                   ==============================
                   Release Notes for Samba 4.18.1
                   ==============================


This is a security release in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.
                 https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
                 https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
                 https://www.samba.org/samba/security/CVE-2023-0614.html

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15276: CVE-2023-0225.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15270: CVE-2023-0614.
   * BUG 15331: ldb wildcard matching makes excessive allocations.
   * BUG 15332: large_ldap test is inefficient.

o  Rob van der Linde <rob@catalyst.net.nz>
   * BUG 15315: CVE-2023-0922.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15270: CVE-2023-0614.
   * BUG 15276: CVE-2023-0225.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================


Release notes for older releases follow:
----------------------------------------
                   ==============================
                   Release Notes for Samba 4.18.0
                   ==============================

This is the first stable release of the Samba 4.18 release series.
Please read the release notes carefully before upgrading.

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.

While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-------------------------------------

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACEs
-------------------------------------------------

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows the default location to be
redefined. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
to normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL, then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (e.g. local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
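
An added example (not part of the Samba release notes and not Samba code):
a Python audit that reports which smb.conf sections end up storing the NT ACL
outside the default security.NTACL xattr, including shares that inherit the
setting from [global]. The sample configuration and share names are
constructed, and the parser handles only plain "key = value" lines.

```python
# Added example, not Samba code. SAMPLE_CONF and its share names are constructed.
SAMPLE_CONF = """\
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/projects
    acl_xattr:security_acl_name = user.NTACL
[archive]
    path = /srv/archive
    ; no override here, so the default security.NTACL applies
"""

KEY = "acl_xattr:security_acl_name"
DEFAULT_NAME = "security.NTACL"


def parse_sections(text):
    """Return {section: {key: value}} from smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()  # normalised key
    return sections


def audit_acl_xattr_name(text):
    """List (section, xattr_name, risk) where the NT ACL xattr is relocated."""
    sections = parse_sections(text)
    inherited = sections.get("global", {}).get(KEY, DEFAULT_NAME)  # share default
    findings = []
    for name, params in sections.items():
        effective = params.get(KEY, inherited)
        if effective == DEFAULT_NAME:
            continue
        # user.* xattrs are governed by ordinary file permissions, so local,
        # SSH or NFS users may be able to read or overwrite the stored ACL.
        risk = "user-namespace" if effective.startswith("user.") else "non-default"
        findings.append((name, effective, risk))
    return findings


if __name__ == "__main__":
    print(audit_acl_xattr_name(SAMPLE_CONF))
```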

Azure Active Directory / Office365 synchronisation improvements
---------------------------------------------------------------

Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  acl_xattr:security_acl_name             New             security.NTACL


CHANGES SINCE 4.18.0rc4
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 15314: streams_xattr is creating unexpected locks on folders.

o  Volker Lendecke <vl@samba.org>
   * BUG 15310: New samba-dcerpc architecture does not scale gracefully.


CHANGES SINCE 4.18.0rc3
=======================

o  Andreas Schneider <asn@samba.org>
   * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on

o  baixiangcpp <baixiangcpp@gmail.com>
   * BUG 15311: fd_load() function implicitly closes the fd where it should not.


CHANGES SINCE 4.18.0rc2
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 15301: Improve file_modtime() and issues around smb3 unix test.

o  Ralph Boehme <slow@samba.org>
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
     (tevent 0.14.1 and ldb 2.7.1 are already released...)

o  John Mulligan <jmulligan@redhat.com>
   * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
     fsp_get_pathref_fd() in close and fstat.

o  Andreas Schneider <asn@samba.org>
   * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
   * BUG 15301: Improve file_modtime() and issues around smb3 unix test.


CHANGES SINCE 4.18.0rc1
=======================

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 10635: Office365 azure Password Sync not working.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Noel Power <noel.power@suse.com>
   * BUG 15293: With clustering enabled samba-bgqd can core dump due to use

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs