1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
|
==============================
Release Notes for Samba 4.15.5
January 31, 2022
==============================
This is a security release in order to address the following defects:
o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
of a symlink exists.
https://www.samba.org/samba/security/CVE-2021-44141.html
o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
https://www.samba.org/samba/security/CVE-2021-44142.html
o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
https://www.samba.org/samba/security/CVE-2022-0336.html
Changes since 4.15.4
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 14911: CVE-2021-44141
o Ralph Boehme <slow@samba.org>
* BUG 14914: CVE-2021-44142
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14950: CVE-2022-0336
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.15.4
January 19, 2022
==============================
This is the latest stable release of the Samba 4.15 release series.
Changes since 4.15.3
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 14928: Duplicate SMB file_ids leading to Windows client cache
poisoning.
* BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
calling the "Reconnecting with SMB1 for workgroup listing" path.
* BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
o Pavel Filipenský <pfilipen@redhat.com>
* BUG 14940: Cross device copy of the crossrename module always fails.
* BUG 14941: symlinkat function from VFS cap module always fails with an
error.
* BUG 14942: Fix possible fsp pointer deference.
o Volker Lendecke <vl@samba.org>
* BUG 14934: kill_tcp_connections does not work.
o Stefan Metzmacher <metze@samba.org>
* BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL.
* BUG 14935: Can't connect to Windows shares not requiring authentication
using KDE/Gnome.
o Andreas Schneider <asn@samba.org>
* BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
o Jones Syue <jonessyue@qnap.com>
* BUG 14928: Duplicate SMB file_ids leading to Windows client cache
poisoning.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.3
December 08, 2021
==============================
This is the latest stable release of the Samba 4.15 release series.
Important Notes
===============
There have been a few regressions in the security release 4.15.2:
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
PLEASE [RE-]READ!
The instructions have been updated and some workarounds
initially adviced for 4.15.2 are no longer required and
should be reverted in most cases.
o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable. While this release should fix this bug, it is
adviced to have a look at the bug report for more detailed
information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
Changes since 4.15.2
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
* BUG 14879: A directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory.
* BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
uninitialized in rmdir_internals().
o Andrew Bartlett <abartlet@samba.org>
* BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
* BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable.
o Ralph Boehme <slow@samba.org>
* BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
* BUG 14882: smbXsrv_client_global record validation leads to crash if
existing record points at non-existing process.
* BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
* BUG 14897: Samba process doesn't log to logfile.
* BUG 14907: set_ea_dos_attribute() fallback calling
get_file_handle_for_metadata() triggers locking.tdb assert.
* BUG 14922: Kerberos authentication on standalone server in MIT realm
broken.
* BUG 14923: Segmentation fault when joining the domain.
o Alexander Bokovoy <ab@samba.org>
* BUG 14903: Support for ROLE_IPA_DC is incomplete.
o Günther Deschner <gd@samba.org>
* BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
* BUG 14893: winexe crashes since 4.15.0 after popt parsing.
o Volker Lendecke <vl@samba.org>
* BUG 14908: net ads status -P broken in a clustered environment.
o Stefan Metzmacher <metze@samba.org>
* BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
smbd_smb2_ioctl_send.
* BUG 14882: smbXsrv_client_global record validation leads to crash if
existing record points at non-existing process.
* BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
o Andreas Schneider <asn@samba.org>
* BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
* BUG 14883: smbclient login without password using '-N' fails with
NT_STATUS_INVALID_PARAMETER on Samba AD DC.
* BUG 14912: A schannel client incorrectly detects a downgrade connecting to
an AES only server.
* BUG 14921: Possible null pointer dereference in winbind.
o Andreas Schneider <asn@cryptomilk.org>
* BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
net, etc.
o Martin Schwenke <martin@meltin.net>
* BUG 14872: Add Debian 11 CI bootstrap support.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
o Andrew Walker <awalker@ixsystems.com>
* BUG 14888: Crash in recycle_unlink_internal().
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.2
November 9, 2021
==============================
This is a security release in order to address the following defects:
o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
https://www.samba.org/samba/security/CVE-2016-2124.html
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
(PLEASE READ! There are important behaviour changes described)
o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
by an RODC.
https://www.samba.org/samba/security/CVE-2020-25718.html
o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
tickets.
https://www.samba.org/samba/security/CVE-2020-25719.html
o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
(eg objectSid).
https://www.samba.org/samba/security/CVE-2020-25721.html
o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
checking of data stored.
https://www.samba.org/samba/security/CVE-2020-25722.html
o CVE-2021-3738: Use after free in Samba AD DC RPC server.
https://www.samba.org/samba/security/CVE-2021-3738.html
o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
https://www.samba.org/samba/security/CVE-2021-23192.html
Changes since 4.15.1
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* CVE-2020-25722
o Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25718
* CVE-2020-25719
* CVE-2020-25721
* CVE-2020-25722
o Ralph Boehme <slow@samba.org>
* CVE-2020-25717
o Alexander Bokovoy <ab@samba.org>
* CVE-2020-25717
o Samuel Cabrero <scabrero@samba.org>
* CVE-2020-25717
o Nadezhda Ivanova <nivanova@symas.com>
* CVE-2020-25722
o Stefan Metzmacher <metze@samba.org>
* CVE-2016-2124
* CVE-2020-25717
* CVE-2020-25719
* CVE-2020-25722
* CVE-2021-23192
* CVE-2021-3738
o Andreas Schneider <asn@samba.org>
* CVE-2020-25719
o Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2020-17049
* CVE-2020-25718
* CVE-2020-25719
* CVE-2020-25721
* CVE-2020-25722
* MS CVE-2020-17049
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.1
October 27, 2021
==============================
This is the latest stable release of the Samba 4.15 release series.
Changes since 4.15.0
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
* BUG 14685: Log clutter from filename_convert_internal.
* BUG 14862: MacOSX compilation fixes.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14868: rodc_rwdc test flaps.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
Heimdal.
* BUG 14836: Python ldb.msg_diff() memory handling failure.
* BUG 14845: "in" operator on ldb.Message is case sensitive.
* BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
* BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
* BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
* BUG 14874: Allow special chars like "@" in samAccountName when generating
the salt.
o Ralph Boehme <slow@samba.org>
* BUG 14826: Correctly ignore comments in CTDB public addresses file.
o Isaac Boukris <iboukris@gmail.com>
* BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
Heimdal.
o Viktor Dukhovni <viktor@twosigma.com>
* BUG 12998: Fix transit path validation.
o Pavel Filipenský <pfilipen@redhat.com>
* BUG 14852: Fix that child winbindd logs to log.winbindd instead of
log.wb-<DOMAIN>.
o Luke Howard <lukeh@padl.com>
* BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
Heimdal.
o Stefan Metzmacher <metze@samba.org>
* BUG 14855: SMB3 cancel requests should only include the MID together with
AsyncID when AES-128-GMAC is used.
o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
* BUG 14862: MacOSX compilation fixes.
o Andreas Schneider <asn@samba.org>
* BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
o Martin Schwenke <martin@meltin.net>
* BUG 14826: Correctly ignore comments in CTDB public addresses file.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
Heimdal.
* BUG 14836: Python ldb.msg_diff() memory handling failure.
* BUG 14845: "in" operator on ldb.Message is case sensitive.
* BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
* BUG 14868: rodc_rwdc test flaps.
* BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
* BUG 14874: Allow special chars like "@" in samAccountName when generating
the salt.
o Nicolas Williams <nico@twosigma.com>
* BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
Heimdal.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.0
September 20, 2021
==============================
This is the first stable release of the Samba 4.15 release series.
Please read the release notes carefully before upgrading.
Removed SMB (development) dialects
==================================
The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They are were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or an the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".
New GPG key
===========
The GPG release key for Samba releases changed from:
pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
to the following new key:
pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
New minimum version for the experimental MIT KDC
================================================
The build of the AD DC using the system MIT Kerberos, an
experimental feature, now requires MIT Kerberos 1.19. An up-to-date
Fedora 34 has this version and has backported fixes for the KDC crash
bugs CVE-2021-37750 and CVE-2021-36222
NEW FEATURES/CHANGES
====================
VFS
---
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
with a modernized VFS designed for the post SMB1 world.
For details please refer to the documentation at source3/modules/The_New_VFS.txt
or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could use a DNS zone transfer request to the
bind server, and get an answer from Samba. Now the default behaviour
will be to deny those request. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.
"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.
samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.
Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. A
number of options were requiring to specify values in one tool and not in the
other, some options meant different in different tools.
These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.
Previously many tools silently ignored unknown options. To prevent unexpected
behaviour all tools will now consistently reject unknown options.
Also several command line options have a smb.conf variable to control the
default now.
All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is setup to go to a file by default.
### Common parser:
Options added:
--client-protection=off|sign|encrypt
Options renamed:
--kerberos -> --use-kerberos=required|desired|off
--krb5-ccache -> --use-krb5-ccache=CCACHE
--scope -> --netbios-scope=SCOPE
--use-ccache -> --use-winbind-ccache
Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing
### Duplicates in command line utils
ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor,
as it used to be.
-s is no longer reported as an alias for --configfile,
it never worked that way as it was shadowed by '-s' for '--scope'.
ndrdump:
-l is not available for --load-dso anymore
net:
-l is not available for --long anymore
sharesec:
-V is not available for --viewsddl anymore
smbcquotas:
--user -> --quota-user
nmbd:
--log-stdout -> --debug-stdout
smbd:
--log-stdout -> --debug-stdout
winbindd:
--log-stdout -> --debug-stdout
Scanning of trusted domains and enterprise principals
-----------------------------------------------------
As an artifact from the NT4 times, we still scanned the list of trusted domains
on winbindd startup. This is wrong as we never can get a full picture in Active
Directory. It is time to change the default value to "No". Also with this change
we always use enterprise principals for Kerberos so that the DC will be able
to redirect ticket requests to the right DC. This is e.g. needed for one way
trusts. The options `winbind use krb5 enterprise principals` and
`winbind scan trusted domains` will be deprecated in one of the next releases.
Support for Offline Domain Join (ODJ)
-------------------------------------
The net utility is now able to support the offline domain join feature
as known from the Windows djoin.exe command for many years. Samba's
implementation is accessible via the 'net offlinejoin' subcommand. It
can provision computers and request offline joining for both Windows
and Unix machines. It is also possible to provision computers from
Windows (using djoin.exe) and use the generated data in Samba's 'net'
utility. The existing options for the provisioning and joining steps
are documented in the net(8) manpage.
'samba-tool dns zoneoptions' for aging control
----------------------------------------------
The 'samba-tool dns zoneoptions' command can be used to turn aging on
and off, alter the refresh and no-refresh periods, and manipulate the
timestamps of existing records.
To turn aging on for a zone, you can use something like this:
samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
which turns on aging and ensures no records less than five years old
are aged out and scavenged. After aging has been on for sufficient
time for records to be renewed, the command
samba-tool dns zoneoptions --refreshinterval=168
will set the refresh period to the standard seven days. Using this two
step process will help prevent the temporary loss of dynamic records
if scavenging happens before their first renewal.
Marking old records as static or dynamic with 'samba-tool'
----------------------------------------------------------
A bug in Samba versions prior to 4.9 meant records that were meant to
be static were marked as dynamic and vice versa. To fix the timestamps
in these domains, it is possible to use the following options,
preferably before turning aging on.
--mark-old-records-static
--mark-records-dynamic-regex
--mark-records-static-regex
The "--mark-old-records-static" option will make records older than the
specified date static (that is, with a zero timestamp). For example,
if you upgraded to Samba 4.9 in November 2018, you could use ensure no
old records will be mistakenly interpreted as dynamic using the
following option:
samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
Then, if you know that that will have marked some records as static
that should be dynamic, and you know which those are due to your
naming scheme, you can use commands like:
samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
where '\w+-desktop' is a perl-compatible regular expression that will
match 'bob-desktop', 'alice-desktop', and so on.
These options are deliberately long and cumbersome to type, so people
have a chance to think before they get to the end. You can make a
mess if you get it wrong.
All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
argument that allows you to inspect the likely results before going
ahead.
NOTE: for aging to work, you need to have "dns zone scavenging = yes"
set in the smb.conf of at least one server.
DNS tombstones are now deleted as appropriate
---------------------------------------------
When all the records for a DNS name have been deleted, the node is put
in a tombstoned state (separate from general AD object tombstoning,
which deleted nodes also go through). These tombstones should be
cleaned up periodically. Due to a conflation of scavenging and
tombstoning, we have only been deleting tombstones when aging is
enabled.
If you have a lot of tombstoned DNS nodes (that is, DNS names for
which you have removed all the records), cleaning up these DNS
tombstones may take a noticeable time.
DNS tombstones use a consistent timestamp format
------------------------------------------------
DNS records use an hours-since-1601 timestamp format except for in the
case of tombstone records where a 100-nanosecond-intervals-since-1601
format is used (this latter format being the most common in Windows).
We had mixed that up, which might have had strange effects in zones
where aging was enabled (and hence tombstone timestamps were used).
samba-tool dns update and RPC changes
-------------------------------------
The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
to manipulate dns records on the remote server. A bug in Samba meant
it was not possible to update an existing DNS record to change the
TTL. The general behaviour of RPC updates is now closer to that of
Windows.
'samba-tool dns update' is now a bit more careful in rejecting and
warning you about malformed IPv4 and IPv6 addresses.
CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
-----------------------------------------------------------------------
An unuthenticated user can crash the AD DC KDC by omitting the server
name in a TGS-REQ. Per Samba's updated security process a specific
security release was not made for this issue as it is a recoverable
Denial Of Service.
See https://wiki.samba.org/index.php/Samba_Security_Proces
samba-tool domain backup offline with the LMDB backend
------------------------------------------------------
samba-tool domain backup offline, when operating with the LMDB backend
now correctly takes out locks against concurrent modification of the
database during the backup. If you use this tool on a Samba AD DC
using LMDB, you should upgrade to this release for safer backups.
REMOVED FEATURES
================
Tru64 ACL support has been removed from this release. The last
supported release of Tru64 UNIX was in 2012.
NIS support has been removed from this release. This is not
available in Linux distributions anymore.
The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
which have been out of support since 2018.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
client use kerberos New desired
client max protocol Values Removed
client min protocol Values Removed
client protection New default
client smb3 signing algorithms New see man smb.conf
client smb3 encryption algorithms New see man smb.conf
preopen:posix-basic-regex New No
preopen:nomatch_log_level New 5
preopen:match_log_level New 5
preopen:nodigits_log_level New 1
preopen:founddigits_log_level New 3
preopen:reset_log_level New 5
preopen:push_log_level New 3
preopen:queue_log_level New 10
server max protocol Values Removed
server min protocol Values Removed
server multi channel support Changed Yes (on Linux and FreeBSD)
server smb3 signing algorithms New see man smb.conf
server smb3 encryption algorithms New see man smb.conf
winbind use krb5 enterprise principals Changed Yes
winbind scan trusted domains Changed No
CHANGES SINCE 4.15.0rc6
=======================
o Andrew Bartlett <abartlet@samba.org>
* BUG 14791: All the ways to specify a password are not documented.
o Ralph Boehme <slow@samba.org>
* BUG 14790: vfs_btrfs compression support broken.
* BUG 14828: Problems with commandline parsing.
* BUG 14829: smbd crashes when "ea support" is set to no.
o Stefan Metzmacher <metze@samba.org>
* BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
use the same strings as smbstatus output.
* BUG 14828: Problems with commandline parsing.
o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
* BUG 8773: smbd fails to run as root because it belongs to more than 16
groups on MacOS X.
o Martin Schwenke <martin@meltin.net>
* BUG 14784: Fix CTDB flag/status update race conditions.
CHANGES SINCE 4.15.0rc5
=======================
o Andrew Bartlett <abartlet@samba.org>
* BUG 14806: Address a signifcant performance regression in database access
in the AD DC since Samba 4.12.
* BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
Samba 4.9 by using an explicit database handle cache.
* BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
* BUG 14818: Address flapping samba_tool_drs_showrepl test.
* BUG 14819: Address flapping dsdb_schema_attributes test.
o Luke Howard <lukeh@padl.com>
* BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
o Andreas Schneider <asn@samba.org>
* BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
CHANGES SINCE 4.15.0rc4
=======================
o Jeremy Allison <jra@samba.org>
* BUG 14809: Shares with variable substitutions cause core dump upon
connection from MacOS Big Sur 11.5.2.
* BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
build.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14815: A subset of tests from Samba's selftest system were not being
run, while others were run twice.
o Ralph Boehme <slow@samba.org>
* BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
* BUG 14787: net conf list crashes when run as normal user,
* BUG 14803: smbd/winbindd started in daemon mode generate output on
stderr/stdout.
* BUG 14804: winbindd can crash because idmap child state is not fully
initialized.
o Stefan Metzmacher <metze@samba.org>
* BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
CHANGES SINCE 4.15.0rc3
=======================
o Bjoern Jacke <bj@sernet.de>
* BUG 14800: util_sock: fix assignment of sa_socklen.
CHANGES SINCE 4.15.0rc2
=======================
o Jeremy Allison <jra@samba.org>
* BUG 14760: vfs_streams_depot directory creation permissions and store
location problems.
* BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
* BUG 14769: smbd panic on force-close share during offload write.
* BUG 14805: OpenDir() loses the correct errno return.
o Ralph Boehme <slow@samba.org>
* BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
o Stefan Metzmacher <metze@samba.org>
* BUG 14793: Start the SMB encryption as soon as possible.
o Andreas Schneider <asn@samba.org>
* BUG 14779: Winbind should not start if the socket path is too long.
o Noel Power <noel.power@suse.com>
* BUG 14760: vfs_streams_depot directory creation permissions and store
location problems.
CHANGES SINCE 4.15.0rc1
=======================
o Andreas Schneider <asn@samba.org>
* BUG 14768: smbd/winbind should load the registry if configured
* BUG 14777: do not quote passed argument of configure script
* BUG 14779: Winbind should not start if the socket path is too long
o Stefan Metzmacher <metze@samba.org>
* BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
* BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
o Ralph Boehme <slow@samba.org>
* BUG 14700: file owner not available when file unredable
o Jeremy Allison <jra@samba.org>
* BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
* BUG 14759: 4.15rc can leak meta-data about the directory containing the
share path
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
|
