1 ===============================
2 Release Notes for Samba 4.15.12
4 ===============================
7 This is a security release in order to address the following defects:
9 o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
10 integer overflows when parsing a PAC on a 32-bit system, which
11 allowed an attacker with a forged PAC to corrupt the heap.
12 https://www.samba.org/samba/security/CVE-2022-42898.html
16 o Joseph Sutton <josephsutton@catalyst.net.nz>
17 * BUG 15203: CVE-2022-42898
19 o Nicolas Williams <nico@twosigma.com>
20 * BUG 15203: CVE-2022-42898
23 #######################################
24 Reporting bugs & Development Discussion
25 #######################################
27 Please discuss this release on the samba-technical mailing list or by
28 joining the #samba-technical:matrix.org matrix room, or
29 #samba-technical IRC channel on irc.libera.chat.
32 If you do report problems then please try to send high quality
33 feedback. If you don't provide vital information to help us track down
34 the problem then you will probably be ignored. All bug reports should
35 be filed under the Samba 4.1 and newer product in the project's Bugzilla
36 database (https://bugzilla.samba.org/).
39 ======================================================================
40 == Our Code, Our Bugs, Our Responsibility.
42 ======================================================================
45 Release notes for older releases follow:
46 ----------------------------------------
47 ===============================
48 Release Notes for Samba 4.15.11
50 ===============================
53 This is a security release in order to address the following defect:
55 o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
56 unwrap_des() and unwrap_des3() routines of Heimdal (included
58 https://www.samba.org/samba/security/CVE-2022-3437.html
63 o Andrew Bartlett <abartlet@samba.org>
64 * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
67 o Andreas Schneider <asn@samba.org>
68 * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
71 o Joseph Sutton <josephsutton@catalyst.net.nz>
72 * BUG 15134: CVE-2022-3437.
75 #######################################
76 Reporting bugs & Development Discussion
77 #######################################
79 Please discuss this release on the samba-technical mailing list or by
80 joining the #samba-technical:matrix.org matrix room, or
81 #samba-technical IRC channel on irc.libera.chat.
83 If you do report problems then please try to send high quality
84 feedback. If you don't provide vital information to help us track down
85 the problem then you will probably be ignored. All bug reports should
86 be filed under the Samba 4.1 and newer product in the project's Bugzilla
87 database (https://bugzilla.samba.org/).
90 ======================================================================
91 == Our Code, Our Bugs, Our Responsibility.
93 ======================================================================
96 ----------------------------------------------------------------------
97 ===============================
98 Release Notes for Samba 4.15.10
100 ===============================
103 This is the latest stable release of the Samba 4.15 release series.
109 o Jeremy Allison <jra@samba.org>
110 * BUG 15128: Possible use after free of connection_struct when iterating
111 smbd_server_connection->connections.
112 * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
114 o Ralph Boehme <slow@samba.org>
115 * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
117 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
118 permissions instead of ACL from xattr.
119 * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
120 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
121 ../../lib/util/fault.c:197.
123 o Stefan Metzmacher <metze@samba.org>
124 * BUG 15148: Missing READ_LEASE break could cause data corruption.
126 o Andreas Schneider <asn@samba.org>
127 * BUG 15124: rpcclient can crash using setuserinfo(2).
128 * BUG 15132: Samba fails to build with glibc 2.36 caused by including
129 <sys/mount.h> in libreplace.
131 o Joseph Sutton <josephsutton@catalyst.net.nz>
132 * BUG 15152: SMB1 negotiation can fail to handle connection errors.
134 o Michael Tokarev <mjt@tls.msk.ru>
135 * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
138 #######################################
139 Reporting bugs & Development Discussion
140 #######################################
142 Please discuss this release on the samba-technical mailing list or by
143 joining the #samba-technical:matrix.org matrix room, or
144 #samba-technical IRC channel on irc.libera.chat.
147 If you do report problems then please try to send high quality
148 feedback. If you don't provide vital information to help us track down
149 the problem then you will probably be ignored. All bug reports should
150 be filed under the Samba 4.1 and newer product in the project's Bugzilla
151 database (https://bugzilla.samba.org/).
154 ======================================================================
155 == Our Code, Our Bugs, Our Responsibility.
157 ======================================================================
160 ----------------------------------------------------------------------
161 ==============================
162 Release Notes for Samba 4.15.9
164 ==============================
167 This is a security release in order to address the following defects:
169 o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
171 https://www.samba.org/samba/security/CVE-2022-2031.html
173 o CVE-2022-32744: Samba AD users can forge password change requests for any user.
174 https://www.samba.org/samba/security/CVE-2022-32744.html
176 o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
178 https://www.samba.org/samba/security/CVE-2022-32745.html
180 o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
181 process with an LDAP add or modify request.
182 https://www.samba.org/samba/security/CVE-2022-32746.html
184 o CVE-2022-32742: Server memory information leak via SMB1.
185 https://www.samba.org/samba/security/CVE-2022-32742.html
190 o Jeremy Allison <jra@samba.org>
191 * BUG 15085: CVE-2022-32742.
193 o Andrew Bartlett <abartlet@samba.org>
194 * BUG 15009: CVE-2022-32746.
196 o Isaac Boukris <iboukris@gmail.com>
197 * BUG 15047: CVE-2022-2031.
199 o Andreas Schneider <asn@samba.org>
200 * BUG 15047: CVE-2022-2031.
202 o Joseph Sutton <josephsutton@catalyst.net.nz>
203 * BUG 15008: CVE-2022-32745.
204 * BUG 15009: CVE-2022-32746.
205 * BUG 15047: CVE-2022-2031.
206 * BUG 15074: CVE-2022-32744.
209 #######################################
210 Reporting bugs & Development Discussion
211 #######################################
213 Please discuss this release on the samba-technical mailing list or by
214 joining the #samba-technical:matrix.org matrix room, or
215 #samba-technical IRC channel on irc.libera.chat.
217 If you do report problems then please try to send high quality
218 feedback. If you don't provide vital information to help us track down
219 the problem then you will probably be ignored. All bug reports should
220 be filed under the Samba 4.1 and newer product in the project's Bugzilla
221 database (https://bugzilla.samba.org/).
224 ======================================================================
225 == Our Code, Our Bugs, Our Responsibility.
227 ======================================================================
230 ----------------------------------------------------------------------
231 ==============================
232 Release Notes for Samba 4.15.8
234 ==============================
237 This is the latest stable release of the Samba 4.15 release series.
243 o Jeremy Allison <jra@samba.org>
244 * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
245 * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.
247 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
248 * BUG 14986: Add support for bind 9.18.
249 * BUG 15076: logging dsdb audit to specific files does not work.
251 o Ralph Boehme <slow@samba.org>
252 * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
253 file had been deleted.
255 o Samuel Cabrero <scabrero@samba.org>
256 * BUG 15087: netgroups support removed.
258 o Samuel Cabrero <scabrero@suse.de>
259 * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
262 o Stefan Metzmacher <metze@samba.org>
263 * BUG 15071: waf produces incorrect names for python extensions with Python
266 o Noel Power <noel.power@suse.com>
267 * BUG 15100: smbclient commands del & deltree fail with
268 NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
270 o Christof Schmitt <cs@samba.org>
271 * BUG 15055: vfs_gpfs recalls=no option prevents listing files.
273 o Andreas Schneider <asn@samba.org>
274 * BUG 15071: waf produces incorrect names for python extensions with Python
276 * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
277 * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
279 o Andreas Schneider <asn@cryptomilk.org>
280 * BUG 15054: smbd doesn't handle UPNs for looking up names.
282 o Robert Sprowson <webpages@sprow.co.uk>
283 * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.
286 #######################################
287 Reporting bugs & Development Discussion
288 #######################################
290 Please discuss this release on the samba-technical mailing list or by
291 joining the #samba-technical:matrix.org matrix room, or
292 #samba-technical IRC channel on irc.libera.chat.
294 If you do report problems then please try to send high quality
295 feedback. If you don't provide vital information to help us track down
296 the problem then you will probably be ignored. All bug reports should
297 be filed under the Samba 4.1 and newer product in the project's Bugzilla
298 database (https://bugzilla.samba.org/).
301 ======================================================================
302 == Our Code, Our Bugs, Our Responsibility.
304 ======================================================================
307 ----------------------------------------------------------------------
308 ==============================
309 Release Notes for Samba 4.15.7
311 ==============================
314 This is the latest stable release of the Samba 4.15 release series.
320 o Jeremy Allison <jra@samba.org>
321 * BUG 14831: Share and server swapped in smbget password prompt.
322 * BUG 15022: Durable handles won't reconnect if the leased file is written
324 * BUG 15023: rmdir silently fails if directory contains unreadable files and
325 hide unreadable is yes.
326 * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
329 o Ralph Boehme <slow@samba.org>
330 * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
331 * BUG 15035: shadow_copy2 fails listing snapshotted dirs with
334 o Samuel Cabrero <scabrero@samba.org>
335 * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
338 o Pavel Filipenský <pfilipen@redhat.com>
339 * BUG 15041: username map - samba erroneously applies unix group memberships
340 to user account entries.
342 o Elia Geretto <elia.f.geretto@gmail.com>
343 * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
344 in SMBC_server_internal.
346 o Stefan Metzmacher <metze@samba.org>
347 * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
349 * BUG 14641: Crash of winbind on RODC.
350 * BUG 14865: uncached logon on RODC always fails once.
351 * BUG 14951: KVNO off by 100000.
352 * BUG 15001: LDAP simple binds should honour "old password allowed period".
353 * BUG 15003: wbinfo -a doesn't work reliable with upn names.
355 o Garming Sam <garming@catalyst.net.nz>
356 * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
359 o Christof Schmitt <cs@samba.org>
360 * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
362 o Andreas Schneider <asn@samba.org>
363 * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
367 #######################################
368 Reporting bugs & Development Discussion
369 #######################################
371 Please discuss this release on the samba-technical mailing list or by
372 joining the #samba-technical:matrix.org matrix room, or
373 #samba-technical IRC channel on irc.libera.chat.
375 If you do report problems then please try to send high quality
376 feedback. If you don't provide vital information to help us track down
377 the problem then you will probably be ignored. All bug reports should
378 be filed under the Samba 4.1 and newer product in the project's Bugzilla
379 database (https://bugzilla.samba.org/).
382 ======================================================================
383 == Our Code, Our Bugs, Our Responsibility.
385 ======================================================================
388 ----------------------------------------------------------------------
389 ==============================
390 Release Notes for Samba 4.15.6
392 ==============================
395 This is the latest stable release of the Samba 4.15 release series.
401 o Jeremy Allison <jra@samba.org>
402 * BUG 14169: Renaming file on DFS root fails with
403 NT_STATUS_OBJECT_PATH_NOT_FOUND.
404 * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
405 objects with same lease key.
406 * BUG 14938: NT error code is not set when overwriting a file during rename
409 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
410 * BUG 14996: Fix ldap simple bind with TLS auditing.
412 o Ralph Boehme <slow@samba.org>
413 * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
416 o Samuel Cabrero <scabrero@suse.de>
417 * BUG 14979: Problem when winbind renews Kerberos.
419 o Günther Deschner <gd@samba.org>
420 * BUG 8691: pam_winbind will not allow gdm login if password about to expire.
422 o Pavel Filipenský <pfilipen@redhat.com>
423 * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
425 o Björn Jacke <bj@sernet.de>
426 * BUG 13631: DFS fix for AIX broken.
427 * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
428 * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
430 o Volker Lendecke <vl@samba.org>
431 * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
432 during strcpy in tdbsam_getsampwnam.
433 * BUG 14989: Fix a use-after-free in SMB1 server.
435 o Stefan Metzmacher <metze@samba.org>
436 * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
437 gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
438 * BUG 14984: changing the machine password against an RODC likely destroys
440 * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
441 ldb_message *msg argument.
442 * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
444 o Andreas Schneider <asn@samba.org>
445 * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
449 #######################################
450 Reporting bugs & Development Discussion
451 #######################################
453 Please discuss this release on the samba-technical mailing list or by
454 joining the #samba-technical IRC channel on irc.libera.chat or the
455 #samba-technical:matrix.org matrix channel.
457 If you do report problems then please try to send high quality
458 feedback. If you don't provide vital information to help us track down
459 the problem then you will probably be ignored. All bug reports should
460 be filed under the Samba 4.1 and newer product in the project's Bugzilla
461 database (https://bugzilla.samba.org/).
464 ======================================================================
465 == Our Code, Our Bugs, Our Responsibility.
467 ======================================================================
470 ----------------------------------------------------------------------
471 ==============================
472 Release Notes for Samba 4.15.5
474 ==============================
477 This is a security release in order to address the following defects:
479 o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
481 https://www.samba.org/samba/security/CVE-2021-44141.html
483 o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
484 https://www.samba.org/samba/security/CVE-2021-44142.html
486 o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
487 https://www.samba.org/samba/security/CVE-2022-0336.html
493 o Jeremy Allison <jra@samba.org>
494 * BUG 14911: CVE-2021-44141
496 o Ralph Boehme <slow@samba.org>
497 * BUG 14914: CVE-2021-44142
499 o Joseph Sutton <josephsutton@catalyst.net.nz>
500 * BUG 14950: CVE-2022-0336
503 #######################################
504 Reporting bugs & Development Discussion
505 #######################################
507 Please discuss this release on the samba-technical mailing list or by
508 joining the #samba-technical IRC channel on irc.libera.chat or the
509 #samba-technical:matrix.org matrix channel.
511 If you do report problems then please try to send high quality
512 feedback. If you don't provide vital information to help us track down
513 the problem then you will probably be ignored. All bug reports should
514 be filed under the Samba 4.1 and newer product in the project's Bugzilla
515 database (https://bugzilla.samba.org/).
518 ======================================================================
519 == Our Code, Our Bugs, Our Responsibility.
521 ======================================================================
524 ----------------------------------------------------------------------
525 ==============================
526 Release Notes for Samba 4.15.4
528 ==============================
531 This is the latest stable release of the Samba 4.15 release series.
537 o Jeremy Allison <jra@samba.org>
538 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
540 * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
541 calling the "Reconnecting with SMB1 for workgroup listing" path.
542 * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
544 o Pavel Filipenský <pfilipen@redhat.com>
545 * BUG 14940: Cross device copy of the crossrename module always fails.
546 * BUG 14941: symlinkat function from VFS cap module always fails with an
548 * BUG 14942: Fix possible fsp pointer deference.
550 o Volker Lendecke <vl@samba.org>
551 * BUG 14934: kill_tcp_connections does not work.
553 o Stefan Metzmacher <metze@samba.org>
554 * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
555 NT_STATUS_BUFFER_TOO_SMALL.
556 * BUG 14935: Can't connect to Windows shares not requiring authentication
559 o Andreas Schneider <asn@samba.org>
560 * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
562 o Jones Syue <jonessyue@qnap.com>
563 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
567 #######################################
568 Reporting bugs & Development Discussion
569 #######################################
571 Please discuss this release on the samba-technical mailing list or by
572 joining the #samba-technical IRC channel on irc.libera.chat or the
573 #samba-technical:matrix.org matrix channel.
575 If you do report problems then please try to send high quality
576 feedback. If you don't provide vital information to help us track down
577 the problem then you will probably be ignored. All bug reports should
578 be filed under the Samba 4.1 and newer product in the project's Bugzilla
579 database (https://bugzilla.samba.org/).
582 ======================================================================
583 == Our Code, Our Bugs, Our Responsibility.
585 ======================================================================
588 ----------------------------------------------------------------------
589 ==============================
590 Release Notes for Samba 4.15.3
592 ==============================
595 This is the latest stable release of the Samba 4.15 release series.
600 There have been a few regressions in the security release 4.15.2:
602 o CVE-2020-25717: A user on the domain can become root on domain members.
603 https://www.samba.org/samba/security/CVE-2020-25717.html
605 The instructions have been updated and some workarounds
606 initially adviced for 4.15.2 are no longer required and
607 should be reverted in most cases.
609 o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
610 un-deletable. While this release should fix this bug, it is
611 adviced to have a look at the bug report for more detailed
612 information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
617 o Jeremy Allison <jra@samba.org>
618 * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
619 * BUG 14879: A directory containing dangling symlinks cannot be deleted by
620 SMB2 alone when they are the only entry in the directory.
621 * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
622 uninitialized in rmdir_internals().
624 o Andrew Bartlett <abartlet@samba.org>
625 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
626 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
627 side effects for the local nt token.
628 * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
631 o Ralph Boehme <slow@samba.org>
632 * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
633 * BUG 14882: smbXsrv_client_global record validation leads to crash if
634 existing record points at non-existing process.
635 * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
636 * BUG 14897: Samba process doesn't log to logfile.
637 * BUG 14907: set_ea_dos_attribute() fallback calling
638 get_file_handle_for_metadata() triggers locking.tdb assert.
639 * BUG 14922: Kerberos authentication on standalone server in MIT realm
641 * BUG 14923: Segmentation fault when joining the domain.
643 o Alexander Bokovoy <ab@samba.org>
644 * BUG 14903: Support for ROLE_IPA_DC is incomplete.
646 o Günther Deschner <gd@samba.org>
647 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
648 * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
650 o Volker Lendecke <vl@samba.org>
651 * BUG 14908: net ads status -P broken in a clustered environment.
653 o Stefan Metzmacher <metze@samba.org>
654 * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
655 smbd_smb2_ioctl_send.
656 * BUG 14882: smbXsrv_client_global record validation leads to crash if
657 existing record points at non-existing process.
658 * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
659 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
660 side effects for the local nt token.
662 o Andreas Schneider <asn@samba.org>
663 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
664 * BUG 14883: smbclient login without password using '-N' fails with
665 NT_STATUS_INVALID_PARAMETER on Samba AD DC.
666 * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
668 * BUG 14921: Possible null pointer dereference in winbind.
670 o Andreas Schneider <asn@cryptomilk.org>
671 * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
674 o Martin Schwenke <martin@meltin.net>
675 * BUG 14872: Add Debian 11 CI bootstrap support.
677 o Joseph Sutton <josephsutton@catalyst.net.nz>
678 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
679 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
680 side effects for the local nt token.
682 o Andrew Walker <awalker@ixsystems.com>
683 * BUG 14888: Crash in recycle_unlink_internal().
686 #######################################
687 Reporting bugs & Development Discussion
688 #######################################
690 Please discuss this release on the samba-technical mailing list or by
691 joining the #samba-technical:matrix.org matrix room, or
692 #samba-technical IRC channel on irc.libera.chat
694 If you do report problems then please try to send high quality
695 feedback. If you don't provide vital information to help us track down
696 the problem then you will probably be ignored. All bug reports should
697 be filed under the Samba 4.1 and newer product in the project's Bugzilla
698 database (https://bugzilla.samba.org/).
701 ======================================================================
702 == Our Code, Our Bugs, Our Responsibility.
704 ======================================================================
707 ----------------------------------------------------------------------
708 ==============================
709 Release Notes for Samba 4.15.2
711 ==============================
714 This is a security release in order to address the following defects:
716 o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
718 https://www.samba.org/samba/security/CVE-2016-2124.html
720 o CVE-2020-25717: A user on the domain can become root on domain members.
721 https://www.samba.org/samba/security/CVE-2020-25717.html
722 (PLEASE READ! There are important behaviour changes described)
724 o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
726 https://www.samba.org/samba/security/CVE-2020-25718.html
728 o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
730 https://www.samba.org/samba/security/CVE-2020-25719.html
732 o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
734 https://www.samba.org/samba/security/CVE-2020-25721.html
736 o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
737 checking of data stored.
738 https://www.samba.org/samba/security/CVE-2020-25722.html
740 o CVE-2021-3738: Use after free in Samba AD DC RPC server.
741 https://www.samba.org/samba/security/CVE-2021-3738.html
743 o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
744 https://www.samba.org/samba/security/CVE-2021-23192.html
750 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
753 o Andrew Bartlett <abartlet@samba.org>
759 o Ralph Boehme <slow@samba.org>
762 o Alexander Bokovoy <ab@samba.org>
765 o Samuel Cabrero <scabrero@samba.org>
768 o Nadezhda Ivanova <nivanova@symas.com>
771 o Stefan Metzmacher <metze@samba.org>
779 o Andreas Schneider <asn@samba.org>
782 o Joseph Sutton <josephsutton@catalyst.net.nz>
791 #######################################
792 Reporting bugs & Development Discussion
793 #######################################
795 Please discuss this release on the samba-technical mailing list or by
796 joining the #samba-technical IRC channel on irc.libera.chat or the
797 #samba-technical:matrix.org matrix channel.
799 If you do report problems then please try to send high quality
800 feedback. If you don't provide vital information to help us track down
801 the problem then you will probably be ignored. All bug reports should
802 be filed under the Samba 4.1 and newer product in the project's Bugzilla
803 database (https://bugzilla.samba.org/).
806 ======================================================================
807 == Our Code, Our Bugs, Our Responsibility.
809 ======================================================================
812 ----------------------------------------------------------------------
815 ==============================
816 Release Notes for Samba 4.15.1
818 ==============================
821 This is the latest stable release of the Samba 4.15 release series.
827 o Jeremy Allison <jra@samba.org>
828 * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
829 * BUG 14685: Log clutter from filename_convert_internal.
830 * BUG 14862: MacOSX compilation fixes.
832 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
833 * BUG 14868: rodc_rwdc test flaps.
835 o Andrew Bartlett <abartlet@samba.org>
836 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
837 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
839 * BUG 14836: Python ldb.msg_diff() memory handling failure.
840 * BUG 14845: "in" operator on ldb.Message is case sensitive.
841 * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
842 * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
843 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
844 * BUG 14874: Allow special chars like "@" in samAccountName when generating
847 o Ralph Boehme <slow@samba.org>
848 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
850 o Isaac Boukris <iboukris@gmail.com>
851 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
852 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
855 o Viktor Dukhovni <viktor@twosigma.com>
856 * BUG 12998: Fix transit path validation.
858 o Pavel Filipenský <pfilipen@redhat.com>
859 * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
862 o Luke Howard <lukeh@padl.com>
863 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
864 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
867 o Stefan Metzmacher <metze@samba.org>
868 * BUG 14855: SMB3 cancel requests should only include the MID together with
869 AsyncID when AES-128-GMAC is used.
871 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
872 * BUG 14862: MacOSX compilation fixes.
874 o Andreas Schneider <asn@samba.org>
875 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
877 o Martin Schwenke <martin@meltin.net>
878 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
880 o Joseph Sutton <josephsutton@catalyst.net.nz>
881 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
882 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
884 * BUG 14836: Python ldb.msg_diff() memory handling failure.
885 * BUG 14845: "in" operator on ldb.Message is case sensitive.
886 * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
887 * BUG 14868: rodc_rwdc test flaps.
888 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
889 * BUG 14874: Allow special chars like "@" in samAccountName when generating
892 o Nicolas Williams <nico@twosigma.com>
893 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
894 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
898 #######################################
899 Reporting bugs & Development Discussion
900 #######################################
902 Please discuss this release on the samba-technical mailing list or by
903 joining the #samba-technical IRC channel on irc.freenode.net.
905 If you do report problems then please try to send high quality
906 feedback. If you don't provide vital information to help us track down
907 the problem then you will probably be ignored. All bug reports should
908 be filed under the Samba 4.1 and newer product in the project's Bugzilla
909 database (https://bugzilla.samba.org/).
912 ======================================================================
913 == Our Code, Our Bugs, Our Responsibility.
915 ======================================================================
918 ----------------------------------------------------------------------
920 ==============================
921 Release Notes for Samba 4.15.0
923 ==============================
926 This is the first stable release of the Samba 4.15 release series.
927 Please read the release notes carefully before upgrading.
930 Removed SMB (development) dialects
931 ==================================
933 The following SMB (development) dialects are no longer
934 supported: SMB2_22, SMB2_24 and SMB3_10. They are were
935 only supported by Windows technical preview builds.
936 They used to be useful in order to test against the
937 latest Windows versions, but it's no longer useful
938 to have them. If you have them explicitly specified
939 in your smb.conf or an the command line,
940 you need to replace them like this:
944 Note that it's typically not useful to specify
945 "client max protocol" or "server max protocol"
946 explicitly to a specific dialect, just leave
947 them unspecified or specify the value "default".
952 The GPG release key for Samba releases changed from:
954 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
955 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
956 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
957 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
959 to the following new key:
961 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
962 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
963 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
964 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
966 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
968 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
970 New minimum version for the experimental MIT KDC
971 ================================================
973 The build of the AD DC using the system MIT Kerberos, an
974 experimental feature, now requires MIT Kerberos 1.19. An up-to-date
975 Fedora 34 has this version and has backported fixes for the KDC crash
976 bugs CVE-2021-37750 and CVE-2021-36222
985 The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
986 with a modernized VFS designed for the post SMB1 world.
988 For details please refer to the documentation at source3/modules/The_New_VFS.txt
989 or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
992 Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
993 ---------------------------------------------------------------------------
995 Up to now, any client could use a DNS zone transfer request to the
996 bind server, and get an answer from Samba. Now the default behaviour
997 will be to deny those request. Two new options have been added to
998 manage the list of authorized/denied clients for zone transfer
999 requests. In order to be accepted, the request must be issued by a
1000 client that is in the allow list and NOT in the deny list.
1003 "server multi channel support" no longer experimental
1004 -----------------------------------------------------
1006 This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
1007 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
1008 to use this feature on Linux and FreeBSD for now.
1011 samba-tool available without the ad-dc
1012 --------------------------------------
1014 The 'samba-tool' command is now available when samba is configured
1015 "--without-ad-dc". Not all features will work, and some ad-dc specific options
1016 have been disabled. The 'samba-tool domain' options, for example, are limited
1017 when no ad-dc is present. Samba must still be built with ads in order to enable
1021 Improved command line user experience
1022 -------------------------------------
1024 Samba utilities did not consistently implement their command line interface. A
1025 number of options were requiring to specify values in one tool and not in the
1026 other, some options meant different in different tools.
1028 These should be stories of the past now. A new command line parser has been
1029 implemented with sanity checking. Also the command line interface has been
1030 simplified and provides better control for encryption, signing and kerberos.
1032 Previously many tools silently ignored unknown options. To prevent unexpected
1033 behaviour all tools will now consistently reject unknown options.
1035 Also several command line options have a smb.conf variable to control the
1038 All tools are now logging to stderr by default. You can use "--debug-stdout" to
1039 change the behavior. All servers will log to stderr at early startup until logging
1040 is setup to go to a file by default.
1045 --client-protection=off|sign|encrypt
1048 --kerberos -> --use-kerberos=required|desired|off
1049 --krb5-ccache -> --use-krb5-ccache=CCACHE
1050 --scope -> --netbios-scope=SCOPE
1051 --use-ccache -> --use-winbind-ccache
1055 -C removed from --use-winbind-ccache
1056 -i removed from --netbios-scope
1060 ### Duplicates in command line utils
1062 ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
1063 -e is still available as an alias for --editor,
1065 -s is no longer reported as an alias for --configfile,
1066 it never worked that way as it was shadowed by '-s' for '--scope'.
1069 -l is not available for --load-dso anymore
1072 -l is not available for --long anymore
1075 -V is not available for --viewsddl anymore
1078 --user -> --quota-user
1081 --log-stdout -> --debug-stdout
1084 --log-stdout -> --debug-stdout
1087 --log-stdout -> --debug-stdout
1090 Scanning of trusted domains and enterprise principals
1091 -----------------------------------------------------
1093 As an artifact from the NT4 times, we still scanned the list of trusted domains
1094 on winbindd startup. This is wrong as we never can get a full picture in Active
1095 Directory. It is time to change the default value to "No". Also with this change
1096 we always use enterprise principals for Kerberos so that the DC will be able
1097 to redirect ticket requests to the right DC. This is e.g. needed for one way
1098 trusts. The options `winbind use krb5 enterprise principals` and
1099 `winbind scan trusted domains` will be deprecated in one of the next releases.
1102 Support for Offline Domain Join (ODJ)
1103 -------------------------------------
1105 The net utility is now able to support the offline domain join feature
1106 as known from the Windows djoin.exe command for many years. Samba's
1107 implementation is accessible via the 'net offlinejoin' subcommand. It
1108 can provision computers and request offline joining for both Windows
1109 and Unix machines. It is also possible to provision computers from
1110 Windows (using djoin.exe) and use the generated data in Samba's 'net'
1111 utility. The existing options for the provisioning and joining steps
1112 are documented in the net(8) manpage.
1115 'samba-tool dns zoneoptions' for aging control
1116 ----------------------------------------------
1118 The 'samba-tool dns zoneoptions' command can be used to turn aging on
1119 and off, alter the refresh and no-refresh periods, and manipulate the
1120 timestamps of existing records.
1122 To turn aging on for a zone, you can use something like this:
1124 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
1126 which turns on aging and ensures no records less than five years old
1127 are aged out and scavenged. After aging has been on for sufficient
1128 time for records to be renewed, the command
1130 samba-tool dns zoneoptions --refreshinterval=168
1132 will set the refresh period to the standard seven days. Using this two
1133 step process will help prevent the temporary loss of dynamic records
1134 if scavenging happens before their first renewal.
1137 Marking old records as static or dynamic with 'samba-tool'
1138 ----------------------------------------------------------
1140 A bug in Samba versions prior to 4.9 meant records that were meant to
1141 be static were marked as dynamic and vice versa. To fix the timestamps
1142 in these domains, it is possible to use the following options,
1143 preferably before turning aging on.
1145 --mark-old-records-static
1146 --mark-records-dynamic-regex
1147 --mark-records-static-regex
1149 The "--mark-old-records-static" option will make records older than the
1150 specified date static (that is, with a zero timestamp). For example,
1151 if you upgraded to Samba 4.9 in November 2018, you could use ensure no
1152 old records will be mistakenly interpreted as dynamic using the
1155 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
1157 Then, if you know that that will have marked some records as static
1158 that should be dynamic, and you know which those are due to your
1159 naming scheme, you can use commands like:
1161 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
1163 where '\w+-desktop' is a perl-compatible regular expression that will
1164 match 'bob-desktop', 'alice-desktop', and so on.
1166 These options are deliberately long and cumbersome to type, so people
1167 have a chance to think before they get to the end. You can make a
1168 mess if you get it wrong.
1170 All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
1171 argument that allows you to inspect the likely results before going
1174 NOTE: for aging to work, you need to have "dns zone scavenging = yes"
1175 set in the smb.conf of at least one server.
1178 DNS tombstones are now deleted as appropriate
1179 ---------------------------------------------
1181 When all the records for a DNS name have been deleted, the node is put
1182 in a tombstoned state (separate from general AD object tombstoning,
1183 which deleted nodes also go through). These tombstones should be
1184 cleaned up periodically. Due to a conflation of scavenging and
1185 tombstoning, we have only been deleting tombstones when aging is
1188 If you have a lot of tombstoned DNS nodes (that is, DNS names for
1189 which you have removed all the records), cleaning up these DNS
1190 tombstones may take a noticeable time.
1193 DNS tombstones use a consistent timestamp format
1194 ------------------------------------------------
1196 DNS records use an hours-since-1601 timestamp format except for in the
1197 case of tombstone records where a 100-nanosecond-intervals-since-1601
1198 format is used (this latter format being the most common in Windows).
1199 We had mixed that up, which might have had strange effects in zones
1200 where aging was enabled (and hence tombstone timestamps were used).
1203 samba-tool dns update and RPC changes
1204 -------------------------------------
1206 The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
1207 to manipulate dns records on the remote server. A bug in Samba meant
1208 it was not possible to update an existing DNS record to change the
1209 TTL. The general behaviour of RPC updates is now closer to that of
1212 'samba-tool dns update' is now a bit more careful in rejecting and
1213 warning you about malformed IPv4 and IPv6 addresses.
1215 CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
1216 -----------------------------------------------------------------------
1218 An unuthenticated user can crash the AD DC KDC by omitting the server
1219 name in a TGS-REQ. Per Samba's updated security process a specific
1220 security release was not made for this issue as it is a recoverable
1223 See https://wiki.samba.org/index.php/Samba_Security_Proces
1225 samba-tool domain backup offline with the LMDB backend
1226 ------------------------------------------------------
1228 samba-tool domain backup offline, when operating with the LMDB backend
1229 now correctly takes out locks against concurrent modification of the
1230 database during the backup. If you use this tool on a Samba AD DC
1231 using LMDB, you should upgrade to this release for safer backups.
1236 Tru64 ACL support has been removed from this release. The last
1237 supported release of Tru64 UNIX was in 2012.
1239 NIS support has been removed from this release. This is not
1240 available in Linux distributions anymore.
1242 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
1243 which have been out of support since 2018.
1249 Parameter Name Description Default
1250 -------------- ----------- -------
1251 client use kerberos New desired
1252 client max protocol Values Removed
1253 client min protocol Values Removed
1254 client protection New default
1255 client smb3 signing algorithms New see man smb.conf
1256 client smb3 encryption algorithms New see man smb.conf
1257 preopen:posix-basic-regex New No
1258 preopen:nomatch_log_level New 5
1259 preopen:match_log_level New 5
1260 preopen:nodigits_log_level New 1
1261 preopen:founddigits_log_level New 3
1262 preopen:reset_log_level New 5
1263 preopen:push_log_level New 3
1264 preopen:queue_log_level New 10
1265 server max protocol Values Removed
1266 server min protocol Values Removed
1267 server multi channel support Changed Yes (on Linux and FreeBSD)
1268 server smb3 signing algorithms New see man smb.conf
1269 server smb3 encryption algorithms New see man smb.conf
1270 winbind use krb5 enterprise principals Changed Yes
1271 winbind scan trusted domains Changed No
1274 CHANGES SINCE 4.15.0rc6
1275 =======================
1277 o Andrew Bartlett <abartlet@samba.org>
1278 * BUG 14791: All the ways to specify a password are not documented.
1280 o Ralph Boehme <slow@samba.org>
1281 * BUG 14790: vfs_btrfs compression support broken.
1282 * BUG 14828: Problems with commandline parsing.
1283 * BUG 14829: smbd crashes when "ea support" is set to no.
1285 o Stefan Metzmacher <metze@samba.org>
1286 * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
1287 use the same strings as smbstatus output.
1288 * BUG 14828: Problems with commandline parsing.
1290 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
1291 * BUG 8773: smbd fails to run as root because it belongs to more than 16
1294 o Martin Schwenke <martin@meltin.net>
1295 * BUG 14784: Fix CTDB flag/status update race conditions.
1298 CHANGES SINCE 4.15.0rc5
1299 =======================
1301 o Andrew Bartlett <abartlet@samba.org>
1302 * BUG 14806: Address a signifcant performance regression in database access
1303 in the AD DC since Samba 4.12.
1304 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
1305 Samba 4.9 by using an explicit database handle cache.
1306 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
1307 server name in a TGS-REQ.
1308 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
1309 * BUG 14819: Address flapping dsdb_schema_attributes test.
1311 o Luke Howard <lukeh@padl.com>
1312 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
1313 server name in a TGS-REQ.
1315 o Gary Lockyer <gary@catalyst.net.nz>
1316 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
1317 server name in a TGS-REQ.
1319 o Andreas Schneider <asn@samba.org>
1320 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
1321 server name in a TGS-REQ.
1323 o Joseph Sutton <josephsutton@catalyst.net.nz>
1324 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
1325 server name in a TGS-REQ.
1328 CHANGES SINCE 4.15.0rc4
1329 =======================
1331 o Jeremy Allison <jra@samba.org>
1332 * BUG 14809: Shares with variable substitutions cause core dump upon
1333 connection from MacOS Big Sur 11.5.2.
1334 * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
1337 o Andrew Bartlett <abartlet@samba.org>
1338 * BUG 14815: A subset of tests from Samba's selftest system were not being
1339 run, while others were run twice.
1341 o Ralph Boehme <slow@samba.org>
1342 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
1343 * BUG 14787: net conf list crashes when run as normal user,
1344 * BUG 14803: smbd/winbindd started in daemon mode generate output on
1346 * BUG 14804: winbindd can crash because idmap child state is not fully
1349 o Stefan Metzmacher <metze@samba.org>
1350 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
1353 CHANGES SINCE 4.15.0rc3
1354 =======================
1356 o Bjoern Jacke <bj@sernet.de>
1357 * BUG 14800: util_sock: fix assignment of sa_socklen.
1360 CHANGES SINCE 4.15.0rc2
1361 =======================
1363 o Jeremy Allison <jra@samba.org>
1364 * BUG 14760: vfs_streams_depot directory creation permissions and store
1366 * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
1367 * BUG 14769: smbd panic on force-close share during offload write.
1368 * BUG 14805: OpenDir() loses the correct errno return.
1370 o Ralph Boehme <slow@samba.org>
1371 * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
1373 o Stefan Metzmacher <metze@samba.org>
1374 * BUG 14793: Start the SMB encryption as soon as possible.
1376 o Andreas Schneider <asn@samba.org>
1377 * BUG 14779: Winbind should not start if the socket path is too long.
1379 o Noel Power <noel.power@suse.com>
1380 * BUG 14760: vfs_streams_depot directory creation permissions and store
1384 CHANGES SINCE 4.15.0rc1
1385 =======================
1387 o Andreas Schneider <asn@samba.org>
1388 * BUG 14768: smbd/winbind should load the registry if configured
1389 * BUG 14777: do not quote passed argument of configure script
1390 * BUG 14779: Winbind should not start if the socket path is too long
1392 o Stefan Metzmacher <metze@samba.org>
1393 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
1394 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
1396 o Ralph Boehme <slow@samba.org>
1397 * BUG 14700: file owner not available when file unredable
1399 o Jeremy Allison <jra@samba.org>
1400 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
1401 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
1408 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
1411 #######################################
1412 Reporting bugs & Development Discussion
1413 #######################################
1415 Please discuss this release on the samba-technical mailing list or by
1416 joining the #samba-technical IRC channel on irc.libera.chat or the
1417 #samba-technical:matrix.org matrix channel.
1419 If you do report problems then please try to send high quality
1420 feedback. If you don't provide vital information to help us track down
1421 the problem then you will probably be ignored. All bug reports should
1422 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1423 database (https://bugzilla.samba.org/).
1426 ======================================================================
1427 == Our Code, Our Bugs, Our Responsibility.
1429 ======================================================================