-Release Announcements
-=====================
+ ===============================
+ Release Notes for Samba 4.15.13
+ December 15, 2022
+ ===============================
-This is the first release candidate of Samba 4.15. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.15 will be the next version of the Samba suite.
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
+ Vulnerability was disclosed by Microsoft on Nov 8 2022
+ and per RFC8429 it is assumed that rc4-hmac is weak,
+
+ Vulnerable Samba Active Directory DCs will issue rc4-hmac
+ encrypted tickets despite the target server supporting
+ better encryption (eg aes256-cts-hmac-sha1-96).
+
+ https://www.samba.org/samba/security/CVE-2022-45141.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.15.12
+---------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15240: CVE-2022-38023.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15237: CVE-2022-37966.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico@cryptonector.com>
+ * BUG 15214: CVE-2022-45141.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.12
+ November 15, 2022
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
+ integer overflows when parsing a PAC on a 32-bit system, which
+ allowed an attacker with a forged PAC to corrupt the heap.
+ https://www.samba.org/samba/security/CVE-2022-42898.html
+
+Changes since 4.15.11
+---------------------
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15203: CVE-2022-42898
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 15203: CVE-2022-42898
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.11
+ October 25, 2022
+ ===============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
+ unwrap_des() and unwrap_des3() routines of Heimdal (included
+ in Samba).
+ https://www.samba.org/samba/security/CVE-2022-3437.html
+
+Changes since 4.15.10
+---------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.10
+ September 28, 2022
+ ===============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.9
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15128: Possible use after free of connection_struct when iterating
+ smbd_server_connection->connections.
+ * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
+ disabled on a share.
+ * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
+ permissions instead of ACL from xattr.
+ * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
+ * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
+ ../../lib/util/fault.c:197.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15148: Missing READ_LEASE break could cause data corruption.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15124: rpcclient can crash using setuserinfo(2).
+ * BUG 15132: Samba fails to build with glibc 2.36 caused by including
+ <sys/mount.h> in libreplace.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15152: SMB1 negotiation can fail to handle connection errors.
+
+o Michael Tokarev <mjt@tls.msk.ru>
+ * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.9
+ July 27, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
+ changing passwords.
+ https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+ https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+ or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+ process with an LDAP add or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+ https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.15.8
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15085: CVE-2022-32742.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15009: CVE-2022-32746.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 15047: CVE-2022-2031.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15047: CVE-2022-2031.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15008: CVE-2022-32745.
+ * BUG 15009: CVE-2022-32746.
+ * BUG 15047: CVE-2022-2031.
+ * BUG 15074: CVE-2022-32744.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.8
+ June 28, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.7
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
+ * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14986: Add support for bind 9.18.
+ * BUG 15076: logging dsdb audit to specific files does not work.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
+ file had been deleted.
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 15087: netgroups support removed.
+
+o Samuel Cabrero <scabrero@suse.de>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15071: waf produces incorrect names for python extensions with Python
+ 3.11.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15100: smbclient commands del & deltree fail with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 15055: vfs_gpfs recalls=no option prevents listing files.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15071: waf produces incorrect names for python extensions with Python
+ 3.11.
+ * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
+ * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
+
+o Andreas Schneider <asn@cryptomilk.org>
+ * BUG 15054: smbd doesn't handle UPNs for looking up names.
+
+o Robert Sprowson <webpages@sprow.co.uk>
+ * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.7
+ April 26, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.6
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14831: Share and server swapped in smbget password prompt.
+ * BUG 15022: Durable handles won't reconnect if the leased file is written
+ to.
+ * BUG 15023: rmdir silently fails if directory contains unreadable files and
+ hide unreadable is yes.
+ * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
+ renamed file handle.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
+ * BUG 15035: shadow_copy2 fails listing snapshotted dirs with
+ shadow:fixinodes.
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
+ error.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 15041: username map - samba erroneously applies unix group memberships
+ to user account entries.
+
+o Elia Geretto <elia.f.geretto@gmail.com>
+ * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
+ in SMBC_server_internal.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+ * BUG 14641: Crash of winbind on RODC.
+ * BUG 14865: uncached logon on RODC always fails once.
+ * BUG 14951: KVNO off by 100000.
+ * BUG 15001: LDAP simple binds should honour "old password allowed period".
+ * BUG 15003: wbinfo -a doesn't work reliable with upn names.
+
+o Garming Sam <garming@catalyst.net.nz>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
+ KDC.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.6
+ March 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.5
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14169: Renaming file on DFS root fails with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND.
+ * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
+ objects with same lease key.
+ * BUG 14938: NT error code is not set when overwriting a file during rename
+ in libsmbclient.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14996: Fix ldap simple bind with TLS auditing.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Samuel Cabrero <scabrero@suse.de>
+ * BUG 14979: Problem when winbind renews Kerberos.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 8691: pam_winbind will not allow gdm login if password about to expire.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
+
+o Björn Jacke <bj@sernet.de>
+ * BUG 13631: DFS fix for AIX broken.
+ * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
+ * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
+ during strcpy in tdbsam_getsampwnam.
+ * BUG 14989: Fix a use-after-free in SMB1 server.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
+ gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
+ * BUG 14984: changing the machine password against an RODC likely destroys
+ the domain join.
+ * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
+ ldb_message *msg argument.
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
+ id range only once.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.5
+ January 31, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
+ of a symlink exists.
+ https://www.samba.org/samba/security/CVE-2021-44141.html
+
+o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
+ https://www.samba.org/samba/security/CVE-2021-44142.html
+
+o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
+ https://www.samba.org/samba/security/CVE-2022-0336.html
+
+
+Changes since 4.15.4
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14911: CVE-2021-44141
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14914: CVE-2021-44142
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14950: CVE-2022-0336
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.4
+ January 19, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.3
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
+ poisoning.
+ * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
+ calling the "Reconnecting with SMB1 for workgroup listing" path.
+ * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14940: Cross device copy of the crossrename module always fails.
+ * BUG 14941: symlinkat function from VFS cap module always fails with an
+ error.
+ * BUG 14942: Fix possible fsp pointer deference.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14934: kill_tcp_connections does not work.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
+ NT_STATUS_BUFFER_TOO_SMALL.
+ * BUG 14935: Can't connect to Windows shares not requiring authentication
+ using KDE/Gnome.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
+ poisoning.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.3
+ December 08, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+Important Notes
+===============
+
+There have been a few regressions in the security release 4.15.2:
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ PLEASE [RE-]READ!
+ The instructions have been updated and some workarounds
+ initially adviced for 4.15.2 are no longer required and
+ should be reverted in most cases.
+
+o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable. While this release should fix this bug, it is
+ adviced to have a look at the bug report for more detailed
+ information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
+
+Changes since 4.15.2
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
+ * BUG 14879: A directory containing dangling symlinks cannot be deleted by
+ SMB2 alone when they are the only entry in the directory.
+ * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
+ uninitialized in rmdir_internals().
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+ * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
+ * BUG 14897: Samba process doesn't log to logfile.
+ * BUG 14907: set_ea_dos_attribute() fallback calling
+ get_file_handle_for_metadata() triggers locking.tdb assert.
+ * BUG 14922: Kerberos authentication on standalone server in MIT realm
+ broken.
+ * BUG 14923: Segmentation fault when joining the domain.
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 14903: Support for ROLE_IPA_DC is incomplete.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
+ * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14908: net ads status -P broken in a clustered environment.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
+ smbd_smb2_ioctl_send.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
+ * BUG 14883: smbclient login without password using '-N' fails with
+ NT_STATUS_INVALID_PARAMETER on Samba AD DC.
+ * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
+ an AES only server.
+ * BUG 14921: Possible null pointer dereference in winbind.
+
+o Andreas Schneider <asn@cryptomilk.org>
+ * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
+ net, etc.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14872: Add Debian 11 CI bootstrap support.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andrew Walker <awalker@ixsystems.com>
+ * BUG 14888: Crash in recycle_unlink_internal().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.2
+ November 9, 2021
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
+ authentication.
+ https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ (PLEASE READ! There are important behaviour changes described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+ by an RODC.
+ https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
+ tickets.
+ https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+ (eg objectSid).
+ https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+ checking of data stored.
+ https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738: Use after free in Samba AD DC RPC server.
+ https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+ https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.15.1
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * CVE-2020-25722
+
+o Andrew Bartlett <abartlet@samba.org>
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+
+o Ralph Boehme <slow@samba.org>
+ * CVE-2020-25717
+
+o Alexander Bokovoy <ab@samba.org>
+ * CVE-2020-25717
+
+o Samuel Cabrero <scabrero@samba.org>
+ * CVE-2020-25717
+
+o Nadezhda Ivanova <nivanova@symas.com>
+ * CVE-2020-25722
+
+o Stefan Metzmacher <metze@samba.org>
+ * CVE-2016-2124
+ * CVE-2020-25717
+ * CVE-2020-25719
+ * CVE-2020-25722
+ * CVE-2021-23192
+ * CVE-2021-3738
+
+o Andreas Schneider <asn@samba.org>
+ * CVE-2020-25719
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * CVE-2020-17049
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+ * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.15.1
+ October 27, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.0
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
+ * BUG 14685: Log clutter from filename_convert_internal.
+ * BUG 14862: MacOSX compilation fixes.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14868: rodc_rwdc test flaps.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
+ * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Viktor Dukhovni <viktor@twosigma.com>
+ * BUG 12998: Fix transit path validation.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
+ log.wb-<DOMAIN>.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14855: SMB3 cancel requests should only include the MID together with
+ AsyncID when AES-128-GMAC is used.
+
+o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
+ * BUG 14862: MacOSX compilation fixes.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 4.15.0
+ September 20, 2021
+ ==============================
+
+
+This is the first stable release of the Samba 4.15 release series.
+Please read the release notes carefully before upgrading.
-UPGRADING
-=========
Removed SMB (development) dialects
-----------------------------------
+==================================
The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They are were
them unspecified or specify the value "default".
New GPG key
------------
+===========
The GPG release key for Samba releases changed from:
See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
+New minimum version for the experimental MIT KDC
+================================================
+
+The build of the AD DC using the system MIT Kerberos, an
+experimental feature, now requires MIT Kerberos 1.19. An up-to-date
+Fedora 34 has this version and has backported fixes for the KDC crash
+bugs CVE-2021-37750 and CVE-2021-36222
+
NEW FEATURES/CHANGES
====================
-- bind DLZ: Added the ability to set allow/deny lists for zone
- transfer clients.
- Up to now, any client could use a DNS zone transfer request
- to the bind server, and get an answer from Samba.
- Now the default behaviour will be to deny those request.
- Two new options have been added to manage the list of
- authorized/denied clients for zone transfer requests.
- In order to be accepted, the request must be issued by a client
- that is in the allow list and NOT in the deny list.
+
+VFS
+---
+
+The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
+with a modernized VFS designed for the post SMB1 world.
+
+For details please refer to the documentation at source3/modules/The_New_VFS.txt
+or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
+
+
+Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
+---------------------------------------------------------------------------
+
+Up to now, any client could use a DNS zone transfer request to the
+bind server, and get an answer from Samba. Now the default behaviour
+will be to deny those request. Two new options have been added to
+manage the list of authorized/denied clients for zone transfer
+requests. In order to be accepted, the request must be issued by a
+client that is in the allow list and NOT in the deny list.
+
"server multi channel support" no longer experimental
-----------------------------------------------------
-This option is enabled by default starting with to 4.15 (on Linux and FreeBSD).
+This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.
+
samba-tool available without the ad-dc
--------------------------------------
-The samba-tool command is now available when samba is configured
---without-ad-dc. Not all features will work, and some ad-dc specific options
-have been disabled. The samba-tool domain options, for example, are limited
+The 'samba-tool' command is now available when samba is configured
+"--without-ad-dc". Not all features will work, and some ad-dc specific options
+have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
-samba-tool.
+'samba-tool'.
+
Improved command line user experience
-------------------------------------
These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
-simplified and provides better control for encryption, singing and kerberos.
+simplified and provides better control for encryption, signing and kerberos.
+
+Previously many tools silently ignored unknown options. To prevent unexpected
+behaviour all tools will now consistently reject unknown options.
Also several command line options have a smb.conf variable to control the
default now.
-All tools are logging to stderr by default. You can use --debug-stdout to
-change the behavior.
+All tools are now logging to stderr by default. You can use "--debug-stdout" to
+change the behavior. All servers will log to stderr at early startup until logging
+is setup to go to a file by default.
### Common parser:
### Duplicates in command line utils
-ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
--e is not available for --editor anymore
--s is not used for --configfile anymore
+ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
+-e is still available as an alias for --editor,
+ as it used to be.
+-s is no longer reported as an alias for --configfile,
+ it never worked that way as it was shadowed by '-s' for '--scope'.
ndrdump:
-l is not available for --load-dso anymore
winbindd:
--log-stdout -> --debug-stdout
+
Scanning of trusted domains and enterprise principals
-----------------------------------------------------
`winbind scan trusted domains` will be deprecated in one of the next releases.
+Support for Offline Domain Join (ODJ)
+-------------------------------------
+
+The net utility is now able to support the offline domain join feature
+as known from the Windows djoin.exe command for many years. Samba's
+implementation is accessible via the 'net offlinejoin' subcommand. It
+can provision computers and request offline joining for both Windows
+and Unix machines. It is also possible to provision computers from
+Windows (using djoin.exe) and use the generated data in Samba's 'net'
+utility. The existing options for the provisioning and joining steps
+are documented in the net(8) manpage.
+
+
+'samba-tool dns zoneoptions' for aging control
+----------------------------------------------
+
+The 'samba-tool dns zoneoptions' command can be used to turn aging on
+and off, alter the refresh and no-refresh periods, and manipulate the
+timestamps of existing records.
+
+To turn aging on for a zone, you can use something like this:
+
+ samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
+
+which turns on aging and ensures no records less than five years old
+are aged out and scavenged. After aging has been on for sufficient
+time for records to be renewed, the command
+
+ samba-tool dns zoneoptions --refreshinterval=168
+
+will set the refresh period to the standard seven days. Using this two
+step process will help prevent the temporary loss of dynamic records
+if scavenging happens before their first renewal.
+
+
+Marking old records as static or dynamic with 'samba-tool'
+----------------------------------------------------------
+
+A bug in Samba versions prior to 4.9 meant records that were meant to
+be static were marked as dynamic and vice versa. To fix the timestamps
+in these domains, it is possible to use the following options,
+preferably before turning aging on.
+
+ --mark-old-records-static
+ --mark-records-dynamic-regex
+ --mark-records-static-regex
+
+The "--mark-old-records-static" option will make records older than the
+specified date static (that is, with a zero timestamp). For example,
+if you upgraded to Samba 4.9 in November 2018, you could use ensure no
+old records will be mistakenly interpreted as dynamic using the
+following option:
+
+ samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
+
+Then, if you know that that will have marked some records as static
+that should be dynamic, and you know which those are due to your
+naming scheme, you can use commands like:
+
+ samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
+
+where '\w+-desktop' is a perl-compatible regular expression that will
+match 'bob-desktop', 'alice-desktop', and so on.
+
+These options are deliberately long and cumbersome to type, so people
+have a chance to think before they get to the end. You can make a
+mess if you get it wrong.
+
+All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
+argument that allows you to inspect the likely results before going
+ahead.
+
+NOTE: for aging to work, you need to have "dns zone scavenging = yes"
+set in the smb.conf of at least one server.
+
+
+DNS tombstones are now deleted as appropriate
+---------------------------------------------
+
+When all the records for a DNS name have been deleted, the node is put
+in a tombstoned state (separate from general AD object tombstoning,
+which deleted nodes also go through). These tombstones should be
+cleaned up periodically. Due to a conflation of scavenging and
+tombstoning, we have only been deleting tombstones when aging is
+enabled.
+
+If you have a lot of tombstoned DNS nodes (that is, DNS names for
+which you have removed all the records), cleaning up these DNS
+tombstones may take a noticeable time.
+
+
+DNS tombstones use a consistent timestamp format
+------------------------------------------------
+
+DNS records use an hours-since-1601 timestamp format except for in the
+case of tombstone records where a 100-nanosecond-intervals-since-1601
+format is used (this latter format being the most common in Windows).
+We had mixed that up, which might have had strange effects in zones
+where aging was enabled (and hence tombstone timestamps were used).
+
+
+samba-tool dns update and RPC changes
+-------------------------------------
+
+The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
+to manipulate dns records on the remote server. A bug in Samba meant
+it was not possible to update an existing DNS record to change the
+TTL. The general behaviour of RPC updates is now closer to that of
+Windows.
+
+'samba-tool dns update' is now a bit more careful in rejecting and
+warning you about malformed IPv4 and IPv6 addresses.
+
+CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
+-----------------------------------------------------------------------
+
+An unuthenticated user can crash the AD DC KDC by omitting the server
+name in a TGS-REQ. Per Samba's updated security process a specific
+security release was not made for this issue as it is a recoverable
+Denial Of Service.
+
+See https://wiki.samba.org/index.php/Samba_Security_Proces
+
+samba-tool domain backup offline with the LMDB backend
+------------------------------------------------------
+
+samba-tool domain backup offline, when operating with the LMDB backend
+now correctly takes out locks against concurrent modification of the
+database during the backup. If you use this tool on a Samba AD DC
+using LMDB, you should upgrade to this release for safer backups.
+
REMOVED FEATURES
================
winbind scan trusted domains Changed No
+CHANGES SINCE 4.15.0rc6
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14791: All the ways to specify a password are not documented.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14790: vfs_btrfs compression support broken.
+ * BUG 14828: Problems with commandline parsing.
+ * BUG 14829: smbd crashes when "ea support" is set to no.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
+ use the same strings as smbstatus output.
+ * BUG 14828: Problems with commandline parsing.
+
+o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
+ * BUG 8773: smbd fails to run as root because it belongs to more than 16
+ groups on MacOS X.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14784: Fix CTDB flag/status update race conditions.
+
+
+CHANGES SINCE 4.15.0rc5
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+ * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+ Samba 4.9 by using an explicit database handle cache.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+ * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Gary Lockyer <gary@catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+
+CHANGES SINCE 4.15.0rc4
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14809: Shares with variable substitutions cause core dump upon
+ connection from MacOS Big Sur 11.5.2.
+ * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
+ build.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14815: A subset of tests from Samba's selftest system were not being
+ run, while others were run twice.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+ * BUG 14787: net conf list crashes when run as normal user,
+ * BUG 14803: smbd/winbindd started in daemon mode generate output on
+ stderr/stdout.
+ * BUG 14804: winbindd can crash because idmap child state is not fully
+ initialized.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+
+
+CHANGES SINCE 4.15.0rc3
+=======================
+
+o Bjoern Jacke <bj@sernet.de>
+ * BUG 14800: util_sock: fix assignment of sa_socklen.
+
+
+CHANGES SINCE 4.15.0rc2
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+ * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
+ * BUG 14769: smbd panic on force-close share during offload write.
+ * BUG 14805: OpenDir() loses the correct errno return.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14793: Start the SMB encryption as soon as possible.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14779: Winbind should not start if the socket path is too long.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+
+
+CHANGES SINCE 4.15.0rc1
+=======================
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14768: smbd/winbind should load the registry if configured
+ * BUG 14777: do not quote passed argument of configure script
+ * BUG 14779: Winbind should not start if the socket path is too long
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14700: file owner not available when file unredable
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14759: 4.15rc can leak meta-data about the directory containing the
+ share path
+
+
KNOWN ISSUES
============
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / samba.git / blobdiff