1 ==============================
2 Release Notes for Samba 4.14.6
4 ==============================
7 This is the latest stable release of the Samba 4.14 release series.
13 o Jeremy Allison <jra@samba.org>
14 * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
15 * BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
16 * BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
17 * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
18 change_file_owner_to_parent() error path.
20 o Ralph Boehme <slow@samba.org>
21 * BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
23 * BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
24 * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
26 o Stefan Metzmacher <metze@samba.org>
27 * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
28 * BUG 14752: smbXsrv_{open,session,tcon}: protect
29 smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
31 o Joseph Sutton <josephsutton@catalyst.net.nz>
32 * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
34 * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
38 #######################################
39 Reporting bugs & Development Discussion
40 #######################################
42 Please discuss this release on the samba-technical mailing list or by
43 joining the #samba-technical IRC channel on irc.freenode.net.
45 If you do report problems then please try to send high quality
46 feedback. If you don't provide vital information to help us track down
47 the problem then you will probably be ignored. All bug reports should
48 be filed under the Samba 4.1 and newer product in the project's Bugzilla
49 database (https://bugzilla.samba.org/).
52 ======================================================================
53 == Our Code, Our Bugs, Our Responsibility.
55 ======================================================================
58 Release notes for older releases follow:
59 ----------------------------------------
62 ==============================
63 Release Notes for Samba 4.14.5
65 ==============================
68 This is the latest stable release of the Samba 4.14 release series.
74 o Jeremy Allison <jra@samba.org>
75 * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
76 * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
77 Windows ACL for directory handles.
78 * BUG 14721: s3: smbd: Fix uninitialized memory read in
79 process_symlink_open() when used with vfs_shadow_copy2().
81 o Andrew Bartlett <abartlet@samba.org>
82 * BUG 14689: docs: Expand the "log level" docs on audit logging.
84 o Ralph Boehme <slow@samba.org>
85 * BUG 14714: smbd: Correctly initialize close timestamp fields.
87 o Günther Deschner <gd@samba.org>
88 * BUG 14699: Fix gcc11 compiler issues.
90 o Pavel Filipenský <pfilipen@redhat.com>
91 * BUG 14718: docs-xml: Update smbcacls manpage.
92 * BUG 14719: docs: Update list of available commands in rpcclient.
94 o Volker Lendecke <vl@samba.org>
95 * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
97 o Andreas Schneider <asn@samba.org>
98 * BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
100 * BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
103 #######################################
104 Reporting bugs & Development Discussion
105 #######################################
107 Please discuss this release on the samba-technical mailing list or by
108 joining the #samba-technical IRC channel on irc.freenode.net.
110 If you do report problems then please try to send high quality
111 feedback. If you don't provide vital information to help us track down
112 the problem then you will probably be ignored. All bug reports should
113 be filed under the Samba 4.1 and newer product in the project's Bugzilla
114 database (https://bugzilla.samba.org/).
117 ======================================================================
118 == Our Code, Our Bugs, Our Responsibility.
120 ======================================================================
123 ----------------------------------------------------------------------
126 ==============================
127 Release Notes for Samba 4.14.4
129 ==============================
132 This is a security release in order to address the following defect:
134 o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
135 in the Samba file server process token.
143 The Samba smbd file server must map Windows group identities (SIDs) into unix
144 group ids (gids). The code that performs this had a flaw that could allow it
145 to read data beyond the end of the array in the case where a negative cache
146 entry had been added to the mapping cache. This could cause the calling code
147 to return those values into the process token that stores the group
148 membership for a user.
150 Most commonly this flaw caused the calling code to crash, but an alert user
151 (Peter Eriksson, IT Department, Linköping University) found this flaw by
152 noticing an unprivileged user was able to delete a file within a network
153 share that they should have been disallowed access to.
155 Analysis of the code paths has not allowed us to discover a way for a
156 remote user to be able to trigger this flaw reproducibly or on demand,
157 but this CVE has been issued out of an abundance of caution.
163 o Volker Lendecke <vl@samba.org>
164 * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
167 #######################################
168 Reporting bugs & Development Discussion
169 #######################################
171 Please discuss this release on the samba-technical mailing list or by
172 joining the #samba-technical IRC channel on irc.freenode.net.
174 If you do report problems then please try to send high quality
175 feedback. If you don't provide vital information to help us track down
176 the problem then you will probably be ignored. All bug reports should
177 be filed under the Samba 4.1 and newer product in the project's Bugzilla
178 database (https://bugzilla.samba.org/).
181 ======================================================================
182 == Our Code, Our Bugs, Our Responsibility.
184 ======================================================================
187 ----------------------------------------------------------------------
190 ==============================
191 Release Notes for Samba 4.14.3
193 ==============================
196 This is the latest stable release of the Samba 4.14 release series.
202 o Trever L. Adams <trever.adams@gmail.com>
203 * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
204 vfs_virusfilter_openat.
206 o Andrew Bartlett <abartlet@samba.org>
207 * BUG 14586: build: Notice if flex is missing at configure time.
209 o Ralph Boehme <slow@samba.org>
210 * BUG 14672: Fix smbd panic when two clients open same file.
211 * BUG 14675: Fix memory leak in the RPC server.
212 * BUG 14679: s3: smbd: fix deferred renames.
214 o Samuel Cabrero <scabrero@samba.org>
215 * BUG 14675: s3-iremotewinspool: Set the per-request memory context.
217 o Volker Lendecke <vl@samba.org>
218 * BUG 14675: Fix memory leak in the RPC server.
220 o Stefan Metzmacher <metze@samba.org>
221 * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
222 * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
224 o David Mulder <dmulder@suse.com>
225 * BUG 14665: samba-gpupdate: Test that sysvol paths download in
226 case-insensitive way.
228 o Sachin Prabhu <sprabhu@redhat.com>
229 * BUG 14662: smbd: Ensure errno is preserved across fsp destructor.
231 o Christof Schmitt <cs@samba.org>
232 * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
235 o Martin Schwenke <martin@meltin.net>
236 * BUG 14288: build: Only add -Wl,--as-needed when supported.
239 #######################################
240 Reporting bugs & Development Discussion
241 #######################################
243 Please discuss this release on the samba-technical mailing list or by
244 joining the #samba-technical IRC channel on irc.freenode.net.
246 If you do report problems then please try to send high quality
247 feedback. If you don't provide vital information to help us track down
248 the problem then you will probably be ignored. All bug reports should
249 be filed under the Samba 4.1 and newer product in the project's Bugzilla
250 database (https://bugzilla.samba.org/).
253 ======================================================================
254 == Our Code, Our Bugs, Our Responsibility.
256 ======================================================================
259 ----------------------------------------------------------------------
262 ==============================
263 Release Notes for Samba 4.14.2
265 ==============================
268 This is a follow-up release to depend on the correct ldb version. This is only
269 needed when building against a system ldb library.
271 This is a security release in order to address the following defects:
273 o CVE-2020-27840: Heap corruption via crafted DN strings.
274 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
282 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
283 crafted DNs as part of a bind request. More serious heap corruption is likely
287 User-controlled LDAP filter strings against the AD DC LDAP server may crash
290 For more details, please refer to the security advisories.
296 o Release with dependency on ldb version 2.3.0.
299 #######################################
300 Reporting bugs & Development Discussion
301 #######################################
303 Please discuss this release on the samba-technical mailing list or by
304 joining the #samba-technical IRC channel on irc.freenode.net.
306 If you do report problems then please try to send high quality
307 feedback. If you don't provide vital information to help us track down
308 the problem then you will probably be ignored. All bug reports should
309 be filed under the Samba 4.1 and newer product in the project's Bugzilla
310 database (https://bugzilla.samba.org/).
313 ======================================================================
314 == Our Code, Our Bugs, Our Responsibility.
316 ======================================================================
319 ----------------------------------------------------------------------
322 ==============================
323 Release Notes for Samba 4.14.1
325 ==============================
328 This is a security release in order to address the following defects:
330 o CVE-2020-27840: Heap corruption via crafted DN strings.
331 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
339 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
340 crafted DNs as part of a bind request. More serious heap corruption is likely
344 User-controlled LDAP filter strings against the AD DC LDAP server may crash
347 For more details, please refer to the security advisories.
353 o Andrew Bartlett <abartlet@samba.org>
354 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
356 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
357 * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
359 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
362 #######################################
363 Reporting bugs & Development Discussion
364 #######################################
366 Please discuss this release on the samba-technical mailing list or by
367 joining the #samba-technical IRC channel on irc.freenode.net.
369 If you do report problems then please try to send high quality
370 feedback. If you don't provide vital information to help us track down
371 the problem then you will probably be ignored. All bug reports should
372 be filed under the Samba 4.1 and newer product in the project's Bugzilla
373 database (https://bugzilla.samba.org/).
376 ======================================================================
377 == Our Code, Our Bugs, Our Responsibility.
379 ======================================================================
382 ----------------------------------------------------------------------
385 ==============================
386 Release Notes for Samba 4.14.0
388 ==============================
391 This is the first stable release of the Samba 4.14 release series.
392 Please read the release notes carefully before upgrading.
398 The GPG release key for Samba releases changed from:
400 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
401 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
402 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
403 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
405 to the following new key:
407 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
408 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
409 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
410 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
412 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
414 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
420 Here is a copy of a clarification note added to the Samba code
421 in the file: VFS-License-clarification.txt.
422 --------------------------------------------------------------
424 A clarification of our GNU GPL License enforcement boundary within the Samba
425 Virtual File System (VFS) layer.
427 Samba is licensed under the GNU GPL. All code committed to the Samba
428 project or that creates a "modified version" or software "based on" Samba must
429 be either licensed under the GNU GPL or a compatible license.
431 Samba has several plug-in interfaces where external code may be called
432 from Samba GNU GPL licensed code. The most important of these is the
435 Samba VFS modules are intimately connected by header files and API
436 definitions to the part of the Samba code that provides file services,
437 and as such, code that implements a plug-in Samba VFS module must be
438 licensed under the GNU GPL or a compatible license.
440 However, Samba VFS modules may themselves call third-party external
441 libraries that are not part of the Samba project and are externally
442 developed and maintained.
444 As long as these third-party external libraries do not use any of the
445 Samba internal structure, APIs or interface definitions created by the
446 Samba project (to the extent that they would be considered subject to the GNU
447 GPL), then the Samba Team will not consider such third-party external
448 libraries called from Samba VFS modules as "based on" and/or creating a
449 "modified version" of the Samba code for the purposes of GNU GPL.
450 Accordingly, we do not require such libraries be licensed under the GNU GPL
451 or a GNU GPL compatible license.
456 The effort to modernize Samba's VFS interface has reached a major milestone with
457 the next release Samba 4.14.
459 For details please refer to the documentation at source3/modules/The_New_VFS.txt or
460 visit the <https://wiki.samba.org/index.php/The_New_VFS>.
465 Publishing printers in AD is more reliable and more printer features are
466 added to the published information in AD. Samba now also supports Windows
467 drivers for the ARM64 architecture.
471 This release extends Samba to support Group Policy functionality for Winbind
472 clients. Active Directory Administrators can set policies that apply Sudoers
473 configuration, and cron jobs to run hourly, daily, weekly or monthly.
475 To enable the application of Group Policies on a client, set the global
476 smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
477 interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
479 Policies applied by Samba are 'non-tattooing', meaning that changes can be
480 reverted by executing the `samba-gpupdate --unapply` command. Policies can be
481 re-applied using the `samba-gpupdate --force` command.
482 To view what policies have been or will be applied to a system, use the
483 `samba-gpupdate --rsop` command.
485 Administration of Samba policy requires that a Samba ADMX template be uploaded
486 to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
487 provided as a convenient method for adding this policy. Once uploaded, policies
488 can be modified in the Group Policy Management Editor under Computer
489 Configuration/Policies/Administrative Templates. Alternatively, Samba policy
490 may be managed using the `samba-tool gpo manage` command. This tool does not
491 require the admx templates to be installed.
493 Python 3.6 or later required
494 ----------------------------
496 Samba's minimum runtime requirement for python was raised to Python
497 3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python
498 3.6 also to build Samba. It is no longer possible to build Samba
499 (even just the file server) with Python versions 2.6 and 2.7.
501 As Python 2.7 has been End Of Life upstream since April 2020, Samba
502 is dropping ALL Python 2.x support in this release.
504 Miscellaneous samba-tool changes
505 --------------------------------
507 The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
508 groups) now consistently use the "add" command when adding a new object to
509 the AD. The previous deprecation warnings when using the 'add' commands
510 have been removed. For compatibility reasons, both the 'add' and 'create'
511 commands can be used now.
513 Users, groups and contacts can now be renamed with the respective rename
516 Locked users can be unlocked with the new 'samba-tool user unlock' command.
518 The 'samba-tool user list' and 'samba-tool group listmembers' commands
519 provide additional options to hide expired and disabled user accounts
520 (--hide-expired and --hide-disabled).
526 * The NAT gateway and LVS features now uses the term "leader" to refer
527 to the main node in a group through which traffic is routed and
528 "follower" for other members of a group. The command for
529 determining the leader has changed to "ctdb natgw leader" (from
530 "ctdb natgw master"). The configuration keyword for indicating that
531 a node can not be the leader of a group has changed to
532 "follower-only" (from "slave-only"). Identical changes were made
535 * Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's
536 scripts and can be checked by users with "ctdb pnn" and "ctdb
543 Parameter Name Description Default
544 -------------- ----------- -------
546 async dns timeout New 10
547 client smb encrypt New default
548 honor change notify privilege New No
549 smbd force process locks New No
550 server smb encrypt New default
553 CHANGES SINCE 4.14.0rc4
554 =======================
556 o Trever L. Adams <trever.adams@gmail.com>
557 * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
560 o Peter Eriksson <pen@lysator.liu.se>
561 * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
564 o Volker Lendecke <vl@samba.org>
565 * BUG 14636: g_lock: Fix uninitalized variable reads.
568 CHANGES SINCE 4.14.0rc3
569 =======================
571 o Jeremy Allison <jra@samba.org>
572 * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
573 force a full reload of services.
575 o Andrew Bartlett <abartlet@samba.org>
576 * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
579 o Ralph Boehme <slow@samba.org>
580 * BUG 14619: vfs: Restore platform specific POSIX sys_acl_set_file()
582 * BUG 14620: Fix the build on AIX.
583 * BUG 14629: smbd: Don't overwrite _mode if neither a msdfs symlink nor
584 get_dosmode is requested.
585 * BUG 14635: Fix printer driver upload.
588 CHANGES SINCE 4.14.0rc2
589 =======================
591 o Björn Jacke <bj@sernet.de>
592 * BUG 14624: classicupgrade: Treat old never expires value right.
594 o Stefan Metzmacher <metze@samba.org>
595 * BUG 13898: s3:pysmbd: fix fd leak in py_smbd_create_file().
597 o Andreas Schneider <asn@samba.org>
598 * BUG 14625: Fix smbd share mode double free crash.
600 o Paul Wise <pabs3@bonedaddy.net>
601 * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
604 CHANGES SINCE 4.14.0rc1
605 =======================
607 o Jeremy Allison <jra@samba.org>
608 * BUG 13992: Fix SAMBA RPC share error.
610 o Ralph Boehme <slow@samba.org>
611 * BUG 14602: "winbind:ignore domains" doesn't prevent user login from trusted
613 * BUG 14617: smbd tries to delete files with wrong permissions (uses guest
614 instead of user from force user =).
616 o Stefan Metzmacher <metze@samba.org>
617 * BUG 14539: s3:idmap_hash: Reliably return ID_TYPE_BOTH.
619 o Andreas Schneider <asn@samba.org>
620 * BUG 14627: s3:smbd: Fix invalid memory access in
621 posix_sys_acl_blob_get_fd().
627 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.14#Release_blocking_bugs
630 #######################################
631 Reporting bugs & Development Discussion
632 #######################################
634 Please discuss this release on the samba-technical mailing list or by
635 joining the #samba-technical IRC channel on irc.freenode.net.
637 If you do report problems then please try to send high quality
638 feedback. If you don't provide vital information to help us track down
639 the problem then you will probably be ignored. All bug reports should
640 be filed under the Samba 4.1 and newer product in the project's Bugzilla
641 database (https://bugzilla.samba.org/).
644 ======================================================================
645 == Our Code, Our Bugs, Our Responsibility.
647 ======================================================================