===============================
Release Notes for Samba 4.15.13
===============================

This is the latest stable release of the Samba 4.15 release series.
It also contains security changes in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

                  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

                  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

                  https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
                  Vulnerability was disclosed by Microsoft on Nov 8 2022
                  and per RFC8429 it is assumed that rc4-hmac is weak,

                  Vulnerable Samba Active Directory DCs will issue rc4-hmac
                  encrypted tickets despite the target server supporting
                  better encryption (eg aes256-cts-hmac-sha1-96).

                  https://www.samba.org/samba/security/CVE-2022-45141.html

Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with systems still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects, even against remote DCs (including Windows),
using the --local-dc-ipaddress= option (and the other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.

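
Before changing a trust it helps to know which trustedDomain objects still lack AES. The following is an added example, not part of the Samba release or its tools: it decodes "msDS-SupportedEncryptionTypes" from an LDIF export and classifies each trust. The function names, the status labels and the LDIF records are constructed for illustration; the bit values are the cipher bits defined in MS-KILE.

```python
# Cipher bits of msDS-SupportedEncryptionTypes as defined in MS-KILE.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES_BITS = 0x08 | 0x10
LEGACY_BITS = 0x01 | 0x02 | 0x04

# Constructed sample: four trusts and one unrelated object.
SAMPLE_LDIF = """\
dn: CN=partner.example,CN=System,DC=corp,DC=example
objectClass: trustedDomain
trustPartner: partner.example
msDS-SupportedEncryptionTypes: 4

dn: CN=branch.example,CN=System,
 DC=corp,DC=example
objectClass: trustedDomain
trustPartner: branch.example
msDS-SupportedEncryptionTypes: 28

dn: CN=lab.example,CN=System,DC=corp,DC=example
objectClass: trustedDomain
trustPartner: lab.example

dn: CN=hq.example,CN=System,DC=corp,DC=example
objectClass: trustedDomain
trustPartner: hq.example
msDS-SupportedEncryptionTypes: 24

dn: CN=Administrator,CN=Users,DC=corp,DC=example
objectClass: user
msDS-SupportedEncryptionTypes: 4
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per record (base64 values not decoded)."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # folded continuation line
            current[last][-1] += line[1:]
        elif not line.strip():                   # blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            last = attr.lower()
            current.setdefault(last, []).append(value.strip())
    return records


def decode(mask):
    """Names of the cipher bits set in the mask, lowest bit first."""
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def classify(mask):
    """Status label (constructed for this example) for one attribute value."""
    if not mask:
        return "unset"              # attribute missing or 0: review separately
    if not mask & AES_BITS:
        return "no-aes"             # only rc4-hmac/DES can be used
    if mask & LEGACY_BITS:
        return "aes-plus-legacy"    # AES available, weak types still allowed
    return "aes-only"


def audit_trusts(ldif):
    """Map trust partner -> (status, enabled ciphers) for trustedDomain objects."""
    report = {}
    for rec in parse_ldif(ldif):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "trusteddomain" not in classes:
            continue
        raw = rec.get("msds-supportedencryptiontypes", [None])[0]
        mask = int(raw) if raw is not None else None
        name = (rec.get("trustpartner") or rec.get("dn", ["?"]))[0]
        report[name] = (classify(mask), decode(mask or 0))
    return report


if __name__ == "__main__":
    for partner, (status, ciphers) in audit_trusts(SAMPLE_LDIF).items():
        print(f"{partner:18} {status:16} {', '.join(ciphers) or '-'}")
```

Trusts reported as "no-aes" or "unset" are the ones to review with 'samba-tool domain trust modify --help'.
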
  Parameter Name                                Description              Default
  --------------                                -----------              -------
  allow nt4 crypto                              Deprecated               no
  allow nt4 crypto:COMPUTERACCOUNT              New
  kdc default domain supported enctypes         New (see manpage)
  kdc supported enctypes                        New (see manpage)
  kdc force enable rc4 weak session keys        New                      No
  reject md5 clients                            New Default, Deprecated  Yes
  reject md5 servers                            New Default, Deprecated  Yes
  server schannel                               Deprecated               Yes
  server schannel require seal                  New, Deprecated          Yes
  server schannel require seal:COMPUTERACCOUNT  New
  winbind sealed pipes                          Deprecated               Yes

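
An existing smb.conf may still carry explicit settings that override these defaults. The following is an added example, not Samba code: it scans the [global] section for values weaker than the "Default" column above, for the per-account ":COMPUTERACCOUNT" exceptions, and for 'kerberos encryption types = legacy'. The function names and the sample configuration are constructed; the accepted boolean spellings and the case- and whitespace-insensitive parameter names are assumptions about smb.conf syntax.

```python
import re

TRUE = {"yes", "true", "on", "1"}     # boolean spellings assumed accepted by Samba
FALSE = {"no", "false", "off", "0"}

# Hardened values from the table's "Default" column (names normalised by norm()).
WANT_YES = {"rejectmd5clients", "rejectmd5servers", "serverschannel",
            "serverschannelrequireseal", "winbindsealedpipes"}
WANT_NO = {"allownt4crypto", "kdcforceenablerc4weaksessionkeys"}
# Parameters the table lists with a per-account ":COMPUTERACCOUNT" form.
PER_ACCOUNT = {"allownt4crypto", "serverschannelrequireseal"}

# Constructed sample configuration.
SAMPLE = r"""[global]
    workgroup = EXAMPLE
    # compatibility settings left over from an older deployment
    kerberos encryption types = legacy
    Server Schannel = auto
    server schannel require seal:OLDNAS$ = no
    allow nt4 crypto = no
    kdc force enable rc4 weak session keys = \
        yes
    reject md5 clients = yes
[share]
    server schannel = no
"""


def norm(name):
    """Assumption: parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return [(lineno, name, value)] for every parameter in [global]."""
    params, section, pending, start = [], None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":      # blank line or comment
                continue
            start = lineno
        line = pending + line
        if line.endswith("\\"):                  # trailing backslash continues
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params.append((start, name.strip(), value.strip()))
    return params


def audit(text):
    """Return [(lineno, parameter, value, account_or_None)] for weak settings."""
    findings = []
    for lineno, name, value in parse_global(text):
        base, _, account = name.partition(":")
        key, val = norm(base), value.lower()
        account = account.strip() or None
        if account and key not in PER_ACCOUNT:
            continue
        weak = ((key in WANT_YES and val not in TRUE)
                or (key in WANT_NO and val not in FALSE)
                or (key == "kerberosencryptiontypes" and val == "legacy"))
        if weak:
            findings.append((lineno, " ".join(base.split()).lower(), value, account))
    return findings


if __name__ == "__main__":
    for lineno, param, value, account in audit(SAMPLE):
        scope = f" (account {account})" if account else ""
        print(f"line {lineno}: {param} = {value}{scope}")
```
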
o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.

o  Luke Howard <lukeh@padl.com>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.

o  Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@cryptonector.com>
   * BUG 15214: CVE-2022-45141.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================

Release notes for older releases follow:
----------------------------------------
===============================
Release Notes for Samba 4.15.12
===============================

This is a security release in order to address the following defects:

o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
                  integer overflows when parsing a PAC on a 32-bit system, which
                  allowed an attacker with a forged PAC to corrupt the heap.
                  https://www.samba.org/samba/security/CVE-2022-42898.html

Changes since 4.15.11
---------------------

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15203: CVE-2022-42898

o  Nicolas Williams <nico@twosigma.com>
   * BUG 15203: CVE-2022-42898

----------------------------------------------------------------------
===============================
Release Notes for Samba 4.15.11
===============================

This is a security release in order to address the following defect:

o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
                 unwrap_des() and unwrap_des3() routines of Heimdal (included
                 https://www.samba.org/samba/security/CVE-2022-3437.html

Changes since 4.15.10
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba

o  Andreas Schneider <asn@samba.org>
   * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15134: CVE-2022-3437.

----------------------------------------------------------------------
===============================
Release Notes for Samba 4.15.10
===============================

This is the latest stable release of the Samba 4.15 release series.

o  Jeremy Allison <jra@samba.org>
   * BUG 15128: Possible use after free of connection_struct when iterating
     smbd_server_connection->connections.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.

o  Ralph Boehme <slow@samba.org>
   * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
   * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
     permissions instead of ACL from xattr.
   * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
   * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
     ../../lib/util/fault.c:197.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15148: Missing READ_LEASE break could cause data corruption.

o  Andreas Schneider <asn@samba.org>
   * BUG 15124: rpcclient can crash using setuserinfo(2).
   * BUG 15132: Samba fails to build with glibc 2.36 caused by including
     <sys/mount.h> in libreplace.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15152: SMB1 negotiation can fail to handle connection errors.

o  Michael Tokarev <mjt@tls.msk.ru>
   * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.9
==============================

This is a security release in order to address the following defects:

o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
                 https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
                  https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                  https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                  process with an LDAP add or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
                  https://www.samba.org/samba/security/CVE-2022-32742.html

o  Jeremy Allison <jra@samba.org>
   * BUG 15085: CVE-2022-32742.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15009: CVE-2022-32746.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 15047: CVE-2022-2031.

o  Andreas Schneider <asn@samba.org>
   * BUG 15047: CVE-2022-2031.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15008: CVE-2022-32745.
   * BUG 15009: CVE-2022-32746.
   * BUG 15047: CVE-2022-2031.
   * BUG 15074: CVE-2022-32744.

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.8
==============================

This is the latest stable release of the Samba 4.15 release series.

o  Jeremy Allison <jra@samba.org>
   * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
   * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14986: Add support for bind 9.18.
   * BUG 15076: logging dsdb audit to specific files does not work.

o  Ralph Boehme <slow@samba.org>
   * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
     file had been deleted.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15087: netgroups support removed.

o  Samuel Cabrero <scabrero@suse.de>
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15071: waf produces incorrect names for python extensions with Python

o  Noel Power <noel.power@suse.com>
   * BUG 15100: smbclient commands del & deltree fail with
     NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.

o  Christof Schmitt <cs@samba.org>
   * BUG 15055: vfs_gpfs recalls=no option prevents listing files.

o  Andreas Schneider <asn@samba.org>
   * BUG 15071: waf produces incorrect names for python extensions with Python
   * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
   * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.

o  Andreas Schneider <asn@cryptomilk.org>
   * BUG 15054: smbd doesn't handle UPNs for looking up names.

o  Robert Sprowson <webpages@sprow.co.uk>
   * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.7
==============================

This is the latest stable release of the Samba 4.15 release series.

o  Jeremy Allison <jra@samba.org>
   * BUG 14831: Share and server swapped in smbget password prompt.
   * BUG 15022: Durable handles won't reconnect if the leased file is written
   * BUG 15023: rmdir silently fails if directory contains unreadable files and
     hide unreadable is yes.
   * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on

o  Ralph Boehme <slow@samba.org>
   * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
   * BUG 15035: shadow_copy2 fails listing snapshotted dirs with

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 15041: username map - samba erroneously applies unix group memberships
     to user account entries.

o  Elia Geretto <elia.f.geretto@gmail.com>
   * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
     in SMBC_server_internal.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
   * BUG 14641: Crash of winbind on RODC.
   * BUG 14865: uncached logon on RODC always fails once.
   * BUG 14951: KVNO off by 100000.
   * BUG 15001: LDAP simple binds should honour "old password allowed period".
   * BUG 15003: wbinfo -a doesn't work reliably with upn names.

o  Garming Sam <garming@catalyst.net.nz>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded

o  Christof Schmitt <cs@samba.org>
   * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.

o  Andreas Schneider <asn@samba.org>
   * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.6
==============================

This is the latest stable release of the Samba 4.15 release series.

o  Jeremy Allison <jra@samba.org>
   * BUG 14169: Renaming file on DFS root fails with
     NT_STATUS_OBJECT_PATH_NOT_FOUND.
   * BUG 14737: Samba does not respond with STATUS_INVALID_PARAMETER when
     opening 2 objects with same lease key.
   * BUG 14938: NT error code is not set when overwriting a file during rename

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14996: Fix ldap simple bind with TLS auditing.

o  Ralph Boehme <slow@samba.org>
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted

o  Samuel Cabrero <scabrero@suse.de>
   * BUG 14979: Problem when winbind renews Kerberos.

o  Günther Deschner <gd@samba.org>
   * BUG 8691: pam_winbind will not allow gdm login if password about to expire.

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.

o  Björn Jacke <bj@sernet.de>
   * BUG 13631: DFS fix for AIX broken.
   * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
   * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.

o  Volker Lendecke <vl@samba.org>
   * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
     during strcpy in tdbsam_getsampwnam.
   * BUG 14989: Fix a use-after-free in SMB1 server.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
     gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
   * BUG 14984: changing the machine password against an RODC likely destroys
   * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
     ldb_message *msg argument.
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.

o  Andreas Schneider <asn@samba.org>
   * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.5
==============================

This is a security release in order to address the following defects:

o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
                  https://www.samba.org/samba/security/CVE-2021-44141.html

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
                  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
                 https://www.samba.org/samba/security/CVE-2022-0336.html

o  Jeremy Allison <jra@samba.org>
   * BUG 14911: CVE-2021-44141

o  Ralph Boehme <slow@samba.org>
   * BUG 14914: CVE-2021-44142

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14950: CVE-2022-0336

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.4
==============================

This is the latest stable release of the Samba 4.15 release series.

o  Jeremy Allison <jra@samba.org>
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
   * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
     calling the "Reconnecting with SMB1 for workgroup listing" path.
   * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 14940: Cross device copy of the crossrename module always fails.
   * BUG 14941: symlinkat function from VFS cap module always fails with an
   * BUG 14942: Fix possible fsp pointer dereference.

o  Volker Lendecke <vl@samba.org>
   * BUG 14934: kill_tcp_connections does not work.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
     NT_STATUS_BUFFER_TOO_SMALL.
   * BUG 14935: Can't connect to Windows shares not requiring authentication

o  Andreas Schneider <asn@samba.org>
   * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.

o  Jones Syue <jonessyue@qnap.com>
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.3
==============================

This is the latest stable release of the Samba 4.15 release series.

There have been a few regressions in the security release 4.15.2:

o CVE-2020-25717: A user on the domain can become root on domain members.
                  https://www.samba.org/samba/security/CVE-2020-25717.html

                  The instructions have been updated and some workarounds
                  initially advised for 4.15.2 are no longer required and
                  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
             un-deletable. While this release should fix this bug, it is
             advised to have a look at the bug report for more detailed
             information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

o  Jeremy Allison <jra@samba.org>
   * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by
     SMB2 alone when they are the only entry in the directory.
   * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
     uninitialized in rmdir_internals().

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become

o  Ralph Boehme <slow@samba.org>
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if
     existing record points at non-existing process.
   * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
   * BUG 14897: Samba process doesn't log to logfile.
   * BUG 14907: set_ea_dos_attribute() fallback calling
     get_file_handle_for_metadata() triggers locking.tdb assert.
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Günther Deschner <gd@samba.org>
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
   * BUG 14893: winexe crashes since 4.15.0 after popt parsing.

o  Volker Lendecke <vl@samba.org>
   * BUG 14908: net ads status -P broken in a clustered environment.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
     smbd_smb2_ioctl_send.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if
     existing record points at non-existing process.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Andreas Schneider <asn@samba.org>
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
   * BUG 14883: smbclient login without password using '-N' fails with
     NT_STATUS_INVALID_PARAMETER on Samba AD DC.
   * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
   * BUG 14921: Possible null pointer dereference in winbind.

o  Andreas Schneider <asn@cryptomilk.org>
   * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,

o  Martin Schwenke <martin@meltin.net>
   * BUG 14872: Add Debian 11 CI bootstrap support.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Andrew Walker <awalker@ixsystems.com>
   * BUG 14888: Crash in recycle_unlink_internal().

----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.2
==============================

This is a security release in order to address the following defects:

o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
                 https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
                  https://www.samba.org/samba/security/CVE-2020-25717.html
                  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
                  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
                  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
                  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
                  checking of data stored.
                  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738: Use after free in Samba AD DC RPC server.
                 https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
                  https://www.samba.org/samba/security/CVE-2021-23192.html

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

o  Andrew Bartlett <abartlet@samba.org>

o  Ralph Boehme <slow@samba.org>

o  Alexander Bokovoy <ab@samba.org>

o  Samuel Cabrero <scabrero@samba.org>

o  Nadezhda Ivanova <nivanova@symas.com>

o  Stefan Metzmacher <metze@samba.org>

o  Andreas Schneider <asn@samba.org>

o  Joseph Sutton <josephsutton@catalyst.net.nz>

960 ----------------------------------------------------------------------
963 ==============================
964 Release Notes for Samba 4.15.1
966 ==============================
969 This is the latest stable release of the Samba 4.15 release series.
975 o Jeremy Allison <jra@samba.org>
976 * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
977 * BUG 14685: Log clutter from filename_convert_internal.
978 * BUG 14862: MacOSX compilation fixes.
980 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
981 * BUG 14868: rodc_rwdc test flaps.
983 o Andrew Bartlett <abartlet@samba.org>
984 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
985 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
987 * BUG 14836: Python ldb.msg_diff() memory handling failure.
988 * BUG 14845: "in" operator on ldb.Message is case sensitive.
989 * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
990 * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
991 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
992 * BUG 14874: Allow special chars like "@" in samAccountName when generating
995 o Ralph Boehme <slow@samba.org>
996 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
998 o Isaac Boukris <iboukris@gmail.com>
999 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
1000 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
1003 o Viktor Dukhovni <viktor@twosigma.com>
1004 * BUG 12998: Fix transit path validation.
1006 o Pavel Filipenský <pfilipen@redhat.com>
1007 * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
1010 o Luke Howard <lukeh@padl.com>
1011 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
1012 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
1015 o Stefan Metzmacher <metze@samba.org>
1016 * BUG 14855: SMB3 cancel requests should only include the MID together with
1017 AsyncID when AES-128-GMAC is used.
1019 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
1020 * BUG 14862: MacOSX compilation fixes.
1022 o Andreas Schneider <asn@samba.org>
1023 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
1025 o Martin Schwenke <martin@meltin.net>
1026 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
1028 o Joseph Sutton <josephsutton@catalyst.net.nz>
1029 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
1030 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
1032 * BUG 14836: Python ldb.msg_diff() memory handling failure.
1033 * BUG 14845: "in" operator on ldb.Message is case sensitive.
1034 * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
1035 * BUG 14868: rodc_rwdc test flaps.
1036 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
1037 * BUG 14874: Allow special chars like "@" in samAccountName when generating
1040 o Nicolas Williams <nico@twosigma.com>
1041 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
1042 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
1046 #######################################
1047 Reporting bugs & Development Discussion
1048 #######################################
1050 Please discuss this release on the samba-technical mailing list or by
1051 joining the #samba-technical IRC channel on irc.freenode.net.
1053 If you do report problems then please try to send high quality
1054 feedback. If you don't provide vital information to help us track down
1055 the problem then you will probably be ignored. All bug reports should
1056 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1057 database (https://bugzilla.samba.org/).
1060 ======================================================================
1061 == Our Code, Our Bugs, Our Responsibility.
1063 ======================================================================
1066 ----------------------------------------------------------------------
1068 ==============================
1069 Release Notes for Samba 4.15.0
1071 ==============================
1074 This is the first stable release of the Samba 4.15 release series.
1075 Please read the release notes carefully before upgrading.
1078 Removed SMB (development) dialects
1079 ==================================
1081 The following SMB (development) dialects are no longer
1082 supported: SMB2_22, SMB2_24 and SMB3_10. They were
1083 only supported by Windows technical preview builds.
1084 They used to be useful in order to test against the
1085 latest Windows versions, but it's no longer useful
1086 to have them. If you have them explicitly specified
1087 in your smb.conf or on the command line,
1088 you need to replace them like this:
1089 - SMB2_22 => SMB3_00
1090 - SMB2_24 => SMB3_00
1091 - SMB3_10 => SMB3_11
1092 Note that it's typically not useful to specify
1093 "client max protocol" or "server max protocol"
1094 explicitly to a specific dialect, just leave
1095 them unspecified or specify the value "default".
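A pre-upgrade check for the replacement described above, as an added example that is not part of the Samba release notes or the Samba code base: it scans smb.conf text for the four protocol parameters that the parameter table of this release lists with "Values Removed" and applies the mapping. The sample configuration is constructed and the function names are hypothetical.

```python
import re
from collections import namedtuple

# Replacements given in the 4.15.0 release notes.
REPLACEMENTS = {"SMB2_22": "SMB3_00", "SMB2_24": "SMB3_00", "SMB3_10": "SMB3_11"}

# The four parameters the release notes list with "Values Removed",
# stored in normalised form (lower case, no whitespace).
PROTOCOL_PARAMS = {
    "clientmaxprotocol", "clientminprotocol",
    "servermaxprotocol", "serverminprotocol",
}

Finding = namedtuple("Finding", "lineno section param old new")


def normalise(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def find_removed_dialects(conf_text):
    """Return a Finding for every protocol parameter set to a removed dialect."""
    findings = []
    section = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if not sep or normalise(name) not in PROTOCOL_PARAMS:
            continue
        value = value.strip()
        new = REPLACEMENTS.get(value.upper())    # dialect names compared case-insensitively
        if new:
            findings.append(Finding(lineno, section, name.strip(), value, new))
    return findings


def migrate(conf_text):
    """Return the text with removed dialects replaced; other lines are untouched."""
    lines = conf_text.splitlines(keepends=True)
    for f in find_removed_dialects(conf_text):
        head, _, tail = lines[f.lineno - 1].partition("=")
        lines[f.lineno - 1] = head + "=" + tail.replace(f.old, f.new, 1)
    return "".join(lines)


# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    # server max protocol = SMB3_10
    Client Max Protocol = smb3_10
    server min protocol = SMB2_24
    client min protocol = SMB2_02
    servermaxprotocol = SMB3_11
"""

if __name__ == "__main__":
    for f in find_removed_dialects(SAMPLE_CONF):
        print(f"line {f.lineno} [{f.section}] {f.param}: {f.old} -> {f.new}")
    print(migrate(SAMPLE_CONF))
```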
1100 The GPG release key for Samba releases changed from:
1102 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
1103 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
1104 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
1105 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
1107 to the following new key:
1109 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
1110 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
1111 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
1112 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
1114 Starting from Jan 21st 2021, all Samba releases will be signed with the new key.
1116 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
1118 New minimum version for the experimental MIT KDC
1119 ================================================
1121 The build of the AD DC using the system MIT Kerberos, an
1122 experimental feature, now requires MIT Kerberos 1.19. An up-to-date
1123 Fedora 34 has this version and has backported fixes for the KDC crash
1124 bugs CVE-2021-37750 and CVE-2021-36222.
1127 NEW FEATURES/CHANGES
1128 ====================
1133 The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
1134 with a modernized VFS designed for the post SMB1 world.
1136 For details please refer to the documentation at source3/modules/The_New_VFS.txt
1137 or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
1140 Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
1141 ---------------------------------------------------------------------------
1143 Up to now, any client could use a DNS zone transfer request to the
1144 bind server, and get an answer from Samba. Now the default behaviour
1145 will be to deny those requests. Two new options have been added to
1146 manage the list of authorized/denied clients for zone transfer
1147 requests. In order to be accepted, the request must be issued by a
1148 client that is in the allow list and NOT in the deny list.
1151 "server multi channel support" no longer experimental
1152 -----------------------------------------------------
1154 This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
1155 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
1156 to use this feature on Linux and FreeBSD for now.
1159 samba-tool available without the ad-dc
1160 --------------------------------------
1162 The 'samba-tool' command is now available when samba is configured
1163 "--without-ad-dc". Not all features will work, and some ad-dc specific options
1164 have been disabled. The 'samba-tool domain' options, for example, are limited
1165 when no ad-dc is present. Samba must still be built with ads in order to enable
1169 Improved command line user experience
1170 -------------------------------------
1172 Samba utilities did not consistently implement their command line interface. A
1173 number of options required a value in one tool but not in another, and some
1174 options had different meanings in different tools.
1176 These should be stories of the past now. A new command line parser has been
1177 implemented with sanity checking. Also the command line interface has been
1178 simplified and provides better control for encryption, signing and kerberos.
1180 Previously many tools silently ignored unknown options. To prevent unexpected
1181 behaviour all tools will now consistently reject unknown options.
1183 Also several command line options have a smb.conf variable to control the
1186 All tools are now logging to stderr by default. You can use "--debug-stdout" to
1187 change the behavior. All servers will log to stderr at early startup until logging
1188 is setup to go to a file by default.
1193 --client-protection=off|sign|encrypt
1196 --kerberos -> --use-kerberos=required|desired|off
1197 --krb5-ccache -> --use-krb5-ccache=CCACHE
1198 --scope -> --netbios-scope=SCOPE
1199 --use-ccache -> --use-winbind-ccache
1203 -C removed from --use-winbind-ccache
1204 -i removed from --netbios-scope
1208 ### Duplicates in command line utils
1210 ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
1211 -e is still available as an alias for --editor,
1213 -s is no longer reported as an alias for --configfile,
1214 it never worked that way as it was shadowed by '-s' for '--scope'.
1217 -l is not available for --load-dso anymore
1220 -l is not available for --long anymore
1223 -V is not available for --viewsddl anymore
1226 --user -> --quota-user
1229 --log-stdout -> --debug-stdout
1232 --log-stdout -> --debug-stdout
1235 --log-stdout -> --debug-stdout
1238 Scanning of trusted domains and enterprise principals
1239 -----------------------------------------------------
1241 As an artifact from the NT4 times, we still scanned the list of trusted domains
1242 on winbindd startup. This is wrong as we never can get a full picture in Active
1243 Directory. It is time to change the default value to "No". Also with this change
1244 we always use enterprise principals for Kerberos so that the DC will be able
1245 to redirect ticket requests to the right DC. This is e.g. needed for one way
1246 trusts. The options `winbind use krb5 enterprise principals` and
1247 `winbind scan trusted domains` will be deprecated in one of the next releases.
1250 Support for Offline Domain Join (ODJ)
1251 -------------------------------------
1253 The net utility is now able to support the offline domain join feature
1254 as known from the Windows djoin.exe command for many years. Samba's
1255 implementation is accessible via the 'net offlinejoin' subcommand. It
1256 can provision computers and request offline joining for both Windows
1257 and Unix machines. It is also possible to provision computers from
1258 Windows (using djoin.exe) and use the generated data in Samba's 'net'
1259 utility. The existing options for the provisioning and joining steps
1260 are documented in the net(8) manpage.
1263 'samba-tool dns zoneoptions' for aging control
1264 ----------------------------------------------
1266 The 'samba-tool dns zoneoptions' command can be used to turn aging on
1267 and off, alter the refresh and no-refresh periods, and manipulate the
1268 timestamps of existing records.
1270 To turn aging on for a zone, you can use something like this:
1272 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
1274 which turns on aging and ensures no records less than five years old
1275 are aged out and scavenged. After aging has been on for sufficient
1276 time for records to be renewed, the command
1278 samba-tool dns zoneoptions --refreshinterval=168
1280 will set the refresh period to the standard seven days. Using this two
1281 step process will help prevent the temporary loss of dynamic records
1282 if scavenging happens before their first renewal.
1285 Marking old records as static or dynamic with 'samba-tool'
1286 ----------------------------------------------------------
1288 A bug in Samba versions prior to 4.9 meant records that were meant to
1289 be static were marked as dynamic and vice versa. To fix the timestamps
1290 in these domains, it is possible to use the following options,
1291 preferably before turning aging on.
1293 --mark-old-records-static
1294 --mark-records-dynamic-regex
1295 --mark-records-static-regex
1297 The "--mark-old-records-static" option will make records older than the
1298 specified date static (that is, with a zero timestamp). For example,
1299 if you upgraded to Samba 4.9 in November 2018, you could ensure no
1300 old records will be mistakenly interpreted as dynamic using the
1303 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
1305 Then, if you know that that will have marked some records as static
1306 that should be dynamic, and you know which those are due to your
1307 naming scheme, you can use commands like:
1309 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
1311 where '\w+-desktop' is a perl-compatible regular expression that will
1312 match 'bob-desktop', 'alice-desktop', and so on.
1314 These options are deliberately long and cumbersome to type, so people
1315 have a chance to think before they get to the end. You can make a
1316 mess if you get it wrong.
1318 All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
1319 argument that allows you to inspect the likely results before going
1322 NOTE: for aging to work, you need to have "dns zone scavenging = yes"
1323 set in the smb.conf of at least one server.
1326 DNS tombstones are now deleted as appropriate
1327 ---------------------------------------------
1329 When all the records for a DNS name have been deleted, the node is put
1330 in a tombstoned state (separate from general AD object tombstoning,
1331 which deleted nodes also go through). These tombstones should be
1332 cleaned up periodically. Due to a conflation of scavenging and
1333 tombstoning, we have only been deleting tombstones when aging is
1336 If you have a lot of tombstoned DNS nodes (that is, DNS names for
1337 which you have removed all the records), cleaning up these DNS
1338 tombstones may take a noticeable time.
1341 DNS tombstones use a consistent timestamp format
1342 ------------------------------------------------
1344 DNS records use an hours-since-1601 timestamp format except for in the
1345 case of tombstone records where a 100-nanosecond-intervals-since-1601
1346 format is used (this latter format being the most common in Windows).
1347 We had mixed that up, which might have had strange effects in zones
1348 where aging was enabled (and hence tombstone timestamps were used).
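The two timestamp encodings described above, worked through as an added example that is not part of the Samba release notes or code base: it encodes one moment both ways and shows what each value decodes to when read in the wrong unit. The function names, the sample date and the plausibility window used by classify() are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 nanoseconds
TICKS_PER_HOUR = 3600 * TICKS_PER_SECOND

# Window used by classify() to decide whether a decoded date is believable.
# These bounds are an assumption of this example.
PLAUSIBLE_FROM = datetime(1990, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2100, 1, 1, tzinfo=timezone.utc)


def to_dns_hours(when):
    """Encode as whole hours since 1601 (ordinary DNS record timestamps)."""
    delta = when - EPOCH_1601
    return delta.days * 24 + delta.seconds // 3600


def to_ticks(when):
    """Encode as 100 ns intervals since 1601 (tombstone timestamps)."""
    delta = when - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_dns_hours(hours):
    return EPOCH_1601 + timedelta(hours=hours)


def from_ticks(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def classify(raw):
    """Guess the unit of a raw timestamp: 'static', 'hours', 'ticks' or 'unknown'."""
    if raw == 0:
        return "static"          # a zero timestamp marks a static record
    for unit, decode in (("hours", from_dns_hours), ("ticks", from_ticks)):
        try:
            when = decode(raw)
        except OverflowError:    # value is far too large for this unit
            continue
        if PLAUSIBLE_FROM <= when <= PLAUSIBLE_TO:
            return unit
    return "unknown"


def misread_report(when):
    """Show what each encoding of `when` decodes to when read in the wrong unit."""
    hours, ticks = to_dns_hours(when), to_ticks(when)
    try:
        ticks_as_hours = from_dns_hours(ticks).isoformat()
    except OverflowError:
        ticks_as_hours = "out of range"
    return {
        "hours": hours,
        "ticks": ticks,
        "hours_read_as_ticks": from_ticks(hours).isoformat(),
        "ticks_read_as_hours": ticks_as_hours,
    }


if __name__ == "__main__":
    # Constructed sample: a tombstone created at 2021-09-20 12:00 UTC.
    sample = datetime(2021, 9, 20, 12, tzinfo=timezone.utc)
    for key, value in misread_report(sample).items():
        print(f"{key:22} {value}")
```

An hours value read as 100-nanosecond intervals lands a fraction of a second after 1601-01-01, so any age comparison treats the tombstone as centuries old; the reverse misreading does not fit in a date at all.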
1351 samba-tool dns update and RPC changes
1352 -------------------------------------
1354 The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
1355 to manipulate dns records on the remote server. A bug in Samba meant
1356 it was not possible to update an existing DNS record to change the
1357 TTL. The general behaviour of RPC updates is now closer to that of
1360 'samba-tool dns update' is now a bit more careful in rejecting and
1361 warning you about malformed IPv4 and IPv6 addresses.
1363 CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
1364 -----------------------------------------------------------------------
1366 An unauthenticated user can crash the AD DC KDC by omitting the server
1367 name in a TGS-REQ. Per Samba's updated security process a specific
1368 security release was not made for this issue as it is a recoverable
1371 See https://wiki.samba.org/index.php/Samba_Security_Proces
1373 samba-tool domain backup offline with the LMDB backend
1374 ------------------------------------------------------
1376 samba-tool domain backup offline, when operating with the LMDB backend
1377 now correctly takes out locks against concurrent modification of the
1378 database during the backup. If you use this tool on a Samba AD DC
1379 using LMDB, you should upgrade to this release for safer backups.
1384 Tru64 ACL support has been removed from this release. The last
1385 supported release of Tru64 UNIX was in 2012.
1387 NIS support has been removed from this release. This is not
1388 available in Linux distributions anymore.
1390 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
1391 which have been out of support since 2018.
1397 Parameter Name                          Description     Default
1398 --------------                          -----------     -------
1399 client use kerberos                     New             desired
1400 client max protocol                     Values Removed
1401 client min protocol                     Values Removed
1402 client protection                       New             default
1403 client smb3 signing algorithms          New             see man smb.conf
1404 client smb3 encryption algorithms       New             see man smb.conf
1405 preopen:posix-basic-regex               New             No
1406 preopen:nomatch_log_level               New             5
1407 preopen:match_log_level                 New             5
1408 preopen:nodigits_log_level              New             1
1409 preopen:founddigits_log_level           New             3
1410 preopen:reset_log_level                 New             5
1411 preopen:push_log_level                  New             3
1412 preopen:queue_log_level                 New             10
1413 server max protocol                     Values Removed
1414 server min protocol                     Values Removed
1415 server multi channel support            Changed         Yes (on Linux and FreeBSD)
1416 server smb3 signing algorithms          New             see man smb.conf
1417 server smb3 encryption algorithms       New             see man smb.conf
1418 winbind use krb5 enterprise principals  Changed         Yes
1419 winbind scan trusted domains            Changed         No
1422 CHANGES SINCE 4.15.0rc6
1423 =======================
1425 o Andrew Bartlett <abartlet@samba.org>
1426 * BUG 14791: All the ways to specify a password are not documented.
1428 o Ralph Boehme <slow@samba.org>
1429 * BUG 14790: vfs_btrfs compression support broken.
1430 * BUG 14828: Problems with commandline parsing.
1431 * BUG 14829: smbd crashes when "ea support" is set to no.
1433 o Stefan Metzmacher <metze@samba.org>
1434 * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
1435 use the same strings as smbstatus output.
1436 * BUG 14828: Problems with commandline parsing.
1438 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
1439 * BUG 8773: smbd fails to run as root because it belongs to more than 16
1442 o Martin Schwenke <martin@meltin.net>
1443 * BUG 14784: Fix CTDB flag/status update race conditions.
1446 CHANGES SINCE 4.15.0rc5
1447 =======================
1449 o Andrew Bartlett <abartlet@samba.org>
1450 * BUG 14806: Address a significant performance regression in database access
1451 in the AD DC since Samba 4.12.
1452 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
1453 Samba 4.9 by using an explicit database handle cache.
1454 * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
1455 server name in a TGS-REQ.
1456 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
1457 * BUG 14819: Address flapping dsdb_schema_attributes test.
1459 o Luke Howard <lukeh@padl.com>
1460 * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
1461 server name in a TGS-REQ.
1463 o Gary Lockyer <gary@catalyst.net.nz>
1464 * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
1465 server name in a TGS-REQ.
1467 o Andreas Schneider <asn@samba.org>
1468 * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
1469 server name in a TGS-REQ.
1471 o Joseph Sutton <josephsutton@catalyst.net.nz>
1472 * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
1473 server name in a TGS-REQ.
1476 CHANGES SINCE 4.15.0rc4
1477 =======================
1479 o Jeremy Allison <jra@samba.org>
1480 * BUG 14809: Shares with variable substitutions cause core dump upon
1481 connection from MacOS Big Sur 11.5.2.
1482 * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
1485 o Andrew Bartlett <abartlet@samba.org>
1486 * BUG 14815: A subset of tests from Samba's selftest system were not being
1487 run, while others were run twice.
1489 o Ralph Boehme <slow@samba.org>
1490 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
1491 * BUG 14787: net conf list crashes when run as normal user,
1492 * BUG 14803: smbd/winbindd started in daemon mode generate output on
1494 * BUG 14804: winbindd can crash because idmap child state is not fully
1497 o Stefan Metzmacher <metze@samba.org>
1498 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
1501 CHANGES SINCE 4.15.0rc3
1502 =======================
1504 o Bjoern Jacke <bj@sernet.de>
1505 * BUG 14800: util_sock: fix assignment of sa_socklen.
1508 CHANGES SINCE 4.15.0rc2
1509 =======================
1511 o Jeremy Allison <jra@samba.org>
1512 * BUG 14760: vfs_streams_depot directory creation permissions and store
1514 * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCWD.
1515 * BUG 14769: smbd panic on force-close share during offload write.
1516 * BUG 14805: OpenDir() loses the correct errno return.
1518 o Ralph Boehme <slow@samba.org>
1519 * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
1521 o Stefan Metzmacher <metze@samba.org>
1522 * BUG 14793: Start the SMB encryption as soon as possible.
1524 o Andreas Schneider <asn@samba.org>
1525 * BUG 14779: Winbind should not start if the socket path is too long.
1527 o Noel Power <noel.power@suse.com>
1528 * BUG 14760: vfs_streams_depot directory creation permissions and store
1532 CHANGES SINCE 4.15.0rc1
1533 =======================
1535 o Andreas Schneider <asn@samba.org>
1536 * BUG 14768: smbd/winbind should load the registry if configured
1537 * BUG 14777: do not quote passed argument of configure script
1538 * BUG 14779: Winbind should not start if the socket path is too long
1540 o Stefan Metzmacher <metze@samba.org>
1541 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
1542 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
1544 o Ralph Boehme <slow@samba.org>
1545 * BUG 14700: file owner not available when file unreadable
1547 o Jeremy Allison <jra@samba.org>
1548 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
1549 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
1556 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs