1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
|
==============================
Release Notes for Samba 4.7.12
November 27, 2018
==============================
This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
=======
Details
=======
o CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
o CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
For more details and workarounds, please refer to the security advisories.
Changes since 4.7.11:
--------------------
o Andrew Bartlett <abartlet@samba.org>
* BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
mis-matching principal.
* BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
Kerberos is experimental
o Aaron Haslett <aaronhaslett@catalyst.net.nz>
* BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.
o Garming Sam <garming@catalyst.net.nz>
* BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.7.11
October 23, 2018
==============================
Please note that this will very likely be the last bugfix release of the Samba
4.7 release series. There will be security fixes only beyond this point.
Changes since 4.7.10:
--------------------
o Paulo Alcantara <paulo@paulo.ac>
* BUG 13578: s3: util: Do not take over stderr when there is no log file.
o Jeremy Allison <jra@samba.org>
* BUG 13585: s3: smbd: Ensure get_real_filename() copes with empty pathnames.
* BUG 13633: s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test.
o Ralph Boehme <slow@samba.org>
* BUG 13549: Durable Reconnect fails because cookie.allow_reconnect is not
set redundant for SMB2.
o Alexander Bokovoy <ab@samba.org>
* BUG 13539: krb5-samba: Interdomain trust uses different salt principal.
o Volker Lendecke <vl@samba.org>
* BUG 13362: Fix possible memory leak in the Samba process.
* BUG 13441: vfs_fruit: Don't unlink the main file.
* BUG 13602: smbd: Fix a memleak in async search ask sharemode.
o Stefan Metzmacher <metze@samba.org>
* BUG 11517: Fix Samba GPO issue when Trust is enabled.
* BUG 13539: samba-tool: Add virtualKerberosSalt attribute to 'user
getpassword/syncpasswords'.
* BUG 13624: smb2_server: Set req->do_encryption = true earlier.
o Andreas Schneider <asn@samba.org>
* BUG 12851: s3:winbind: Fix regression.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.7.10
August 27, 2018
==============================
This is the latest stable release of the Samba 4.7 release series.
Changes since 4.7.9:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13474: python: pysmbd: Additional error path leak fix.
* BUG 13511: libsmbclient: Initialize written value before use.
* BUG 13527: s3: libsmbclient: Fix cli_splice() fallback when reading less
than a complete file.
* BUG 13537: Using "sendfile = yes" with SMB2 can cause CPU spin.
o Jeffrey Altman <jaltman@secure-endpoints.com>
* BUG 11573: heimdal: lib/krb5: Do not fail set_config_files due to parse
error.
o Andrew Bartlett <abartlet@samba.org>
* BUG 13519: ldb: Refuse to build Samba against a newer minor version of
ldb.
o Bailey Berro <baileyberro@chromium.org>
* BUG 13511: libsmbclient: Initialize written in cli_splice_fallback().
o Alexander Bokovoy <ab@samba.org>
* BUG 13538: samba-tool trust: Support discovery via netr_GetDcName.
o Ralph Boehme <slow@samba.org>
* BUG 13318: Durable Handles reconnect fails in a cluster when the cluster
fs uses different device ids.
* BUG 13351: s3: smbd: Always set vuid in check_user_ok().
* BUG 13505: lib: smb_threads: Fix access before init bug.
* BUG 13535: s3: smbd: Fix path check in
smbd_smb2_create_durable_lease_check().
* BUG 13451: Fail renaming file if that file has open streams.
o Günther Deschner <gd@samba.org>
* BUG 13437: Fix building Samba with gcc 8.1.
o David Disseldorp <ddiss@samba.org>
* BUG 13506: vfs_ceph: Don't lie about flock support.
* BUG 13540: Fix deadlock with ctdb_mutex_ceph_rados_helper.
o Volker Lendecke <vl@samba.org>
* BUG 13195: g_lock: Fix lock upgrades.
* BUG 13584: vfs_fruit: Fix a panic if fruit_access_check detects a locking
conflict.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 13536: The current position in the dns name was not advanced past the
'.' character.
o Stefan Metzmacher <metze@samba.org>
* BUG 13308: samba-tool domain trust: Fix trust compatibility to Windows
Server 1709 and FreeIPA.
o Christof Schmitt <cs@samba.org>
* BUG 13478: krb5_wrap: Fix keep_old_entries logic for older kerberos
libraries.
o Andreas Schneider <asn@samba.org>
* BUG 13437: Fix building Samba with gcc 8.1.
o Martin Schwenke <martin@meltin.net>
* BUG 13499: Don't use CTDB_BROADCAST_VNNMAP.
* BUG 13500: ctdb-daemon: Only consider client ID for local database attach.
o Karolin Seeger <kseeger@samba.org>
* BUG 13499: s3/notifyd.c: Rename CTDB_BROADCAST_VNNMAP to
CTDB_BROADCAST_ACTIVE.
o Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
* BUG 13568: vfs_time_audit: Fix handling of token_blob in
smb_time_audit_offload_read_recv().
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.9
August 14, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
=======
Details
=======
o CVE-2018-1139:
Vulnerability that allows authentication via NTLMv1 even if disabled.
o CVE-2018-10858:
A malicious server could return a directory entry that could corrupt
libsmbclient memory.
o CVE-2018-10918:
Missing null pointer checks may crash the Samba AD DC, over the
authenticated DRSUAPI RPC service.
o CVE-2018-10919:
Missing access control checks allow discovery of confidential attribute
values via authenticated LDAP search expressions.
Changes since 4.7.8:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
returns from malicious servers.
o Andrew Bartlett <abartlet@samba.org>
* BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
not servicePrincipalName is set on a user.
o Tim Beale <timbeale@catalyst.net.nz>
* BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
searches.
o Günther Deschner <gd@samba.org>
* BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
is disabled via "ntlm auth".
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.8
June 21, 2018
=============================
This is the latest stable release of the Samba 4.7 release series.
Changes since 4.7.7:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13380: s3: smbd: Generic fix for incorrect reporting of stream dos
attributes on a directory.
* BUG 13412: ceph: VFS: Add asynchronous fsync to ceph module, fake using
synchronous call.
* BUG 13419: s3: libsmbclient: Fix hard-coded connection error return of
ETIMEDOUT.
* BUG 13428: s3: smbd: Fix SMB2-FLUSH against directories.
* BUG 13457: s3: smbd: printing: Re-implement delete-on-close semantics for
print files missing since 3.5.x.
* BUG 13474: python: Fix talloc frame use in make_simple_acl().
o Andrew Bartlett <abartlet@samba.org>
* BUG 13430: winbindd on the AD DC is slow for passdb queries.
* BUG 13454: No Backtrace given by Samba's AD DC by default.
o Ralph Boehme <slow@samba.org>
* BUG 13332: winbindd doesn't recover loss of netlogon secure channel in
case the peer DC is rebooted.
* BUG 13432: s3:smbd: Fix interaction between chown and SD flags.
o Günther Deschner <gd@samba.org>
* BUG 13437: s4-heimdal: Fix the format-truncation errors.
o David Disseldorp <ddiss@samba.org>
* BUG 13425: vfs_ceph: Add fake async pwrite/pread send/recv hooks.
o Björn Jacke <bjacke@samba.org>
* BUG 13395: printing: Return the same error code as Windows does on upload
failures.
o Volker Lendecke <vl@samba.org>
* BUG 13290: winbind: Improve child selection.
* BUG 13292: winbind: Maintain a binding handle per domain and always go via
wb_domain_request_send().
* BUG 13332: winbindd doesn't recover loss of netlogon secure channel in
case the peer DC is rebooted.
* BUG 13369: Looking up the user using the UPN results in user name with the
REALM instead of the DOMAIN.
* BUG 13370: rpc_server: Init local_server_* in
make_internal_rpc_pipe_socketpair.
* BUG 13382: smbclient: Fix broken notify.
o Stefan Metzmacher <metze@samba.org>
* BUG 13273: libads: Fix the build --without-ads.
* BUG 13279: winbindd: Don't split the rid for SID_NAME_DOMAIN sids in
wb_lookupsids.
* BUG 13280: winbindd: initialize type = SID_NAME_UNKNOWN in
wb_lookupsids_single_done().
* BUG 13289: s4:rpc_server: Fix call_id truncation in
dcesrv_find_fragmented_call().
* BUG 13290: A disconnecting winbind client can cause a problem in the
winbind parent child communication.
* BUG 13291: tevent: version 0.9.36
- improve documentation of tevent_queue_add_optimize_empty()
- add tevent_queue_entry_untrigger()
* BUG 13292: winbind: Use one queue for all domain children.
* BUG 13293: Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state.
* BUG 13294: winbind should avoid using fstrcpy(domain->dcname,...) on a
char *.
* BUG 13295: The winbind parent should find the dc of a foreign domain via
the primary domain.
* BUG 13400: nsswitch: Fix memory leak in winbind_open_pipe_sock() when the
privileged pipe is not accessable.
* BUG 13427: Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling
(NTLMSSP NTLM2 packet check failed due to invalid signature!).
o Vandana Rungta <vrungta@amazon.com>
* BUG 13424: s3: VFS: Fix memory leak in vfs_ceph.
o Christof Schmitt <cs@samba.org>
* BUG 13407: rpc_server: Fix NetSessEnum with stale sessions.
* BUG 13446: dfree cache returning incorrect data for sub directory mounts.
o Andreas Schneider <asn@samba.org>
* BUG 13369: Looking up the user using the UPN results in user name with the
REALM instead of the DOMAIN.
* BUG 13376: s3:passdb: Do not return OK if we don't have pinfo set up.
* BUG 13440: s3:utils: Do not segfault on error in DoDNSUpdate().
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.7
April 17, 2018
=============================
This is the latest stable release of the Samba 4.7 release series.
Changes since 4.7.6:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13206: s4:auth_sam: Allow logons with an empty domain name.
* BUG 13244: s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on
error, we don't own it here.
* BUG 13270: s3: smbd: Fix possible directory fd leak if the underlying
OS doesn't support fdopendir().
* BUG 13319: Round-tripping ACL get/set through vfs_fruit will increase
the number of ACE entries without limit.
* BUG 13347: s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically
debug credit issues.
* BUG 13358: s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE
without delete access.
* BUG 13372: s3: smbd: Fix memory leak in vfswrap_getwd().
* BUG 13375: s3: smbd: Unix extensions attempts to change wrong field
in fchown call.
o Ralph Boehme <slow@samba.org>
* BUG 13363: s3:smbd: Don't use the directory cache for SMB2/3.
o Günther Deschner <gd@samba.org>
* BUG 13277: build: Fix libceph-common detection.
o David Disseldorp <ddiss@suse.de>
* BUG 13250: build: Fix ceph_statx check when configured with libcephfs_dir.
o Poornima G <pgurusid@redhat.com>
* BUG 13297: vfs_glusterfs: Fix the wrong pointer being sent in
glfs_fsync_async.
o Amitay Isaacs <amitay@gmail.com>
* BUG 13359: ctdb-scripts: Drop 'net serverid wipe' from 50.samba event
script.
o Lutz Justen <ljusten@google.com>
* BUG 13368: s3: lib: messages: Don't use the result of sec_init() before
calling sec_init().
o Volker Lendecke <vl@samba.org>
* BUG 13215: smbd can panic if the client-supplied channel sequence number
wraps.
* BUG 13367: dsdb: Fix CID 1034966 Uninitialized scalar variable.
o Stefan Metzmacher <metze@samba.org>
* BUG 13206: s3:libsmb: Allow -U"\\administrator" to work.
* BUG 13328: Windows 10 cannot logon on Samba NT4 domain.
o David Mulder <dmulder@suse.com>
* BUG 13050: smbc_opendir should not return EEXIST with invalid login
credentials.
o Anton Nefedov
* BUG 13338: s3:smbd: map nterror on smb2_flush errorpath.
o Dan Robertson <drobertson@tripwire.com>
* BUG 13310: libsmb: Use smb2 tcon if conn_protocol >= SMB2_02.
o Garming Sam <garming@catalyst.net.nz>
* BUG 13031: subnet: Avoid a segfault when renaming subnet objects.
o Christof Schmitt <cs@samba.org>
* BUG 13312: 'wbinfo --name-to-sid' returns misleading result on invalid
query.
o Andreas Schneider <asn@samba.org>
* BUG 13315: s3:smbd: Do not crash if we fail to init the session table.
o Eric Vannier <evannier@google.com>
* BUG 13302: Allow AESNI to be used on all processor supporting AESNI.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.6
March 13, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-1050 (Denial of Service Attack on external print server.)
o CVE-2018-1057 (Authenticated users can change other users' password.)
=======
Details
=======
o CVE-2018-1050:
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.
There is no known vulnerability associated with this error, merely a
denial of service. If the RPC spoolss service is left by default as an
internal service, all a client can do is crash its own authenticated
connection.
o CVE-2018-1057:
On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users'
passwords, including administrative users.
Possible workarounds are described at a dedicated page in the Samba wiki:
https://wiki.samba.org/index.php/CVE-2018-1057
Changes since 4.7.5:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code.
o Ralph Boehme <slow@samba.org>
* BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin)
password.
o Stefan Metzmacher <metze@samba.org>
* BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin)
password.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.5
February 7, 2018
=============================
This is the latest stable release of the Samba 4.7 release series.
Major enhancements include:
o BUG 13228: This is a major issue in Samba's ActiveDirectory domain
controller code. It might happen that AD objects have missing or broken
linked attributes. This could lead to broken group memberships e.g.
All Samba AD domain controllers set up with Samba 4.6 or lower and then
upgraded to 4.7 are affected. The corrupt database can be fixed with
'samba-tool dbcheck --cross-ncs --fix'.
Changes since 4.7.4:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13193: smbd tries to release not leased oplock during oplock II
downgrade.
o Ralph Boehme <slow@samba.org>
* BUG 13181: Fix copying file with empty FinderInfo from Windows client
to Samba share with fruit.
o Günther Deschner <gd@samba.org>
* BUG 10976: build: Deal with recent glibc sunrpc header removal.
* BUG 13238: Make Samba work with tirpc and libnsl2.
o David Disseldorp <ddiss@samba.org>
* BUG 13208: vfs_ceph: Add fs_capabilities hook to avoid local statvfs.
o Love Hornquist Astrand <lha@h5l.org>
* BUG 12986: Kerberos: PKINIT: Can't decode algorithm parameters in
clientPublicValue.
o Amitay Isaacs <amitay@gmail.com>
* BUG 13188: ctdb-recovery-helper: Deregister message handler in error
paths.
o Volker Lendecke <vl@samba.org>
* BUG 13240: samba: Only use async signal-safe functions in signal handler.
o Stefan Metzmacher <metze@samba.org>
* BUG 12986: Kerberos: PKINIT: Can't decode algorithm parameters in
clientPublicValue.
* BUG 13228: repl_meta_data: Fix linked attribute corruption on databases
with unsorted links on expunge. dbcheck: Add functionality to fix the
corrupt database.
o Christof Schmitt <cs@samba.org>
* BUG 13189: Fix smbd panic when chdir returns error during exit.
o Andreas Schneider <asn@samba.org>
* BUG 13238: Make Samba work with tirpc and libnsl2.
o Uri Simchoni <uri@samba.org>
* BUG 13176: Fix POSIX ACL support on HPUX and possibly other big-endian OSs.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.4
December 22, 2017
=============================
This is the latest stable release of the Samba 4.7 release series.
smbclient reparse point symlink parameters reversed
===================================================
A bug in smbclient caused the 'symlink' command to reverse the
meaning of the new name and link target parameters when creating a
reparse point symlink against a Windows server.
This only affects using the smbclient 'symlink' command against
a Windows server, not a Samba server using the UNIX extensions
(the parameter order is correct in that case) so no existing
user scripts that depend on creating symlinks on Samba servers
need to change.
As this is a little used feature the ordering of these parameters
has been reversed to match the parameter ordering of the UNIX
extensions 'symlink' command. This means running 'symlink' against
both Windows and Samba now uses the same paramter ordering in both
cases.
The usage message for this command has also been improved to remove confusion.
Changes since 4.7.3:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13140: s3: smbclient: Implement 'volume' command over SMB2.
* BUG 13171: s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv().
* BUG 13172: s3: libsmb: Fix reversing of oldname/newname paths when creating
a reparse point symlink on Windows from smbclient.
o Timur I. Bakeyev <timur@iXsystems.com>
* BUG 12934: Build man page for vfs_zfsacl.8 with Samba.
o Andrew Bartlett <abartlet@samba.org>
* BUG 13095: repl_meta_data: Allow delete of an object with dangling
backlinks.
* BUG 13129: s4:samba: Fix default to be running samba as a deamon.
* BUG 13191: Performance regression in DNS server with introduction of
DNS wildcard, ldb: Release 1.2.3
o Ralph Boehme <slow@samba.org>
* BUG 6133: vfs_zfsacl: Fix compilation error.
* BUG 13051: "smb encrypt" setting changes are not fully applied until full
smbd restart.
* BUG 13052: winbindd: Fix idmap_rid dependency on trusted domain list.
* BUG 13155: vfs_fruit: Proper VFS-stackable conversion of FinderInfo.
* BUG 13173: winbindd: Dependency on trusted-domain list in winbindd in
critical auth codepath.
o Andrej Gessel <Andrej.Gessel@janztec.com>
* BUG 13120: repl_meta_data: Fix removing of backlink on deleted objects.
o Amitay Isaacs <amitay@gmail.com>
"* BUG 13153: ctdb: sock_daemon leaks memory.
* BUG 13154: TCP tickles not getting synchronised on CTDB restart.
o Volker Lendecke <vl@samba.org>
* BUG 13150: winbindd: winbind parent and child share a ctdb connection.
* BUG 13170: pthreadpool: Fix deadlock.
* BUG 13179: pthreadpool: Fix starvation after fork.
* BUG 13180: messaging: Always register the unique id.
o Gary Lockyer <gary@catalyst.net.nz>
* 13129: s4/smbd: set the process group.
o Stefan Metzmacher <metze@samba.org>
* BUG 13095: Fix broken linked attribute handling.
* BUG 13132: The KDC on an RWDC doesn't send error replies in some
situations.
* BUG 13149: libnet_join: Fix 'net rpc oldjoin'.
* BUG 13195: g_lock conflict detection broken when processing stale entries.
* BUG 13197: s3:smb2_server: allow logoff, close, unlock, cancel and echo
on expired sessions.
o Noel Power <noel.power@suse.com>
* BUG 13166: s3:libads: net ads keytab list fails with "Key table name
malformed".
o Christof Schmitt <cs@samba.org>
* BUG 13170: Fix crash in pthreadpool thread after failure from pthread_create.
o Andreas Schneider <asn@samba.org>
* BUG 13129: s4:samba: Allow samba daemon to run in foreground.
* BUG 13174: third_party: Link the aesni-intel library with "-z noexecstack".
o Niels de Vos <ndevos@redhat.com>
* BUG 13125: vfs_glusterfs: include glusterfs/api/glfs.h without relying on
"-I" options.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.3
November 21, 2017
=============================
This is a security release in order to address the following defects:
o CVE-2017-14746 (Use-after-free vulnerability.)
o CVE-2017-15275 (Server heap memory information leak.)
=======
Details
=======
o CVE-2017-14746:
All versions of Samba from 4.0.0 onwards are vulnerable to a use after
free vulnerability, where a malicious SMB1 request can be used to
control the contents of heap memory via a deallocated heap pointer. It
is possible this may be used to compromise the SMB server.
o CVE-2017-15275:
All versions of Samba from 3.6.0 onwards are vulnerable to a heap
memory information leak, where server allocated heap memory may be
returned to the client without being cleared.
There is no known vulnerability associated with this error, but
uncleared heap memory may contain previously used data that may help
an attacker compromise the server via other methods. Uncleared heap
memory may potentially contain password hashes or other high-value
data.
For more details and workarounds, please see the security advisories:
o https://www.samba.org/samba/security/CVE-2017-14746.html
o https://www.samba.org/samba/security/CVE-2017-15275.html
Changes since 4.7.2:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
* BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
memory when talloc buffer is grown.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.2
November 15, 2017
=============================
This is an additional bugfix release to address a possible data corruption
issue. Please update immediately! For details, please see
https://bugzilla.samba.org/show_bug.cgi?id=13130
Samba 4.6.0 and newer is affected by this issue.
Changes since 4.7.1:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 13121: Non-smbd processes using kernel oplocks can hang smbd.
o Joe Guo <joeg@catalyst.net.nz>
* BUG 13127: python: use communicate to fix Popen deadlock.
o Volker Lendecke <vl@samba.org>
* BUG 13130: smbd on disk file corruption bug under heavy threaded load.
o Stefan Metzmacher <metze@samba.org>
* BUG 13130: tevent: version 0.9.34.
o Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
* BUG 13118: s3: smbd: Fix delete-on-close after smb2_find.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.1
November 02, 2017
=============================
This is the latest stable release of the Samba 4.7 release series.
Changes since 4.7.0:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 13091: vfs_glusterfs: Fix exporting subdirs with shadow_copy2.
o Jeremy Allison <jra@samba.org>
* BUG 13027: s3: smbd: Currently if getwd() fails after a chdir(), we panic.
* BUG 13068: s3: VFS: Ensure default SMB_VFS_GETWD() call can't return a
partially completed struct smb_filename.
* BUG 13069: sys_getwd() can leak memory or possibly return the wrong errno
on older systems.
* BUG 13093: 'smbclient' doesn't correctly canonicalize all local names
before use.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 13095: Fix broken linked attribute handling.
o Andrew Bartlett <abartlet@samba.org>
* BUG 12994: Missing LDAP query escapes in DNS rpc server.
* BUG 13087: replace: Link to -lbsd when building replace.c by hand.
o Ralph Boehme <slow@samba.org>
* BUG 6133: Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem.
* BUG 7909: Map SYNCHRONIZE acl permission statically in zfs_acl vfs module.
* BUG 7933: Samba fails to honor SEC_STD_WRITE_OWNER bit with the
acl_xattr module.
* BUG 12991: s3/mdssvc: Missing assignment in sl_pack_float.
* BUG 12995: Wrong Samba access checks when changing DOS attributes.
* BUG 13062: samba_runcmd_send() leaves zombie processes on timeout
* BUG 13065: net: groupmap cleanup should not delete BUILTIN mappings.
* BUG 13076: Enabling vfs_fruit results in loss of Finder tags and other
xattrs.
o Alexander Bokovoy <ab@samba.org>
* BUG 9613: man pages: Properly ident lists.
* BUG 13081: smb.conf.5: Sort parameters alphabetically.
o Samuel Cabrero <scabrero@suse.de>
* BUG 12993: s3: spoolss: Fix GUID string format on GetPrinter info.
o Amitay Isaacs <amitay@gmail.com>
* BUG 13042: Remote serverid check doesn't check for the unique id.
* BUG 13056: CTDB starts consuming memory if there are dead nodes in the
cluster.
* BUG 13070: ctdb-common: Ignore event scripts with multiple '.'s.
o Lutz Justen <ljusten@google.com>
* BUG 13046: libgpo doesn't sort the GPOs in the correct order.
o Volker Lendecke <vl@samba.org>
* BUG 13042: Remote serverid check doesn't check for the unique id.
* BUG 13090: vfs_catia: Fix a potential memleak.
* BUG 12903: Fix file change notification for renames.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 12952: Samba DNS server does not honour wildcards.
o Stefan Metzmacher <metze@samba.org>
* BUG 13079: Can't change password in samba from a Windows client if Samba
runs on IPv6 only interface.
o Anoop C S <anoopcs@redhat.com>
* BUG 13086: vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR.
o Christof Schmitt <cs@samba.org>
* BUG 13047: Apple client can't cope with SMB2 async replies when creating
symlinks.
o Andreas Schneider <asn@samba.org>
* BUG 12959: s4:rpc_server:backupkey: Move variable into scope.
* BUG 13099: s4:scripting: Fix ntstatus_gen.h generation on 32bit.
* BUG 13100: s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd().
* BUG 13101: Fix resouce leaks and pointer issues.
o Jorge Schrauwen
* BUG 13049: vfs_solarisacl: Fix build for samba 4.7 and up.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.7.0
September 20, 2017
=============================
This is the first stable release of Samba 4.7.
Please read the release notes carefully before upgrading.
UPGRADING
=========
'smbclient' changes
------------------
'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
banner when connecting to the first server. With SMB2 and Kerberos,
there's no way to print this information reliably. Now we avoid it at all
consistently. In interactive sessions the following banner is now presented
to the user: 'Try "help" do get a list of possible commands.'.
The default for "client max protocol" has changed to "SMB3_11",
which means that 'smbclient' (and related commands) will work against
servers without SMB1 support.
It's possible to use the '-m/--max-protocol' option to overwrite
the "client max protocol" option temporarily.
Note that the '-e/--encrypt' option also works with most SMB3 servers
(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
are not required for encryption.
The change to SMB3_11 as default also means 'smbclient' no longer
negotiates SMB1 unix extensions by default, when talking to a Samba server with
"unix extensions = yes". As a result, some commands are not available, e.g.
'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink',
'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenables them, if the
server supports SMB1.
Note the default ("CORE") for "client min protocol" hasn't changed,
so it's still possible to connect to SMB1-only servers by default.
'smbclient' learned a new command 'deltree' that is able to do
a recursive deletion of a directory tree.
NEW FEATURES/CHANGES
====================
Whole DB read locks: Improved LDAP and replication consistency
--------------------------------------------------------------
Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
erroneously did not take whole-DB read locks to protect search
and DRS replication operations.
While each object returned remained subject to a record-level lock (so
would remain consistent to itself), under a race condition with a
rename or delete, it and any links (like the member attribute) to it
would not be returned.
The symptoms of this issue include:
Replication failures with this error showing in the client side logs:
error during DRS repl ADD: No objectClass found in replPropertyMetaData for
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
A crash of the server, in particular the rpc_server process with
INTERNAL ERROR: Signal 11
LDAP read inconsistency
A DN subject to a search at the same time as it is being renamed
may not appear under either the old or new name, but will re-appear
for a subsequent search.
See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
and updated advise on database recovery for affected installations.
Samba AD with MIT Kerberos
--------------------------
After four years of development, Samba finally supports compiling and
running Samba AD with MIT Kerberos. You can enable it with:
./configure --with-system-mitkrb5
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
The krb5-devel and krb5-server packages are required.
The feature set is not on par with the Heimdal build but the most important
things, like forest and external trusts, are working. Samba uses the KDC binary
provided by MIT Kerberos.
Missing features, compared to Heimdal, are:
* PKINIT support
* S4U2SELF/S4U2PROXY support
* RODC support (not fully working with Heimdal either)
The Samba AD process will take care of starting the MIT KDC and it will load a
KDB (Kerberos Database) driver to access the Samba AD database. When
provisioning an AD DC using 'samba-tool' it will take care of creating a correct
kdc.conf file for the MIT KDC.
For further details, see:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
Dynamic RPC port range
----------------------
The dynamic port range for RPC services has been changed from the old default
value "1024-1300" to "49152-65535". This port range is not only used by a
Samba AD DC, but also applies to all other server roles including NT4-style
domain controllers. The new value has been defined by Microsoft in Windows
Server 2008 and newer versions. To make it easier for Administrators to control
those port ranges we use the same default and make it configurable with the
option: "rpc server dynamic port range".
The "rpc server port" option sets the first available port from the new
"rpc server dynamic port range" option. The option "rpc server port" only
applies to Samba provisioned as an AD DC.
Authentication and Authorization audit support
----------------------------------------------
Detailed authentication and authorization audit information is now
logged to Samba's debug logs under the "auth_audit" debug class,
including in particular the client IP address triggering the audit
line. Additionally, if Samba is compiled against the jansson JSON
library, a JSON representation is logged under the "auth_json_audit"
debug class.
Audit support is comprehensive for all authentication and
authorisation of user accounts in the Samba Active Directory Domain
Controller, as well as the implicit authentication in password
changes. In the file server and classic/NT4 domain controller, NTLM
authentication, SMB and RPC authorization is covered, however password
changes are not at this stage, and this support is not currently
backed by a testsuite.
For further details, see:
https://wiki.samba.org/index.php/Setting_up_Audit_Logging
Multi-process LDAP Server
-------------------------
The LDAP server in the AD DC now honours the process model used for
the rest of the 'samba' process, rather than being forced into a single
process. This aids in Samba's ability to scale to larger numbers of AD
clients and the AD DC's overall resiliency, but will mean that there is a
fork()ed child for every LDAP client, which may be more resource
intensive in some situations. If you run Samba in a
resource-constrained VM, consider allocating more RAM and swap space.
Improved Read-Only Domain Controller (RODC) Support
---------------------------------------------------
Support for RODCs in Samba AD until now has been experimental. With this latest
version, many of the critical bugs have been fixed and the RODC can be used in
DC environments requiring no writable behaviour. RODCs now correctly support
bad password lockouts and password disclosure auditing through the
msDS-RevealedUsers attribute.
The fixes made to the RWDC will also allow Windows RODC to function more
correctly and to avoid strange data omissions such as failures to replicate
groups or updated passwords. Password changes are currently rejected at the
RODC, although referrals should be given over LDAP. While any bad passwords can
trigger domain-wide lockout, good passwords which have not been replicated yet
for a password change can only be used via NTLM on the RODC (and not Kerberos).
The reliability of RODCs locating a writable partner still requires some
improvements and so the 'password server' configuration option is generally
recommended on the RODC.
Samba 4.7 is the first Samba release to be secure as an RODC or when
hosting an RODC. If you have been using earlier Samba versions to
host or be an RODC, please upgrade.
In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
details on the security implications for password disclosure to an
RODC using earlier versions.
Additional password hashes stored in supplementalCredentials
------------------------------------------------------------
A new config option 'password hash userPassword schemes' has been added to
enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
password with reversible encryption). This builds upon previous work to improve
password sync for the AD DC (originally using GPG).
The user command of 'samba-tool' has been updated in order to be able to
extract these additional hashes, as well as extracting the (HTTP) WDigest
hashes that we had also been storing in supplementalCredentials.
Improvements to DNS during Active Directory domain join
-------------------------------------------------------
The 'samba-tool' domain join command will now add the A and GUID DNS records
(on both the local and remote servers) during a join if possible via RPC. This
should allow replication to proceed more smoothly post-join.
The mname element of the SOA record will now also be dynamically generated to
point to the local read-write server. 'samba_dnsupdate' should now be more
reliable as it will now find the appropriate name server even when resolv.conf
points to a forwarder.
Significant AD performance and replication improvements
-------------------------------------------------------
Previously, replication of group memberships was been an incredibly expensive
process for the AD DC. This was mostly due to unnecessary CPU time being spent
parsing member linked attributes. The database now stores these linked
attributes in sorted form to perform efficient searches for existing members.
In domains with a large number of group memberships, a join can now be
completed in half the time compared with Samba 4.6.
LDAP search performance has also improved, particularly in the unindexed search
case. Parsing and processing of security descriptors should now be more
efficient, improving replication but also overall performance.
Query record for open file or directory
---------------------------------------
The record attached to an open file or directory in Samba can be
queried through the 'net tdb locking' command. In clustered Samba this
can be useful to determine the file or directory triggering
corresponding "hot" record warnings in ctdb.
Removal of lpcfg_register_defaults_hook()
-----------------------------------------
The undocumented and unsupported function lpcfg_register_defaults_hook()
that was used by external projects to call into Samba and modify
smb.conf default parameter settings has been removed. If your project
was using this call please raise the issue on
samba-technical@lists.samba.org in order to design a supported
way of obtaining the same functionality.
Change of loadable module interface
-----------------------------------
The _init function of all loadable modules in Samba has changed
from:
NTSTATUS _init(void);
to:
NTSTATUS _init(TALLOC_CTX *);
This allows a program loading a module to pass in a long-lived
talloc context (which must be guaranteed to be alive for the
lifetime of the module). This allows modules to avoid use of
the talloc_autofree_context() (which is inherently thread-unsafe)
and still be valgrind-clean on exit. Modules that don't need to
free long-lived data on exit should use the NULL talloc context.
SHA256 LDAPS Certificates
-------------------------
The self-signed certificate generated for use on LDAPS will now be
generated with a SHA256 self-signature, not a SHA1 self-signature.
Replacing this certificate with a certificate signed by a trusted
CA is still highly recommended.
CTDB changes
------------
* CTDB no longer allows mixed minor versions in a cluster
See the AllowMixedVersions tunable option in ctdb-tunables(7) and also
https://wiki.samba.org/index.php/Upgrading_a_CTDB_cluster#Policy
* CTDB now ignores hints from Samba about TDB flags when attaching to databases
CTDB will use the correct flags depending on the type of database.
For clustered databases, the smb.conf setting
dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues
to use the TDBMutexEnabled tunable.
* New configuration variable CTDB_NFS_CHECKS_DIR
See ctdbd.conf(5) for more details.
* The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been
removed
To continue to manage/unmanage services while CTDB is running:
- Start service by hand and then flag it as managed
- Mark service as unmanaged and shut it down by hand
- In some cases CTDB does something fancy - e.g. start Samba under
"nice", so care is needed. One technique is to disable the
eventscript, mark as managed, run the startup event by hand and then
re-enable the eventscript.
* The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
* The example NFS Ganesha call-out has been improved
* A new "replicated" database type is available
Replicated databases are intended for CTDB's internal use to
replicate state data across the cluster, but may find other
uses. The data in replicated databases is valid for the lifetime of
CTDB and cleared on first attach.
Using x86_64 Accelerated AES Crypto Instructions
------------------------------------------------
Samba on x86_64 can now be configured to use the Intel accelerated AES
instruction set, which has the potential to make SMB3 signing and
encryption much faster on client and server. To enable this, configure
Samba using the new option --accel-aes=intelaesni.
This is a temporary solution that is being included to allow users
to enjoy the benefits of Intel accelerated AES on the x86_64 platform,
but the longer-term solution will be to move Samba to a fully supported
external crypto library.
The third_party/aesni-intel code will be removed from Samba as soon as
external crypto library performance reaches parity.
The default is to build without setting --accel-aes, which uses the
existing Samba software AES implementation.
Parameter changes
-----------------
The "strict sync" global parameter has been changed from
a default of "no" to "yes". This means smbd will by default
obey client requests to synchronize unwritten data in operating
system buffers safely onto disk. This is a safer default setting
for modern SMB1/2/3 clients.
The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
the previous behaviour. Two new values have been provided,
'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1)
and 'disabled', totally disabling NTLM authentication and password
changes.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
allow unsafe cluster upgrade New parameter no
auth event notification New parameter no
auth methods Deprecated
client max protocol Effective SMB3_11
default changed
map untrusted to domain New value/ auto
Default changed/
Deprecated
mit kdc command New parameter
profile acls Deprecated
rpc server dynamic port range New parameter 49152-65535
strict sync Default changed yes
password hash userPassword schemes New parameter
ntlm auth New values ntlmv2-only
KNOWN ISSUES
============
https://wiki.samba.org/inFdex.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
CHANGES SINCE 4.7.0rc6
======================
o CVE-2017-12150:
A man in the middle attack may hijack client connections.
o CVE-2017-12151:
A man in the middle attack can read and may alter confidential
documents transferred via a client connection, which are reached
via DFS redirect when the original connection used SMB3.
o CVE-2017-12163:
Client with write access to a share can cause server memory contents to be
written into a file or printer.
CHANGES SINCE 4.7.0rc5
======================
o Jeremy Allison <jra@samba.org>
* BUG 13003: s3: vfs: catia: compression get/set must act only on base file, and
must cope with fsp==NULL.
* BUG 13008: lib: crypto: Make smbd use the Intel AES instruction set for signing
and encryption.
o Andrew Bartlett <abartlet@samba.org>
* BUG 12946: s4-drsuapi: Avoid segfault when replicating as a non-admin with
GUID_DRS_GET_CHANGES.
* BUG 13015: Allow re-index of newer databases with binary GUID TDB keys
(this officially removes support for re-index of the original pack format 0,
rather than simply segfaulting).
* BUG 13017: Add ldb_ldif_message_redacted_string() to allow debug of redacted
log messages, avoiding showing secret values.
* BUG 13023: ldb: version 1.2.2.
* BUG 13025: schema: Rework dsdb_schema_set_indices_and_attributes() db
operations.
o Alexander Bokovoy <ab@samba.org>
* BUG 13030: Install dcerpc/__init__.py for all Python environments.
o Ralph Boehme <slow@samba.org>
* BUG 13024: s3/smbd: Sticky write time offset miscalculation causes broken
timestamps
* BUG 13037: lib/util: Only close the event_fd in tfork if the caller didn't
call tfork_event_fd().
o Volker Lendecke <vl@samba.org>
* BUG 13006: messaging: Avoid a socket leak after fork.
o Stefan Metzmacher <metze@samba.org>
* BUG 13018: charset: Fix str[n]casecmp_m() by comparing lower case values.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 13037: util_runcmd: Free the fde in event handler.
o Amitay Isaacs <amitay@gmail.com>
* BUG 13012: ctdb-daemon: Fix implementation of process_exists control.
* BUG 13021: GET_DB_SEQNUM control can cause ctdb to deadlock when databases
are frozen.
* BUG 13029: ctdb-daemon: Free up record data if a call request is deferred.
* BUG 13036: ctdb-client: Initialize ctdb_ltdb_header completely for empty
record.
o Christof Schmitt <cs@samba.org>
* BUG 13032: vfs_streams_xattr: Fix segfault when running with log level 10.
CHANGES SINCE 4.7.0rc4
======================
o Andrew Bartlett <abartlet@samba.org>
* BUG 12929: smb.conf: Explain that "ntlm auth" is a per-passdb setting.
* BUG 12953: s4/lib/tls: Use SHA256 to sign the TLS certificates.
o Jeremy Allison <jra@samba.org>
* BUG 12932: Get rid of talloc_autofree_context().
o Amitay Isaacs <amitay@gmail.com>
* BUG 12978: After restarting CTDB, it attaches replicated databases with
wrong flags.
o Stefan Metzmacher <metze@samba.org>
* BUG 12863: s3:smbclient: Don't try any workgroup listing with
"client min protocol = SMB2".
* BUG 12876: s3:libsmb: Don't call cli_NetServerEnum() on SMB2/3 connections
in SMBC_opendir_ctx().
* BUG 12881: s3:libsmb: Let do_connect() debug the negotiation result
similar to "session request ok".
* BUG 12919: s4:http/gensec: add missing tevent_req_done() to
gensec_http_ntlm_update_done().
* BUG 12968: Fix 'smbclient tarmode' with SMB2/3.
* BUG 12973: 'smbd': Don't use a lot of CPU on startup of a connection.
o Christof Schmitt <cs@samba.org>
* BUG 12983: vfs_default: Fix passing of errno from async calls.
o Andreas Schneider <asn@samba.org>
* BUG 12629: s3:utils: Do not report an invalid range for AD DC role.
* BUG 12704: s3:libsmb: Let get_ipc_connect() use
CLI_FULL_CONNECTION_FORCE_SMB1.
* BUG 12930: Fix build issues with GCC 7.1.
* BUG 12950: s3:script: Untaint user supplied data in modprinter.pl.
* BUG 12956: s3:libads: Fix changing passwords with Kerberos.
* BUG 12975: Fix changing the password with 'smbpasswd' as a local user on
a domain member.
CHANGES SINCE 4.7.0rc3
======================
o Jeremy Allison <jra@samba.org>
* BUG 12913: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
o Andrew Bartlett <abartlet@samba.org>
* BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
NETLOGON_NT_VERSION_5 when version unspecified.
* BUG 12855: dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7.
* BUG 12904: dsdb: Fix dsdb_next_callback to correctly use ldb_module_done()
etc.
* BUG 12939: s4-rpc_server: Improve debug of new endpoints.
o Ralph Boehme <slow@samba.org>
* BUG 12791: Fix kernel oplocks issues with named streams.
* BUG 12944: vfs_gpfs: Handle EACCES when fetching DOS attributes from xattr.
o Bob Campbell <bobcampbell@catalyst.net.nz>
* BUG 12842: samdb/cracknames: Support user and service principal as desired
format.
o David Disseldorp <ddiss@samba.org>
* BUG 12911: vfs_ceph: Fix cephwrap_chdir().
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 12865: Track machine account ServerAuthenticate3.
o Marc Muehlfeld <mmuehlfeld@samba.org>
* BUG 12947: python: Fix incorrect kdc.conf parameter name in kerberos.py.
o Noel Power <noel.power@suse.com>
* BUG 12937: s3/utils: 'smbcacls' failed to detect DIRECTORIES using SMB2
(Windows only).
o Arvid Requate <requate@univention.de>
* BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
o Anoop C S <anoopcs@redhat.com>
* BUG 12936: source3/client: Fix typo in help message displayed by default.
o Andreas Schneider <asn@samba.org>
* BUG 12930: Fix building with GCC 7.1.1.
CHANGES SINCE 4.7.0rc2
======================
o Jeremy Allison <jra@samba.org>
* BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
async.
* BUG 12899: s3: libsmb: Reverse sense of 'clear all attributes', ignore
attribute change in SMB2 to match SMB1.
* BUG 12914: s3: smbclient: Add new command deltree.
o Ralph Boehme <slow@samba.org>
* BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories
directly.
* BUG 12887: Remove SMB_VFS_STRICT_UNLOCK noop from the VFS.
* BUG 12891: Enable TDB mutexes in dbwrap and ctdb.
* BUG 12897: vfs_fruit: don't use MS NFS ACEs with Windows clients.
* BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
smbd_notifyd_init.
o Alexander Bokovoy <ab@samba.org>
* BUG 12905: Build py3 versions of other rpc modules.
o Günther Deschner <gd@samba.org>
* BUG 12840: vfs_fruit: Add "fruit:model = <modelname>" parametric option.
o Dustin L. Howett
* BUG 12720: idmap_ad: Retry query_user exactly once if we get
TLDAP_SERVER_DOWN.
o Amitay Isaacs <amitay@gmail.com>
* BUG 12891: dbwrap_ctdb: Fix calculation of persistent flag.
o Thomas Jarosch <thomas.jarosch@intra2net.com>
* BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
o Volker Lendecke <vl@samba.org>
* BUG 12925: smbd: Fix a connection run-down race condition.
o Stefan Metzmacher <metze@samba.org>
* tevent: version 0.9.33: make tevent_req_print() more robust against crashes.
* ldb: version 1.2.1
* BUG 12882: Do not install _ldb_text.py if we have system libldb.
* BUG 12890: s3:smbd: consistently use talloc_tos() memory for
rpc_pipe_open_interface().
* BUG 12900: Fix index out of bound in ldb_msg_find_common_values.
o Rowland Penny <rpenny@samba.org>
* BUG 12884: Easily edit a users object in AD, as if using 'ldbedit'.
o Bernhard M. Wiedemann <bwiedemann@suse.de>
* BUG 12906: s3: drop build_env
o Andreas Schneider <asn@samba.org>
* BUG 12882: waf: Do not install _ldb_text.py if we have system libldb.
o Martin Schwenke <martin@meltin.net>
* BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
CHANGES SINCE 4.7.0rc1
======================
o Jeffrey Altman <jaltman@secure-endpoints.com>
* BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
|
