1 ===============================
2 Release Notes for Samba 4.16.11
4 ===============================
7 This is a security release in order to address the following defects:
9 o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
10 crafted request can trigger an out-of-bounds read in winbind
11 and possibly crash it.
12 https://www.samba.org/samba/security/CVE-2022-2127.html
14 o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
15 Spotlight can be triggered by an unauthenticated attacker by
16 issuing a malformed RPC request.
17 https://www.samba.org/samba/security/CVE-2023-34966.html
19 o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
20 Spotlight can be used by an unauthenticated attacker to
21 trigger a process crash in a shared RPC mdssvc worker process.
22 https://www.samba.org/samba/security/CVE-2023-34967.html
24 o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
25 side absolute path of shares and files and directories in
27 https://www.samba.org/samba/security/CVE-2023-34968.html
33 o Ralph Boehme <slow@samba.org>
34 * BUG 15072: CVE-2022-2127.
35 * BUG 15340: CVE-2023-34966.
36 * BUG 15341: CVE-2023-34967.
37 * BUG 15388: CVE-2023-34968.
39 o Samuel Cabrero <scabrero@samba.org>
40 * BUG 15072: CVE-2022-2127.
42 o Volker Lendecke <vl@samba.org>
43 * BUG 15072: CVE-2022-2127.
45 o Stefan Metzmacher <metze@samba.org>
46 * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
49 #######################################
50 Reporting bugs & Development Discussion
51 #######################################
53 Please discuss this release on the samba-technical mailing list or by
54 joining the #samba-technical:matrix.org matrix room, or
55 #samba-technical IRC channel on irc.libera.chat.
57 If you do report problems then please try to send high quality
58 feedback. If you don't provide vital information to help us track down
59 the problem then you will probably be ignored. All bug reports should
60 be filed under the Samba 4.1 and newer product in the project's Bugzilla
61 database (https://bugzilla.samba.org/).
64 ======================================================================
65 == Our Code, Our Bugs, Our Responsibility.
67 ======================================================================
70 Release notes for older releases follow:
71 ----------------------------------------
72 ===============================
73 Release Notes for Samba 4.16.10
75 ===============================
78 This is a security release in order to address the following defects:
80 o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
81 remote LDAP server, will by default send new or reset
82 passwords over a signed-only connection.
83 https://www.samba.org/samba/security/CVE-2023-0922.html
85 o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
86 Confidential attribute disclosure via LDAP filters was
87 insufficient and an attacker may be able to obtain
88 confidential BitLocker recovery keys from a Samba AD DC.
89 Installations with such secrets in their Samba AD should
90 assume they have been obtained and need replacing.
91 https://www.samba.org/samba/security/CVE-2023-0614.html
97 o Andrew Bartlett <abartlet@samba.org>
98 * BUG 15270: VE-2023-0614.
99 * BUG 15331: ldb wildcard matching makes excessive allocations.
100 * BUG 15332: large_ldap test is inefficient.
102 o Rob van der Linde <rob@catalyst.net.nz>
103 * BUG 15315: CVE-2023-0922.
105 o Joseph Sutton <josephsutton@catalyst.net.nz>
106 * BUG 15270: CVE-2023-0614.
109 #######################################
110 Reporting bugs & Development Discussion
111 #######################################
113 Please discuss this release on the samba-technical mailing list or by
114 joining the #samba-technical:matrix.org matrix room, or
115 #samba-technical IRC channel on irc.libera.chat.
117 If you do report problems then please try to send high quality
118 feedback. If you don't provide vital information to help us track down
119 the problem then you will probably be ignored. All bug reports should
120 be filed under the Samba 4.1 and newer product in the project's Bugzilla
121 database (https://bugzilla.samba.org/).
124 ======================================================================
125 == Our Code, Our Bugs, Our Responsibility.
127 ======================================================================
130 ----------------------------------------------------------------------
131 ==============================
132 Release Notes for Samba 4.16.9
134 ==============================
137 This is the latest stable release of the Samba 4.16 release series.
143 o Jeremy Allison <jra@samba.org>
144 * BUG 14808: smbc_getxattr() return value is incorrect.
145 * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
147 * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
148 * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
149 DC when there is only an AAAA record for the DC in DNS.
150 * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
152 o Ralph Boehme <slow@samba.org>
153 * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
155 o Samuel Cabrero <scabrero@suse.de>
156 * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
157 based SChannel on NETLOGON.
159 o Volker Lendecke <vl@samba.org>
160 * BUG 15243: %U for include directive doesn't work for share listing
162 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
163 * BUG 15269: ctdb: use-after-free in run_proc.
165 o Stefan Metzmacher <metze@samba.org>
166 * BUG 15243: %U for include directive doesn't work for share listing
168 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
169 * BUG 15280: irpc_destructor may crash during shutdown.
170 * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
172 o Andreas Schneider <asn@samba.org>
173 * BUG 15268: smbclient segfaults with use after free on an optimized build.
175 o Andrew Walker <awalker@ixsystems.com>
176 * BUG 15164: Leak in wbcCtxPingDc2.
177 * BUG 15265: Access based share enum does not work in Samba 4.16+.
178 * BUG 15267: Crash during share enumeration.
179 * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
180 end of returned buffer.
183 #######################################
184 Reporting bugs & Development Discussion
185 #######################################
187 Please discuss this release on the samba-technical mailing list or by
188 joining the #samba-technical:matrix.org matrix room, or
189 #samba-technical IRC channel on irc.libera.chat.
192 If you do report problems then please try to send high quality
193 feedback. If you don't provide vital information to help us track down
194 the problem then you will probably be ignored. All bug reports should
195 be filed under the Samba 4.1 and newer product in the project's Bugzilla
196 database (https://bugzilla.samba.org/).
199 ======================================================================
200 == Our Code, Our Bugs, Our Responsibility.
202 ======================================================================
205 ----------------------------------------------------------------------
206 ==============================
207 Release Notes for Samba 4.16.8
209 ==============================
212 This is the latest stable release of the Samba 4.16 release series.
213 It also contains security changes in order to address the following defects
215 o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
216 RC4-HMAC Elevation of Privilege Vulnerability
217 disclosed by Microsoft on Nov 8 2022.
219 A Samba Active Directory DC will issue weak rc4-hmac
220 session keys for use between modern clients and servers
221 despite all modern Kerberos implementations supporting
222 the aes256-cts-hmac-sha1-96 cipher.
224 On Samba Active Directory DCs and members
225 'kerberos encryption types = legacy' would force
226 rc4-hmac as a client even if the server supports
227 aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
229 https://www.samba.org/samba/security/CVE-2022-37966.html
231 o CVE-2022-37967: This is the Samba CVE for the Windows
232 Kerberos Elevation of Privilege Vulnerability
233 disclosed by Microsoft on Nov 8 2022.
235 A service account with the special constrained
236 delegation permission could forge a more powerful
237 ticket than the one it was presented with.
239 https://www.samba.org/samba/security/CVE-2022-37967.html
241 o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
242 same algorithms as rc4-hmac cryptography in Kerberos,
243 and so must also be assumed to be weak.
245 https://www.samba.org/samba/security/CVE-2022-38023.html
247 Note that there are several important behavior changes
248 included in this release, which may cause compatibility problems
249 interacting with system still expecting the former behavior.
250 Please read the advisories of CVE-2022-37966,
251 CVE-2022-37967 and CVE-2022-38023 carefully!
253 samba-tool got a new 'domain trust modify' subcommand
254 -----------------------------------------------------
256 This allows "msDS-SupportedEncryptionTypes" to be changed
257 on trustedDomain objects. Even against remote DCs (including Windows)
258 using the --local-dc-ipaddress= (and other --local-dc-* options).
259 See 'samba-tool domain trust modify --help' for further details.
264 Parameter Name Description Default
265 -------------- ----------- -------
266 allow nt4 crypto Deprecated no
267 allow nt4 crypto:COMPUTERACCOUNT New
268 kdc default domain supported enctypes New (see manpage)
269 kdc supported enctypes New (see manpage)
270 kdc force enable rc4 weak session keys New No
271 reject md5 clients New Default, Deprecated Yes
272 reject md5 servers New Default, Deprecated Yes
273 server schannel Deprecated Yes
274 server schannel require seal New, Deprecated Yes
275 server schannel require seal:COMPUTERACCOUNT New
276 winbind sealed pipes Deprecated Yes
281 o Jeremy Allison <jra@samba.org>
282 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
285 o Andrew Bartlett <abartlet@samba.org>
286 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
287 user-controlled pointer in FAST.
288 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
289 * BUG 15237: CVE-2022-37966.
290 * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
292 o Ralph Boehme <slow@samba.org>
293 * BUG 15240: CVE-2022-38023.
294 * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
296 o Stefan Metzmacher <metze@samba.org>
297 * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
299 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
301 * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
303 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
304 * BUG 15230: Memory leak in snprintf replacement functions.
305 * BUG 15237: CVE-2022-37966.
306 * BUG 15240: CVE-2022-38023.
307 * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
308 (CVE-2021-20251 regression).
310 o Noel Power <noel.power@suse.com>
311 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
314 o Andreas Schneider <asn@samba.org>
315 * BUG 15237: CVE-2022-37966.
316 * BUG 15243: %U for include directive doesn't work for share listing
318 * BUG 15257: Stack smashing in net offlinejoin requestodj.
320 o Joseph Sutton <josephsutton@catalyst.net.nz>
321 * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
322 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
323 * BUG 15231: CVE-2022-37967.
324 * BUG 15237: CVE-2022-37966.
326 o Nicolas Williams <nico@twosigma.com>
327 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
328 user-controlled pointer in FAST.
331 #######################################
332 Reporting bugs & Development Discussion
333 #######################################
335 Please discuss this release on the samba-technical mailing list or by
336 joining the #samba-technical:matrix.org matrix room, or
337 #samba-technical IRC channel on irc.libera.chat.
340 If you do report problems then please try to send high quality
341 feedback. If you don't provide vital information to help us track down
342 the problem then you will probably be ignored. All bug reports should
343 be filed under the Samba 4.1 and newer product in the project's Bugzilla
344 database (https://bugzilla.samba.org/).
347 ======================================================================
348 == Our Code, Our Bugs, Our Responsibility.
350 ======================================================================
353 ----------------------------------------------------------------------
354 ==============================
355 Release Notes for Samba 4.16.7
357 ==============================
360 This is a security release in order to address the following defects:
362 o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
363 integer overflows when parsing a PAC on a 32-bit system, which
364 allowed an attacker with a forged PAC to corrupt the heap.
365 https://www.samba.org/samba/security/CVE-2022-42898.html
370 o Joseph Sutton <josephsutton@catalyst.net.nz>
371 * BUG 15203: CVE-2022-42898
373 o Nicolas Williams <nico@twosigma.com>
374 * BUG 15203: CVE-2022-42898
377 #######################################
378 Reporting bugs & Development Discussion
379 #######################################
381 Please discuss this release on the samba-technical mailing list or by
382 joining the #samba-technical:matrix.org matrix room, or
383 #samba-technical IRC channel on irc.libera.chat.
386 If you do report problems then please try to send high quality
387 feedback. If you don't provide vital information to help us track down
388 the problem then you will probably be ignored. All bug reports should
389 be filed under the Samba 4.1 and newer product in the project's Bugzilla
390 database (https://bugzilla.samba.org/).
393 ======================================================================
394 == Our Code, Our Bugs, Our Responsibility.
396 ======================================================================
399 ----------------------------------------------------------------------
400 ==============================
401 Release Notes for Samba 4.16.6
403 ==============================
406 This is a security release in order to address the following defect:
408 o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
409 unwrap_des() and unwrap_des3() routines of Heimdal (included
411 https://www.samba.org/samba/security/CVE-2022-3437.html
414 ---------------------
416 o Joseph Sutton <josephsutton@catalyst.net.nz>
417 * BUG 15134: CVE-2022-3437.
420 #######################################
421 Reporting bugs & Development Discussion
422 #######################################
424 Please discuss this release on the samba-technical mailing list or by
425 joining the #samba-technical:matrix.org matrix room, or
426 #samba-technical IRC channel on irc.libera.chat.
428 If you do report problems then please try to send high quality
429 feedback. If you don't provide vital information to help us track down
430 the problem then you will probably be ignored. All bug reports should
431 be filed under the Samba 4.1 and newer product in the project's Bugzilla
432 database (https://bugzilla.samba.org/).
435 ======================================================================
436 == Our Code, Our Bugs, Our Responsibility.
438 ======================================================================
441 ----------------------------------------------------------------------
442 ==============================
443 Release Notes for Samba 4.16.5
445 ==============================
448 This is the latest stable release of the Samba 4.16 release series.
454 o Jeremy Allison <jra@samba.org>
455 * BUG 15128: Possible use after free of connection_struct when iterating
456 smbd_server_connection->connections.
458 o Ralph Boehme <slow@samba.org>
459 * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
461 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
462 permissions instead of ACL from xattr.
463 * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
464 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
465 ../../lib/util/fault.c:197.
467 o Stefan Metzmacher <metze@samba.org>
468 * BUG 15148: Missing READ_LEASE break could cause data corruption.
470 o Andreas Schneider <asn@samba.org>
471 * BUG 15124: rpcclient can crash using setuserinfo(2).
472 * BUG 15132: Samba fails to build with glibc 2.36 caused by including
473 <sys/mount.h> in libreplace.
475 o Joseph Sutton <josephsutton@catalyst.net.nz>
476 * BUG 15152: SMB1 negotiation can fail to handle connection errors.
478 o Michael Tokarev <mjt@tls.msk.ru>
479 * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
482 #######################################
483 Reporting bugs & Development Discussion
484 #######################################
486 Please discuss this release on the samba-technical mailing list or by
487 joining the #samba-technical:matrix.org matrix room, or
488 #samba-technical IRC channel on irc.libera.chat.
491 If you do report problems then please try to send high quality
492 feedback. If you don't provide vital information to help us track down
493 the problem then you will probably be ignored. All bug reports should
494 be filed under the Samba 4.1 and newer product in the project's Bugzilla
495 database (https://bugzilla.samba.org/).
498 ======================================================================
499 == Our Code, Our Bugs, Our Responsibility.
501 ======================================================================
504 ----------------------------------------------------------------------
505 ==============================
506 Release Notes for Samba 4.16.4
508 ==============================
511 This is a security release in order to address the following defects:
513 o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
515 https://www.samba.org/samba/security/CVE-2022-2031.html
517 o CVE-2022-32744: Samba AD users can forge password change requests for any user.
518 https://www.samba.org/samba/security/CVE-2022-32744.html
520 o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
522 https://www.samba.org/samba/security/CVE-2022-32745.html
524 o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
525 process with an LDAP add or modify request.
526 https://www.samba.org/samba/security/CVE-2022-32746.html
528 o CVE-2022-32742: Server memory information leak via SMB1.
529 https://www.samba.org/samba/security/CVE-2022-32742.html
534 o Jeremy Allison <jra@samba.org>
535 * BUG 15085: CVE-2022-32742.
537 o Andrew Bartlett <abartlet@samba.org>
538 * BUG 15009: CVE-2022-32746.
540 o Andreas Schneider <asn@samba.org>
541 * BUG 15047: CVE-2022-2031.
543 o Joseph Sutton <josephsutton@catalyst.net.nz>
544 * BUG 15008: CVE-2022-32745.
545 * BUG 15009: CVE-2022-32746.
546 * BUG 15047: CVE-2022-2031.
547 * BUG 15074: CVE-2022-32744.
550 #######################################
551 Reporting bugs & Development Discussion
552 #######################################
554 Please discuss this release on the samba-technical mailing list or by
555 joining the #samba-technical:matrix.org matrix room, or
556 #samba-technical IRC channel on irc.libera.chat.
558 If you do report problems then please try to send high quality
559 feedback. If you don't provide vital information to help us track down
560 the problem then you will probably be ignored. All bug reports should
561 be filed under the Samba 4.1 and newer product in the project's Bugzilla
562 database (https://bugzilla.samba.org/).
565 ======================================================================
566 == Our Code, Our Bugs, Our Responsibility.
568 ======================================================================
571 ----------------------------------------------------------------------
572 ==============================
573 Release Notes for Samba 4.16.3
575 ==============================
578 This is the latest stable release of the Samba 4.16 release series.
584 o Jeremy Allison <jra@samba.org>
585 * BUG 15099: Using vfs_streams_xattr and deleting a file causes a panic.
587 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
588 * BUG 14986: Add support for bind 9.18.
589 * BUG 15076: logging dsdb audit to specific files does not work.
591 o Samuel Cabrero <scabrero@samba.org>
592 * BUG 14979: Problem when winbind renews Kerberos.
593 * BUG 15095: Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
596 o Volker Lendecke <vl@samba.org>
597 * BUG 15105: Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL.
598 * BUG 15118: Crash in rpcd_classic - NULL pointer deference in
601 o Noel Power <noel.power@suse.com>
602 * BUG 15100: smbclient commands del & deltree fail with
603 NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
605 o Christof Schmitt <cs@samba.org>
606 * BUG 15120: Fix check for chown when processing NFSv4 ACL.
608 o Andreas Schneider <asn@samba.org>
609 * BUG 15082: The pcap background queue process should not be stopped.
610 * BUG 15097: testparm: Fix typo in idmap rangesize check.
611 * BUG 15106: net ads info returns LDAP server and LDAP server name as null.
612 * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
614 o Martin Schwenke <martin@meltin.net>
615 * BUG 15090: CTDB child process logging does not work as expected.
618 #######################################
619 Reporting bugs & Development Discussion
620 #######################################
622 Please discuss this release on the samba-technical mailing list or by
623 joining the #samba-technical:matrix.org matrix room, or
624 #samba-technical IRC channel on irc.libera.chat.
626 If you do report problems then please try to send high quality
627 feedback. If you don't provide vital information to help us track down
628 the problem then you will probably be ignored. All bug reports should
629 be filed under the Samba 4.1 and newer product in the project's Bugzilla
630 database (https://bugzilla.samba.org/).
633 ======================================================================
634 == Our Code, Our Bugs, Our Responsibility.
636 ======================================================================
639 ----------------------------------------------------------------------
640 ==============================
641 Release Notes for Samba 4.16.2
643 ==============================
646 This is the latest stable release of the Samba 4.16 release series.
652 o Jeremy Allison <jra@samba.org>
653 * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
655 o Ralph Boehme <slow@samba.org>
656 * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
657 file had been deleted.
659 o Samuel Cabrero <scabrero@samba.org>
660 * BUG 15087: netgroups support removed.
662 o Samuel Cabrero <scabrero@suse.de>
663 * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
666 o Volker Lendecke <vl@samba.org>
667 * BUG 15062: Update from 4.15 to 4.16 breaks discovery of [homes] on
668 standalone server from Win and IOS.
670 o Stefan Metzmacher <metze@samba.org>
671 * BUG 15071: waf produces incorrect names for python extensions with Python
674 o Noel Power <noel.power@suse.com>
675 * BUG 15075: smbclient -E doesn't work as advertised.
677 o Andreas Schneider <asn@samba.org>
678 * BUG 15071: waf produces incorrect names for python extensions with Python
680 * BUG 15081: The samba background daemon doesn't refresh the printcap cache
683 o Robert Sprowson <webpages@sprow.co.uk>
684 * BUG 14443: Out-by-4 error in smbd read reply max_send clamp..
687 #######################################
688 Reporting bugs & Development Discussion
689 #######################################
691 Please discuss this release on the samba-technical mailing list or by
692 joining the #samba-technical:matrix.org matrix room, or
693 #samba-technical IRC channel on irc.libera.chat.
695 If you do report problems then please try to send high quality
696 feedback. If you don't provide vital information to help us track down
697 the problem then you will probably be ignored. All bug reports should
698 be filed under the Samba 4.1 and newer product in the project's Bugzilla
699 database (https://bugzilla.samba.org/).
702 ======================================================================
703 == Our Code, Our Bugs, Our Responsibility.
705 ======================================================================
708 ----------------------------------------------------------------------
709 ==============================
710 Release Notes for Samba 4.16.1
712 ==============================
715 This is the latest stable release of the Samba 4.16 release series.
721 o Jeremy Allison <jra@samba.org>
722 * BUG 14831: Share and server swapped in smbget password prompt.
723 * BUG 15022: Durable handles won't reconnect if the leased file is written
725 * BUG 15023: rmdir silently fails if directory contains unreadable files and
726 hide unreadable is yes.
727 * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
730 o Andrew Bartlett <abartlet@samba.org>
731 * BUG 8731: Need to describe --builtin-libraries= better (compare with
732 --bundled-libraries).
734 o Ralph Boehme <slow@samba.org>
735 * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
736 * BUG 15035: shadow_copy2 fails listing snapshotted dirs with
739 o Samuel Cabrero <scabrero@samba.org>
740 * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
743 o Pavel Filipenský <pfilipen@redhat.com>
744 * BUG 15041: Username map - samba erroneously applies unix group memberships
745 to user account entries.
747 o Stefan Metzmacher <metze@samba.org>
748 * BUG 14951: KVNO off by 100000.
750 o Christof Schmitt <cs@samba.org>
751 * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
752 * BUG 15055: vfs_gpfs recalls=no option prevents listing files.
754 o Andreas Schneider <asn@cryptomilk.org>
755 * BUG 15054: smbd doesn't handle UPNs for looking up names.
758 #######################################
759 Reporting bugs & Development Discussion
760 #######################################
762 Please discuss this release on the samba-technical mailing list or by
763 joining the #samba-technical:matrix.org matrix room, or
764 #samba-technical IRC channel on irc.libera.chat.
766 If you do report problems then please try to send high quality
767 feedback. If you don't provide vital information to help us track down
768 the problem then you will probably be ignored. All bug reports should
769 be filed under the Samba 4.1 and newer product in the project's Bugzilla
770 database (https://bugzilla.samba.org/).
773 ======================================================================
774 == Our Code, Our Bugs, Our Responsibility.
776 ======================================================================
779 ----------------------------------------------------------------------
780 ==============================
781 Release Notes for Samba 4.16.0
783 ==============================
785 This is the first stable release of the Samba 4.16 release series.
786 Please read the release notes carefully before upgrading.
792 New samba-dcerpcd binary to provide DCERPC in the member server setup
793 ---------------------------------------------------------------------
795 In order to make it much easier to break out the DCERPC services
796 from smbd, a new samba-dcerpcd binary has been created.
798 samba-dcerpcd can be used in two ways. In the normal case without
799 startup script modification it is invoked on demand from smbd or
800 winbind --np-helper to serve DCERPC over named pipes. Note that
801 in order to run in this mode the smb.conf [global] section has
802 a new parameter "rpc start on demand helpers = [true|false]".
803 This parameter is set to "true" by default, meaning no changes to
804 smb.conf files are needed to run samba-dcerpcd on demand as a named
807 It can also be used in a standalone mode where it is started
808 separately from smbd or winbind but this requires changes to system
809 startup scripts, and in addition a change to smb.conf, setting the new
810 [global] parameter "rpc start on demand helpers = false". If "rpc
811 start on demand helpers" is not set to false, samba-dcerpcd will
812 refuse to start in standalone mode.
814 Note that when Samba is run in the Active Directory Domain Controller
815 mode the samba binary that provides the AD code will still provide its
816 normal DCERPC services whilst allowing samba-dcerpcd to provide
817 services like SRVSVC in the same way that smbd used to in this
820 The parameters that allowed some smbd-hosted services to be started
821 externally are now gone (detailed below) as this is now the default
824 samba-dcerpcd can also be useful for use outside of the Samba
825 framework, for example, use with the Linux kernel SMB2 server ksmbd or
826 possibly other SMB2 server implementations.
828 Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
829 ------------------------------------------------------------------
831 Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
832 implementation. This snapshot has now been updated and will closely
833 match what will be released as Heimdal 8.0 shortly.
835 This is a major update, previously we used a snapshot of Heimdal from
836 2011, and brings important new Kerberos security features such as
837 Kerberos request armoring, known as FAST. This tunnels ticket
838 requests and replies that might be encrypted with a weak password
839 inside a wrapper built with a stronger password, say from a machine
842 In Heimdal and MIT modes Samba's KDC now supports FAST, for the
843 support of non-Windows clients.
845 Windows clients will not use this feature however, as they do not
846 attempt to do so against a server not advertising domain Functional
847 Level 2012. Samba users are of course free to modify how Samba
848 advertises itself, but use with Windows clients is not supported "out
851 Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
852 the FAST protocol. A future version will align this more closely with
853 Microsoft AD behaviour.
855 If FAST needs to be disabled on your Samba KDC, set
861 The Samba project wishes to thank the numerous developers who have put
862 in a massive effort to make this possible over many years. In
863 particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
864 Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank
865 their employers and in turn their customers who have supported this
866 effort over many years.
868 Certificate Auto Enrollment
869 ---------------------------
871 Certificate Auto Enrollment allows devices to enroll for certificates from
872 Active Directory Certificate Services. It is enabled by Group Policy.
873 To enable Certificate Auto Enrollment, Samba's group policy will need to be
874 enabled by setting the smb.conf option `apply group policies` to Yes. Samba
875 Certificate Auto Enrollment depends on certmonger, the cepces certmonger
876 plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
877 certmonger paired with cepces to monitor the host certificate templates.
878 Certificates are installed in /var/lib/samba/certs and private keys are
879 installed in /var/lib/samba/private/certs.
881 Ability to add ports to dns forwarder addresses in internal DNS backend
882 -----------------------------------------------------------------------
884 The internal DNS server of Samba forwards queries non-AD zones to one or more
885 configured forwarders. Up until now it has been assumed that these forwarders
886 listen on port 53. Starting with this version it is possible to configure the
887 port using host:port notation. See smb.conf for more details. Existing setups
888 are not affected, as the default port is 53.
893 * The "recovery master" role has been renamed "leader"
895 Documentation and logs now refer to "leader".
897 The following ctdb tool command names have changed:
900 setrecmasterrole -> setleaderrole
902 Command output has changed for the following commands:
907 The "[legacy] -> recmaster capability" configuration option has been
908 renamed and moved to the cluster section, so this is now:
910 [cluster] -> leader capability
912 * The "recovery lock" has been renamed "cluster lock"
914 Documentation and logs now refer to "cluster lock".
916 The "[cluster] -> recovery lock" configuration option has been
917 deprecated and will be removed in a future version. Please use
918 "[cluster] -> cluster lock" instead.
920 If the cluster lock is enabled then traditional elections are not
921 done and leader elections use a race for the cluster lock. This
922 avoids various conditions where a node is elected leader but can not
923 take the cluster lock. Such conditions included:
925 - At startup, a node elects itself leader of its own cluster before
926 connecting to other nodes
928 - Cluster filesystem failover is slow
930 The abbreviation "reclock" is still used in many places, because a
931 better abbreviation eludes us (i.e. "clock" is obvious bad) and
932 changing all instances would require a lot of churn. If the
933 abbreviation "reclock" for "cluster lock" is confusing, please
934 consider mentally prefixing it with "really excellent".
936 * CTDB now uses leader broadcasts and an associated timeout to
937 determine if an election is required
939 The leader broadcast timeout can be configured via new configuration
942 [cluster] -> leader timeout
944 This specifies the number of seconds without leader broadcasts
945 before a node calls an election. The default is 5.
951 Older SMB1 protocol SMBCopy command removed
952 -------------------------------------------
954 SMB is a nearly 30-year old protocol, and some protocol commands that
955 while supported in all versions, have not seen widespread use.
957 One of those is SMBCopy, a feature for a server-side copy of a file.
958 This feature has been so unmaintained that Samba has no testsuite for
961 The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
962 introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
963 in the NT LAN Manager dialect.
965 Therefore it has been removed from the Samba smbd server.
967 We do note that a fully supported and tested server-side copy is
968 present in SMB2, and can be accessed with "scopy" subcommand in
971 SMB1 server-side wildcard expansion removed
972 -------------------------------------------
974 Server-side wildcard expansion is another feature that sounds useful,
975 but is also rarely used and has become problematic - imposing extra
976 work on the server (both in terms of code and CPU time).
978 In actual OS design, wildcard expansion is handled in the local shell,
979 not at the remote server using SMB wildcard syntax (which is not shell
982 In Samba 4.16 the ability to process file name wildcards in requests
983 using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
984 SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
985 command number 0x6) has been removed.
987 SMB1 protocol has been deprecated, particularly older dialects
988 --------------------------------------------------------------
990 We take this opportunity to remind that we have deprecated and
991 disabled by default, but not removed, the whole SMB1 protocol since
992 Samba 4.11. If needed for security purposes or code maintenance we
993 will continue to remove older protocol commands and dialects that are
994 unused or have been replaced in more modern SMB1 versions.
996 We specifically deprecate the older dialects older than "NT LM 0.12"
997 (also known as "NT LANMAN 1.0" and "NT1").
999 Please note that "NT LM 0.12" is the dialect used by software as old
1000 as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
1001 to DOS and similar era clients.
1003 We do reassure that that 'simple' operation of older clients than
1004 these (eg DOS) will, while untested, continue for the near future, our
1005 purpose is not to cripple use of Samba in unique situations, but to
1006 reduce the maintaince burden.
1008 Eventually SMB1 as a whole will be removed, but no broader change is
1011 In the rare case where the above changes cause incompatibilities,
1012 users requiring support for these features will need to use older
1015 No longer using Linux mandatory locks for sharemodes
1016 ====================================================
1018 smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
1019 was broken for a long time, and is planned to be removed with Linux 5.15. This
1020 Samba release removes the usage of mandatory locks for sharemodes and the
1021 "kernel share modes" config parameter is changed to default to "no". The Samba
1022 VFS interface is kept, so that file-system specific VFS modules can still use
1023 private calls for enforcing sharemodes.
1029 Parameter Name Description Default
1030 -------------- ----------- -------
1031 kernel share modes New default No
1032 dns forwarder Changed
1035 rpc start on demand helpers Added true
1038 CHANGES SINCE 4.16.0rc5
1039 =======================
1041 o Andrew Bartlett <abartlet@samba.org>
1042 * BUG 15000: Memory leak in FAST cookie handling.
1044 o Elia Geretto <elia.f.geretto@gmail.com>
1045 * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
1046 in SMBC_server_internal.
1048 o Stefan Metzmacher <metze@samba.org>
1049 * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
1051 * BUG 14641: Crash of winbind on RODC.
1052 * BUG 15001: LDAP simple binds should honour "old password allowed period".
1053 * BUG 15002: S4U2Self requests don't work against servers without FAST
1055 * BUG 15003: wbinfo -a doesn't work reliable with upn names.
1056 * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and
1058 * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
1061 o Garming Sam <garming@catalyst.net.nz>
1062 * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
1065 o Andreas Schneider <asn@samba.org>
1066 * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
1069 o Joseph Sutton <josephsutton@catalyst.net.nz>
1070 * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
1074 CHANGES SINCE 4.16.0rc4
1075 =======================
1077 o Jeremy Allison <jra@samba.org>
1078 * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
1079 objects with same lease key.
1081 o Jule Anger <janger@samba.org>
1082 * BUG 14999: Listing shares with smbstatus no longer works.
1084 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
1085 * BUG 14996: Fix ldap simple bind with TLS auditing.
1087 o Andrew Bartlett <abartlet@samba.org>
1088 * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
1090 o Volker Lendecke <vl@samba.org>
1091 * BUG 14989: Fix a use-after-free in SMB1 server.
1093 o Stefan Metzmacher <metze@samba.org>
1094 * BUG 14865: Uncached logon on RODC always fails once.
1095 * BUG 14984: Changing the machine password against an RODC likely destroys
1097 * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
1098 ldb_message *msg argument.
1099 * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
1101 o Joseph Sutton <josephsutton@catalyst.net.nz>
1102 * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
1105 CHANGES SINCE 4.16.0rc3
1106 =======================
1108 o Samuel Cabrero <scabrero@suse.de>
1109 * BUG 14979: Problem when winbind renews Kerberos.
1111 o Björn Jacke <bj@sernet.de>
1112 * BUG 13631: DFS fix for AIX broken.
1113 * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
1114 * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
1116 o Andreas Schneider <asn@samba.org>
1117 * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
1120 o Martin Schwenke <martin@meltin.net>
1121 * BUG 14958: CTDB can get stuck in election and recovery.
1124 CHANGES SINCE 4.16.0rc2
1125 =======================
1127 o Jeremy Allison <jra@samba.org>
1128 * BUG 14169: Renaming file on DFS root fails with
1129 NT_STATUS_OBJECT_PATH_NOT_FOUND.
1130 * BUG 14938: NT error code is not set when overwriting a file during rename
1133 o Ralph Boehme <slow@samba.org>
1134 * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
1137 o Pavel Filipenský <pfilipen@redhat.com>
1138 * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
1140 o Volker Lendecke <vl@samba.org>
1141 * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
1142 during strcpy in tdbsam_getsampwnam.
1143 * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp.
1145 o Stefan Metzmacher <metze@samba.org>
1146 * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
1147 gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
1149 o Andreas Schneider <asn@samba.org>
1150 * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side
1154 CHANGES SINCE 4.16.0rc1
1155 =======================
1157 o Jeremy Allison <jra@samba.org>
1158 * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
1159 outside target of a symlink exists.
1161 o Ralph Boehme <slow@samba.org>
1162 * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
1164 * BUG 14961: install elasticsearch_mappings.json
1166 o FeRD (Frank Dana) <ferdnyc@gmail.com>
1167 * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings
1168 without NotifyAccess=all.
1170 o Stefan Metzmacher <metze@samba.org>
1171 * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly
1173 * BUG 14956: ndr_push_string() adds implicit termination for
1174 STR_NOTERM|REMAINING empty strings.
1176 o Joseph Sutton <josephsutton@catalyst.net.nz>
1177 * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict
1184 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs
1187 #######################################
1188 Reporting bugs & Development Discussion
1189 #######################################
1191 Please discuss this release on the samba-technical mailing list or by
1192 joining the #samba-technical:matrix.org matrix room, or
1193 #samba-technical IRC channel on irc.libera.chat
1195 If you do report problems then please try to send high quality
1196 feedback. If you don't provide vital information to help us track down
1197 the problem then you will probably be ignored. All bug reports should
1198 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1199 database (https://bugzilla.samba.org/).
1202 ======================================================================
1203 == Our Code, Our Bugs, Our Responsibility.
1205 ======================================================================