connection may return NT_STATUS_OK without a valid connection. * BUG 12598: winbindd (as member) requires kerberos against trusted ad domain, while it shouldn't. o Andreas Schneider * BUG 12441: s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos. * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir(). o Martin Schwenke * BUG 12589: CTDB statd-callout does not cause grace period when CTDB_NFS_CALLOUT="". o Uri Simchoni * BUG 12529: waf: Backport finding of pkg-config. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.9 January 2, 2017 ============================= This is the latest stable release of Samba 4.4. Changes since 4.4.8: -------------------- o Michael Adam * BUG 12404: vfs:glusterfs: Preallocate result for glfs_realpath. o Jeremy Allison * BUG 12299: Fix unitialized variable warnings in smbd open.c and close.c. * BUG 12387: s3: vfs: streams_depot. Use conn->connectpath not conn->cwd. * BUG 12436: s3/smbd: Fix the last resort check that sets the file type attribute. o Andrew Bartlett * BUG 12395: build: Fix build with perl on debian sid. o Ralph Boehme * BUG 12412: Fix typo in vfs_fruit: fruit:ressource -> fruit:resource. o Günther Deschner * BUG 11197: spoolss: Use correct values for secdesc and devmode pointers. o Amitay Isaacs * BUG 12366: provision: Add support for BIND 9.11.x. * BUG 12392: ctdb-locking: Reset real-time priority in lock helper. * BUG 12434: ctdb-recovery: Avoid NULL dereference in failure case. o Stefan Metzmacher * BUG 10297: s3:smbd: Only pass UCF_PREP_CREATEFILE to filename_convert() if we may create a new file. * BUG 12471: Fix build with MIT Kerberos. o Mathieu Parent * BUG 12371: ctdb-scripts: Fix Debian init in Samba eventscript. o Andreas Schneider * BUG 12183: s3-printing: Correctly encode CUPS printer URIs. * BUG 12195: s3-printing: Allow printer names longer than 16 chars. * BUG 12269: nss_wins: Fix errno values for HOST_NOT_FOUND. * BUG 12405: s3-winbind: Do not return NO_MEMORY if we have an empty user list. * BUG 12415: s3:spoolss: Add support for COPY_FROM_DIRECTORY in AddPrinterDriverEx. o Martin Schwenke * BUG 12104: ctdb-packaging: Move CTDB tests to /usr/local/share/ctdb/tests/. o Ralph Wuerthner * BUG 12372: ctdb-conn: Add missing variable initialization. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.8 December 19, 2016 ============================= This is a security release in order to address the following defects: o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability). o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in trusted realms). o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege elevation). ======= Details ======= o CVE-2016-2123: The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation. o CVE-2016-2125 Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service. o CVE-2016-2126 A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the arcfour-hmac-md5 PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. Changes since 4.4.7: -------------------- o Volker Lendecke * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995. o Stefan Metzmacher * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers. * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in check_pac_checksum(). ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.7 October 26, 2016 ============================= This is the latest stable release of Samba 4.4. Major enhancements in Samba 4.4.7 include: o Let winbindd discard expired kerberos tickets when built against (internal) heimdal (BUG #12369). o REGRESSION: smbd segfaults on startup, tevent context being freed (BUG #12283). Changes since 4.4.6: -------------------- o Jeremy Allison * BUG 11259: smbd contacts a domain controller for each session. * BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being freed. * BUG 12291: source3/lib/msghdr: Fix syntax error before or at: ;. * BUG 12381: s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address. o Christian Ambach * BUG 9945: Setting specific logger levels in smb.conf makes 'samba-tool drs showrepl' crash. o Björn Baumbach * BUG 8618: s3-printing: Fix migrate printer code. o Ralph Boehme * BUG 12261: s3/smbd: Set FILE_ATTRIBUTE_DIRECTORY as necessary. o Günther Deschner * BUG 12285: "DriverVersion" registry backend parsing incorrect in spoolss. o David Disseldorp * BUG 12144: smbd/ioctl: Match WS2016 ReFS get compression behaviour. o Amitay Isaacs * BUG 12287: CTDB PID file handling is too weak. o Volker Lendecke * BUG 12045: gencache: Bail out of stabilize if we can not get the allrecord lock. * BUG 12283: glusterfs: Avoid tevent_internal.h. * BUG 12374: spoolss: Fix caching of printername->sharename. o Stefan Metzmacher * BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being freed. * BUG 12369: Let winbindd discard expired kerberos tickets when built against (internal) heimdal. o Noel Power * BUG 12298: s3/winbindd: Using default domain with user@domain.com format fails. o Jose A. Rivera * BUG 12362: ctdb-scripts: Avoid dividing by zero in memory calculation. o Anoop C S * BUG 12377: vfs_glusterfs: Fix a memory leak in connect path. o Andreas Schneider * BUG 12269: nss_wins has incorrect function definitions for gethostbyname*. * BUG 12276: s3-lib: Fix %G substitution in AD member environment. * BUG 12364: s3-utils: Fix loading smb.conf in smbcquotas. o Martin Schwenke * BUG 12287: CTDB PID file handling is too weak. * BUG 12362: ctdb-scripts: Fix incorrect variable reference. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.6 September 22, 2016 ============================= This is the latest stable release of Samba 4.4. Changes since 4.4.5: -------------------- o Michael Adam * BUG 11977: libnet: Ignore realm setting for domain security joins to AD domains if 'winbind rpc only = true'. * BUG 12155: idmap: Centrally check that unix IDs returned by the idmap backends are in range. o Jeremy Allison * BUG 11838: s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence. * BUG 11845: Incorrect bytecount in ReadAndX smb1 response. * BUG 11955: lib: Fix uninitialized read in msghdr_copy. * BUG 11959: s3: krb5: keytab - The done label can be jumped to with context == NULL. * BUG 11986: s3: libsmb: Correctly trim a trailing \\ character in cli_smb2_create_fnum_send() when passing a pathname to SMB2 create. * BUG 12021: Fix smbd crash ( 4) on File Delete. * BUG 12135: libgpo: Correctly use the 'server' parameter after parsing it out of the GPO path. * BUG 12139: s3: oplock: Fix race condition when closing an oplocked file. * BUG 12272: Fix messaging subsystem crash. o Douglas Bagnall * BUG 11750: gcc6 fails to build internal heimdal. o Andrew Bartlett * BUG 11991: build: Build less of Samba when building '--without-ntvfs-fileserver'. * BUG 12026: build: Always build eventlog6. This is not a duplicate of eventlog. * BUG 12154: ldb-samba: Add "secret" as a value to hide in LDIF files. * BUG 12178: dbcheck: Abandon dbcheck if we get an error during a transaction. o Ralph Boehme * BUG 10008: dbwrap_ctdb: Treat empty records in ltdb as non-existing. * BUG 11520: Fix DNS secure updates. * BUG 11961: idmap_autorid allocates ids for unknown SIDs from other backends. * BUG 11992: s3/smbd: Only use stored dos attributes for open_match_attributes() check. * BUG 12005: smbd: Ignore ctdb tombstone records in fetch_share_mode_unlocked_parser(). * BUG 12016: cleanupd terminates main smbd on exit. * BUG 12028: vfs_acl_xattr: Objects without NT ACL xattr. * BUG 12105: async_req: Make async_connect_send() "reentrant". * BUG 12177: vfs_acl_common: Fix unexpected synthesized default ACL from vfs_acl_xattr. * BUG 12181: vfs_acl_xattr|tdb: Enforced settings when "ignore system acls = yes". o Alexander Bokovoy * BUG 11975: libnet_join: use sitename if it was set by pre-join detection. o Günther Deschner * BUG 11977: s3-libnet: Print error string even on successful completion of libnetjoin. o Amitay Isaacs * BUG 11940: CTDB fails to recover large database. * BUG 11941: CTDB does not ban misbehaving nodes during recovery. * BUG 11946: Samba and CTDB packages both have tevent-unix-util dependency. * BUG 11956: ctdb-recoverd: Avoid duplicate recoverd event in parallel recovery. * BUG 12158: CTDB release IP fixes. * BUG 12259: ctdb-protocol: Fix marshalling for GET_DB_SEQNUM control request. * BUG 12271: CTDB recovery does not terminate if no node is banned due to failure. * BUG 12275: ctdb-recovery-helper: Add missing initialisation of ban_credits. o Volker Lendecke * BUG 12268: smbd: Reset O_NONBLOCK on open files. o Stefan Metzmacher * BUG 11948: dcerpc.idl: Remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE. * BUG 11982: Invalid auth_pad_length is not ignored for BIND_* and ALTER_* pdus. * BUG 11994: gensec/spnego: Work around missing server mechListMIC in SMB servers. * BUG 12007: libads: Ensure the right ccache is used during spnego bind. * BUG 12018: python/remove_dc: Handle dnsNode objects without dnsRecord attribute. * BUG 12129: samba-tool/ldapcmp: Ignore differences of whenChanged. o Marc Muehlfeld * BUG 12023: man: Wrong option for parameter ldap ssl in smb.conf man page. o Andreas Schneider * BUG 11936: libutil: Support systemd 230. * BUG 11999: s3-winbind: Fix memory leak with each cached credential login. * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory. * BUG 12175: s3-util: Fix asking for username and password in smbget. o Martin Schwenke * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory. * BUG 12110: ctdb-daemon: Fix several Coverity IDs. * BUG 12158: CTDB release IP fixes. * BUG 12161: Fix CTDB cumulative takeover timeout. * BUG 12180: Fix CTDB crashes running eventscripts. o Uri Simchoni * BUG 12006: auth: Fix a memory leak in gssapi_get_session_key(). * BUG 12145: smbd: If inherit owner is enabled, the free disk on a folder should take the owner's quota into account. * BUG 12149: smbd: Allow reading files based on FILE_EXECUTE access right. * BUG 12172: Fix access of snapshot folders via SMB1. o Lorinczy Zsigmond * BUG 11947: lib: replace: snprintf: Fix length calculation for hex/octal 64-bit values. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.5 July 7, 2016 ============================= This is a security release in order to address the following defect: o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded) ======= Details ======= o CVE-2016-2119: It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can impersonate a server being connected to by Samba, and return malicious results. The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking to domain controllers as a member server, and trusted domains as a domain controller. These DCE/RPC connections were intended to protected by the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11"). Additionally, management tools like net, samba-tool and rpcclient use DCERPC over SMB2/3 connections. By default, other tools in Samba are unprotected, but rarely they are configured to use smb signing, via the "client signing" parameter (the default is "if_required"). Even more rarely the "client max protocol" is set to SMB2, rather than the NT1 default. If both these conditions are met, then this issue would also apply to these other tools, including command line tools like smbcacls, smbcquota, smbclient, smbget and applications using libsmbclient. Changes since 4.4.4: -------------------- o Stefan Metzmacher * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade. * BUG 11948: Total dcerpc response payload more than 0x400000. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.4 June 7, 2016 ============================= This is the latest stable release of Samba 4.4. Changes since 4.4.3: -------------------- o Michael Adam * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence number verification. * BUG 11919: smbd:close: Only remove kernel share modes if they had been taken at open. * BUG 11930: notifyd: Prevent NULL deref segfault in notifyd_peer_destructor. o Jeremy Allison * BUG 10618: s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope. o Christian Ambach * BUG 10796: s3:rpcclient: Make '--pw-nt-hash' option work. * BUG 11354: s3:libsmb/clifile: Use correct value for MaxParameterCount for setting EAs. * BUG 11438: Fix case sensitivity issues over SMB2 or above. o Ralph Boehme * BUG 1703: s3:libnet:libnet_join: Add netbios aliases as SPNs. * BUG 11721: vfs_fruit: Add an option that allows disabling POSIX rename behaviour. o Alexander Bokovoy * BUG 11936: s3-smbd: Support systemd 230. o Ira Cooper * BUG 11907: source3: Honor the core soft limit of the OS. o Günther Deschner * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence number verification. * BUG 11864: s3:client:smbspool_krb5_wrapper: Fix the non clearenv build. * BUG 11906: s3-kerberos: Avoid entering a password change dialogue also when using MIT. o Robin Hack * BUG 11890: ldb-samba/ldb_matching_rules: Fix CID 1349424 - Uninitialized pointer read. o Volker Lendecke * BUG 11844: dbwrap_ctdb: Fix ENOENT->NT_STATUS_NOT_FOUND. o Robin McCorkell * BUG 11276: Correctly set cli->raw_status for libsmbclient in SMB2 code. o Stefan Metzmacher * BUG 11910: s3:smbd: Fix anonymous authentication if signing is mandatory. * BUG 11912: libcli/auth: Let msrpc_parse() return talloc'ed empty strings. * BUG 11914: Fix NTLM Authentication issue with squid. * BUG 11927: s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT. o Luca Olivetti * BUG 11530: pdb: Fix segfault in pdb_ldap for missing gecos. o Rowland Penny * BUG 11613: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles. o Anoop C S * BUG 11907: packaging: Set default limit for core file size in service files. o Andreas Schneider * BUG 11922: s3-net: Convert the key_name to UTF8 during migration. * BUG 11935: s3-smbspool: Log to stderr. o Uri Simchoni * BUG 11900: heimdal: Encode/decode kvno as signed integer. * BUG 11931: s3-quotas: Fix sysquotas_4B quota fetching for BSD. * BUG 11937: smbd: dfree: Ignore quota if not enforced. o Raghavendra Talur * BUG 11907: init: Set core file size to unlimited by default. o Hemanth Thummala * BUG 11934: Fix memory leak in share mode locking. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.3 May 2, 2016 ============================= This is the latest stable release of Samba 4.4. This release fixes some regressions introduced by the last security fixes. Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of bugs addressing these regressions and more information. Changes since 4.4.2: -------------------- o Michael Adam * BUG 11786: idmap_hash: Only allow the hash module for default idmap config. o Jeremy Allison * BUG 11822: s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1. o Andrew Bartlett * BUG 11789: Fix returning of ldb.MessageElement. o Ralph Boehme * BUG 11855: cleanupd: Restart as needed. o Günther Deschner * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well. * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build. o Volker Lendecke * BUG 11786: winbind: Fix CID 1357100: Unchecked return value. * BUG 11816: nwrap: Fix the build on Solaris. * BUG 11827: vfs_catia: Fix memleak. * BUG 11878: smbd: Avoid large reads beyond EOF. o Stefan Metzmacher * BUG 11789: s3:wscript: pylibsmb depends on pycredentials. * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share. * BUG 11847: Only validate MIC if "map to guest" is not being used. * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego option for testing. * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN. * BUG 11858: Allow anonymous smb connections. * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5). * BUG 11872: Fix 'wbinfo -u' and 'net ads search'. o Tom Mortensen * BUG 11875: nss_wins: Fix the hostent setup. o Garming Sam * BUG 11789: build: Mark explicit dependencies on pytalloc-util. o Partha Sarathi * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel. o Jorge Schrauwen * BUG 11816: configure: Don't check for inotify on illumos. o Uri Simchoni * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set. * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0. * BUG 11852: libads: Record session expiry for spnego sasl binds. o Hemanth Thummala * BUG 11840: Mask general purpose signals for notifyd. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.2 April 12, 2016 ============================= This is a security release containing one additional regression fix for the security release 4.4.1. This fixes a regression that prevents things like 'net ads join' from working against a Windows 2003 domain. Changes since 4.4.1: ==================== o Stefan Metzmacher * Bug 11804 - prerequisite backports for the security release on April 12th, 2016 ----------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.1 April 12, 2016 ============================= This is a security release in order to address the following CVEs: o CVE-2015-5370 (Multiple errors in DCE-RPC code) o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP) o CVE-2016-2111 (NETLOGON Spoofing Vulnerability) o CVE-2016-2112 (LDAP client and server don't enforce integrity) o CVE-2016-2113 (Missing TLS certificate validation) o CVE-2016-2114 ("server signing = mandatory" not enforced) o CVE-2016-2115 (SMB IPC traffic is not integrity protected) o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible) The number of changes are rather huge for a security release, compared to typical security releases. Given the number of problems and the fact that they are all related to man in the middle attacks we decided to fix them all at once instead of splitting them. In order to prevent the man in the middle attacks it was required to change the (default) behavior for some protocols. Please see the "New smb.conf options" and "Behavior changes" sections below. ======= Details ======= o CVE-2015-5370 Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial of service attacks (crashes and high cpu consumption) in the DCE-RPC client and server implementations. In addition, errors in validation of the DCE-RPC packets can lead to a downgrade of a secure connection to an insecure one. While we think it is unlikely, there's a nonzero chance for a remote code execution attack against the client components, which are used by smbd, winbindd and tools like net, rpcclient and others. This may gain root access to the attacker. The above applies all possible server roles Samba can operate in. Note that versions before 3.6.0 had completely different marshalling functions for the generic DCE-RPC layer. It's quite possible that that code has similar problems! The downgrade of a secure connection to an insecure one may allow an attacker to take control of Active Directory object handles created on a connection created from an Administrator account and re-use them on the now non-privileged connection, compromising the security of the Samba AD-DC. o CVE-2016-2110: There are several man in the middle attacks possible with NTLMSSP authentication. E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL can be cleared by a man in the middle. This was by protocol design in earlier Windows versions. Windows Server 2003 RTM and Vista RTM introduced a way to protect against the trivial downgrade. See MsvAvFlags and flag 0x00000002 in https://msdn.microsoft.com/en-us/library/cc236646.aspx This new feature also implies support for a mechlistMIC when used within SPNEGO, which may prevent downgrades from other SPNEGO mechs, e.g. Kerberos, if sign or seal is finally negotiated. The Samba implementation doesn't enforce the existence of required flags, which were requested by the application layer, e.g. LDAP or SMB1 encryption (via the unix extensions). As a result a man in the middle can take over the connection. It is also possible to misguide client and/or server to send unencrypted traffic even if encryption was explicitly requested. LDAP (with NTLMSSP authentication) is used as a client by various admin tools of the Samba project, e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ... As an active directory member server LDAP is also used by the winbindd service when connecting to domain controllers. Samba also offers an LDAP server when running as active directory domain controller. The NTLMSSP authentication used by the SMB1 encryption is protected by smb signing, see CVE-2015-5296. o CVE-2016-2111: It's basically the same as CVE-2015-0005 for Windows: The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, aka "NETLOGON Spoofing Vulnerability". The vulnerability in Samba is worse as it doesn't require credentials of a computer account in the domain. This only applies to Samba running as classic primary domain controller, classic backup domain controller or active directory domain controller. The security patches introduce a new option called "raw NTLMv2 auth" ("yes" or "no") for the [global] section in smb.conf. Samba (the smbd process) will reject client using raw NTLMv2 without using NTLMSSP. Note that this option also applies to Samba running as standalone server and member server. You should also consider using "lanman auth = no" (which is already the default) and "ntlm auth = no". Have a look at the smb.conf manpage for further details, as they might impact compatibility with older clients. These also apply for all server roles. o CVE-2016-2112: Samba uses various LDAP client libraries, a builtin one and/or the system ldap libraries (typically openldap). As active directory domain controller Samba also provides an LDAP server. Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP for LDAP connections, including possible integrity (sign) and privacy (seal) protection. Samba has support for an option called "client ldap sasl wrapping" since version 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0. Tools using the builtin LDAP client library do not obey the "client ldap sasl wrapping" option. This applies to tools like: "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line options like "--sign" and "--encrypt". With the security update they will also obey the "client ldap sasl wrapping" option as default. In all cases, even if explicitly request via "client ldap sasl wrapping", "--sign" or "--encrypt", the protection can be downgraded by a man in the middle. The LDAP server doesn't have an option to enforce strong authentication yet. The security patches will introduce a new option called "ldap server require strong auth", possible values are "no", "allow_sasl_over_tls" and "yes". As the default behavior was as "no" before, you may have to explicitly change this option until all clients have been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors. Windows clients and Samba member servers already use integrity protection. o CVE-2016-2113: Samba has support for TLS/SSL for some protocols: ldap and http, but currently certificates are not validated at all. While we have a "tls cafile" option, the configured certificate is not used to validate the server certificate. This applies to ldaps:// connections triggered by tools like: "ldbsearch", "ldbedit" and more. Note that it only applies to the ldb tools when they are built as part of Samba or with Samba extensions installed, which means the Samba builtin LDAP client library is used. It also applies to dcerpc client connections using ncacn_http (with https://), which are only used by the openchange project. Support for ncacn_http was introduced in version 4.2.0. The security patches will introduce a new option called "tls verify peer". Possible values are "no_check", "ca_only", "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible". If you use the self-signed certificates which are auto-generated by Samba, you won't have a crl file and need to explicitly set "tls verify peer = ca_and_name". o CVE-2016-2114 Due to a regression introduced in Samba 4.0.0, an explicit "server signing = mandatory" in the [global] section of the smb.conf was not enforced for clients using the SMB1 protocol. As a result it does not enforce smb signing and allows man in the middle attacks. This problem applies to all possible server roles: standalone server, member server, classic primary domain controller, classic backup domain controller and active directory domain controller. In addition, when Samba is configured with "server role = active directory domain controller" the effective default for the "server signing" option should be "mandatory". During the early development of Samba 4 we had a new experimental file server located under source4/smb_server. But before the final 4.0.0 release we switched back to the file server under source3/smbd. But the logic for the correct default of "server signing" was not ported correctly ported. Note that the default for server roles other than active directory domain controller, is "off" because of performance reasons. o CVE-2016-2115: Samba has an option called "client signing", this is turned off by default for performance reasons on file transfers. This option is also used when using DCERPC with ncacn_np. In order to get integrity protection for ipc related communication by default the "client ipc signing" option is introduced. The effective default for this new option is "mandatory". In order to be compatible with more SMB server implementations, the following additional options are introduced: "client ipc min protocol" ("NT1" by default) and "client ipc max protocol" (the highest support SMB2/3 dialect by default). These options overwrite the "client min protocol" and "client max protocol" options, because the default for "client max protocol" is still "NT1". The reason for this is the fact that all SMB2/3 support SMB signing, while there are still SMB1 implementations which don't offer SMB signing by default (this includes Samba versions before 4.0.0). Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing against active directory domain controllers despite of the "client signing" and "client ipc signing" options. o CVE-2016-2118 (a.k.a. BADLOCK): The Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD] are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. These protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the Security Account Manager Database. This applies to all roles, e.g. standalone, domain member, domain controller. Any authenticated DCERPC connection a client initiates against a server can be used by a man in the middle to impersonate the authenticated user against the SAMR or LSAD service on the server. The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP) and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter in this case. A man in the middle can change auth level to CONNECT (which means authentication without message protection) and take over the connection. As a result, a man in the middle is able to get read/write access to the Security Account Manager Database, which reveals all passwords and any other potential sensitive information. Samba running as an active directory domain controller is additionally missing checks to enforce PKT_PRIVACY for the Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi) and the BackupKey Remote Protocol [MS-BKRP] (backupkey). The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver) is not enforcing at least PKT_INTEGRITY. ==================== New smb.conf options ==================== allow dcerpc auth level connect (G) This option controls whether DCERPC services are allowed to be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per message integrity nor privacy protection. Some interfaces like samr, lsarpc and netlogon have a hard-coded default of no and epmapper, mgmt and rpcecho have a hard-coded default of yes. The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. This option yields precedence to the implementation specific restrictions. E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. Default: allow dcerpc auth level connect = no Example: allow dcerpc auth level connect = yes client ipc signing (G) This controls whether the client is allowed or required to use SMB signing for IPC$ connections as DCERPC transport. Possible values are auto, mandatory and disabled. When set to mandatory or default, SMB signing is required. When set to auto, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either. Connections from winbindd to Active Directory Domain Controllers always enforce signing. Default: client ipc signing = default client ipc max protocol (G) The value of the parameter (a string) is the highest protocol level that will be supported for IPC$ connections as DCERPC transport. Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol. The value default refers to the latest supported protocol, currently SMB3_11. See client max protocol for a full list of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1. Default: client ipc max protocol = default Example: client ipc max protocol = SMB2_10 client ipc min protocol (G) This setting controls the minimum protocol version that the will be attempted to use for IPC$ connections as DCERPC transport. Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol. The value default refers to the higher value of NT1 and the effective value of "client min protocol". See client max protocol for a full list of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1. Default: client ipc min protocol = default Example: client ipc min protocol = SMB3_11 ldap server require strong auth (G) The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes. A value of no allows simple and sasl binds over all transports. A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal. A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal. Default: ldap server require strong auth = yes raw NTLMv2 auth (G) This parameter determines whether or not smbd(8) will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication. If this option, lanman auth and ntlm auth are all disabled, then only clients with SPNEGO support will be permitted. That means NTLMv2 is only supported within NTLMSSP. Default: raw NTLMv2 auth = no tls verify peer (G) This controls if and how strict the client will verify the peer's certificate and name. Possible values are (in increasing order): no_check, ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible. When set to no_check the certificate is not verified at all, which allows trivial man in the middle attacks. When set to ca_only the certificate is verified to be signed from a ca specified in the "tls ca file" option. Setting "tls ca file" to a valid file is required. The certificate lifetime is also verified. If the "tls crl file" option is configured, the certificate is also verified against the ca crl. When set to ca_and_name_if_available all checks from ca_only are performed. In addition, the peer hostname is verified against the certificate's name, if it is provided by the application layer and not given as an ip address string. When set to ca_and_name all checks from ca_and_name_if_available are performed. In addition the peer hostname needs to be provided and even an ip address is checked against the certificate's name. When set to as_strict_as_possible all checks from ca_and_name are performed. In addition the "tls crl file" needs to be configured. Future versions of Samba may implement additional checks. Default: tls verify peer = as_strict_as_possible tls priority (G) (backported from Samba 4.3 to Samba 4.2) This option can be set to a string describing the TLS protocols to be supported in the parts of Samba that use GnuTLS, specifically the AD DC. The default turns off SSLv3, as this protocol is no longer considered secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use in HTTPS applications. The valid options are described in the GNUTLS Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html Default: tls priority = NORMAL:-VERS-SSL3.0 ================ Behavior changes ================ o The default auth level for authenticated binds has changed from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY. That means ncacn_ip_tcp:server is now implicitly the same as ncacn_ip_tcp:server[sign] and offers a similar protection as ncacn_np:server, which relies on smb signing. o The following constraints are applied to SMB1 connections: - "client lanman auth = yes" is now consistently required for authenticated connections using the SMB1 LANMAN2 dialect. - "client ntlmv2 auth = yes" and "client use spnego = yes" (both the default values), require extended security (SPNEGO) support from the server. That means NTLMv2 is only used within NTLMSSP. o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the default of "client ldap sasl wrapping = sign". Even with "client ldap sasl wrapping = plain" they will automatically upgrade to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP server. Changes since 4.4.0: ==================== o Jeremy Allison * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code. o Christian Ambach * Bug 11804 - prerequisite backports for the security release on April 12th, 2016. o Ralph Boehme * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce integrity protection. o Günther Deschner * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability. * Bug 11804 - prerequisite backports for the security release on April 12th, 2016. o Volker Lendecke * Bug 11804 - prerequisite backports for the security release on April 12th, 2016. o Stefan Metzmacher * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code. * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible. * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce integrity protection. * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced. * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP. * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability. * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in the middle attacks. * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not integrity protected. * Bug 11804 - prerequisite backports for the security release on April 12th, 2016. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ---------------------------------------------------------------------- ============================= Release Notes for Samba 4.4.0 March 22, 2016 ============================= This is the first stable release of the Samba 4.4 release series. UPGRADING ========= Nothing special. NEW FEATURES/CHANGES ==================== Asynchronous flush requests --------------------------- Flush requests from SMB2/3 clients are handled asynchronously and do not block the processing of other requests. Note that 'strict sync' has to be set to 'yes' for Samba to honor flush requests from SMB clients. s3: smbd -------- Remove '--with-aio-support' configure option. We no longer would ever prefer POSIX-RT aio, use pthread_aio instead. samba-tool sites ---------------- The 'samba-tool sites' subcommand can now be run against another server by specifying an LDB URL using the '-H' option and not against the local database only (which is still the default when no URL is given). samba-tool domain demote ------------------------ Add '--remove-other-dead-server' option to 'samba-tool domain demote' subcommand. The new version of this tool now can remove another DC that is itself offline. The '--remove-other-dead-server' removes as many references to the DC as possible. samba-tool drs clone-dc-database -------------------------------- Replicate an initial clone of domain, but do not join it. This is developed for debugging purposes, but not for setting up another DC. pdbedit ------- Add '--set-nt-hash' option to pdbedit to update user password from nt-hash hexstring. 'pdbedit -vw' shows also password hashes. smbstatus --------- 'smbstatus' was enhanced to show the state of signing and encryption for sessions and shares. smbget ------ The -u and -p options for user and password were replaced by the -U option that accepts username[%password] as in many other tools of the Samba suite. Similary, smbgetrc files do not accept username and password options any more, only a single "user" option which also accepts user%password combinations. The -P option was removed. s4-rpc_server ------------- Add a GnuTLS based backupkey implementation. ntlm_auth --------- Using the '--offline-logon' enables ntlm_auth to use cached passwords when the DC is offline. Allow '--password' force a local password check for ntlm-server-1 mode. vfs_offline ----------- A new VFS module called vfs_offline has been added to mark all files in the share as offline. It can be useful for shares mounted on top of a remote file system (either through a samba VFS module or via FUSE). KCC --- The Samba KCC has been improved, but is still disabled by default. DNS --- There were several improvements concerning the Samba DNS server. Active Directory ---------------- There were some improvements in the Active Directory area. WINS nsswitch module -------------------- The WINS nsswitch module has been rewritten to address memory issues and to simplify the code. The module now uses libwbclient to do WINS queries. This means that winbind needs to be running in order to resolve WINS names using the nss_wins module. This does not affect smbd. CTDB changes ------------ * CTDB now uses a newly implemented parallel database recovery scheme that avoids deadlocks with smbd. In certain circumstances CTDB and smbd could deadlock. The new recovery implementation avoid this. It also provides improved recovery performance. * All files are now installed into and referred to by the paths configured at build time. Therefore, CTDB will now work properly when installed into the default location at /usr/local. * Public CTDB header files are no longer installed, since Samba and CTDB are built from within the same source tree. * CTDB_DBDIR can now be set to tmpfs[:] This will cause volatile TDBs to be located in a tmpfs. This can help to avoid performance problems associated with contention on the disk where volatile TDBs are usually stored. See ctdbd.conf(5) for more details. * Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used. Instead, nodes should be annotated with the "slave-only" option in the CTDB NAT gateway nodes file. This file must be consistent across nodes in a NAT gateway group. See ctdbd.conf(5) for more details. * New event script 05.system allows various system resources to be monitored This can be helpful for explaining poor performance or unexpected behaviour. New configuration variables are CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in ctdbd.conf(5) for more information. The memory, swap and filesystem usage monitoring previously found in 00.ctdb and 40.fs_use is no longer available. Therefore, configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY, CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are now ignored. * The 62.cnfs eventscript has been removed. To get a similar effect just do something like this: mmaddcallback ctdb-disable-on-quorumLoss \ --command /usr/bin/ctdb \ --event quorumLoss --parms "disable" mmaddcallback ctdb-enable-on-quorumReached \ --command /usr/bin/ctdb \ --event quorumReached --parms "enable" * The CTDB tunable parameter EventScriptTimeoutCount has been renamed to MonitorTimeoutCount It has only ever been used to limit timed-out monitor events. Configurations containing CTDB_SET_EventScriptTimeoutCount= will cause CTDB to fail at startup. Useful messages will be logged. * The commandline option "-n all" to CTDB tool has been removed. The option was not uniformly implemented for all the commands. Instead of command "ctdb ip -n all", use "ctdb ip all". * All CTDB current manual pages are now correctly installed EXPERIMENTAL FEATURES ===================== SMB3 Multi-Channel ------------------ Samba 4.4.0 adds *experimental* support for SMB3 Multi-Channel. Multi-Channel is an SMB3 protocol feature that allows the client to bind multiple transport connections into one authenticated SMB session. This allows for increased fault tolerance and throughput. The client chooses transport connections as reported by the server and also chooses over which of the bound transport connections to send traffic. I/O operations for a given file handle can span multiple network connections this way. An SMB multi-channel session will be valid as long as at least one of its channels are up. In Samba, multi-channel can be enabled by setting the new smb.conf option "server multi channel support" to "yes". It is disabled by default. Samba has to report interface speeds and some capabilities to the client. On Linux, Samba can auto-detect the speed of an interface. But to support other platforms, and in order to be able to manually override the detected values, the "interfaces" smb.conf option has been given an extended syntax, by which an interface specification can additionally carry speed and capability information. The extended syntax looks like this for setting the speed to 1 gigabit per second: interfaces = 192.168.1.42;speed=1000000000 This extension should be used with care and are mainly intended for testing. See the smb.conf manual page for details. CAVEAT: While this should be working without problems mostly, there are still corner cases in the treatment of channel failures that may result in DATA CORRUPTION when these race conditions hit. It is hence NOT RECOMMENDED TO USE MULTI-CHANNEL IN PRODUCTION at this stage. This situation can be expected to improve during the life-time of the 4.4 release. Feed-back from test-setups is highly welcome. REMOVED FEATURES ================ Public headers -------------- Several public headers are not installed any longer. They are made for internal use only. More public headers will very likely be removed in future releases. The following headers are not installed any longer: dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h, gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h, gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h, ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h, smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h, smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h, smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h, smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h, torture.h, tstream_smbXcli_np.h. vfs_smb_traffic_analyzer ------------------------ The SMB traffic analyzer VFS module has been removed, because it is not maintained any longer and not widely used. vfs_scannedonly --------------- The scannedonly VFS module has been removed, because it is not maintained any longer. smb.conf changes ---------------- Parameter Name Description Default -------------- ----------- ------- aio max threads New 100 ldap page size Changed default 1000 server multi channel support New No interfaces Extended syntax KNOWN ISSUES ============ Currently none. CHANGES SINCE 4.4.0rc5 ====================== o Michael Adam * BUG 11796: smbd: Enable multi-channel if 'server multi channel support = yes' in the config. o Günther Deschner * BUG 11802: lib/socket/interfaces: Fix some uninitialied bytes. o Uri Simchoni * BUG 11798: build: Fix build when '--without-quota' specified. CHANGES SINCE 4.4.0rc4 ====================== o Andrew Bartlett * BUG 11780: mkdir can return ACCESS_DENIED incorrectly on create race. * BUG 11783: Mismatch between local and remote attribute ids lets replication fail with custom schema. * BUG 11789: Talloc: Version 2.1.6. o Ira Cooper * BUG 11774: vfs_glusterfs: Fix use after free in AIO callback. o Günther Deschner * BUG 11755: Fix net join. o Amitay Isaacs * BUG 11770: Reset TCP Connections during IP failover. o Justin Maggard * BUG 11773: s3:smbd: Add negprot remote arch detection for OSX. o Stefan Metzmacher * BUG 11772: ldb: Version 1.1.26. * BUG 11782: "trustdom_list_done: Got invalid trustdom response" message should be avoided. o Uri Simchoni * BUG 11769: libnet: Make Kerberos domain join site-aware. * BUG 11788: Quota is not supported on Solaris 10. CHANGES SINCE 4.4.0rc3 ====================== o Jeremy Allison * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can change permissions on link target. o Christian Ambach * BUG 11767: s3:utils/smbget: Fix option parsing. o Alberto Maria Fiaschi * BUG 8093: Access based share enum: handle permission set in configuration files. o Stefan Metzmacher * BUG 11702: s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(). * BUG 11742: tevent: version 0.9.28: Fix memory leak when old signal action restored. * BUG 11755: s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add. * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT handling. o Garming Sam * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT handling. o Uri Simchoni * BUG 11691: winbindd: Return trust parameters when listing trusts. * BUG 11753: smbd: Ignore SVHDX create context. * BUG 11763: passdb: Add linefeed to debug message. CHANGES SINCE 4.4.0rc2 ====================== o Michael Adam * BUG 11723: lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN. * BUG 11735: lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING). o Jeremy Allison * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support. o Christian Ambach * BUG 11700: s3:utils/smbget: Set default blocksize. o Anoop C S * BUG 11734: lib/socket: Fix improper use of default interface speed. o Ralph Boehme * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD. o Volker Lendecke * BUG 11724: smbd: Fix CID 1351215 Improper use of negative value. * BUG 11725: smbd: Fix CID 1351216 Dereference null return value. * BUG 11732: param: Fix str_list_v3 to accept ; again. o Noel Power * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee. o Jose A. Rivera * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file. o Andreas Schneider * BUG 11730: docs: Add manpage for cifsdd. * BUG 11739: Fix installation path of Samba helper binaries. o Berend De Schouwer * BUG 11643: docs: Add example for domain logins to smbspool man page. o Martin Schwenke * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..." o Hemanth Thummala * BUG 11708: loadparm: Fix memory leak issue. * BUG 11740: Fix memory leak in loadparm. CHANGES SINCE 4.4.0rc1 ====================== o Michael Adam * BUG 11715: s3:vfs:glusterfs: Fix build after quota changes. o Jeremy Allison * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create. o Christian Ambach * BUG 11700: Streamline 'smbget' options with the rest of the Samba utils. o Günther Deschner * BUG 11696: ctdb: Do not provide a useless pkgconfig file for ctdb. o Stefan Metzmacher * BUG 11699: Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then. o Amitay Isaacs * BUG 11705: Sockets with htons(IPPROTO_RAW) and CVE-2015-8543. o Andreas Schneider * BUG 11690: docs: Add smbspool_krb5_wrapper manpage. o Uri Simchoni * BUG 11681: smbd: Show correct disk size for different quota and dfree block sizes. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ======================================================================