1 =============================
2 Release Notes for Samba 4.2.7
4 =============================
7 This is a security release in order to address the following CVEs:
9 o CVE-2015-3223 (Denial of service in Samba Active Directory
11 o CVE-2015-5252 (Insufficient symlink verification in smbd)
12 o CVE-2015-5299 (Missing access control check in shadow copy
14 o CVE-2015-5296 (Samba client requesting encryption vulnerable
16 o CVE-2015-8467 (Denial of service attack against Windows
17 Active Directory server)
18 o CVE-2015-5330 (Remote memory read in Samba LDAP server)
20 Please note that if building against a system libldb, the required
21 version has been bumped to ldb-1.1.24. This is needed to ensure
22 we build against a system ldb library that contains the fixes
23 for CVE-2015-5330 and CVE-2015-3223.
30 All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
31 ldb versions up to 1.1.23 inclusive) are vulnerable to
32 a denial of service attack in the samba daemon LDAP server.
34 A malicious client can send packets that cause the LDAP server in the
35 samba daemon process to become unresponsive, preventing the server
36 from servicing any other requests.
38 This flaw is not exploitable beyond causing the code to loop expending
42 All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
43 a bug in symlink verification, which under certain circumstances could
44 allow client access to files outside the exported share path.
46 If a Samba share is configured with a path that shares a common path
47 prefix with another directory on the file system, the smbd daemon may
48 allow the client to follow a symlink pointing to a file or directory
49 in that other directory, even if the share parameter "wide links" is
50 set to "no" (the default).
53 All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
54 a missing access control check in the vfs_shadow_copy2 module. When
55 looking for the shadow copy directory under the share path the current
56 accessing user should have DIRECTORY_LIST access rights in order to
57 view the current snapshots.
59 This was not being checked in the affected versions of Samba.
62 Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
63 signing is negotiated when creating an encrypted client connection to
66 Without this a man-in-the-middle attack could downgrade the connection
67 and connect using the supplied credentials as an unsigned, unencrypted
71 Samba, operating as an AD DC, is sometimes operated in a domain with a
72 mix of Samba and Windows Active Directory Domain Controllers.
74 All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
75 an AD DC in the same domain with Windows DCs, could be used to
76 override the protection against the MS15-096 / CVE-2015-2535 security
79 Prior to MS16-096 it was possible to bypass the quota of machine
80 accounts a non-administrative user could create. Pure Samba domains
81 are not impacted, as Samba does not implement the
82 SeMachineAccountPrivilege functionality to allow non-administrator
83 users to create new computer objects.
86 All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
87 ldb versions up to 1.1.23 inclusive) are vulnerable to
88 a remote memory read attack in the samba daemon LDAP server.
90 A malicious client can send packets that cause the LDAP server in the
91 samba daemon process to return heap memory beyond the length of the
94 This memory may contain data that the client should not be allowed to
95 see, allowing compromise of the server.
97 The memory may either be returned to the client in an error string, or
98 stored in the database by a suitabily privileged user. If untrusted
99 users can create objects in your database, please confirm that all DN
100 and name attributes are reasonable.
106 o Andrew Bartlett <abartlet@samba.org>
107 * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
110 o Jeremy Allison <jra@samba.org>
111 * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
112 * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
113 access outside the share).
114 * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
117 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
118 * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
120 o Stefan Metzmacher <metze@samba.org>
121 * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
122 smb encryption on the client side.
125 #######################################
126 Reporting bugs & Development Discussion
127 #######################################
129 Please discuss this release on the samba-technical mailing list or by
130 joining the #samba-technical IRC channel on irc.freenode.net.
132 If you do report problems then please try to send high quality
133 feedback. If you don't provide vital information to help us track down
134 the problem then you will probably be ignored. All bug reports should
135 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
136 database (https://bugzilla.samba.org/).
139 ======================================================================
140 == Our Code, Our Bugs, Our Responsibility.
142 ======================================================================
145 Release notes for older releases follow:
146 ----------------------------------------
148 =============================
149 Release Notes for Samba 4.2.6
151 =============================
154 This is the latest stable release of Samba 4.2.
160 o Michael Adam <obnox@samba.org>
161 * BUG 11365: ctdb: Strip trailing spaces from nodes file.
162 * BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
163 * BUG 11619: doc: Fix a typo in the smb.conf manpage.
166 o Jeremy Allison <jra@samba.org>
167 * BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives a
168 attribute type of zero.
169 * BUG 11565: auth: gensec: Fix a memory leak.
170 * BUG 11566: lib: util: Make non-critical message a warning.
171 * BUG 11589: s3: smbd: If EA's are turned off on a share don't allow an SMB2
172 create containing them.
173 * BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files
174 below an open directory handle.
177 o Ralph Boehme <slow@samba.org>
178 * BUG 11564: async_req: Fix non-blocking connect().
181 o Volker Lendecke <vl@samba.org>
182 * BUG 11243: vfs_gpfs: Re-enable share modes.
183 * BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
186 o YvanM <yvan.masson@openmailbox.org>
187 * BUG 11584: manpage: Correct small typo error.
190 o Marc Muehlfeld <mmuehlfeld@samba.org>
191 * BUG 9912: Changing log level of two entries to from 1 to 3.
194 o Andreas Schneider <asn@samba.org>
195 * BUG 11346: wafsamba: Also build libraries with RELRO protection.
196 * BUG 11563: nss_wins: Do not run into use after free issues when we access
197 memory allocated on the globals and the global being reinitialized.
200 o Karolin Seeger <kseeger@samba.org>
201 * BUG 11619: docs: Fix some typos in the idmap config section of man 5
205 o Noel Power <noel.power@suse.com>
206 * BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
207 * BUG 11597: Backport some valgrind fixes from upstream master.
210 #######################################
211 Reporting bugs & Development Discussion
212 #######################################
214 Please discuss this release on the samba-technical mailing list or by
215 joining the #samba-technical IRC channel on irc.freenode.net.
217 If you do report problems then please try to send high quality
218 feedback. If you don't provide vital information to help us track down
219 the problem then you will probably be ignored. All bug reports should
220 be filed under the Samba 4.2 product in the project's Bugzilla
221 database (https://bugzilla.samba.org/).
224 ======================================================================
225 == Our Code, Our Bugs, Our Responsibility.
227 ======================================================================
230 ----------------------------------------------------------------------
233 =============================
234 Release Notes for Samba 4.2.5
236 =============================
239 This is the latest stable release of Samba 4.2.
245 o Jeremy Allison <jra@samba.org>
246 * BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable"
248 * BUG 10634: smbd: Fix file name buflen and padding in notify repsonse.
249 * BUG 11486: s3: smbd: Fix mkdir race condition.
250 * BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share
252 * BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw'
253 stream fix (bug #11522).
254 * BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
255 component) names is incorrect.
258 o Ralph Boehme <slow@samba.org>
259 * BUG 11535: s3: smbd: Fix a crash in unix_convert().
260 * BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
261 * BUG 11549: Fix bug in smbstatus where the lease info is not printed.
262 * BUG 11550: s3:smbstatus: Add stream name to share_entry_forall().
263 * BUG 11555: s3:lib: validate domain name in lookup_wellknown_name().
266 o Günther Deschner <gd@samba.org>
267 * BUG 11038: kerberos: Make sure we only use prompter type when available.
270 o Björn Jacke <bj@sernet.de>
271 * BUG 10365: nss_winbind: Fix hang on Solaris on big groups.
272 * BUG 11355: build: Use as-needed linker flag also on OpenBSD.
275 o Volker Lendecke <vl@samba.org>
276 * BUG 11038: winbind: Fix 100% loop.
277 * BUG 11381: Fix a deadlock in tdb.
280 o Stefan Metzmacher <metze@samba.org>
281 * BUG 11316: s3:ctdbd_conn: Make sure we destroy tevent_fd before closing
283 * BUG 11327: dcerpc.idl: accept invalid dcerpc_bind_nak pdus.
286 o Har Gagan Sahai <SHarGagan@novell.com>
287 * BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled.
290 o Andreas Schneider <asn@samba.org>
291 * BUG 11502: pam_winbind: Fix a segfault if initialization fails.
294 o Uri Simchoni <uri@samba.org>
295 * BUG 11528: net: Fix a crash with 'net ads keytab create'.
296 * BUG 11547: vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT.
299 #######################################
300 Reporting bugs & Development Discussion
301 #######################################
303 Please discuss this release on the samba-technical mailing list or by
304 joining the #samba-technical IRC channel on irc.freenode.net.
306 If you do report problems then please try to send high quality
307 feedback. If you don't provide vital information to help us track down
308 the problem then you will probably be ignored. All bug reports should
309 be filed under the Samba 4.2 product in the project's Bugzilla
310 database (https://bugzilla.samba.org/).
313 ======================================================================
314 == Our Code, Our Bugs, Our Responsibility.
316 ======================================================================
319 ----------------------------------------------------------------------
322 =============================
323 Release Notes for Samba 4.2.4
325 =============================
328 This is the latest stable release of Samba 4.2.
334 o Michael Adam <obnox@samba.org>
335 * BUG 11372: smbd: Fix SMB3 functionality of "smb encrypt".
338 o Jeremy Allison <jra@samba.org>
339 * BUG 11359: lib: replace: Add strsep function (missing on Solaris).
342 o Ralph Boehme <slow@samba.org>
343 * BUG 11278: Fix stream names with colon with "fruit:encoding = native".
344 * BUG 11317: vfs:fruit: Implement copyfile style copy_chunk.
345 * BUG 11426: s3-net: Use talloc array in share allowedusers.
346 * BUG 11467: vfs_fruit: Handling of empty resource fork.
349 o Alexander Bokovoy <ab@samba.org>
350 * BUG 11265: auth/credentials: If credentials have principal set, they are
351 not anonymous anymore.
354 o Günther Deschner <gd@samba.org>
355 * BUG 11373: s3-smbd: Reset protocol in smbXsrv_connection_init_tables
359 o Amitay Isaacs <amitay@gmail.com>
360 * BUG 11398: ctdb-daemon: Return correct sequence number for
361 CONTROL_GET_DB_SEQNUM.
362 * BUG 11431: ctdb-daemon: Improve error handling for running event scripts.
365 o Volker Lendecke <vl@samba.org>
366 * BUG 11316: lib: Fix rundown of open_socket_out().
367 * BUG 11488: Avoid quoting problems in user's DNs.
370 o Justin Maggard <jmaggard@netgear.com>
371 * BUG 11320: s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
374 o Roel van Meer <roel@1afa.com>
375 * BUG 11427: s3-util: Compare the maximum allowed length of a NetBIOS name.
378 o Stefan Metzmacher <metze@samba.org>
379 * BUG 11316: s3:lib: Fix some corner cases of open_socket_out_cleanup().
380 * BUG 11454: Backport dcesrv_netr_DsRGetDCNameEx2 fixes.
383 o Anubhav Rakshit <anubhav.rakshit@gmail.com>
384 * BUG 11361: s3:libsmb: Fix a bug in conversion of ea list to ea array.
387 o Arvid Requate <requate@univention.de>
388 * BUG 11291: s4:rpc_server/netlogon: Fix for NetApp.
391 o Andreas Schneider <asn@samba.org>
392 * BUG 9862: s3-auth: Fix "map to guest = Bad uid".
393 * BUG 11403: s3-smbd: Leave sys_disk_free() if dfree command is used.
394 * BUG 11404: s3-auth: Fix a possible null pointer dereference.
397 o Martin Schwenke <martin@meltin.net>
398 * BUG 11399: ctdb-scripts: Support monitoring of interestingly named VLANs
400 * BUG 11432: ctdb-daemon: Check if updates are in flight when releasing all
402 * BUG 11435: ctdb-build: Fix building of PCP PMDA module.
405 o Wei Zhong <wweyeww@gmail.com>
406 * BUG 10823: s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable.
409 #######################################
410 Reporting bugs & Development Discussion
411 #######################################
413 Please discuss this release on the samba-technical mailing list or by
414 joining the #samba-technical IRC channel on irc.freenode.net.
416 If you do report problems then please try to send high quality
417 feedback. If you don't provide vital information to help us track down
418 the problem then you will probably be ignored. All bug reports should
419 be filed under the Samba 4.2 product in the project's Bugzilla
420 database (https://bugzilla.samba.org/).
423 ======================================================================
424 == Our Code, Our Bugs, Our Responsibility.
426 ======================================================================
429 ----------------------------------------------------------------------
432 =============================
433 Release Notes for Samba 4.2.3
435 =============================
438 This is the latest stable release of Samba 4.2.
444 o Michael Adam <obnox@samba.org>
445 * BUG 11366: docs: Overhaul the description of "smb encrypt" to include SMB3
449 o Jeremy Allison <jra@samba.org>
450 * BUG 11068: s3: lib: util: Ensure we read a hex number as %x, not %u.
451 * BUG 11295: Excessive cli_resolve_path() usage can slow down transmission.
452 * BUG 11328: winbindd: winbindd_raw_kerberos_login - ensure logon_info
454 * BUG 11339: s3: smbd: Use separate flag to track
455 become_root()/unbecome_root() state.
456 * BUG 11342: s3: smbd: Codenomicon crash in do_smb_load_module().
459 o Christian Ambach <ambi@samba.org>
460 * BUG 11170: s3:param/loadparm: Fix 'testparm --show-all-parameters'.
463 o Andrew Bartlett <abartlet@samba.org>
464 * BUG 10991: winbindd: Sync secrets.ldb into secrets.tdb on startup.
467 o Ralph Boehme <slow@samba.org>
468 * BUG 11277: s3:smb2: Add padding to last command in compound requests.
469 * BUG 11305: vfs_fruit: Add option "veto_appledouble".
470 * BUG 11323: smbd/trans2: Add a useful diagnostic for files with bad
472 * BUG 11363: vfs_fruit: Check offset and length for AFP_AfpInfo read
474 * BUG 11371: ncacn_http: Fix GNUism.
477 o Günther Deschner <gd@samba.org>
478 * BUG 11245: s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of
482 o Alexander Drozdov <al.drozdov@gmail.com>
483 * BUG 11331: tdb: version 1.3.5: ABI change: tdb_chainlock_read_nonblock()
487 o Evangelos Foutras <evangelos@foutrelis.com>
488 * BUG 8780: s4:lib/tls: Fix build with gnutls 3.4.
491 o David Holder <david.holder@erion.co.uk>
492 * BUG 11281: Add IPv6 support to ADS client side LDAP connects.
493 * BUG 11282: Add IPv6 support for determining FQDN during ADS join.
494 * BUG 11283: s3: IPv6 enabled DNS connections for ADS client.
497 o Steve Howells <steve.howells@moscowfirst.com>
498 * BUG 10924: s4.2/fsmo.py: Fixed fsmo transfer exception.
501 o Amitay Isaacs <amitay@gmail.com>
502 * BUG 11293: Fix invalid write in ctdb_lock_context_destructor.
505 o Volker Lendecke <vl@samba.org>
506 * BUG 11218: smbd: Fix a use-after-free.
507 * BUG 11312: tstream: Make socketpair nonblocking.
508 * BUG 11330: tevent: Fix CID 1035381 Unchecked return value.
509 * BUG 11331: tdb: Fix CID 1034842 and 1034841 Resource leaks.
512 o Stefan Metzmacher <metze@samba.org>
513 * BUG 11061: Logon via MS Remote Desktop hangs.
514 * BUG 11141: tevent: Add a note to tevent_add_fd().
515 * BUG 11293: Fix invalid write in ctdb_lock_context_destructor.
516 * BUG 11316: tevent_fd needs to be destroyed before closing the fd.
517 * BUG 11319: Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’
519 * BUG 11326: Robust mutex support broken in 1.3.5.
520 * BUG 11329: s3:smb2_setinfo: Fix memory leak in the defer_rename case.
521 * BUG 11330: Backport tevent-0.9.25.
522 * BUG 11331: Backport tdb-1.3.6.
523 * BUG 11367: s3:auth_domain: Fix talloc problem in
524 connect_to_domain_password_server().
527 o Marc Muehlfeld <mmuehlfeld@samba.org>
528 * BUG 11315: Group creation: Add msSFU30Name only when --nis-domain was
531 o Matthieu Patou <mat@matws.net>
532 * BUG 11356: pidl: Make the compilation of PIDL producing the same results
533 if the content hasn't change.
536 o Noel Power <noel.power@suse.com>
537 * BUG 11328: Kerberos auth info3 should contain resource group ids available
541 o Gordon Ross <gordon.w.ross@gmail.com>
542 * BUG 11330: lib: tevent: Fix compile error in Solaris ports backend.
545 o Christof Schmitt <cs@samba.org>
546 * BUG 11313: idmap_rfc2307: Fix wbinfo '--gid-to-sid' query.
547 * BUG 11324: Change sharesec output back to previous format.
550 o Uri Simchoni <urisimchoni@gmail.com>
551 * BUG 11358: winbindd: Disconnect child process if request is cancelled at
555 o Petr Viktorin <pviktori@redhat.com>
556 * BUG 11330: Backport tevent-0.9.25.
559 o Youzhong Yang <yyang@mathworks.com>
560 * BUG 11217: s3-unix_msg: Remove socket file after closing socket fd.
563 #######################################
564 Reporting bugs & Development Discussion
565 #######################################
567 Please discuss this release on the samba-technical mailing list or by
568 joining the #samba-technical IRC channel on irc.freenode.net.
570 If you do report problems then please try to send high quality
571 feedback. If you don't provide vital information to help us track down
572 the problem then you will probably be ignored. All bug reports should
573 be filed under the Samba 4.2 product in the project's Bugzilla
574 database (https://bugzilla.samba.org/).
577 ======================================================================
578 == Our Code, Our Bugs, Our Responsibility.
580 ======================================================================
583 ----------------------------------------------------------------------
586 =============================
587 Release Notes for Samba 4.2.2
589 =============================
592 This is the latest stable release of Samba 4.2.
598 o Michael Adam <obnox@samba.org>
599 * BUG 11182: s3:smbXsrv: refactor duplicate code into
600 smbXsrv_session_clear_and_logoff().
601 * BUG 11260: gencache: don't fail gencache_stabilize if there were records
605 o Jeremy Allison <jra@samba.org>
606 * BUG 11186: s3: libsmbclient: After getting attribute server, ensure main
607 srv pointer is still valid.
608 * BUG 11236: s4: rpc: Refactor dcesrv_alter() function into setup and send
610 * BUG 11240: s3: smbd: Incorrect file size returned in the response of
611 "FILE_SUPERSEDE Create".
612 * BUG 11249: Mangled names do not work with acl_xattr.
613 * BUG 11254: nmbd rewrites browse.dat when not required.
616 o Ralph Boehme <slow@samba.org>
617 * BUG 11213: vfs_fruit: add option "nfs_aces" that controls the NFS ACEs
619 * BUG 11224: s3:smbd: Add missing tevent_req_nterror.
620 * BUG 11243: vfs: kernel_flock and named streams.
621 * BUG 11244: vfs_gpfs: Error code path doesn't call END_PROFILE.
624 o Alexander Bokovoy <ab@samba.org>
625 * BUG 11284: s4: libcli/finddcs_cldap: continue processing CLDAP until all
629 o David Disseldorp <ddiss@samba.org>
630 * BUG 11201: ctdb: check for talloc_asprintf() failure.:w
631 * BUG 11210: spoolss: purge the printer name cache on name change.
634 o Amitay Isaacs <amitay@gmail.com>
635 * BUG 11204: CTDB statd-callout does not scale.
638 o Björn Jacke <bj@sernet.de>
639 * BUG 11221: vfs_fruit: also map characters below 0x20.
642 o Rajesh Joseph <rjoseph@redhat.com>
643 * BUG 11201: ctdb: Coverity fix for CID 1291643.
646 o Julien Kerihuel <j.kerihuel@openchange.org>
647 * BUG 11225: Multiplexed RPC connections are not handled by DCERPC server.
648 * BUG 11226: Fix terminate connection behavior for asynchronous endpoint
649 with PUSH notification flavors.
652 o Led <ledest@gmail.com>
653 * BUG 11007: ctdb-scripts: Fix bashism in ctdbd_wrapper script.
656 o Volker Lendecke <vl@samba.org>
657 * BUG 11201: ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553.
658 * BUG 11257: SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if
659 the directory is deleted.
662 o Stefan Metzmacher <metze@samba.org>
663 * BUG 11141: s3:winbindd: make sure we remove pending io requests before
664 closing client sockets.
665 * BUG 11182: Fix panic triggered by smbd_smb2_request_notify_done() ->
666 smbXsrv_session_find_channel() in smbd.
669 o Christof Schmitt <cs@samba.org>
670 * BUG 11237: 'sharesec' output no longer matches input format.
673 o Andreas Schneider <asn@samba.org>
674 * BUG 11200: waf: Fix systemd detection.
677 o Martin Schwenke <martin@meltin.net>
678 * BUG 11202: CTDB: Fix portability issues.
679 * BUG 11203: CTDB: Fix some IPv6-related issues.
680 * BUG 11204: CTDB statd-callout does not scale.
683 o Richard Sharpe <rsharpe@nutanix.com>
684 * BUG 11234: 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE
685 if you enter invalid values.
688 o Uri Simchoni <urisimchoni@gmail.com>
689 * BUG 11267: libads: record service ticket endtime for sealed ldap
693 o Lukas Slebodnik <lslebodn@redhat.com>
694 * BUG 11033: lib/util: Include DEBUG macro in internal header files before
698 #######################################
699 Reporting bugs & Development Discussion
700 #######################################
702 Please discuss this release on the samba-technical mailing list or by
703 joining the #samba-technical IRC channel on irc.freenode.net.
705 If you do report problems then please try to send high quality
706 feedback. If you don't provide vital information to help us track down
707 the problem then you will probably be ignored. All bug reports should
708 be filed under the Samba 4.2 product in the project's Bugzilla
709 database (https://bugzilla.samba.org/).
712 ======================================================================
713 == Our Code, Our Bugs, Our Responsibility.
715 ======================================================================
718 ----------------------------------------------------------------------
721 =============================
722 Release Notes for Samba 4.2.1
724 =============================
727 This is the latest stable release of Samba 4.2.
733 o Michael Adam <obnox@samba.org>
734 * BUG 8905: s3:winbind:grent: Don't stop group enumeration when a group has
736 * BUG 10476: build:wafadmin: Fix use of spaces instead of tabs.
737 * BUG 11143: s3-winbind: Fix cached user group lookup of trusted domains.
740 o Jeremy Allison <jra@samba.org>
741 * BUG 10016: s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set,
742 cope with servers that don't send the 2 unused fields.
743 * BUG 10888: s3: client: "client use spnego principal = yes" code checks
745 * BUG 11079: s3: lib: libsmbclient: If reusing a server struct, check every
746 cli->timout miliseconds if it's still valid before use.
747 * BUG 11173: s3: libcli: smb1: Ensure we correctly finish a tevent req if
748 the writev fails in the SMB1 case.
749 * BUG 11175: Fix lots of winbindd zombie processes on Solaris platform.
750 * BUG 11177: s3: libsmbclient: Add missing talloc stackframe.
753 o Andrew Bartlett <abartlet@samba.org>
754 * BUG 11135: backupkey: Explicitly link to gnutls and gcrypt.
755 * BUG 11174: backupkey: Use ndr_pull_struct_blob_all().
758 o Ralph Boehme <slow@samba.org>
759 * BUG 11125: vfs_fruit: Enhance handling of malformed AppleDouble files.
762 o Samuel Cabrero <samuelcabrero@kernevil.me>
763 * BUG 9791: Initialize dwFlags field of DNS_RPC_NODE structure.
766 o David Disseldorp <ddiss@samba.org>
767 * BUG 11169: docs/idmap_rid: Remove deprecated base_rid from example.
770 o Volker Lendecke <vl@samba.org>
771 * BUG 10476: waf: Fix the build on openbsd.
774 o Stefan Metzmacher <metze@samba.org>
775 * BUG 11144: talloc: Version 2.1.2.
776 * BUG 11164: s4:auth/gensec_gssapi: Let gensec_gssapi_update() return
777 NT_STATUS_LOGON_FAILURE for unknown errors.
780 o Matthew Newton <matthew-git@newtoncomputing.co.uk>
781 * BUG 11149: Update libwbclient version to 0.12.
784 o Andreas Schneider <asn@samba.org>
785 * BUG 11018: spoolss: Retrieve published printer GUID if not in registry.
786 * BUG 11135: replace: Remove superfluous check for gcrypt header.
787 * BUG 11180: s4-process_model: Do not close random fds while forking.
788 * BUG 11185: s3-passdb: Fix 'force user' with winbind default domain.
791 o Christof Schmitt <cs@samba.org>
792 * BUG 11153: brlock: Use 0 instead of empty initializer list.
795 o Thomas Schulz <schulz@adi.com>
796 * BUG 11092: lib: texpect: Fix the build on Solaris.
797 * BUG 11140: libcli/auth: Match Declaration of
798 netlogon_creds_cli_context_tmp with implementation.
801 o Jelmer Vernooij <jelmer@samba.org>
802 * BUG 11137: Backport subunit changes.
805 #######################################
806 Reporting bugs & Development Discussion
807 #######################################
809 Please discuss this release on the samba-technical mailing list or by
810 joining the #samba-technical IRC channel on irc.freenode.net.
812 If you do report problems then please try to send high quality
813 feedback. If you don't provide vital information to help us track down
814 the problem then you will probably be ignored. All bug reports should
815 be filed under the Samba 4.2 product in the project's Bugzilla
816 database (https://bugzilla.samba.org/).
819 ======================================================================
820 == Our Code, Our Bugs, Our Responsibility.
822 ======================================================================
825 ----------------------------------------------------------------------
828 =============================
829 Release Notes for Samba 4.2.0
831 =============================
834 This is is the first stable release of Samba 4.2.
836 Samba 4.2 will be the next version of the Samba suite.
839 Samba User Survey 2015
840 ======================
842 https://www.surveygizmo.com/s3/2020369/Samba-User-Survey-2015
844 Please take our survey. It will help us improve Samba by understanding
845 your knowledge and needs. The survey runs until end of March 2015 and
846 won't ask for any personal info. The full results will be shared with
847 the Samba Team, and statistical summaries will be shared with the
848 Samba community after the SambaXP conference (http://sambaxp.org).
851 IMPORTANT NOTE ABOUT THE SUPPORT END OF SAMBA 3
852 =================================================
854 With the final release of Samba 4.2, the last series of Samba 3 has
855 been discontinued! People still running 3.6.x or earlier,should
856 consider moving to a more recent and maintained version (4.0 - 4.2).
857 One of the common misconceptions is that Samba 4.x automatically
858 means "Active Directory only": This is wrong!
860 Acting as an Active Directory Domain Controller is just one of the
861 enhancements included in Samba 4.0 and later. Version 4.0 was just the
862 next release after the 3.6 series and contains all the features of the
863 previous ones - including the NT4-style (classic) domain support. This
864 means you can update a Samba 3.x NT4-style PDC to 4.x, just as you've
865 updated in the past (e.g. from 3.4.x to 3.5.x). You don't have to move
866 your NT4-style domain to an Active Directory!
868 And of course the possibility remains unchanged, to setup a new NT4-style
869 PDC with Samba 4.x, like done in the past (e.g. with openLDAP backend).
870 Active Directory support in Samba 4 is additional and does not replace
871 any of these features. We do understand the difficulty presented by
872 existing LDAP structures and for that reason there isn't a plan to
873 decommission the classic PDC support. It remains tested by the continuous
876 The code that supports the classic Domain Controller is also the same
877 code that supports the internal 'Domain' of standalone servers and
878 Domain Member Servers. This means that we still use this code, even
879 when not acting as an AD Domain Controller. It is also the basis for
880 some of the features of FreeIPA and so it gets development attention
881 from that direction as well.
887 Read the "Winbindd/Netlogon improvements" section (below) carefully!
893 Transparent File Compression
894 ============================
896 Samba 4.2.0 adds support for the manipulation of file and folder
897 compression flags on the Btrfs filesystem.
898 With the Btrfs Samba VFS module enabled, SMB2+ compression flags can
899 be set remotely from the Windows Explorer File->Properties->Advanced
900 dialog. Files flagged for compression are transparently compressed
901 and uncompressed when accessed or modified.
903 Previous File Versions with Snapper
904 ===================================
906 The newly added Snapper VFS module exposes snapshots managed by
907 Snapper for use by Samba. This provides the ability for remote
908 clients to access shadow-copies via Windows Explorer using the
909 "previous versions" dialog.
911 Winbindd/Netlogon improvements
912 ==============================
914 The whole concept of maintaining the netlogon secure channel
915 to (other) domain controllers was rewritten in order to maintain
916 global state in a netlogon_creds_cli.tdb. This is the proper fix
917 for a large number of bugs:
919 https://bugzilla.samba.org/show_bug.cgi?id=6563
920 https://bugzilla.samba.org/show_bug.cgi?id=7944
921 https://bugzilla.samba.org/show_bug.cgi?id=7945
922 https://bugzilla.samba.org/show_bug.cgi?id=7568
923 https://bugzilla.samba.org/show_bug.cgi?id=8599
925 In addition a strong session key is now required by default,
926 which means that communication to older servers or clients
927 might be rejected by default.
929 For the client side we have the following new options:
930 "require strong key" (yes by default), "reject md5 servers" (no by default).
931 E.g. for Samba 3.0.37 you need "require strong key = no" and
932 for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
934 On the server side (as domain controller) we have the following new options:
935 "allow nt4 crypto" (no by default), "reject md5 client" (no by default).
936 E.g. in order to allow Samba < 3.0.27 or NT4 members to work
937 you need "allow nt4 crypto = yes"
939 winbindd does not list group memberships for display purposes
940 (e.g. getent group <domain\<group>) anymore by default.
941 The new default is "winbind expand groups = 0" now,
942 the reason for this is the same as for "winbind enum users = no"
943 and "winbind enum groups = no". Providing this information is not always
944 reliably possible, e.g. if there are trusted domains.
946 Please consult the smb.conf manpage for more details on these new options.
948 Winbindd use on the Samba AD DC
949 ===============================
951 Winbindd is now used on the Samba AD DC by default, replacing the
952 partial rewrite used for winbind operations in Samba 4.0 and 4.1.
954 This allows more code to be shared, more options to be honoured, and
955 paves the way for support for trusted domains in the AD DC.
957 If required the old internal winbind can be activated by setting
958 'server services = +winbind -winbindd'. Upgrading users with a server
959 services parameter specified should ensure they change 'winbind' to
960 'winbindd' to obtain the new functionality.
962 The 'samba' binary still manages the starting of this service, there
963 is no need to start the winbindd binary manually.
965 Winbind now requires secured connections
966 ========================================
968 To improve protection against rogue domain controllers we now require
969 that when we connect to an AD DC in our forest, that the connection be
970 signed using SMB Signing. Set 'client signing = off' in the smb.conf
973 Also and DCE/RPC pipes must be sealed, set 'require strong key =
974 false' and 'winbind sealed pipes = false' to disable.
976 Finally, the default for 'client ldap sasl wrapping' has been set to
977 'sign', to ensure the integrity of LDAP connections. Set 'client ldap
978 sasl wrapping = plain' to disable.
980 Larger IO sizes for SMB2/3 by default
981 =====================================
983 The default values for "smb2 max read", "smb2 max write" and "smb2 max trans"
984 have been changed to 8388608 (8MiB) in order to match the default of
990 The SMB2 protocol allows clients to aggressively cache files
991 locally above and beyond the caching allowed by SMB1 and SMB2 oplocks.
993 Called SMB2 leases, this can greatly reduce traffic on an SMB2
994 connection. Samba 4.2 now implements SMB2 leases.
996 It can be turned on by setting the parameter "smb2 leases = yes"
997 in the [global] section of your smb.conf. This parameter is set
998 to off by default until the SMB2 leasing code is declared fully stable.
1000 Improved DCERPC man in the middle detection
1001 ===========================================
1003 The DCERPC header signing has been implemented
1004 in addition to the dcerpc_sec_verification_trailer
1007 Overhauled "net idmap" command
1008 ==============================
1010 The command line interface of the "net idmap" command has been
1011 made systematic, and subcommands for reading and writing the autorid idmap
1012 database have been added. Note that the writing commands should be
1013 used with great care. See the net(8) manual page for details.
1018 The tdb library, our core mechanism to store Samba-specific data on disk and
1019 share it between processes, has been improved to support process shared robust
1020 mutexes on Linux. These mutexes are available on Linux and Solaris and
1021 significantly reduce the overhead involved with tdb. To enable mutexes for
1024 dbwrap_tdb_mutexes:* = yes
1026 in the [global] section of your smb.conf.
1028 Tdb file space management has also been made more efficient. This
1029 will lead to smaller and less fragmented databases.
1031 Messaging improvements
1032 ======================
1034 Our internal messaging subsystem, used for example for things like oplock
1035 break messages between smbds or setting a process debug level dynamically, has
1036 been rewritten to use unix domain datagram messages.
1041 Samba's file server clustering component CTDB is now integrated in the
1042 Samba tree. This avoids the confusion of compatibility of Samba and CTDB
1043 versions as existed previously.
1045 To build the Samba file server with cluster support, use the configure
1046 command line option --with-cluster-support. This will build clustered
1047 file server against the in-tree CTDB and will also build CTDB.
1048 Building clustered samba with previous versions of CTDB is no longer
1051 Samba Registry Editor
1052 =====================
1054 The utitlity to browse the samba registry has been overhauled by our Google
1055 Summer of Code student Chris Davis. Now samba-regedit has a
1056 Midnight-Commander-like theme and UI experience. You can browse keys and edit
1057 the diffent value types. For a data value type a hexeditor has been
1060 Bad Password Lockout in the AD DC
1061 =================================
1063 Samba's AD DC now implements bad password lockout (on a per-DC basis).
1065 That is, incorrect password attempts are tracked, and accounts locked
1066 out if too many bad passwords are submitted. There is also a grace
1067 period of 60 minutes on the previous password when used for NTLM
1068 authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).
1070 The relevant settings can be seen using 'samba-tool domain
1071 passwordsettings show' (the new settings being highlighted):
1073 Password informations for domain 'DC=samba,DC=example,DC=com'
1075 Password complexity: on
1076 Store plaintext passwords: off
1077 Password history length: 24
1078 Minimum password length: 7
1079 Minimum password age (days): 1
1080 Maximum password age (days): 42
1081 * Account lockout duration (mins): 30 *
1082 * Account lockout threshold (attempts): 0 *
1083 * Reset account lockout after (mins): 30 *
1085 These values can be set using 'samba-tool domain passwordsettings set'.
1087 Correct defaults in the smb.conf manpages
1088 =========================================
1090 The default values for smb.conf parameters are now correctly specified
1091 in the smb.conf manpage, even when they refer to build-time specified
1092 paths. Provided Samba is built on a system with the right tools
1093 (xsltproc in particular) required to generate our man pages, then
1094 these will be built with the exact same embedded paths as used by the
1095 configuration parser at runtime. Additionally, the default values
1096 read from the smb.conf manpage are checked by our test suite to match
1097 the values seen in testparm and used by the running binaries.
1099 Consistent behaviour between samba-tool testparm and testparm
1100 =============================================================
1102 With the exception of the registry backend, which remains only
1103 available in the file server, the behaviour of the smb.conf parser and
1104 the tools 'samba-tool testparm' and 'testparm' is now consistent,
1105 particularly with regard to default values. Except with regard to
1106 registry shares, it is no longer needed to use one tool on the AD
1107 DC, and another on the file server.
1112 A VFS module for basic WORM (Write once read many) support has been
1113 added. It allows an additional layer on top of a Samba share, that provides
1114 a basic set of WORM functionality on the client side, to control the
1115 writeability of files and folders.
1117 As the module is simply an additional layer, share access and permissions
1118 work like expected - only WORM functionality is added on top. Removing the
1119 module from the share configuration, removes this layer again. The
1120 filesystem ACLs are not affected in any way from the module and treated
1123 The module does not provide complete WORM functions, like some archiving
1124 products do! It is not audit-proof, because the WORM function is only
1125 available on the client side, when accessing a share through SMB! If
1126 the same folder is shared by other services like NFS, the access only
1127 depends on the underlying filesystem ACLs. Equally if you access the
1128 content directly on the server.
1130 For additional information, see
1131 https://wiki.samba.org/index.php/VFS/vfs_worm
1133 vfs_fruit, a VFS module for OS X clients
1134 ========================================
1136 A new VFS module that provides enhanced compatibility with Apple SMB
1137 clients and interoperability with a Netatalk 3 AFP fileserver.
1139 The module features enhanced performance with reliable named streams
1140 support, interoperability with special characters commonly used by OS
1141 X client (eg '*', '/'), integrated file locking and Mac metadata
1142 access with Netatalk 3 and enhanced performance by implementing
1143 Apple's SMB2 extension codenamed "AAPL".
1145 The modules behaviour is fully configurable, please refer to the
1146 manpage vfs_fruit for further details.
1148 smbclient archival improvements
1149 ===============================
1151 Archive creation and extraction support in smbclient has been rewritten
1152 to use libarchive. This fixes a number of outstanding bugs in Samba's
1153 previous custom tar implementation and also adds support for the
1154 extraction of zipped archives.
1155 smbclient archive support can be enabled or disabled at build time with
1156 corresponding --with[out]-libarchive configure parameters.
1159 ######################################################################
1166 Parameter Name Description Default
1167 -------------- ----------- -------
1169 allow nt4 crypto New no
1170 neutralize nt4 emulation New no
1171 reject md5 client New no
1172 reject md5 servers New no
1173 require strong key New yes
1174 smb2 max read Changed default 8388608
1175 smb2 max write Changed default 8388608
1176 smb2 max trans Changed default 8388608
1177 winbind expand groups Changed default 0
1180 CHANGES SINCE 4.2.0rc5
1181 ======================
1183 o Michael Adam <obnox@samba.org>
1184 * BUG 11117: doc:man:vfs_glusterfs: improve the configuration section.
1187 o Jeremy Allison <jra@samba.org>
1188 * BUG 11118: tevent: Ignore unexpected signal events in the same way the
1192 o Andrew Bartlett <abartlet@samba.org>
1193 * BUG 11100: debug: Set close-on-exec for the main log file FD.
1194 * BUG 11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba
1198 o Ira Cooper <ira@samba.org>
1199 * BUG 1115: smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT.
1202 o Günther Deschner <gd@samba.org>
1203 * BUG 11088: vfs: Add a brief vfs_ceph manpage.
1206 o David Disseldorp <ddiss@samba.org>
1207 * BUG 11118: tevent: version 0.9.24.
1210 o Amitay Isaacs <amitay@gmail.com>
1211 * BUG 11124: ctdb-io: Do not use sys_write to write to client sockets.
1214 o Volker Lendecke <vl@samba.org>
1215 * BUG 11119: snprintf: Try to support %j.
1218 o Garming Sam <garming@catalyst.net.nz>
1219 * BUG 11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba
1223 o Andreas Schneider <asn@samba.org>
1224 * BUG 11127: doc-xml: Add 'sharesec' reference to 'access based share
1228 CHANGES SINCE 4.2.0rc4
1229 ======================
1231 o Michael Adam <obnox@samba.org>
1232 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
1233 * BUG 11058: cli_connect_nb_send: Don't segfault on host == NULL.
1236 o Jeremy Allison <jra@samba.org>
1237 * BUG 10849: s3: lib, s3: modules: Fix compilation on Solaris.
1238 * BUG 11044: Fix authentication using Kerberos (not AD).
1239 * BUG 11077: CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free
1240 on an uninitialized pointer.
1241 * BUG 11094: s3: smbclient: Allinfo leaves the file handle open.
1242 * BUG 11102: s3: smbd: leases - losen paranoia check. Stat opens can grant
1244 * BUG 11104: s3: smbd: SMB2 close. If a file has delete on close, store the
1245 return info before deleting.
1248 o Ira Cooper <ira@samba.org>
1249 * BUG 11069: vfs_glusterfs: Add comments to the pipe(2) code.
1252 o Günther Deschner <gd@samba.org>
1253 * BUG 11070: s3-vfs: Fix developer build of vfs_ceph module.
1256 o David Disseldorp <ddiss@samba.org>
1257 * BUG 10808: printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD.
1258 * BUG 11055: vfs_snapper: Correctly handles multi-byte DBus strings.
1259 * BUG 11059: libsmb: Provide authinfo domain for encrypted session
1263 o Poornima G <pgurusid@redhat.com>
1264 * BUG 11069: vfs_glusterfs: Implement AIO support.
1267 o Volker Lendecke <vl@samba.org>
1268 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
1271 o Stefan Metzmacher <metze@samba.org>
1272 * BUG 9299: nsswitch: Fix soname of linux nss_*.so.2 modules.
1273 * BUG 9702: s3:smb2_server: protect against integer wrap with "smb2 max
1275 * BUG 9810: Make validate_ldb of String(Generalized-Time) accept
1276 millisecond format ".000Z".
1277 * BUG 10112: Use -R linker flag on Solaris, not -rpath.
1280 o Marc Muehlfeld <mmuehlfeld@samba.org>
1281 * BUG 10909: samba-tool: Create NIS enabled users and unixHomeDirectory
1285 o Garming Sam <garming@catalyst.net.nz>
1286 * BUG 11022: Make Sharepoint search show user documents.
1289 o Christof Schmitt <cs@samba.org>
1290 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
1293 o Andreas Schneider <asn@samba.org>
1294 * BUG 11058: utils: Fix 'net time' segfault.
1295 * BUG 11066: s3-pam_smbpass: Fix memory leak in pam_sm_authenticate().
1296 * BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not deference a
1300 o Raghavendra Talur <raghavendra.talur@gmail.com>
1301 * BUG 11069: vfs/glusterfs: Change xattr key to match gluster key.
1304 CHANGES SINCE 4.2.0rc3
1305 ======================
1307 o Andrew Bartlett <abartlet@samba.org>
1308 * BUG 10993: CVE-2014-8143: dsdb-samldb: Check for extended access
1309 rights before we allow changes to userAccountControl.
1312 o Günther Deschner <gd@samba.org>
1313 * BUG 10240: vfs: Add glusterfs manpage.
1316 o David Disseldorp <ddiss@samba.org>
1317 * BUG 10984: Fix spoolss IDL response marshalling when returning error
1318 without clearing info.
1321 o Amitay Isaacs <amitay@gmail.com>
1322 * BUG 11000: ctdb-daemon: Use correct tdb flags when enabling robust mutex
1326 o Volker Lendecke <vl@samba.org>
1327 * BUG 11032: tdb_wrap: Make mutexes easier to use.
1328 * BUG 11039: vfs_fruit: Fix base_fsp name conversion.
1329 * BUG 11040: vfs_fruit: mmap under FreeBSD needs PROT_READ.
1330 * BUG 11051: net: Fix sam addgroupmem.
1333 o Stefan Metzmacher <metze@samba.org>
1334 * BUG 10940: s3:passdb: fix logic in pdb_set_pw_history().
1335 * BUG 11004: tdb: version 1.3.4.
1338 o Christof Schmitt <cs@samba.org>
1339 * BUG 11034: winbind: Retry after SESSION_EXPIRED error in ping-dc.
1342 o Andreas Schneider <asn@samba.org>
1343 * BUG 11008: s3-util: Fix authentication with long hostnames.
1344 * BUG 11026: nss_wrapper: check for nss.h.
1345 * BUG 11033: lib/util: Avoid collision which alread defined consumer DEBUG
1347 * BUG 11037: s3-libads: Fix a possible segfault in kerberos_fetch_pac().
1350 CHANGES SINCE 4.2.0rc2
1351 ======================
1353 o Michael Adam <obnox@samba.org>
1354 * BUG 10892: Integrate CTDB into top-level Samba build.
1357 o Jeremy Allison <jra@samba.org>
1358 * BUG 10851: lib: uid_wrapper: Fix setgroups and syscall detection on a
1359 system without native uid_wrapper library.
1360 * BUG 10896: s3-nmbd: Fix netbios name truncation.
1361 * BUG 10904: Fix smbclient loops doing a directory listing against Mac OS X 10
1362 server with a non-wildcard path.
1363 * BUG 10911: Add support for SMB2 leases.
1364 * BUG 10920: s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
1365 * BUG 10966: libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a
1366 Windows client does.
1367 * BUG 10982: s3: smbd: Fix *allocate* calls to follow POSIX error return
1371 o Christian Ambach <ambi@samba.org>
1372 * BUG 9629: Make 'profiles' work again.
1375 o Björn Baumbach <bb@sernet.de>
1376 * BUG 11014: ctdb-build: Fix build without xsltproc.
1379 o Ralph Boehme <slow@samba.org>
1380 * BUG 10834: Don't build vfs_snapper on FreeBSD.
1381 * BUG 10971: vfs_streams_xattr: Check stream type.
1382 * BUG 10983: vfs_fruit: Add support for AAPL.
1383 * BUG 11005: vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT.
1386 o Günther Deschner <gd@samba.org>
1387 * BUG 9056: pam_winbind: fix warn_pwd_expire implementation.
1388 * BUG 10942: Cleanup add_string_to_array and usage.
1391 o David Disseldorp <ddiss@samba.org>
1392 * BUG 10898: spoolss: Fix handling of bad EnumJobs levels.
1393 * BUG 10905: Fix print job enumeration.
1396 o Amitay Isaacs <amitay@gmail.com>
1397 * BUG 10620: s4-dns: Add support for BIND 9.10.
1398 * BUG 10892: Integrate CTDB into top-level Samba build.
1399 * BUG 10996: Fix IPv6 support in CTDB.
1400 * BUG 11014: packaging: Include CTDB man pages in the tarball.
1403 o Björn Jacke <bj@sernet.de>
1404 * BUG 10835: nss_winbind: Add getgroupmembership for FreeBSD.
1407 o Guenter Kukkukk <linux@kukkukk.com>
1408 * BUG 10952: Fix 'samba-tool dns serverinfo <server>' for IPv6.
1411 o Volker Lendecke <vl@samba.org>
1412 * BUG 10932: pdb_tdb: Fix a TALLOC/SAFE_FREE mixup.
1413 * BUG 10942: dbwrap_ctdb: Pass on mutex flags to tdb_open.
1416 o Justin Maggard <jmaggard10@gmail.com>
1417 * BUG 10852: winbind3: Fix pwent variable substitution.
1420 o Kamen Mazdrashki <kamenim@samba.org>
1421 * BUG 10975: ldb: version 1.1.18
1424 o Stefan Metzmacher <metze@samba.org>
1425 * BUG 10781: tdb: version 1.3.3
1426 * BUG 10911: Add support for SMB2 leases.
1427 * BUG 10921: s3:smbd: Fix file corruption using "write cache size != 0".
1428 * BUG 10949: Fix RootDSE search with extended dn control.
1429 * BUG 10958: libcli/smb: only force signing of smb2 session setups when
1430 binding a new session.
1431 * BUG 10975: ldb: version 1.1.18
1432 * BUG 11016: pdb_get_trusteddom_pw() fails with non valid UTF16 random
1436 o Marc Muehlfeld <mmuehlfeld@samba.org>
1437 * BUG 10895: samba-tool group add: Add option '--nis-domain' and '--gid'.
1440 o Noel Power <noel.power@suse.com>
1441 * BUG 10918: btrfs: Don't leak opened directory handle.
1444 o Matt Rogers <mrogers@redhat.com>
1445 * BUG 10933: s3-keytab: fix keytab array NULL termination.
1448 o Garming Sam <garming@catalyst.net.nz>
1449 * BUG 10355: pdb: Fix build issues with shared modules.
1450 * BUG 10720: idmap: Return the correct id type to *id_to_sid methods.
1451 * BUG 10864: Fix testparm to show hidden share defaults.
1454 o Andreas Schneider <asn@samba.org>
1455 * BUG 10279: Make 'smbclient' use cached creds.
1456 * BUG 10960: s3-smbclient: Return success if we listed the shares.
1457 * BUG 10961: s3-smbstatus: Fix exit code of profile output.
1458 * BUG 10965: socket_wrapper: Add missing prototype check for eventfd.
1461 o Martin Schwenke <martin@meltin.net>
1462 * BUG 10892: Integrate CTDB into top-level Samba build.
1463 * BUG 10996: Fix IPv6 support in CTDB.
1466 CHANGES SINCE 4.2.0rc1
1467 ======================
1469 o Jeremy Allison <jra@samba.org>
1470 * BUG 10848: s3: smb2cli: query info return length check was reversed.
1473 o Björn Baumbach <bb@sernet.de>
1474 * BUG 10862: build: Do not install 'texpect' binary anymore.
1477 o Chris Davis <cd.rattan@gmail.com>
1478 * BUG 10859: Improve samba-regedit.
1481 o Jakub Hrozek <jakub.hrozek@gmail.com>
1482 * BUG 10861: Fix build of socket_wrapper on systems without SO_PROTOCOL.
1485 o Volker Lendecke <vl@samba.org>
1486 * BUG 10860: registry: Don't leave dangling transactions.
1489 o Stefan Metzmacher <metze@samba.org>
1490 * BUG 10866: libcli/smb: Fix smb2cli_validate_negotiate_info with
1491 min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02.
1494 o Christof Schmitt <cs@samba.org>
1495 * BUG 10837: idmap_rfc2307: Fix a crash after connection problem to DC.
1498 #######################################
1499 Reporting bugs & Development Discussion
1500 #######################################
1502 Please discuss this release on the samba-technical mailing list or by
1503 joining the #samba-technical IRC channel on irc.freenode.net.
1505 If you do report problems then please try to send high quality
1506 feedback. If you don't provide vital information to help us track down
1507 the problem then you will probably be ignored. All bug reports should
1508 be filed under the Samba 4.2 product in the project's Bugzilla
1509 database (https://bugzilla.samba.org/).
1512 ======================================================================
1513 == Our Code, Our Bugs, Our Responsibility.
1515 ======================================================================