--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.16.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.16.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.0.tar.gz">Samba 4.16.0 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.0.tar.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.16.0
+ March 21, 2022
+ ==============================
+
+This is the first stable release of the Samba 4.16 release series.
+Please read the release notes carefully before upgrading.
+
+
+NEW FEATURES/CHANGES
+====================
+
+New samba-dcerpcd binary to provide DCERPC in the member server setup
+---------------------------------------------------------------------
+
+In order to make it much easier to break out the DCERPC services
+from smbd, a new samba-dcerpcd binary has been created.
+
+samba-dcerpcd can be used in two ways. In the normal case without
+startup script modification it is invoked on demand from smbd or
+winbind --np-helper to serve DCERPC over named pipes. Note that
+in order to run in this mode the smb.conf [global] section has
+a new parameter "rpc start on demand helpers = [true|false]".
+This parameter is set to "true" by default, meaning no changes to
+smb.conf files are needed to run samba-dcerpcd on demand as a named
+pipe helper.
+
+It can also be used in a standalone mode where it is started
+separately from smbd or winbind but this requires changes to system
+startup scripts, and in addition a change to smb.conf, setting the new
+[global] parameter "rpc start on demand helpers = false". If "rpc
+start on demand helpers" is not set to false, samba-dcerpcd will
+refuse to start in standalone mode.
+
+Note that when Samba is run in the Active Directory Domain Controller
+mode the samba binary that provides the AD code will still provide its
+normal DCERPC services whilst allowing samba-dcerpcd to provide
+services like SRVSVC in the same way that smbd used to in this
+configuration.
+
+The parameters that allowed some smbd-hosted services to be started
+externally are now gone (detailed below) as this is now the default
+setting.
+
+samba-dcerpcd can also be useful for use outside of the Samba
+framework, for example, use with the Linux kernel SMB2 server ksmbd or
+possibly other SMB2 server implementations.
+
+Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
+------------------------------------------------------------------
+
+Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
+implementation. This snapshot has now been updated and will closely
+match what will be released as Heimdal 8.0 shortly.
+
+This is a major update, previously we used a snapshot of Heimdal from
+2011, and brings important new Kerberos security features such as
+Kerberos request armoring, known as FAST. This tunnels ticket
+requests and replies that might be encrypted with a weak password
+inside a wrapper built with a stronger password, say from a machine
+account.
+
+In Heimdal and MIT modes Samba's KDC now supports FAST, for the
+support of non-Windows clients.
+
+Windows clients will not use this feature however, as they do not
+attempt to do so against a server not advertising domain Functional
+Level 2012. Samba users are of course free to modify how Samba
+advertises itself, but use with Windows clients is not supported "out
+of the box".
+
+Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
+the FAST protocol. A future version will align this more closely with
+Microsoft AD behaviour.
+
+If FAST needs to be disabled on your Samba KDC, set
+
+ kdc enable fast = no
+
+in the smb.conf.
+
+The Samba project wishes to thank the numerous developers who have put
+in a massive effort to make this possible over many years. In
+particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
+Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank
+their employers and in turn their customers who have supported this
+effort over many years.
+
+Certificate Auto Enrollment
+---------------------------
+
+Certificate Auto Enrollment allows devices to enroll for certificates from
+Active Directory Certificate Services. It is enabled by Group Policy.
+To enable Certificate Auto Enrollment, Samba's group policy will need to be
+enabled by setting the smb.conf option `apply group policies` to Yes. Samba
+Certificate Auto Enrollment depends on certmonger, the cepces certmonger
+plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
+certmonger paired with cepces to monitor the host certificate templates.
+Certificates are installed in /var/lib/samba/certs and private keys are
+installed in /var/lib/samba/private/certs.
+
+Ability to add ports to dns forwarder addresses in internal DNS backend
+-----------------------------------------------------------------------
+
+The internal DNS server of Samba forwards queries non-AD zones to one or more
+configured forwarders. Up until now it has been assumed that these forwarders
+listen on port 53. Starting with this version it is possible to configure the
+port using host:port notation. See smb.conf for more details. Existing setups
+are not affected, as the default port is 53.
+
+CTDB changes
+------------
+
+* The "recovery master" role has been renamed "leader"
+
+ Documentation and logs now refer to "leader".
+
+ The following ctdb tool command names have changed:
+
+ recmaster -> leader
+ setrecmasterrole -> setleaderrole
+
+ Command output has changed for the following commands:
+
+ status
+ getcapabilities
+
+ The "[legacy] -> recmaster capability" configuration option has been
+ renamed and moved to the cluster section, so this is now:
+
+ [cluster] -> leader capability
+
+* The "recovery lock" has been renamed "cluster lock"
+
+ Documentation and logs now refer to "cluster lock".
+
+ The "[cluster] -> recovery lock" configuration option has been
+ deprecated and will be removed in a future version. Please use
+ "[cluster] -> cluster lock" instead.
+
+ If the cluster lock is enabled then traditional elections are not
+ done and leader elections use a race for the cluster lock. This
+ avoids various conditions where a node is elected leader but can not
+ take the cluster lock. Such conditions included:
+
+ - At startup, a node elects itself leader of its own cluster before
+ connecting to other nodes
+
+ - Cluster filesystem failover is slow
+
+ The abbreviation "reclock" is still used in many places, because a
+ better abbreviation eludes us (i.e. "clock" is obvious bad) and
+ changing all instances would require a lot of churn. If the
+ abbreviation "reclock" for "cluster lock" is confusing, please
+ consider mentally prefixing it with "really excellent".
+
+* CTDB now uses leader broadcasts and an associated timeout to
+ determine if an election is required
+
+ The leader broadcast timeout can be configured via new configuration
+ option
+
+ [cluster] -> leader timeout
+
+ This specifies the number of seconds without leader broadcasts
+ before a node calls an election. The default is 5.
+
+
+REMOVED FEATURES
+================
+
+Older SMB1 protocol SMBCopy command removed
+-------------------------------------------
+
+SMB is a nearly 30-year old protocol, and some protocol commands that
+while supported in all versions, have not seen widespread use.
+
+One of those is SMBCopy, a feature for a server-side copy of a file.
+This feature has been so unmaintained that Samba has no testsuite for
+it.
+
+The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
+introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
+in the NT LAN Manager dialect.
+
+Therefore it has been removed from the Samba smbd server.
+
+We do note that a fully supported and tested server-side copy is
+present in SMB2, and can be accessed with "scopy" subcommand in
+smbclient)
+
+SMB1 server-side wildcard expansion removed
+-------------------------------------------
+
+Server-side wildcard expansion is another feature that sounds useful,
+but is also rarely used and has become problematic - imposing extra
+work on the server (both in terms of code and CPU time).
+
+In actual OS design, wildcard expansion is handled in the local shell,
+not at the remote server using SMB wildcard syntax (which is not shell
+syntax).
+
+In Samba 4.16 the ability to process file name wildcards in requests
+using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
+SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
+command number 0x6) has been removed.
+
+SMB1 protocol has been deprecated, particularly older dialects
+--------------------------------------------------------------
+
+We take this opportunity to remind that we have deprecated and
+disabled by default, but not removed, the whole SMB1 protocol since
+Samba 4.11. If needed for security purposes or code maintenance we
+will continue to remove older protocol commands and dialects that are
+unused or have been replaced in more modern SMB1 versions.
+
+We specifically deprecate the older dialects older than "NT LM 0.12"
+(also known as "NT LANMAN 1.0" and "NT1").
+
+Please note that "NT LM 0.12" is the dialect used by software as old
+as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
+to DOS and similar era clients.
+
+We do reassure that that 'simple' operation of older clients than
+these (eg DOS) will, while untested, continue for the near future, our
+purpose is not to cripple use of Samba in unique situations, but to
+reduce the maintaince burden.
+
+Eventually SMB1 as a whole will be removed, but no broader change is
+announced for 4.16.
+
+In the rare case where the above changes cause incompatibilities,
+users requiring support for these features will need to use older
+versions of Samba.
+
+No longer using Linux mandatory locks for sharemodes
+====================================================
+
+smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
+was broken for a long time, and is planned to be removed with Linux 5.15. This
+Samba release removes the usage of mandatory locks for sharemodes and the
+"kernel share modes" config parameter is changed to default to "no". The Samba
+VFS interface is kept, so that file-system specific VFS modules can still use
+private calls for enforcing sharemodes.
+
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ kernel share modes New default No
+ dns forwarder Changed
+ rpc_daemon Removed
+ rpc_server Removed
+ rpc start on demand helpers Added true
+
+
+CHANGES SINCE 4.16.0rc5
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15000: Memory leak in FAST cookie handling.
+
+o Elia Geretto <elia.f.geretto@gmail.com>
+ * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
+ in SMBC_server_internal.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+ * BUG 14641: Crash of winbind on RODC.
+ * BUG 15001: LDAP simple binds should honour "old password allowed period".
+ * BUG 15002: S4U2Self requests don't work against servers without FAST
+ support.
+ * BUG 15003: wbinfo -a doesn't work reliable with upn names.
+ * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and
+ without FAST.
+ * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
+ INTERNAL_ERROR.
+
+o Garming Sam <garming@catalyst.net.nz>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
+ KDC.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
+ INTERNAL_ERROR.
+
+
+CHANGES SINCE 4.16.0rc4
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
+ objects with same lease key.
+
+o Jule Anger <janger@samba.org>
+ * BUG 14999: Listing shares with smbstatus no longer works.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14996: Fix ldap simple bind with TLS auditing.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14989: Fix a use-after-free in SMB1 server.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14865: Uncached logon on RODC always fails once.
+ * BUG 14984: Changing the machine password against an RODC likely destroys
+ the domain join.
+ * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
+ ldb_message *msg argument.
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+
+CHANGES SINCE 4.16.0rc3
+=======================
+
+o Samuel Cabrero <scabrero@suse.de>
+ * BUG 14979: Problem when winbind renews Kerberos.
+
+o Björn Jacke <bj@sernet.de>
+ * BUG 13631: DFS fix for AIX broken.
+ * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
+ * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
+ id range only once.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14958: CTDB can get stuck in election and recovery.
+
+
+CHANGES SINCE 4.16.0rc2
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14169: Renaming file on DFS root fails with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND.
+ * BUG 14938: NT error code is not set when overwriting a file during rename
+ in libsmbclient.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
+ during strcpy in tdbsam_getsampwnam.
+ * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
+ gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side
+ effects.
+
+
+CHANGES SINCE 4.16.0rc1
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
+ outside target of a symlink exists.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
+ module.
+ * BUG 14961: install elasticsearch_mappings.json
+
+o FeRD (Frank Dana) <ferdnyc@gmail.com>
+ * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings
+ without NotifyAccess=all.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly
+ rollup patch.
+ * BUG 14956: ndr_push_string() adds implicit termination for
+ STR_NOTERM|REMAINING empty strings.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict
+ checks.
+
+
+KNOWN ISSUES
+============
+
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs
+
+
+</pre>
+</p>
+</body>
+</html>
git.samba.org / samba-web.git / commitdiff