1 ==============================
2 Release Notes for Samba 4.15.5
4 ==============================
7 This is a security release in order to address the following defects:
9 o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
11 https://www.samba.org/samba/security/CVE-2021-44141.html
13 o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
14 https://www.samba.org/samba/security/CVE-2021-44142.html
16 o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
17 https://www.samba.org/samba/security/CVE-2022-0336.html
23 o Jeremy Allison <jra@samba.org>
24 * BUG 14911: CVE-2021-44141
26 o Ralph Boehme <slow@samba.org>
27 * BUG 14914: CVE-2021-44142
29 o Joseph Sutton <josephsutton@catalyst.net.nz>
30 * BUG 14950: CVE-2022-0336
33 #######################################
34 Reporting bugs & Development Discussion
35 #######################################
37 Please discuss this release on the samba-technical mailing list or by
38 joining the #samba-technical IRC channel on irc.libera.chat or the
39 #samba-technical:matrix.org matrix channel.
41 If you do report problems then please try to send high quality
42 feedback. If you don't provide vital information to help us track down
43 the problem then you will probably be ignored. All bug reports should
44 be filed under the Samba 4.1 and newer product in the project's Bugzilla
45 database (https://bugzilla.samba.org/).
48 ======================================================================
49 == Our Code, Our Bugs, Our Responsibility.
51 ======================================================================
54 Release notes for older releases follow:
55 ----------------------------------------
56 ==============================
57 Release Notes for Samba 4.15.4
59 ==============================
62 This is the latest stable release of the Samba 4.15 release series.
68 o Jeremy Allison <jra@samba.org>
69 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
71 * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
72 calling the "Reconnecting with SMB1 for workgroup listing" path.
73 * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
75 o Pavel Filipenský <pfilipen@redhat.com>
76 * BUG 14940: Cross device copy of the crossrename module always fails.
77 * BUG 14941: symlinkat function from VFS cap module always fails with an
79 * BUG 14942: Fix possible fsp pointer deference.
81 o Volker Lendecke <vl@samba.org>
82 * BUG 14934: kill_tcp_connections does not work.
84 o Stefan Metzmacher <metze@samba.org>
85 * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
86 NT_STATUS_BUFFER_TOO_SMALL.
87 * BUG 14935: Can't connect to Windows shares not requiring authentication
90 o Andreas Schneider <asn@samba.org>
91 * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
93 o Jones Syue <jonessyue@qnap.com>
94 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
98 #######################################
99 Reporting bugs & Development Discussion
100 #######################################
102 Please discuss this release on the samba-technical mailing list or by
103 joining the #samba-technical IRC channel on irc.libera.chat or the
104 #samba-technical:matrix.org matrix channel.
106 If you do report problems then please try to send high quality
107 feedback. If you don't provide vital information to help us track down
108 the problem then you will probably be ignored. All bug reports should
109 be filed under the Samba 4.1 and newer product in the project's Bugzilla
110 database (https://bugzilla.samba.org/).
113 ======================================================================
114 == Our Code, Our Bugs, Our Responsibility.
116 ======================================================================
119 ----------------------------------------------------------------------
120 ==============================
121 Release Notes for Samba 4.15.3
123 ==============================
126 This is the latest stable release of the Samba 4.15 release series.
131 There have been a few regressions in the security release 4.15.2:
133 o CVE-2020-25717: A user on the domain can become root on domain members.
134 https://www.samba.org/samba/security/CVE-2020-25717.html
136 The instructions have been updated and some workarounds
137 initially adviced for 4.15.2 are no longer required and
138 should be reverted in most cases.
140 o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
141 un-deletable. While this release should fix this bug, it is
142 adviced to have a look at the bug report for more detailed
143 information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
148 o Jeremy Allison <jra@samba.org>
149 * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
150 * BUG 14879: A directory containing dangling symlinks cannot be deleted by
151 SMB2 alone when they are the only entry in the directory.
152 * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
153 uninitialized in rmdir_internals().
155 o Andrew Bartlett <abartlet@samba.org>
156 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
157 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
158 side effects for the local nt token.
159 * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
162 o Ralph Boehme <slow@samba.org>
163 * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
164 * BUG 14882: smbXsrv_client_global record validation leads to crash if
165 existing record points at non-existing process.
166 * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
167 * BUG 14897: Samba process doesn't log to logfile.
168 * BUG 14907: set_ea_dos_attribute() fallback calling
169 get_file_handle_for_metadata() triggers locking.tdb assert.
170 * BUG 14922: Kerberos authentication on standalone server in MIT realm
172 * BUG 14923: Segmentation fault when joining the domain.
174 o Alexander Bokovoy <ab@samba.org>
175 * BUG 14903: Support for ROLE_IPA_DC is incomplete.
177 o Günther Deschner <gd@samba.org>
178 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
179 * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
181 o Volker Lendecke <vl@samba.org>
182 * BUG 14908: net ads status -P broken in a clustered environment.
184 o Stefan Metzmacher <metze@samba.org>
185 * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
186 smbd_smb2_ioctl_send.
187 * BUG 14882: smbXsrv_client_global record validation leads to crash if
188 existing record points at non-existing process.
189 * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
190 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
191 side effects for the local nt token.
193 o Andreas Schneider <asn@samba.org>
194 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
195 * BUG 14883: smbclient login without password using '-N' fails with
196 NT_STATUS_INVALID_PARAMETER on Samba AD DC.
197 * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
199 * BUG 14921: Possible null pointer dereference in winbind.
201 o Andreas Schneider <asn@cryptomilk.org>
202 * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
205 o Martin Schwenke <martin@meltin.net>
206 * BUG 14872: Add Debian 11 CI bootstrap support.
208 o Joseph Sutton <josephsutton@catalyst.net.nz>
209 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
210 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
211 side effects for the local nt token.
213 o Andrew Walker <awalker@ixsystems.com>
214 * BUG 14888: Crash in recycle_unlink_internal().
217 #######################################
218 Reporting bugs & Development Discussion
219 #######################################
221 Please discuss this release on the samba-technical mailing list or by
222 joining the #samba-technical IRC channel on irc.freenode.net.
224 If you do report problems then please try to send high quality
225 feedback. If you don't provide vital information to help us track down
226 the problem then you will probably be ignored. All bug reports should
227 be filed under the Samba 4.1 and newer product in the project's Bugzilla
228 database (https://bugzilla.samba.org/).
231 ======================================================================
232 == Our Code, Our Bugs, Our Responsibility.
234 ======================================================================
237 ----------------------------------------------------------------------
238 ==============================
239 Release Notes for Samba 4.15.2
241 ==============================
244 This is a security release in order to address the following defects:
246 o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
248 https://www.samba.org/samba/security/CVE-2016-2124.html
250 o CVE-2020-25717: A user on the domain can become root on domain members.
251 https://www.samba.org/samba/security/CVE-2020-25717.html
252 (PLEASE READ! There are important behaviour changes described)
254 o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
256 https://www.samba.org/samba/security/CVE-2020-25718.html
258 o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
260 https://www.samba.org/samba/security/CVE-2020-25719.html
262 o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
264 https://www.samba.org/samba/security/CVE-2020-25721.html
266 o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
267 checking of data stored.
268 https://www.samba.org/samba/security/CVE-2020-25722.html
270 o CVE-2021-3738: Use after free in Samba AD DC RPC server.
271 https://www.samba.org/samba/security/CVE-2021-3738.html
273 o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
274 https://www.samba.org/samba/security/CVE-2021-23192.html
280 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
283 o Andrew Bartlett <abartlet@samba.org>
289 o Ralph Boehme <slow@samba.org>
292 o Alexander Bokovoy <ab@samba.org>
295 o Samuel Cabrero <scabrero@samba.org>
298 o Nadezhda Ivanova <nivanova@symas.com>
301 o Stefan Metzmacher <metze@samba.org>
309 o Andreas Schneider <asn@samba.org>
312 o Joseph Sutton <josephsutton@catalyst.net.nz>
321 #######################################
322 Reporting bugs & Development Discussion
323 #######################################
325 Please discuss this release on the samba-technical mailing list or by
326 joining the #samba-technical IRC channel on irc.libera.chat or the
327 #samba-technical:matrix.org matrix channel.
329 If you do report problems then please try to send high quality
330 feedback. If you don't provide vital information to help us track down
331 the problem then you will probably be ignored. All bug reports should
332 be filed under the Samba 4.1 and newer product in the project's Bugzilla
333 database (https://bugzilla.samba.org/).
336 ======================================================================
337 == Our Code, Our Bugs, Our Responsibility.
339 ======================================================================
342 ----------------------------------------------------------------------
345 ==============================
346 Release Notes for Samba 4.15.1
348 ==============================
351 This is the latest stable release of the Samba 4.15 release series.
357 o Jeremy Allison <jra@samba.org>
358 * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
359 * BUG 14685: Log clutter from filename_convert_internal.
360 * BUG 14862: MacOSX compilation fixes.
362 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
363 * BUG 14868: rodc_rwdc test flaps.
365 o Andrew Bartlett <abartlet@samba.org>
366 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
367 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
369 * BUG 14836: Python ldb.msg_diff() memory handling failure.
370 * BUG 14845: "in" operator on ldb.Message is case sensitive.
371 * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
372 * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
373 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
374 * BUG 14874: Allow special chars like "@" in samAccountName when generating
377 o Ralph Boehme <slow@samba.org>
378 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
380 o Isaac Boukris <iboukris@gmail.com>
381 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
382 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
385 o Viktor Dukhovni <viktor@twosigma.com>
386 * BUG 12998: Fix transit path validation.
388 o Pavel Filipenský <pfilipen@redhat.com>
389 * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
392 o Luke Howard <lukeh@padl.com>
393 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
394 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
397 o Stefan Metzmacher <metze@samba.org>
398 * BUG 14855: SMB3 cancel requests should only include the MID together with
399 AsyncID when AES-128-GMAC is used.
401 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
402 * BUG 14862: MacOSX compilation fixes.
404 o Andreas Schneider <asn@samba.org>
405 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
407 o Martin Schwenke <martin@meltin.net>
408 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
410 o Joseph Sutton <josephsutton@catalyst.net.nz>
411 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
412 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
414 * BUG 14836: Python ldb.msg_diff() memory handling failure.
415 * BUG 14845: "in" operator on ldb.Message is case sensitive.
416 * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
417 * BUG 14868: rodc_rwdc test flaps.
418 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
419 * BUG 14874: Allow special chars like "@" in samAccountName when generating
422 o Nicolas Williams <nico@twosigma.com>
423 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
424 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
428 #######################################
429 Reporting bugs & Development Discussion
430 #######################################
432 Please discuss this release on the samba-technical mailing list or by
433 joining the #samba-technical IRC channel on irc.freenode.net.
435 If you do report problems then please try to send high quality
436 feedback. If you don't provide vital information to help us track down
437 the problem then you will probably be ignored. All bug reports should
438 be filed under the Samba 4.1 and newer product in the project's Bugzilla
439 database (https://bugzilla.samba.org/).
442 ======================================================================
443 == Our Code, Our Bugs, Our Responsibility.
445 ======================================================================
448 ----------------------------------------------------------------------
450 ==============================
451 Release Notes for Samba 4.15.0
453 ==============================
456 This is the first stable release of the Samba 4.15 release series.
457 Please read the release notes carefully before upgrading.
460 Removed SMB (development) dialects
461 ==================================
463 The following SMB (development) dialects are no longer
464 supported: SMB2_22, SMB2_24 and SMB3_10. They are were
465 only supported by Windows technical preview builds.
466 They used to be useful in order to test against the
467 latest Windows versions, but it's no longer useful
468 to have them. If you have them explicitly specified
469 in your smb.conf or an the command line,
470 you need to replace them like this:
474 Note that it's typically not useful to specify
475 "client max protocol" or "server max protocol"
476 explicitly to a specific dialect, just leave
477 them unspecified or specify the value "default".
482 The GPG release key for Samba releases changed from:
484 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
485 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
486 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
487 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
489 to the following new key:
491 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
492 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
493 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
494 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
496 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
498 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
500 New minimum version for the experimental MIT KDC
501 ================================================
503 The build of the AD DC using the system MIT Kerberos, an
504 experimental feature, now requires MIT Kerberos 1.19. An up-to-date
505 Fedora 34 has this version and has backported fixes for the KDC crash
506 bugs CVE-2021-37750 and CVE-2021-36222
515 The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
516 with a modernized VFS designed for the post SMB1 world.
518 For details please refer to the documentation at source3/modules/The_New_VFS.txt
519 or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
522 Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
523 ---------------------------------------------------------------------------
525 Up to now, any client could use a DNS zone transfer request to the
526 bind server, and get an answer from Samba. Now the default behaviour
527 will be to deny those request. Two new options have been added to
528 manage the list of authorized/denied clients for zone transfer
529 requests. In order to be accepted, the request must be issued by a
530 client that is in the allow list and NOT in the deny list.
533 "server multi channel support" no longer experimental
534 -----------------------------------------------------
536 This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
537 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
538 to use this feature on Linux and FreeBSD for now.
541 samba-tool available without the ad-dc
542 --------------------------------------
544 The 'samba-tool' command is now available when samba is configured
545 "--without-ad-dc". Not all features will work, and some ad-dc specific options
546 have been disabled. The 'samba-tool domain' options, for example, are limited
547 when no ad-dc is present. Samba must still be built with ads in order to enable
551 Improved command line user experience
552 -------------------------------------
554 Samba utilities did not consistently implement their command line interface. A
555 number of options were requiring to specify values in one tool and not in the
556 other, some options meant different in different tools.
558 These should be stories of the past now. A new command line parser has been
559 implemented with sanity checking. Also the command line interface has been
560 simplified and provides better control for encryption, signing and kerberos.
562 Previously many tools silently ignored unknown options. To prevent unexpected
563 behaviour all tools will now consistently reject unknown options.
565 Also several command line options have a smb.conf variable to control the
568 All tools are now logging to stderr by default. You can use "--debug-stdout" to
569 change the behavior. All servers will log to stderr at early startup until logging
570 is setup to go to a file by default.
575 --client-protection=off|sign|encrypt
578 --kerberos -> --use-kerberos=required|desired|off
579 --krb5-ccache -> --use-krb5-ccache=CCACHE
580 --scope -> --netbios-scope=SCOPE
581 --use-ccache -> --use-winbind-ccache
585 -C removed from --use-winbind-ccache
586 -i removed from --netbios-scope
590 ### Duplicates in command line utils
592 ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
593 -e is still available as an alias for --editor,
595 -s is no longer reported as an alias for --configfile,
596 it never worked that way as it was shadowed by '-s' for '--scope'.
599 -l is not available for --load-dso anymore
602 -l is not available for --long anymore
605 -V is not available for --viewsddl anymore
608 --user -> --quota-user
611 --log-stdout -> --debug-stdout
614 --log-stdout -> --debug-stdout
617 --log-stdout -> --debug-stdout
620 Scanning of trusted domains and enterprise principals
621 -----------------------------------------------------
623 As an artifact from the NT4 times, we still scanned the list of trusted domains
624 on winbindd startup. This is wrong as we never can get a full picture in Active
625 Directory. It is time to change the default value to "No". Also with this change
626 we always use enterprise principals for Kerberos so that the DC will be able
627 to redirect ticket requests to the right DC. This is e.g. needed for one way
628 trusts. The options `winbind use krb5 enterprise principals` and
629 `winbind scan trusted domains` will be deprecated in one of the next releases.
632 Support for Offline Domain Join (ODJ)
633 -------------------------------------
635 The net utility is now able to support the offline domain join feature
636 as known from the Windows djoin.exe command for many years. Samba's
637 implementation is accessible via the 'net offlinejoin' subcommand. It
638 can provision computers and request offline joining for both Windows
639 and Unix machines. It is also possible to provision computers from
640 Windows (using djoin.exe) and use the generated data in Samba's 'net'
641 utility. The existing options for the provisioning and joining steps
642 are documented in the net(8) manpage.
645 'samba-tool dns zoneoptions' for aging control
646 ----------------------------------------------
648 The 'samba-tool dns zoneoptions' command can be used to turn aging on
649 and off, alter the refresh and no-refresh periods, and manipulate the
650 timestamps of existing records.
652 To turn aging on for a zone, you can use something like this:
654 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
656 which turns on aging and ensures no records less than five years old
657 are aged out and scavenged. After aging has been on for sufficient
658 time for records to be renewed, the command
660 samba-tool dns zoneoptions --refreshinterval=168
662 will set the refresh period to the standard seven days. Using this two
663 step process will help prevent the temporary loss of dynamic records
664 if scavenging happens before their first renewal.
667 Marking old records as static or dynamic with 'samba-tool'
668 ----------------------------------------------------------
670 A bug in Samba versions prior to 4.9 meant records that were meant to
671 be static were marked as dynamic and vice versa. To fix the timestamps
672 in these domains, it is possible to use the following options,
673 preferably before turning aging on.
675 --mark-old-records-static
676 --mark-records-dynamic-regex
677 --mark-records-static-regex
679 The "--mark-old-records-static" option will make records older than the
680 specified date static (that is, with a zero timestamp). For example,
681 if you upgraded to Samba 4.9 in November 2018, you could use ensure no
682 old records will be mistakenly interpreted as dynamic using the
685 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
687 Then, if you know that that will have marked some records as static
688 that should be dynamic, and you know which those are due to your
689 naming scheme, you can use commands like:
691 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
693 where '\w+-desktop' is a perl-compatible regular expression that will
694 match 'bob-desktop', 'alice-desktop', and so on.
696 These options are deliberately long and cumbersome to type, so people
697 have a chance to think before they get to the end. You can make a
698 mess if you get it wrong.
700 All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
701 argument that allows you to inspect the likely results before going
704 NOTE: for aging to work, you need to have "dns zone scavenging = yes"
705 set in the smb.conf of at least one server.
708 DNS tombstones are now deleted as appropriate
709 ---------------------------------------------
711 When all the records for a DNS name have been deleted, the node is put
712 in a tombstoned state (separate from general AD object tombstoning,
713 which deleted nodes also go through). These tombstones should be
714 cleaned up periodically. Due to a conflation of scavenging and
715 tombstoning, we have only been deleting tombstones when aging is
718 If you have a lot of tombstoned DNS nodes (that is, DNS names for
719 which you have removed all the records), cleaning up these DNS
720 tombstones may take a noticeable time.
723 DNS tombstones use a consistent timestamp format
724 ------------------------------------------------
726 DNS records use an hours-since-1601 timestamp format except for in the
727 case of tombstone records where a 100-nanosecond-intervals-since-1601
728 format is used (this latter format being the most common in Windows).
729 We had mixed that up, which might have had strange effects in zones
730 where aging was enabled (and hence tombstone timestamps were used).
733 samba-tool dns update and RPC changes
734 -------------------------------------
736 The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
737 to manipulate dns records on the remote server. A bug in Samba meant
738 it was not possible to update an existing DNS record to change the
739 TTL. The general behaviour of RPC updates is now closer to that of
742 'samba-tool dns update' is now a bit more careful in rejecting and
743 warning you about malformed IPv4 and IPv6 addresses.
745 CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
746 -----------------------------------------------------------------------
748 An unuthenticated user can crash the AD DC KDC by omitting the server
749 name in a TGS-REQ. Per Samba's updated security process a specific
750 security release was not made for this issue as it is a recoverable
753 See https://wiki.samba.org/index.php/Samba_Security_Proces
755 samba-tool domain backup offline with the LMDB backend
756 ------------------------------------------------------
758 samba-tool domain backup offline, when operating with the LMDB backend
759 now correctly takes out locks against concurrent modification of the
760 database during the backup. If you use this tool on a Samba AD DC
761 using LMDB, you should upgrade to this release for safer backups.
766 Tru64 ACL support has been removed from this release. The last
767 supported release of Tru64 UNIX was in 2012.
769 NIS support has been removed from this release. This is not
770 available in Linux distributions anymore.
772 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
773 which have been out of support since 2018.
779 Parameter Name Description Default
780 -------------- ----------- -------
781 client use kerberos New desired
782 client max protocol Values Removed
783 client min protocol Values Removed
784 client protection New default
785 client smb3 signing algorithms New see man smb.conf
786 client smb3 encryption algorithms New see man smb.conf
787 preopen:posix-basic-regex New No
788 preopen:nomatch_log_level New 5
789 preopen:match_log_level New 5
790 preopen:nodigits_log_level New 1
791 preopen:founddigits_log_level New 3
792 preopen:reset_log_level New 5
793 preopen:push_log_level New 3
794 preopen:queue_log_level New 10
795 server max protocol Values Removed
796 server min protocol Values Removed
797 server multi channel support Changed Yes (on Linux and FreeBSD)
798 server smb3 signing algorithms New see man smb.conf
799 server smb3 encryption algorithms New see man smb.conf
800 winbind use krb5 enterprise principals Changed Yes
801 winbind scan trusted domains Changed No
804 CHANGES SINCE 4.15.0rc6
805 =======================
807 o Andrew Bartlett <abartlet@samba.org>
808 * BUG 14791: All the ways to specify a password are not documented.
810 o Ralph Boehme <slow@samba.org>
811 * BUG 14790: vfs_btrfs compression support broken.
812 * BUG 14828: Problems with commandline parsing.
813 * BUG 14829: smbd crashes when "ea support" is set to no.
815 o Stefan Metzmacher <metze@samba.org>
816 * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
817 use the same strings as smbstatus output.
818 * BUG 14828: Problems with commandline parsing.
820 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
821 * BUG 8773: smbd fails to run as root because it belongs to more than 16
824 o Martin Schwenke <martin@meltin.net>
825 * BUG 14784: Fix CTDB flag/status update race conditions.
828 CHANGES SINCE 4.15.0rc5
829 =======================
831 o Andrew Bartlett <abartlet@samba.org>
832 * BUG 14806: Address a signifcant performance regression in database access
833 in the AD DC since Samba 4.12.
834 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
835 Samba 4.9 by using an explicit database handle cache.
836 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
837 server name in a TGS-REQ.
838 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
839 * BUG 14819: Address flapping dsdb_schema_attributes test.
841 o Luke Howard <lukeh@padl.com>
842 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
843 server name in a TGS-REQ.
845 o Gary Lockyer <gary@catalyst.net.nz>
846 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
847 server name in a TGS-REQ.
849 o Andreas Schneider <asn@samba.org>
850 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
851 server name in a TGS-REQ.
853 o Joseph Sutton <josephsutton@catalyst.net.nz>
854 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
855 server name in a TGS-REQ.
858 CHANGES SINCE 4.15.0rc4
859 =======================
861 o Jeremy Allison <jra@samba.org>
862 * BUG 14809: Shares with variable substitutions cause core dump upon
863 connection from MacOS Big Sur 11.5.2.
864 * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
867 o Andrew Bartlett <abartlet@samba.org>
868 * BUG 14815: A subset of tests from Samba's selftest system were not being
869 run, while others were run twice.
871 o Ralph Boehme <slow@samba.org>
872 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
873 * BUG 14787: net conf list crashes when run as normal user,
874 * BUG 14803: smbd/winbindd started in daemon mode generate output on
876 * BUG 14804: winbindd can crash because idmap child state is not fully
879 o Stefan Metzmacher <metze@samba.org>
880 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
883 CHANGES SINCE 4.15.0rc3
884 =======================
886 o Bjoern Jacke <bj@sernet.de>
887 * BUG 14800: util_sock: fix assignment of sa_socklen.
890 CHANGES SINCE 4.15.0rc2
891 =======================
893 o Jeremy Allison <jra@samba.org>
894 * BUG 14760: vfs_streams_depot directory creation permissions and store
896 * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
897 * BUG 14769: smbd panic on force-close share during offload write.
898 * BUG 14805: OpenDir() loses the correct errno return.
900 o Ralph Boehme <slow@samba.org>
901 * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
903 o Stefan Metzmacher <metze@samba.org>
904 * BUG 14793: Start the SMB encryption as soon as possible.
906 o Andreas Schneider <asn@samba.org>
907 * BUG 14779: Winbind should not start if the socket path is too long.
909 o Noel Power <noel.power@suse.com>
910 * BUG 14760: vfs_streams_depot directory creation permissions and store
914 CHANGES SINCE 4.15.0rc1
915 =======================
917 o Andreas Schneider <asn@samba.org>
918 * BUG 14768: smbd/winbind should load the registry if configured
919 * BUG 14777: do not quote passed argument of configure script
920 * BUG 14779: Winbind should not start if the socket path is too long
922 o Stefan Metzmacher <metze@samba.org>
923 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
924 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
926 o Ralph Boehme <slow@samba.org>
927 * BUG 14700: file owner not available when file unredable
929 o Jeremy Allison <jra@samba.org>
930 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
931 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
938 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
941 #######################################
942 Reporting bugs & Development Discussion
943 #######################################
945 Please discuss this release on the samba-technical mailing list or by
946 joining the #samba-technical IRC channel on irc.libera.chat or the
947 #samba-technical:matrix.org matrix channel.
949 If you do report problems then please try to send high quality
950 feedback. If you don't provide vital information to help us track down
951 the problem then you will probably be ignored. All bug reports should
952 be filed under the Samba 4.1 and newer product in the project's Bugzilla
953 database (https://bugzilla.samba.org/).
956 ======================================================================
957 == Our Code, Our Bugs, Our Responsibility.
959 ======================================================================