[Announce] Samba 4.20.3 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.20 release series.

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before can now most likely move to the default of 'ldap server require strong auth = yes'.

If SASL binds without correct tls channel bindings are required, 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning on every start of 'samba', as well as in '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows.

All client tools using ldaps also include the correct channel bindings now.

smb.conf changes
----------------

  Parameter Name                     Description     Default
  --------------                     -----------     -------
  ldap server require strong auth    new values

Changes since 4.20.2
--------------------

o  Andreas Schneider
   * BUG 15683: Running samba-bgqd as a standalone systemd service does not work.

o  Andrew Bartlett
   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account needs to change their own password.

o  Douglas Bagnall
   * BUG 15671: Invalid client warning about command line passwords.
   * BUG 15672: Version string is truncated in manpages.
   * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters.
   * BUG 15674: cmdline_burn does not always burn secrets.
   * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf.

o  Jo Sutton
   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account needs to change their own password.

o  Pavel Filipenský
   * BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL.

o  Ralph Boehme
   * BUG 15676: Fix clock skew error message and memory cache clock skew recovery.

o  Stefan Metzmacher
   * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual.
   * BUG 15621: s4:ldap_server: does not support tls channel bindings for sasl binds.

o  Xavi Hernandez
   * BUG 15678: CTDB socket output queues may suffer unbounded delays under some special conditions.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.20.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
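An added audit helper for the 'ldap server require strong auth' change described in the 4.20.3 notes above (example code written for this page, not part of the Samba project): it parses an smb.conf fragment and classifies the setting as the hardened default, the explicit opt-out, or the legacy value that now warns on every start. The parser, the classification labels and the sample configurations are constructed here; the parameter values 'yes', 'allow_sasl_over_tls' and 'allow_sasl_without_tls_channel_bindings' come from the notes, and 'no' is the pre-existing permissive value the notes do not discuss.

```python
import re
from typing import Dict, Tuple

# Parameter name with whitespace removed: Samba matches parameter names
# case-insensitively and ignoring whitespace, so the parser normalises keys
# the same way.
PARAM = "ldapserverrequirestrongauth"

# Assessment per value. The 'yes' / 'allow_*' entries follow the 4.20.3
# release notes; 'no' is the pre-existing permissive value (not covered by
# the notes) and is listed so an audit does not report it as unknown.
ASSESSMENT: Dict[str, Tuple[str, str]] = {
    "yes": ("ok",
            "hardened default: SASL binds over TLS must carry correct channel bindings"),
    "allow_sasl_without_tls_channel_bindings": ("warn",
            "explicit exception: SASL binds over TLS accepted without channel bindings"),
    "allow_sasl_over_tls": ("deprecated",
            "legacy value: samba and testparm now warn on every start; move to 'yes'"),
    "no": ("weak",
           "strong auth not required at all; not recommended"),
}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#' / ';' comment lines. Section and key names are normalised to lower
    case with whitespace removed; values keep their text, stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = "".join(m.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, value = line.split("=", 1)
        sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def assess_strong_auth(text: str) -> Tuple[str, str, str]:
    """Return (value, level, reason) for 'ldap server require strong auth'
    in [global]. An absent parameter means the built-in default, 'yes'."""
    glob = parse_smb_conf(text).get("global", {})
    value = glob.get(PARAM, "yes").lower()
    level, reason = ASSESSMENT.get(
        value, ("unknown", "value not recognised; check '[samba-tool ]testparm' output"))
    return value, level, reason


# Constructed sample configurations (not taken from any real deployment).
LEGACY_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    # kept from an older setup; 4.20.3 warns on this value at every start
    ldap server require strong auth = allow_sasl_over_tls
"""

HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ldap server require strong auth = yes
"""


def audit_report(text: str) -> str:
    """One-line audit summary for a configuration."""
    value, level, reason = assess_strong_auth(text)
    return f"[{level}] ldap server require strong auth = {value}: {reason}"


if __name__ == "__main__":
    print(audit_report(LEGACY_CONF))
    print(audit_report(HARDENED_CONF))
```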
[Announce] Samba 4.21.0rc1 Available for Download
Release Announcements
=====================

This is the first release candidate of Samba 4.21. This is *not* intended for production environments and is designed for testing purposes only.

Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.21 will be the next version of the Samba suite.

UPGRADING
=========

Hardening of "valid users", "invalid users", "read list" and "write list"
-------------------------------------------------------------------------

In previous versions of Samba, if a user or group name in any of the mentioned options could not be resolved to a valid SID, the user (or group) would be skipped without any notification. This could result in unexpected and insecure behaviour.

Starting with this version of Samba, if any user or group name in any of these options cannot be resolved due to a communication error with a domain controller, Samba will log an error and the tree connect will fail. Non-existing users (or groups) are ignored.

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before can now most likely move to the default of 'ldap server require strong auth = yes'.

If SASL binds without correct tls channel bindings are required, 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning on every start of 'samba', as well as in '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows.

All client tools using ldaps also include the correct channel bindings now.

NEW FEATURES/CHANGES
====================

LDB no longer a standalone tarball
----------------------------------

LDB, Samba's LDAP-like local database and the power behind the Samba AD DC, is no longer available to build as a distinct tarball, but is instead provided as an optional public library.

If you need ldb as a public library, say to build sssd, then use

  ./configure --private-libraries='!ldb'

This re-integration allows LDB tests to use Samba's full selftest system, including our knownfail infrastructure, and decreases the work required during security releases, as a coordinated release of the ldb tarball is not also required.

This approach has already been demonstrated in Debian, which is already building Samba and LDB in this way.

As part of this work, the pyldb-util public library, not known to be used by any other software, is made private to Samba.

LDB Module API Python bindings removed
--------------------------------------

The LDB Modules API, which we do not promise a stable ABI or API for, was wrapped in python in early LDB development. However, that wrapping never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 remove this unused and broken feature.

Some Samba public libraries made private by default
---------------------------------------------------

The following Samba C libraries are currently made public due to their use by OpenChange or for historical reasons that are no longer clear:

  dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig, samba-credentials, dcerpc_server, samdb

The libraries used by the OpenChange client are now private, but can be made public (like ldb above) with:

  ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'

The C libraries without any known user or used only for the OpenChange server (a dead project) may be made private entirely in a future Samba version. If you use a Samba library in this list, please be in touch with the samba-technical mailing list.

Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------

Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also impacted LDAP connections to active directory domain controllers, using the STARTTLS operation on LDAP port 389 connections.

Starting with Samba 3.5.0, 'ldap ssl ads = yes' was required in addition in order to let 'ldap ssl = start tls' have any effect on those connections.

'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together with the whole functionality in Samba 4.14.0, because it didn't support the tls channel bindings required for the sasl authentication.

The functionality is now re-added using the correct channel bindings based on the gnutls based tls implementation we already have, instead of using the tls layer provided by openldap. This makes it available and consistent with all LDAP client libraries we use and implement on our own.

The 'client ldap sasl wrapping' option gained the two new possible values: 'starttls' (using STARTTLS on tcp port 389) and 'ld
[Announce] Samba 4.20.2 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.1
--------------------

o  Jeremy Allison
   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.

o  Douglas Bagnall
   * BUG 13213: Samba build is not reproducible.
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare function.
   * BUG 15625: Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances.

o  Andrew Bartlett
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI bill.
   * BUG 15654: We have added new options --vendor-name and --vendor-patch-revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious.

o  Günther Deschner
   * BUG 15665: CTDB RADOS mutex helper misses namespace support.

o  Stefan Metzmacher
   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead of cldap.
   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6 only host.
   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the machine account.

o  Noel Power
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Andreas Schneider
   * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
   * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups.
   * BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.20.2.html

If you are building/using ldb from a system library, you'll also need the related updated ldb tarball, otherwise you can ignore it. The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). The ldb source code can be downloaded from:

        https://download.samba.org/pub/ldb/ldb-2.9.1.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.19.7 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.6
--------------------

o  Douglas Bagnall
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare function (ldb 2.8.1 is already released).
   * BUG 15625: Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already released).

o  Andrew Bartlett
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI bill.

o  Stefan Metzmacher
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6 only host.

o  Anna Popova
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag.

o  Noel Power
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.19.7.html

If you are building/using ldb from a system library, you'll also need the related updated ldb tarball, otherwise you can ignore it. The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). The ldb source code can be downloaded from:

        https://download.samba.org/pub/ldb/ldb-2.8.1.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.20.1 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.0
--------------------

o  Douglas Bagnall
   * BUG 15630: dns update debug message is too noisy.

o  Alexander Bokovoy
   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.

o  Pavel Filipenský
   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.

o  Anna Popova
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag.

o  Noel Power
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.

o  Andreas Schneider
   * BUG 15600: Provide a systemd service file for the background queue daemon.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.20.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.19.6 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.5
--------------------

o  Ralph Boehme
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close().

o  Guenther Deschner
   * BUG 15588: samba-gpupdate: Correctly implement site support.

o  Noel Power
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close().

o  Andreas Schneider
   * BUG 15588: samba-gpupdate: Correctly implement site support.
   * BUG 15599: libgpo: Segfault in python bindings.

o  Martin Schwenke
   * BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.19.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.20.0 Available for Download
Release Announcements
=====================

This is the first stable release of the Samba 4.20 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like

  pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in the LDIF output.

This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as

  --attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two features.

Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed from:

  virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:

  virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME".

Supported operations include:
 - reading the current and previous gMSA password via "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now builds by default a new experimental Windows Search Protocol (WSP) command line client, "wspsearch".

The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a windows server) that has the (WSP) Windows Search Protocol service configured and enabled. For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the windows cmd line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool as the same file format is used.

New options added are:
 - '--save savefile'     Saves DACLs in sddl format to file
 - '--recurse'           Performs the '--save' operation above on directory and all files/directories below.
 - '--restore savefile'  Restores the stored DACLs to files in directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
----------------------------------------------------------------------

samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.

samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to.

Finally, support is added for the creation and management of authentication silos, which are helpful in defining net
[Announce] Samba 4.18.11 Available for Download
Release Announcements
=====================

This is the latest stable release of the Samba 4.18 release series. There will be security releases only beyond this point.

Changes since 4.18.10
---------------------

o  Martin Schwenke
   * BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.18.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.20.0rc4 Available for Download
Release Announcements
=====================

This is the fourth release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only.

Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.
[Announce] Samba 4.20.0rc3 Available for Download
Release Announcements
=====================

This is the third release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only.

Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.
[Announce] Samba 4.19.5 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.4

o  Ralph Boehme
   * BUG 13688: Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot.
   * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions before that).

o  Bjoern Jacke
   * BUG 12421: Fake directory create times has no effect.

o  Björn Jacke
   * BUG 15550: ctime mixed up with mtime by smbd.

o  David Mulder
   * BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.

o  Gabriel Nagy
   * BUG 15557: gpupdate: The root cert import when NDES is not available is broken.

o  Andreas Schneider
   * BUG 15552: samba-gpupdate should print a useful message if cepces-submit can't be found.
   * BUG 15558: samba-gpupdate logging doesn't work.

o  Jones Syue
   * BUG 1: smbpasswd reset permissions only if not 0600.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.19.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.20.0rc2 Available for Download
Release Announcements

This is the second release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.

UPGRADING

NEW FEATURES/CHANGES

New Minimum MIT Krb5 version for Samba AD Domain Controller

Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.

Removed dependency on Perl JSON module

Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP, built into recent perl5 versions. Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences, due to features chosen by packagers, comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like

  pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as

  --attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two features.

Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed from:

  virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:

  virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

Group Managed Service Account client-side features

samba-tool has been extended to provide client-side support for Group Managed Service Accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without the risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME". Supported operations include:

 - reading the current and previous gMSA password via "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command, "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client

Samba now by default builds the new experimental Windows Search Protocol (WSP) command line client "wspsearch". The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled. For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file

'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the Windows cmd-line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.

New options added are:

 - '--save savefile'     Saves DACLs in SDDL format to file
 - '--recurse'           Performs the '--save' operation above on the directory and all files/directories below.
 - '--restore savefile'  Restores the stored DACLs to files in the directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos

samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.

samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authent
[Announce] Samba 4.18.10 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.9

o  Ralph Boehme
   * BUG 13688: Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot.
   * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions before that).

o  Samuel Cabrero
   * BUG 13577: net changesecretpw cannot set the machine account password if secrets.tdb is empty.

o  Bjoern Jacke
   * BUG 12421: Fake directory create times has no effect.

o  Björn Jacke
   * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
   * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
   * BUG 15542: vfs_linux_xfs is incorrectly named.
   * BUG 15550: ctime mixed up with mtime by smbd.

o  Volker Lendecke
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.
   * BUG 15544: shadow_copy2 broken when current fileset's directories are removed.

o  Stefan Metzmacher
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.
   * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel exclusion.

o  Martin Schwenke
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.

o  Shachar Sharon
   * BUG 15440: Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module.

o  Jones Syue
   * BUG 15547: Multichannel refresh network information.
   * BUG 1: smbpasswd reset permissions only if not 0600.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.18.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.20.0rc1 Available for Download
Release Announcements

This is the first release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.

UPGRADING

NEW FEATURES/CHANGES

New Minimum MIT Krb5 version for Samba AD Domain Controller

Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.

Removed dependency on Perl JSON module

Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP, built into recent perl5 versions. Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences, due to features chosen by packagers, comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like

  pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as

  --attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two features.

Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed from:

  virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:

  virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

Group Managed Service Account client-side features

samba-tool has been extended to provide client-side support for Group Managed Service Accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without the risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME". Supported operations include:

 - reading the current and previous gMSA password via "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command, "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client

Samba now by default builds the new experimental Windows Search Protocol (WSP) command line client "wspsearch". The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled. For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file

'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the Windows cmd-line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.

New options added are:

 - '--save savefile'     Saves DACLs in SDDL format to file
 - '--recurse'           Performs the '--save' operation above on the directory and all files/directories below.
 - '--restore savefile'  Restores the stored DACLs to files in the directory

REMOVED FEATURES

Get locally logged on users from utmp

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally logged on users. Samba was getting the list from utmp, which is not Y2038 safe. This feature has been completely removed and Samba will always return an empty list.

smb.conf changes

  Parameter Name    Description    Default
  --                ---
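The ;rounds= change above matters to anyone who consumes "samba-tool user getpassword" or "syncpasswords" output in a sync script: a consumer that keys on the literal attribute name "virtualCryptSHA256" silently drops the hash once the attribute is emitted as "virtualCryptSHA256;rounds=N". The following parser, an added example rather than Samba's own code, accepts both namings, decodes the {CRYPT} value, and verifies that the ;rounds= option agrees with the rounds embedded in the hash. The three LDIF lines at the bottom are constructed from the (truncated) sample in the notes; the 5000-round default for a sha256/sha512-crypt string that carries no rounds= field is glibc's.

```python
"""Parse LDIF lines for virtualCryptSHA256/virtualCryptSHA512 as emitted by
samba-tool before and after the 4.20 ;rounds= change, and check that the
attribute option and the crypt hash agree on the round count.

Added example, not part of the Samba release notes or of samba-tool.
"""
import re

# {CRYPT}$5$... is sha256-crypt, {CRYPT}$6$... is sha512-crypt.  The
# "rounds=N$" field is optional; glibc uses 5000 rounds when it is absent.
_CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<scheme>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]+)\$(?P<hash>\S+)$"
)
_SCHEMES = {"5": "sha256-crypt", "6": "sha512-crypt"}
DEFAULT_ROUNDS = 5000


def split_attribute(descriptor):
    """'virtualCryptSHA256;rounds=2561' -> ('virtualCryptSHA256', {'rounds': '2561'})."""
    name, *options = descriptor.split(";")
    parsed = {}
    for opt in options:
        key, _, value = opt.partition("=")
        parsed[key] = value
    return name, parsed


def parse_crypt(value):
    """Break a {CRYPT}$id$[rounds=N$]salt$hash string into its fields."""
    m = _CRYPT_RE.match(value.strip())
    if m is None:
        raise ValueError("not a {CRYPT} sha256/sha512-crypt value: %r" % value)
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
    return {
        "scheme": _SCHEMES[m.group("scheme")],
        "rounds": rounds,
        "explicit_rounds": m.group("rounds") is not None,
        "salt": m.group("salt"),
        "hash": m.group("hash"),
    }


def parse_ldif_line(line):
    """Return a record for one 'attr[;opt=val]: value' line, or None when the
    line is not a virtualCryptSHA* attribute.  'consistent' is False when a
    ;rounds= option disagrees with the rounds inside the hash."""
    descriptor, sep, value = line.partition(": ")
    if not sep:
        return None
    name, options = split_attribute(descriptor)
    if name not in ("virtualCryptSHA256", "virtualCryptSHA512"):
        return None
    crypt = parse_crypt(value)
    option_rounds = options.get("rounds")
    consistent = option_rounds is None or int(option_rounds) == crypt["rounds"]
    return {"attribute": name, "options": options, "crypt": crypt,
            "consistent": consistent}


def collect_hashes(ldif_text):
    """Map attribute name -> parsed record for every virtualCryptSHA* line,
    whichever naming convention the emitting samba-tool version used."""
    result = {}
    for line in ldif_text.splitlines():
        rec = parse_ldif_line(line)
        if rec is not None:
            result[rec["attribute"]] = rec
    return result


# Constructed sample input: the "before" and "after" lines from the release
# notes (same truncated hash) plus one deliberately mismatched line.
OLD_STYLE = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
NEW_STYLE = "virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
MISMATCH = "virtualCryptSHA512;rounds=5000: {CRYPT}$6$rounds=4096$hXem.M9onhM9Vuix$dFdSBwF"

if __name__ == "__main__":
    for line in (OLD_STYLE, NEW_STYLE, MISMATCH):
        rec = parse_ldif_line(line)
        print(rec["attribute"], rec["options"], rec["crypt"]["rounds"],
              "ok" if rec["consistent"] else "ROUNDS MISMATCH")
```

A consumer built on collect_hashes() sees the same record for the pre-4.20 and post-4.20 lines, so the upgrade does not lose hashes; the consistency flag catches a hash whose advertised cost does not match its real one before it is pushed into another password store.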
[Announce] Samba 4.19.4 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.3

o  Samuel Cabrero
   * BUG 13577: net changesecretpw cannot set the machine account password if secrets.tdb is empty.

o  Björn Jacke
   * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
   * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
   * BUG 15542: vfs_linux_xfs is incorrectly named.

o  Björn Jacke
   * BUG 15377: systemd stumbled over copyright-message at smbd startup.

o  Volker Lendecke
   * BUG 15505: Following intermediate absolute share-local symlinks is broken.
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.
   * BUG 15544: shadow_copy2 broken when current fileset's directories are removed.

o  Stefan Metzmacher
   * BUG 15377: systemd stumbled over copyright-message at smbd startup.
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.
   * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel exclusion.

o  Andreas Schneider
   * BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set.
   * BUG 15525: smbget debug logging doesn't work.
   * BUG 15532: smbget: username in the smburl and interactive password entry doesn't work.
   * BUG 15538: smbget auth function doesn't set values for password prompt correctly.

o  Martin Schwenke
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.

o  Shachar Sharon
   * BUG 15440: Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module.

o  Jones Syue
   * BUG 15547: Multichannel refresh network information.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.19.4.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.18.9 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.18 release series.

It contains the security-relevant bug CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!)

https://www.samba.org/samba/security/CVE-2018-14628.html

Description of CVE-2018-14628

All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.

When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from the Domain/Partition-HEAD-Object instead of being very strict (as on a Windows-provisioned domain). This means that non-privileged users can also use the LDAP_SERVER_SHOW_DELETED_OID control in order to view the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an information disclosure.

Action required in order to resolve CVE-2018-14628!

The patched Samba does NOT protect existing domains! The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
          Owner mismatch: SY (in ref) DA(in current)
          Group mismatch: SY (in ref) DA(in current)
          Part dacl is different between reference and current here is the detail:
                  (A;;LCRPLORC;;;AU) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                  (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

Changes since 4.18.8

o  Michael Adam
   * BUG 15497: Add make command for querying Samba version.

o  Ralph Boehme
   * BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor().

o  Björn Jacke
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories.

o  Stefan Metzmacher
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users.

o  Christof Schmitt
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Christof Schmitt
   * BUG 15497: Add make command for querying Samba version.

o  Martin Schwenke
   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.18.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.19.3 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.19 release series.

It contains the security-relevant bug CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!)

https://www.samba.org/samba/security/CVE-2018-14628.html

Description of CVE-2018-14628

All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.

When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from the Domain/Partition-HEAD-Object instead of being very strict (as on a Windows-provisioned domain). This means that non-privileged users can also use the LDAP_SERVER_SHOW_DELETED_OID control in order to view the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an information disclosure.

Action required in order to resolve CVE-2018-14628!

The patched Samba does NOT protect existing domains! The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
          Owner mismatch: SY (in ref) DA(in current)
          Group mismatch: SY (in ref) DA(in current)
          Part dacl is different between reference and current here is the detail:
                  (A;;LCRPLORC;;;AU) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                  (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                  (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

Changes since 4.19.2

o  Douglas Bagnall
   * BUG 15520: sid_strings test broken by unix epoch > 17.

o  Ralph Boehme
   * BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor().

o  Pavel Filipenský
   * BUG 15499: Improve logging for failover scenarios.

o  Björn Jacke
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories.

o  Stefan Metzmacher
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users.
   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal accounts.

o  Christof Schmitt
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Andreas Schneider
   * BUG 15513: Samba doesn't build with Python 3.12.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.19.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
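The dbcheck dialogue quoted in the 4.18.9 and 4.19.3 announcements above is worth reading ACE by ACE before answering 'y': the one that actually causes CVE-2018-14628 is (A;;LCRPLORC;;;AU), which grants Authenticated Users list-children, read-property, list-object and read-control on CN=Deleted Objects, so any domain user can walk the tombstones with LDAP_SERVER_SHOW_DELETED_OID. The reference descriptor has no such catch-all grant. The script below, an added example rather than samba-tool's own dbcheck code, parses O:/G:/D: SDDL strings, reports the same owner, group and DACL differences that dbcheck prints, and flags Allow ACEs whose trustee is a broad group. The two descriptors are constructed from the ACEs quoted on the page; the full reference DACL that Samba's provision writes is not reproduced here, and the parser does not handle conditional ACEs (nested parentheses), hexadecimal access masks or SACLs.

```python
"""Diff two SDDL security descriptors the way 'samba-tool dbcheck
--attrs=nTSecurityDescriptor' reports them, and flag DACL entries that
grant rights to catch-all principals such as Authenticated Users.

Added example, not Samba's own code.  Handles 'O:...G:...D:(ace)(ace)'
with two-letter access-right tokens only; no conditional ACEs, hex masks
or SACLs.
"""
import re
from dataclasses import dataclass

# Two-letter AD object access rights used in the ACEs quoted on the page.
RIGHT_NAMES = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
}
# Trustees that every (or nearly every) domain principal belongs to.
BROAD_TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone",
                  "BU": "Builtin Users", "DU": "Domain Users"}
SID_NAMES = {"SY": "SYSTEM", "DA": "Domain Admins",
             "BA": "Builtin Administrators", **BROAD_TRUSTEES}


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str

    def right_tokens(self):
        # Rights are two-letter tokens concatenated without separators.
        return [self.rights[i:i + 2] for i in range(0, len(self.rights), 2)]

    def __str__(self):
        return "(%s)" % ";".join([self.ace_type, self.flags, self.rights,
                                  self.object_guid, self.inherit_guid, self.trustee])


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list


_SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")


def parse_sddl(sddl):
    """Parse 'O:<owner>G:<group>D:[flags](ace)...' into a SecurityDescriptor."""
    m = _SD_RE.match(sddl.strip())
    if m is None:
        raise ValueError("not an O:/G:/D: security descriptor string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("dacl")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(Ace(*fields))
    return SecurityDescriptor(m.group("owner"), m.group("group"), aces)


def diff_descriptors(reference, current):
    """Owner/group mismatches plus the ACEs each side lacks, as dbcheck reports."""
    ref_set, cur_set = set(reference.dacl), set(current.dacl)
    return {
        "owner": None if reference.owner == current.owner else (reference.owner, current.owner),
        "group": None if reference.group == current.group else (reference.group, current.group),
        "missing_from_reference": [a for a in current.dacl if a not in ref_set],
        "missing_from_current": [a for a in reference.dacl if a not in cur_set],
    }


def format_report(diff):
    """Render the diff in the wording of the dbcheck prompt on the page."""
    lines = []
    if diff["owner"]:
        lines.append("Owner mismatch: %s (in ref) %s (in current)" % diff["owner"])
    if diff["group"]:
        lines.append("Group mismatch: %s (in ref) %s (in current)" % diff["group"])
    lines += ["%s ACE is not present in the reference" % a for a in diff["missing_from_reference"]]
    lines += ["%s ACE is not present in the current" % a for a in diff["missing_from_current"]]
    return lines


def broad_grants(sd):
    """Allow ACEs whose trustee is a catch-all group: the tombstone leak."""
    return [a for a in sd.dacl if a.ace_type == "A" and a.trustee in BROAD_TRUSTEES]


def describe_rights(ace):
    return [RIGHT_NAMES.get(t, t) for t in ace.right_tokens()]


# Constructed from the ACEs quoted in the dbcheck output above; the real
# provision reference DACL has more entries than the two shown there.
REFERENCE_SDDL = "O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)(A;;LCRP;;;BA)"
CURRENT_SDDL = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")

if __name__ == "__main__":
    ref, cur = parse_sddl(REFERENCE_SDDL), parse_sddl(CURRENT_SDDL)
    for line in format_report(diff_descriptors(ref, cur)):
        print(line)
    for ace in broad_grants(cur):
        print("broad grant to %s: %s" % (SID_NAMES[ace.trustee], ", ".join(describe_rights(ace))))
```

The same broad_grants() check can be run over the nTSecurityDescriptor of any container whose contents should stay administrator-only; a grant to AU, WD, BU or DU there is the condition to look for, independent of what dbcheck's reference descriptor says.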
[Announce] Samba 4.19.2 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.19 release series.

Changes since 4.19.1

o  Jeremy Allison
   * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown() call.

o  Ralph Boehme
   * BUG 15463: macOS mdfind returns only 50 results.

o  Volker Lendecke
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value.

o  Stefan Metzmacher
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more.

o  Martin Schwenke
   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.

o  Joseph Sutton
   * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19.
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.19.2.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download
Release Announcements

This is a security release in order to address the following defects:

o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system.
  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes".
  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions.
  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service.
  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC.
  https://www.samba.org/samba/security/CVE-2023-42670.html

Changes

o  Jeremy Allison
   * BUG 15422: CVE-2023-3961.

o  Andrew Bartlett
   * BUG 15424: CVE-2023-4154.
   * BUG 15473: CVE-2023-42670.
   * BUG 15474: CVE-2023-42669.

o  Ralph Boehme
   * BUG 15439: CVE-2023-4091.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.19.1.html
https://www.samba.org/samba/history/samba-4.18.8.html
https://www.samba.org/samba/history/samba-4.17.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.17, 4.18 and 4.19 on Tuesday October 10 2023.

Please make sure that your Samba servers will be updated soon after the release!

Impacted component:

 - Fileserver (CVSS 6.5, Medium)
 - DCE-RPCs and pipes (CVSS 6.8, Medium)
 - AD DC (CVSS 7.5, High; CVSS 6.5, Medium, and CVSS 6.5, Medium)

Jule Anger

--
Jule Anger
Release Manager
Samba Team            samba.org
SerNet Samba Team     sernet.de
[Announce] Samba 4.18.7 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.6

o  Jeremy Allison
   * BUG 15419: Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink().
   * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized pointer.

o  Andrew Bartlett
   * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect.
   * BUG 15407: Samba replication logs show (null) DN.

o  Ralph Boehme
   * BUG 15463: macOS mdfind returns only 50 results.

o  Remi Collet
   * BUG 14808: smbc_getxattr() return value is incorrect.

o  Volker Lendecke
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value.

o  Stefan Metzmacher
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more.

o  MikeLiu
   * BUG 15453: File doesn't show when user doesn't have permission if aio_pthread is loaded.

o  Martin Schwenke
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1.

o  Joseph Sutton
   * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with empty claims pac blobs (from Samba 4.19 or Windows).
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.18.7.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.17.11 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.10
---------------------

o  Jeremy Allison
   * BUG 15419: Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink().
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp pointer.
   * BUG 15430: Missing return in reply_exit_done().
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized pointer.

o  Andrew Bartlett
   * BUG 15401: Improve GetNChanges to address some (but not all) "Azure AD Connect" synchronisation tool looping during the initial user sync phase.
   * BUG 15407: Samba replication logs show (null) DN.
   * BUG 9959: Windows client join fails if a second container CN=System exists somewhere.

o  Ralph Boehme
   * BUG 15342: Spotlight sometimes returns no results on latest macOS.
   * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination.
   * BUG 15427: Spotlight results return wrong date in result list.
   * BUG 15463: macOS mdfind returns only 50 results.

o  Volker Lendecke
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2.

o  Stefan Metzmacher
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2.
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.

o  MikeLiu
   * BUG 15453: File doesn't show when user doesn't have permission if aio_pthread is loaded.

o  Noel Power
   * BUG 15384: net ads lookup (with unspecified realm) fails.
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Arvid Requate
   * BUG 9959: Windows client join fails if a second container CN=System exists somewhere.

o  Martin Schwenke
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1.

o  Jones Syue
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().


### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.17.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.19.0 Available for Download
Release Announcements

This is the first stable release of the Samba 4.19 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

Migrated smbget to use common command line parser
-------------------------------------------------

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command
line parser. This has some advantages as you get all the features it
provides like Kerberos authentication. The downside is that it breaks
the options interface. The support for smbgetrc has been removed. You
can use an authentication file if needed, this is documented in the
manpage.

Please check the smbget manpage or --help output.

gpupdate changes
----------------

The libgpo.get_gpo_list function has been deprecated in favor of an
implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active
Directory using the SamDB module, instead of ADS (which is what libgpo
uses).

Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain
new trace header fields 'traceid' and 'depth'. Field 'traceid' allows
tracking the trace records belonging to the same request. Field 'depth'
allows tracking the request nesting level. A new tool samba-log-parser
is added for better log parsing.

AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision, ensure that the blank database
is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------

An initial, partial implementation of Active Directory Functional Level
2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC, for
member servers that support these, and honour in-directory configuration
for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims in
the directory, and populate the PAC, Samba does not yet use them for
access control decisions.

While we continue to develop these features, existing domains can test
the feature by selecting the functional level in provision or raising
the DC functional level by setting 'ad dc functional level = 2016' in
the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision':

   --option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level,
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba, run:

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
---------------------

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets, including
if they would fail a policy that is not yet enforced. Additionally most
failures are audited (after the initial pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.

This is a significant security improvement, as weak passwords in an
AS-REQ are no longer available for offline attack.

Claims compression in the AD PAC
--------------------------------

Samba as an AD DC will compress "AD claims" using the same compression
algorithm as Microsoft Windows.

Resource SID compression in the AD PAC
--------------------------------------

Samba as an AD DC will now correctly
[Announce] Samba 4.19.0rc4 Available for Download
Release Announcements

This is the fourth release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

Migrated smbget to use common command line parser
-------------------------------------------------

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command
line parser. This has some advantages as you get all the features it
provides like Kerberos authentication. The downside is that it breaks
the options interface. The support for smbgetrc has been removed. You
can use an authentication file if needed, this is documented in the
manpage.

Please check the smbget manpage or --help output.

gpupdate changes
----------------

The libgpo.get_gpo_list function has been deprecated in favor of an
implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active
Directory using the SamDB module, instead of ADS (which is what libgpo
uses).

Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain
new trace header fields 'traceid' and 'depth'. Field 'traceid' allows
tracking the trace records belonging to the same request. Field 'depth'
allows tracking the request nesting level. A new tool samba-log-parser
is added for better log parsing.

AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision, ensure that the blank database
is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------

An initial, partial implementation of Active Directory Functional Level
2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC, for
member servers that support these, and honour in-directory configuration
for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims in
the directory, and populate the PAC, Samba does not yet use them for
access control decisions.

While we continue to develop these features, existing domains can test
the feature by selecting the functional level in provision or raising
the DC functional level by setting 'ad dc functional level = 2016' in
the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision':

   --option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level,
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba, run:

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
---------------------

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets, including
if they would fail a policy that is not yet enforced. Additionally most
failures are audited (after the initial pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.

This is a significant security improvement, as weak passwords in an
AS-REQ are no longer available for offline attack.

Claims compression in the AD PAC
--------------------------------

Samba as an AD DC will compress "
[Announce] Samba 4.19.0rc3 Available for Download
Release Announcements

This is the third release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

Migrated smbget to use common command line parser
-------------------------------------------------

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command
line parser. This has some advantages as you get all the features it
provides like Kerberos authentication. The downside is that it breaks
the options interface. The support for smbgetrc has been removed. You
can use an authentication file if needed, this is documented in the
manpage.

Please check the smbget manpage or --help output.

gpupdate changes
----------------

The libgpo.get_gpo_list function has been deprecated in favor of an
implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active
Directory using the SamDB module, instead of ADS (which is what libgpo
uses).

Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain
new trace header fields 'traceid' and 'depth'. Field 'traceid' allows
tracking the trace records belonging to the same request. Field 'depth'
allows tracking the request nesting level. A new tool samba-log-parser
is added for better log parsing.

AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision, ensure that the blank database
is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------

An initial, partial implementation of Active Directory Functional Level
2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC, for
member servers that support these, and honour in-directory configuration
for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims in
the directory, and populate the PAC, Samba does not yet use them for
access control decisions.

While we continue to develop these features, existing domains can test
the feature by selecting the functional level in provision or raising
the DC functional level by setting 'ad dc functional level = 2016' in
the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision':

   --option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level,
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba, run:

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
---------------------

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets, including
if they would fail a policy that is not yet enforced. Additionally most
failures are audited (after the initial pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.

This is a significant security improvement, as weak passwords in an
AS-REQ are no longer available for offline attack.

Claims compression in the AD PAC
--------------------------------

Samba as an AD DC will compress "
[Announce] Samba 4.18.6 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.5
--------------------

o  Jeremy Allison
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp pointer.
   * BUG 15430: Missing return in reply_exit_done().

o  Andrew Bartlett
   * BUG 15289: post-exec password redaction for samba-tool is more reliable for fully random passwords as it no longer uses regular expressions containing the password value itself.
   * BUG 9959: Windows client join fails if a second container CN=System exists somewhere.

o  Ralph Boehme
   * BUG 15342: Spotlight sometimes returns no results on latest macOS.
   * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination.
   * BUG 15427: Spotlight results return wrong date in result list.

o  Günther Deschner
   * BUG 15414: "net offlinejoin provision" does not work as non-root user.

o  Pavel Filipenský
   * BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
   * BUG 15433: cm_prepare_connection() calls close(fd) for the second time.

o  Stefan Metzmacher
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2.
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.

o  Noel Power
   * BUG 15390: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation).
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Arvid Requate
   * BUG 9959: Windows client join fails if a second container CN=System exists somewhere.

o  Jones Syue
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().


### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.18.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
INVITE: SMB3 IO Lab participation at Storage Developers Conference Sept. 18-21, 2023 in Fremont, CA.
Hi Samba-people,

Arnold Jones, Technical Council Managing Director of the Storage Network
Industry Association (SNIA), asked me to forward this invitation to
anyone who would like to participate in the SMB3 IO Lab.

---

Hi Samba Developers,

Presentations are only part of what is going on at the SNIA's 2023
Storage Developer Conference, September 18-21, Fremont, CA. The SNIA
SMB3 IO Lab is also an integral part of the program.

The purpose of this IO Lab is for vendors to bring their implementations
of SMB3 to test, identify, and fix bugs in a collaborative setting with
the goal of providing a forum in which companies can develop
interoperable products.

There are several new features that have recently been added to the
SMB3 protocol:

 * SMB over QUIC support for mutual authentication.
 * Server Notification update for logon session scenario (when server
   discards a logon session before client).
 * Significant Windows security behavior defaults updates in certain
   Windows releases:
   + SMB Signing required by default.
   + Auth rate limiter on by default.
   + Guest auth fallback now off by default.
   + Mail slots off by default and SMB1 now disabled in all Windows
     releases.
 * And other SMB security updates and features.

The IO Lab is an opportunity to learn about these new features and test
your implementation with Microsoft Windows protocol test suites. During
the IO Lab you can directly engage with Windows Protocol Support, Test
Suite Development, and members of the Windows development team as well
as network with other professionals from all over the world.

This IO Lab is held in one large room (open 24 hrs.), giving
participants an easy way to interact with both Microsoft professionals
and with all other participants and their implementations.

If you are reluctant to participate because you feel that your SMB
implementation is "not ready", you should still participate! The SMB3 IO
Lab is also a development opportunity, not just a testing opportunity.
Implementations still in development are encouraged to participate. It's
a great opportunity to get help and learn from the experts!

This year we are pleased to announce the full participation and
continued support of Microsoft, our 2023 SNIA SDC SMB3 IO Lab
underwriter.

For complete details on how to participate please see:
http://www.snia.org/SMB3IOLab

If you have any additional questions, please contact me at
arn...@snia.org.

I look forward to seeing you and your company at the SMB3 IO Lab this
year!

-- Arnold

Arnold Jones
Technical Council Managing Director
SNIA
http://www.storagedeveloper.org/
http://www.snia.org/SMB3IOLab

---
[Announce] Samba 4.19.0rc2 Available for Download
Release Announcements

This is the second release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

Migrated smbget to use common command line parser
-------------------------------------------------

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command
line parser. This has some advantages as you get all the features it
provides like Kerberos authentication. The downside is that it breaks
the options interface. The support for smbgetrc has been removed. You
can use an authentication file if needed, this is documented in the
manpage.

Please check the smbget manpage or --help output.

gpupdate changes
----------------

The libgpo.get_gpo_list function has been deprecated in favor of an
implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active
Directory using the SamDB module, instead of ADS (which is what libgpo
uses).

Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain
new trace header fields 'traceid' and 'depth'. Field 'traceid' allows
tracking the trace records belonging to the same request. Field 'depth'
allows tracking the request nesting level. A new tool samba-log-parser
is added for better log parsing.

AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision, ensure that the blank database
is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------

An initial, partial implementation of Active Directory Functional Level
2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC, for
member servers that support these, and honour in-directory configuration
for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims in
the directory, and populate the PAC, Samba does not yet use them for
access control decisions.

While we continue to develop these features, existing domains can test
the feature by selecting the functional level in provision or raising
the DC functional level by setting 'ad dc functional level = 2016' in
the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision':

   --option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level,
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba, run:

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
---------------------

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets, including
if they would fail a policy that is not yet enforced. Additionally most
failures are audited (after the initial pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.

This is a significant security improvement, as weak passwords in an
AS-REQ are no longer available for offline attack.

Claims compression in the AD PAC
--------------------------------

Samba as an AD DC will compress "
[Announce] Samba 4.19.0rc1 Available for Download
Release Announcements

This is the first release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

Migrated smbget to use common command line parser
-------------------------------------------------

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command
line parser. This has some advantages as you get all the features it
provides like Kerberos authentication. The downside is that it breaks
the options interface. The support for smbgetrc has been removed. You
can use an authentication file if needed, this is documented in the
manpage.

Please check the smbget manpage or --help output.

gpupdate changes
----------------

The libgpo.get_gpo_list function has been deprecated in favor of an
implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active
Directory using the SamDB module, instead of ADS (which is what libgpo
uses).

Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain
new trace header fields 'traceid' and 'depth'. Field 'traceid' allows
tracking the trace records belonging to the same request. Field 'depth'
allows tracking the request nesting level. A new tool samba-log-parser
is added for better log parsing.

AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision, ensure that the blank database
is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------

An initial, partial implementation of Active Directory Functional Level
2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC, for
member servers that support these, and honour in-directory configuration
for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims in
the directory, and populate the PAC, Samba does not yet use them for
access control decisions.

While we continue to develop these features, existing domains can test
the feature by selecting the functional level in provision or raising
the DC functional level by setting 'ad dc functional level = 2016' in
the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision':

   --option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level,
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba, run:

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
---------------------

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets, including
if they would fail a policy that is not yet enforced. Additionally most
failures are audited (after the initial pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.

This is a significant security improvement, as weak passwords in an
AS-REQ are no longer available for offline attack.

Claims compression in the AD PAC
--------------------------------

Samba as an AD DC will compress "
[Announce] Samba 4.18.5, 4.17.10, 4.16.11 Security Releases are available for Download
Release Announcements

These are security releases in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a
                  maliciously crafted request can trigger an
                  out-of-bounds read in winbind and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin
                  configured "server signing = required" or for SMB2
                  connections to Domain Controllers where SMB2 packet
                  signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service
                  for Spotlight can be triggered by an unauthenticated
                  attacker by issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service
                  for Spotlight can be used by an unauthenticated
                  attacker to trigger a process crash in a shared RPC
                  mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
                  server-side absolute path of shares and files and
                  directories in search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html

Changes
-------

o  Ralph Boehme
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.
   * BUG 15397: CVE-2023-3347.

o  Samuel Cabrero
   * BUG 15072: CVE-2022-2127.

o  Volker Lendecke
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.


### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.18.5.html
        https://www.samba.org/samba/history/samba-4.17.10.html
        https://www.samba.org/samba/history/samba-4.16.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.16, 4.17
and 4.18 on Wednesday, July 19 2023. Please make sure that your Samba servers
will be updated soon after the release!

Impacted component:

- Winbind (CVSS 5.9, Medium)
- DCE-RPCs and pipes (CVSS 7.5, High, 5.3, Medium, and 5.3, Medium)
- File services (CVSS 6.8, Medium)

Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team samba.org
SerNet Samba Team sernet.de
[Announce] Samba 4.17.9 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.8
--------------------

o Douglas Bagnall
  * BUG 15404: Backport --pidl-developer fixes.

o Ralph Boehme
  * BUG 15275: smbd_scavenger crashes when service smbd is stopped.
  * BUG 15378: vfs_fruit might cause a failing open for delete.

o Samuel Cabrero
  * BUG 14030: named crashes on DLZ zone update.

o Volker Lendecke
  * BUG 15361: winbind recurses into itself via rpcd_lsad.
  * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
  * BUG 15391: smbclient leaks fds with showacls.

o Stefan Metzmacher
  * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
    smb3_sid_parse().
  * BUG 15413: winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR.

o Jones Syue
  * BUG 15403: smbget memory leak if failed to download files recursively.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.17.9.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.4 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.3
--------------------

o Douglas Bagnall
  * BUG 15404: Backport --pidl-developer fixes.

o Samuel Cabrero
  * BUG 14030: named crashes on DLZ zone update.

o Björn Jacke
  * BUG 2312: smbcacls and smbcquotas do not check // before the server.

o Volker Lendecke
  * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
  * BUG 15391: smbclient leaks fds with showacls.
  * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem.

o Stefan Metzmacher
  * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
    causes test timeouts.

o Noel Power
  * BUG 15384: net ads lookup (with unspecified realm) fails.

o Christof Schmitt
  * BUG 15381: Register Samba processes with GPFS.

o Andreas Schneider
  * BUG 15390: Python tarfile extraction needs change to avoid a warning
    (CVE-2007-4559 mitigation).
  * BUG 15398: The winbind child segfaults when listing users with
    `winbind scan trusted domains = yes`.

o Jones Syue
  * BUG 15383: Remove comments about deprecated 'write cache size'.
  * BUG 15403: smbget memory leak if failed to download files recursively.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.18.4.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.3 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.2
--------------------

o Ralph Boehme
  * BUG 15375: Symlinks to files can have random DOS mode information in a
    directory listing.
  * BUG 15378: vfs_fruit might cause a failing open for delete.

o Volker Lendecke
  * BUG 15361: winbind recurses into itself via rpcd_lsad.
  * BUG 15366: wbinfo -u fails on ad dc with >1000 users.

o Stefan Metzmacher
  * BUG 15338: DS ACEs might be inherited to unrelated object classes.
  * BUG 15362: a lot of messages: get_static_share_mode_data:
    get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND.
  * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
    smb3_sid_parse().

o Andreas Schneider
  * BUG 15360: Setting veto files = /.*/ breaks listing directories.

o Joseph Sutton
  * BUG 15363: "samba-tool domain provision" does not run interactive mode if
    no arguments are given.

o Nathaniel W. Turner
  * BUG 15325: dsgetdcname: assumes local system uses IPv4.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.18.3.html

--Enjoy
The Samba Team
[Announce] Samba 4.17.8 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.7
--------------------

o Jeremy Allison
  * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied:
    message level should be lower.
  * BUG 15306: Floating point exception (FPE) via cli_pull_send at
    source3/libsmb/clireadwrite.c.

o Andrew Bartlett
  * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently
    on Rackspace GitLab runners.
  * BUG 15329: Reduce flapping of ridalloc test.
  * BUG 15351: large_ldap test is unreliable.

o Ralph Boehme
  * BUG 15143: New filename parser doesn't check veto files smb.conf
    parameter.
  * BUG 15354: mdssvc may crash when initializing.

o Volker Lendecke
  * BUG 15313: Large directory optimization broken for non-lcomp path
    elements.
  * BUG 15357: streams_depot fails to create streams.
  * BUG 15358: shadow_copy2 and streams_depot don't play well together.
  * BUG 15366: wbinfo -u fails on ad dc with >1000 users.

o Stefan Metzmacher
  * BUG 15317: winbindd idmap child contacts the domain controller without a
    need.
  * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
    first time.
  * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
  * BUG 15323: net ads search -P doesn't work against servers in other
    domains.
  * BUG 15338: DS ACEs might be inherited to unrelated object classes.
  * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.

o Andreas Schneider
  * BUG 15360: Setting veto files = /.*/ breaks listing directories.

o Joseph Sutton
  * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
    allow full write to all attributes (additional changes).
  * BUG 15329: Reduce flapping of ridalloc test.

o Nathaniel W. Turner
  * BUG 15325: dsgetdcname: assumes local system uses IPv4.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.17.8.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.2 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.18 release series.

Changes since 4.18.1
--------------------

o Jeremy Allison
  * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied:
    message level should be lower.
  * BUG 15306: Floating point exception (FPE) via cli_pull_send at
    source3/libsmb/clireadwrite.c.

o Andrew Bartlett
  * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently
    on Rackspace GitLab runners.
  * BUG 15329: Reduce flapping of ridalloc test.
  * BUG 15351: large_ldap test is unreliable.

o Ralph Boehme
  * BUG 15143: New filename parser doesn't check veto files smb.conf
    parameter.
  * BUG 15354: mdssvc may crash when initializing.

o Volker Lendecke
  * BUG 15313: large directory optimization broken for non-lcomp path
    elements.
  * BUG 15357: streams_depot fails to create streams.
  * BUG 15358: shadow_copy2 and streams_depot don't play well together.

o Rob van der Linde
  * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.

o Stefan Metzmacher
  * BUG 15317: winbindd idmap child contacts the domain controller without a
    need.
  * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
    first time.
  * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
  * BUG 15323: net ads search -P doesn't work against servers in other
    domains.
  * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.

o Joseph Sutton
  * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
  * BUG 15343: Tests use deprecated and removed methods like
    assertRegexpMatches.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.18.2.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.1, 4.17.7, 4.16.10 Security Releases are available for Download
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows
  authenticated but otherwise unprivileged users to delete this attribute
  from any object in the directory.
  https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against
  a remote LDAP server, will by default send new or reset passwords over a
  signed-only connection.
  https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
  (Confidential attribute disclosure via LDAP filters) was insufficient and an
  attacker may be able to obtain confidential BitLocker recovery keys from a
  Samba AD DC. Installations with such secrets in their Samba AD should assume
  they have been obtained and need replacing.
  https://www.samba.org/samba/security/CVE-2023-0614.html

Changes
-------

o Douglas Bagnall
  * BUG 15276: CVE-2023-0225.

o Andrew Bartlett
  * BUG 15270: CVE-2023-0614.
  * BUG 15331: ldb wildcard matching makes excessive allocations.
  * BUG 15332: large_ldap test is inefficient.

o Rob van der Linde
  * BUG 15315: CVE-2023-0922.

o Joseph Sutton
  * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
    allow full write to all attributes (additional changes).
  * BUG 15270: CVE-2023-0614.
  * BUG 15276: CVE-2023-0225.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The Samba source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.18.1.html
  https://www.samba.org/samba/history/samba-4.17.7.html
  https://www.samba.org/samba/history/samba-4.16.10.html

If you are building/using ldb from a system library, you'll also need the
related updated ldb tarball, otherwise you can ignore it. The uncompressed ldb
tarballs have been signed using GnuPG (ID 4793916113084025). The ldb source
code can be downloaded from:

  samba-4.18.1:  https://download.samba.org/pub/ldb/ldb-2.7.2.tar.gz
  samba-4.17.7:  https://download.samba.org/pub/ldb/ldb-2.6.2.tar.gz
  samba-4.16.10: https://download.samba.org/pub/ldb/ldb-2.5.3.tar.gz

--Enjoy
The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.16, 4.17
and 4.18 on Wednesday, March 29 2023. Please make sure that your Samba servers
will be updated soon after the release!

Impacted component:

- AD DC (CVSS 5.4, Medium, and CVSS 5.9, Medium, and CVSS 7.7, High)

Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team https://samba.org
SerNet Samba Team https://sernet.de
[Announce] Samba 4.17.6 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.5
--------------------

o Jeremy Allison
  * BUG 15314: streams_xattr is creating unexpected locks on folders.

o Andrew Bartlett
  * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported
    for password hash synchronisation, allowing Samba AD Domains to
    synchronise passwords with this popular cloud environment.

o Ralph Boehme
  * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o Volker Lendecke
  * BUG 15310: New samba-dcerpc architecture does not scale gracefully.

o John Mulligan
  * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
    fsp_get_pathref_fd() in close and fstat.

o Noel Power
  * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
    after free.

o baixiangcpp
  * BUG 15311: fd_load() function implicitly closes the fd where it should
    not.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.17.6.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.0 Available for Download
Release Announcements
---------------------

This is the first stable release of the Samba 4.18 release series. Please read
the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly
as protection against symlink races, caused performance regressions for
metadata heavy workloads. While 4.17 already improved the situation quite a
lot, with 4.18 the locking overhead for contended path based operations is
reduced by an additional factor of ~3 compared to 4.17. It means the
throughput of open/close operations reached the level of 4.12 again.

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by means
of a Python traceback, showing you where in its code it noticed something was
wrong, but not always exactly what is amiss. Now it tries harder to identify
the true cause and restrict its output to describing that. Particular cases
include:

  * a username or password is incorrect
  * an ldb database filename is wrong (including in smb.conf)
  * samba-tool dns: various zones or records do not exist
  * samba-tool ntacl: certain files are missing
  * the network seems to be down
  * bad --realm or --debug arguments

Accessing the old samba-tool messages

This is not new, but users are reminded they can get the full Python stack
trace, along with other noise, by using the argument '-d3'. This may be useful
when searching the web. The intention is that when samba-tool encounters an
unrecognised problem (especially a bug), it will still output a Python
traceback. If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto option,
which determines whether the command outputs ANSI colour codes. Now all
samba-tool commands support this option, which now also accepts 'always' and
'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for
'auto' (this more closely matches convention). With --color=auto, or when
--color is omitted, colour codes are only used when output is directed to a
terminal.

Most commands have very little colour in any case. For those that already used
it, the defaults have changed slightly.

  * samba-tool drs showrepl: default is now 'auto', not 'no'
  * samba-tool visualize: the interactions between --color-scheme, --color,
    and --output have changed slightly. When --color-scheme is set it
    overrides --color for the purpose of the output diagram, but not for
    other output like error messages.

New samba-tool dsacl subcommand for deleting ACEs
-------------------------------------------------

The samba-tool dsacl tool can now delete entries in directory access control
lists. The interface for 'samba-tool dsacl delete' is similar to that of
'samba-tool dsacl set', with the difference being that the ACEs described by
the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places where we
use ANSI colour codes, the NO_COLOR environment variable will disable colour
output. See https://no-color.org/ for a description of this variable.
`samba-tool --color=always` will use colour regardless of NO_COLOR.

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=, which forces the
trust account password to be changed at a specified domain controller. If the
specified domain controller cannot be contacted the password change fails
rather than trying other DCs.

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended attribute
(xattr) of files and directories. The new "acl_xattr:security_acl_name"
option allows redefining the default location.

The default "security.NTACL" is a protected location, which means the content
of the security.NTACL attribute is not accessible from normal users outside of
Samba. When this option is set to use a user-defined value, e.g. user.NTACL,
then any user can potentially access and overwrite this information. The
module prevents access to this xattr over SMB, but the xattr may still be
accessed by other means (e.g. local access, SSH, NFS). This option must only
be used when this consequence is clearly understood and when specific
precautions are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchron
[Announce] Samba 4.18.0rc4 Available for Download
Release Announcements
=====================

This is the fourth release candidate of Samba 4.18. This is *not* intended for
production environments and is designed for testing purposes only. Please
report any defects via the Samba bug reporting system at
https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.

UPGRADING
=========

NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly
as protection against symlink races, caused performance regressions for
metadata heavy workloads. While 4.17 already improved the situation quite a
lot, with 4.18 the locking overhead for contended path based operations is
reduced by an additional factor of ~3 compared to 4.17. It means the
throughput of open/close operations reached the level of 4.12 again.

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by means
of a Python traceback, showing you where in its code it noticed something was
wrong, but not always exactly what is amiss. Now it tries harder to identify
the true cause and restrict its output to describing that. Particular cases
include:

  * a username or password is incorrect
  * an ldb database filename is wrong (including in smb.conf)
  * samba-tool dns: various zones or records do not exist
  * samba-tool ntacl: certain files are missing
  * the network seems to be down
  * bad --realm or --debug arguments

Accessing the old samba-tool messages

This is not new, but users are reminded they can get the full Python stack
trace, along with other noise, by using the argument '-d3'. This may be useful
when searching the web. The intention is that when samba-tool encounters an
unrecognised problem (especially a bug), it will still output a Python
traceback. If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto option,
which determines whether the command outputs ANSI colour codes. Now all
samba-tool commands support this option, which now also accepts 'always' and
'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for
'auto' (this more closely matches convention). With --color=auto, or when
--color is omitted, colour codes are only used when output is directed to a
terminal.

Most commands have very little colour in any case. For those that already used
it, the defaults have changed slightly.

  * samba-tool drs showrepl: default is now 'auto', not 'no'
  * samba-tool visualize: the interactions between --color-scheme, --color,
    and --output have changed slightly. When --color-scheme is set it
    overrides --color for the purpose of the output diagram, but not for
    other output like error messages.

New samba-tool dsacl subcommand for deleting ACEs
-------------------------------------------------

The samba-tool dsacl tool can now delete entries in directory access control
lists. The interface for 'samba-tool dsacl delete' is similar to that of
'samba-tool dsacl set', with the difference being that the ACEs described by
the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places where we
use ANSI colour codes, the NO_COLOR environment variable will disable colour
output. See https://no-color.org/ for a description of this variable.
`samba-tool --color=always` will use colour regardless of NO_COLOR.

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=, which forces the
trust account password to be changed at a specified domain controller. If the
specified domain controller cannot be contacted the password change fails
rather than trying other DCs.

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended attribute
(xattr) of files and directories. The new "acl_xattr:security_acl_name"
option allows redefining the default location.

The default "security.NTACL" is a protected location, which means the content
of the security.NTACL attribute is not accessible from normal users outside of
Samba. When this option is set to use a user-defined value, e.g. user.NTACL,
then any user can potentially access and overwrite this information. The
module prevents access to this xattr over SMB, but the xattr may still be
accessed by other means (e.g. local access, SSH, NFS). This option must only
be used when this consequence is clearly
[Announce] Samba 4.16.9 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.16 release series.

Changes since 4.16.8
--------------------

o Jeremy Allison
  * BUG 14808: smbc_getxattr() return value is incorrect.
  * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
    correctly.
  * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
  * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to
    find DC when there is only an record for the DC in DNS.
  * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.

o Ralph Boehme
  * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o Samuel Cabrero
  * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
    based SChannel on NETLOGON.

o Volker Lendecke
  * BUG 15243: %U for include directive doesn't work for share listing
    (netshareenum).
  * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
  * BUG 15269: ctdb: use-after-free in run_proc.

o Stefan Metzmacher
  * BUG 15243: %U for include directive doesn't work for share listing
    (netshareenum).
  * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
  * BUG 15280: irpc_destructor may crash during shutdown.
  * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o Andreas Schneider
  * BUG 15268: smbclient segfaults with use after free on an optimized build.

o Andrew Walker
  * BUG 15164: Leak in wbcCtxPingDc2.
  * BUG 15265: Access based share enum does not work in Samba 4.16+.
  * BUG 15267: Crash during share enumeration.
  * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
    end of returned buffer.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620). The source code can be downloaded from:

  https://download.samba.org/pub/samba/stable/

The release notes are available online at:

  https://www.samba.org/samba/history/samba-4.16.9.html

--Enjoy
The Samba Team
[Announce] Samba 4.18.0rc3 Available for Download
Release Announcements = This is the third release candidate of Samba 4.18. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.18 will be the next version of the Samba suite. UPGRADING = NEW FEATURES/CHANGES More succinct samba-tool error messages --- Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include: * a username or password is incorrect * an ldb database filename is wrong (including in smb.conf) * samba-tool dns: various zones or records do not exist * samba-tool ntacl: certain files are missing * the network seems to be down * bad --realm or --debug arguments Accessing the old samba-tool messages - This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org. Colour output with samba-tool --color - For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal. 
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly. * samba-tool drs showrepl: default is now 'auto', not 'no' * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages. New samba-tool dsacl subcommand for deleting ACES - The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added. No colour with NO_COLOR environment variable With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR. New wbinfo option --change-secret-at The wbinfo command has a new option, --change-secret-at= which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs. New option to change the NT ACL default location Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. 
The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
---------------------------------------------------------------

Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.

REMOVED FEATURES
================

smb.conf changes
================

  Parameter Name
[Announce] Samba 4.18.0rc2 Available for Download
Release Announcements
=====================

This is the second release candidate of Samba 4.18. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.

UPGRADING
=========

NEW FEATURES/CHANGES
====================

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-------------------------------------

This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'
 * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACEs
-------------------------------------------------

The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR.

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=, which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs.

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows the default location to be redefined. The default "security.NTACL" is a protected location: normal users cannot modify the security.NTACL attribute outside of Samba (on Linux, writing security.* xattrs requires CAP_SYS_ADMIN). When this option is set to a user-defined value, e.g. user.NTACL, any user can potentially access and overwrite this information, subject only to the ordinary file permissions.
The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
---------------------------------------------------------------

Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.

REMOVED FEATURES
================

smb.conf changes
================

  Parameter Name
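The acl_xattr:security_acl_name warning above (the same note appears in the 4.18.0rc3 notes) describes a setting that is easy to overlook in a large smb.conf. The following Python check is an added example, not code from the Samba project: it parses the plain smb.conf grammar ([section] headers, "key = value" lines, '#' and ';' comments, later duplicates winning, share values overriding [global]) and reports every share that loads the acl_xattr module while keeping its NT ACLs outside the security.* namespace. The share names, paths and sample configuration are constructed for the demonstration.

```python
"""Flag Samba shares whose NT ACLs live in an unprotected xattr.

Added example (not Samba project code). Handles the smb.conf grammar smbd
accepts: [section] headers, "key = value" lines, '#'/';' comments, later
duplicates overriding earlier ones, share settings overriding [global].
Share names and paths below are constructed for the demonstration.
"""
from typing import Dict, List, Tuple

DEFAULT_ACL_XATTR = "security.NTACL"   # acl_xattr's built-in default
PROTECTED_PREFIX = "security."         # on Linux, writing security.* needs CAP_SYS_ADMIN

# Constructed sample configuration: one share keeps the default, one moves
# the ACL into the user.* namespace, one does not load acl_xattr at all.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    vfs objects = acl_xattr

[secure]
    path = /srv/secure
    ; explicit, but identical to the default
    acl_xattr:security_acl_name = security.NTACL

[exported]
    path = /srv/exported
    # user.* xattrs follow ordinary file permissions: anyone who can write
    # the file can rewrite its NT ACL with setfattr(1) over SSH or NFS.
    acl_xattr:security_acl_name = user.NTACL

[plain]
    path = /srv/plain
    vfs objects =
    acl_xattr:security_acl_name = user.NTACL
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {option: value}}; section and option names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # smb.conf options always carry an '='
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective(share: Dict[str, str], glob: Dict[str, str], key: str, default: str) -> str:
    """Share-level value if set, else the [global] value, else the default."""
    return share.get(key, glob.get(key, default))


def unprotected_ntacl_shares(text: str) -> List[Tuple[str, str]]:
    """Shares that load acl_xattr and store NT ACLs outside security.*."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[Tuple[str, str]] = []
    for name, share in conf.items():
        if name == "global":
            continue
        vfs_objects = effective(share, glob, "vfs objects", "").split()
        if "acl_xattr" not in vfs_objects:
            continue                      # option is inert when the module is not loaded
        xattr = effective(share, glob, "acl_xattr:security_acl_name", DEFAULT_ACL_XATTR)
        if not xattr.startswith(PROTECTED_PREFIX):
            findings.append((name, xattr))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for share, xattr in unprotected_ntacl_shares(source):
        print(f"[{share}]: NT ACL stored in '{xattr}', outside {PROTECTED_PREFIX}*")
```

Run it against the output of `testparm -s` rather than the raw file, so that include directives are resolved; for the sample above it reports only the [exported] share, since [plain] does not load acl_xattr. Any share it lists needs the precautions the release notes ask for, that is, no local, SSH or NFS write access to the share's files by users who are not also trusted to edit its ACLs.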
[Announce] Samba 4.17.5 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.4
--------------------

o  Jeremy Allison
   * BUG 14808: smbc_getxattr() return value is incorrect.
   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly.
   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an record for the DC in DNS.
   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
   * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
   * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value).

o  Samuel Cabrero
   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes).

o  Volker Lendecke
   * BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15269: ctdb: use-after-free in run_proc.

o  Stefan Metzmacher
   * BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15280: irpc_destructor may crash during shutdown.
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Andreas Schneider
   * BUG 15268: smbclient segfaults with use after free on an optimized build.

o  Jones Syue
   * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.

o  Andrew Walker
   * BUG 15164: Leak in wbcCtxPingDc2.
   * BUG 15265: Access based share enum does not work in Samba 4.16+.
   * BUG 15267: Crash during share enumeration.
   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer.

o  Florian Weimer
   * BUG 15281: Avoid relying on C89 features in a few places.
### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.17.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.18.0rc1 Available for Download
Release Announcements
=====================

This is the first release candidate of Samba 4.18. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.

UPGRADING
=========

NEW FEATURES/CHANGES
====================

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-------------------------------------

This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'
 * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR.

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=, which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs.

REMOVED FEATURES
================

smb.conf changes
================

  Parameter Name                     Description             Default
  --------------                     -----------             -------

KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).
The source code can be downloaded from:

        https://download.samba.org/pub/samba/rc/

The release notes are available online at:

        https://download.samba.org/pub/samba/rc/samba-4.18.0rc1.WHATSNEW.txt

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
  https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022, and per RFC 8429 rc4-hmac is assumed to be weak, vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).
  https://www.samba.org/samba/security/CVE-2022-45141.html

Changes
-------

o  Jeremy Allison
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.

o  Andrew Bartlett
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher
   * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability.
   * BUG 15206: libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4().
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression).

o  Noel Power
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the same size.

o  Anoop C S
   * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o  Andreas Schneider
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST.
[Announce] Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.
  https://www.samba.org/samba/security/CVE-2022-42898.html

Changes
-------

o  Joseph Sutton
   * BUG 15203: CVE-2022-42898

o  Nicolas Williams
   * BUG 15203: CVE-2022-42898

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.17.3.html
        https://www.samba.org/samba/history/samba-4.16.7.html
        https://www.samba.org/samba/history/samba-4.15.12.html

                        --Enjoy
                        The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.15, 4.16 and 4.17 on Tuesday, November 15 2022.

Please make sure that your Samba servers will be updated soon after the release!

Impacted components:
- AD DC (CVSS 6.4, Medium)

Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team    https://samba.org
SerNet Samba Team             https://sernet.de
[Announce] Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases Available for Download
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (included in Samba).
  https://www.samba.org/samba/security/CVE-2022-3437.html

o CVE-2022-3592: A malicious client can use a symlink to escape the exported directory. (4.17 only)
  https://www.samba.org/samba/security/CVE-2022-3592.html

Changes
-------

o  Volker Lendecke
   * BUG 15207: CVE-2022-3592.

o  Joseph Sutton
   * BUG 15134: CVE-2022-3437.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.17.2.html
        https://www.samba.org/samba/history/samba-4.16.6.html
        https://www.samba.org/samba/history/samba-4.15.11.html

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.17.1 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.17 release series.

Changes since 4.17.0
--------------------

o  Jeremy Allison
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o  Douglas Bagnall
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o  Andrew Bartlett
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.

o  Ralph Boehme
   * BUG 15182: Flush on a named stream never completes.

o  Volker Lendecke
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o  Gary Lockyer
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.

o  Stefan Metzmacher
   * BUG 15200: multi-channel socket passing may hit a race if one of the involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others).

o  Noel Power
   * BUG 15205: Since popt1.19 various use after free errors using result of poptGetArg are now exposed.

o  Anoop C S
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs.

o  Andreas Schneider
   * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.

o  Joseph Sutton
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented atomically.
Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.17.1.html

                        --Enjoy
                        The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.15, 4.16 and 4.17 on Tuesday, October 25 2022.

Please make sure that your Samba servers will be updated soon after the release!

Impacted components:
- AD DC (CVSS 5.9, Medium)
- Fileserver (CVSS 5.4, Medium)

Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team    https://samba.org
SerNet Samba Team             https://sernet.de
[Announce] Samba 4.15.10 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.9
--------------------

o  Jeremy Allison
   * BUG 15128: Possible use after free of connection_struct when iterating smbd_server_connection->connections.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.

o  Ralph Boehme
   * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is disabled on a share.
   * BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
   * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
   * BUG 15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.

o  Stefan Metzmacher
   * BUG 15148: Missing READ_LEASE break could cause data corruption.

o  Andreas Schneider
   * BUG 15124: rpcclient can crash using setuserinfo(2).
   * BUG 15132: Samba fails to build with glibc 2.36 caused by including in libreplace.

o  Joseph Sutton
   * BUG 15152: SMB1 negotiation can fail to handle connection errors.

o  Michael Tokarev
   * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).
The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.15.10.html

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.17.0rc3 Available for Download
Release Announcements
=====================

This is the third release candidate of Samba 4.17. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.17 will be the next version of the Samba suite.

UPGRADING
=========

NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata-heavy workloads. With 4.17 the situation has improved a lot again:

- Pathnames given by a client are divided into dirname and basename. The number of syscalls needed to validate dirnames is reduced to 2 syscalls (openat, close) per component. On modern Linux kernels (>= 5.6) smbd makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, in order to use just 2 syscalls (openat2, close) for the whole dirname.

- Contended path-based operations used to generate a lot of unsolicited wakeup events, causing thundering-herd problems which led to massive latencies for some clients. These events are now avoided in order to provide stable latencies and much higher throughput of open/close operations.

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:

    --with-smb1-server
    --without-smb1-server

By default (without either of these options set) Samba is configured to include SMB1 support (i.e. --with-smb1-server is the default).

When Samba is configured without SMB1 support, none of the SMB1 code is included inside smbd except the minimal stub code needed to allow a client to connect as SMB1 and immediately negotiate the selected protocol into SMB2 (as a Windows server also allows).
None of the SMB1-only smb.conf parameters are removed when configured without SMB1, but these parameters are ignored by the smbd server. This allows deployment without having to change an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers.

Bronze bit and S4U support with MIT Kerberos 1.20
-------------------------------------------------

In 2020 the Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update for CVE-2020-17049, the Kerberos KDC Security Feature Bypass Vulnerability, also known as 'Bronze Bit'. With this vulnerability, a compromised service that is configured to use the Kerberos constrained delegation feature could tamper with a service ticket that is not valid for delegation (the ticket's forwardable flag is protected only by the service's own key, so the service itself can set it) to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the 'Bronze Bit' attack. The MIT Kerberos KDC's KDB (Kerberos Database Driver) API was changed to allow passing more details between the KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20, but the 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the 'Bronze Bit' issue, Samba AD DC now fully supports the S4U2Self and S4U2Proxy Kerberos extensions.

Resource Based Constrained Delegation (RBCD) support
----------------------------------------------------

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Samba's S4U test suite. Note that samba-tool lacks support for setting this up yet!

To complete RBCD support and make it useful to administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation.
This is available for Samba AD compiled with MIT Kerberos 1.20.

[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

Customizable DNS listening port
-------------------------------

It is now possible to set a custom listening port for the builtin DNS service, making it easy to host another DNS server on the same system that binds to the default port and forwards the domain-specific queries to Samba using the custom port.

This is the opposite of setting a forwarder in Samba: it makes it possible to use another DNS server as a front end and have it forward to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when forwarding to Samba. Dynamic DNS update proxying depends on the features of the other DNS server used as a front end.

CTDB changes
------------

* When Samba is configured with both --with-cluster-supp
[Announce] Samba 4.16.4, 4.15.9, 4.14.14 Security Releases are available for Download
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords.
  https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
  https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request.
  https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.
  https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
  https://www.samba.org/samba/security/CVE-2022-32742.html

Changes
-------

o  Jeremy Allison
   * BUG 15085: CVE-2022-32742.

o  Andrew Bartlett
   * BUG 15009: CVE-2022-32746.

o  Andreas Schneider
   * BUG 15047: CVE-2022-2031.

o  Joseph Sutton
   * BUG 15008: CVE-2022-32745.
   * BUG 15009: CVE-2022-32746.
   * BUG 15047: CVE-2022-2031.
   * BUG 15074: CVE-2022-32744.

Download Details
----------------

The uncompressed Samba tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).
The Samba source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.16.4.html https://www.samba.org/samba/history/samba-4.15.9.html https://www.samba.org/samba/history/samba-4.14.14.html If you are building/using ldb from a system library, you'll also need the related updated ldb tarball, otherwise you can ignore it. The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). The ldb source code can be downloaded from: samba-4.16.4: https://download.samba.org/pub/ldb/ldb-2.5.2.tar.gz samba-4.15.9: https://download.samba.org/pub/ldb/ldb-2.4.4.tar.gz samba-4.14.14: https://download.samba.org/pub/ldb/ldb-2.3.4.tar.gz Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.14, 4.15
and 4.16 on Wednesday, July 27 2022.

Please make sure that your Samba servers will be updated soon after the
release!

Impacted components:
- File server (CVSS 4.3, Medium)
- AD DC (CVSS 8.8, High, and CVSS 5.4, Medium)

Cheers,
Jule Anger

-- 
Jule Anger
Release Manager Samba Team      https://samba.org
SerNet Samba Team               https://sernet.de
[Announce] Samba 4.15.8 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.7
--------------------

o   Jeremy Allison
    * BUG 15042: Use pathref fd instead of io fd in
      vfs_default_durable_cookie.
    * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.

o   Douglas Bagnall
    * BUG 14986: Add support for bind 9.18.
    * BUG 15076: logging dsdb audit to specific files does not work.

o   Ralph Boehme
    * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if
      original file had been deleted.

o   Samuel Cabrero
    * BUG 15087: netgroups support removed.

o   Samuel Cabrero
    * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on
      contacted server.

o   Stefan Metzmacher
    * BUG 15071: waf produces incorrect names for python extensions with
      Python 3.11.

o   Noel Power
    * BUG 15100: smbclient commands del & deltree fail with
      NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.

o   Christof Schmitt
    * BUG 15055: vfs_gpfs recalls=no option prevents listing files.

o   Andreas Schneider
    * BUG 15071: waf produces incorrect names for python extensions with
      Python 3.11.
    * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
    * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.

o   Andreas Schneider
    * BUG 15054: smbd doesn't handle UPNs for looking up names.

o   Robert Sprowson
    * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or #samba-technical
IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.  All bug reports should be filed under
the Samba 4.1 and newer product in the project's Bugzilla database
(https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620).  The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.15.8.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team

-- 
Jule Anger
Release Manager Samba Team      https://samba.org
SerNet Samba Team               https://sernet.de
[Announce] Samba 4.14.13 Available for Download
Release Announcements
---------------------

This is the last bugfix release of the Samba 4.14 release series.
There will be security releases only beyond this point.

Changes since 4.14.12
---------------------

o   Jeremy Allison
    * BUG 14169: Renaming file on DFS root fails with
      NT_STATUS_OBJECT_PATH_NOT_FOUND.
    * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when
      opening 2 objects with same lease key.
    * BUG 14938: NT error code is not set when overwriting a file during
      rename in libsmbclient.

o   Douglas Bagnall
    * BUG 14996: Fix ldap simple bind with TLS auditing.

o   Ralph Boehme
    * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on
      contacted server.

o   Samuel Cabrero
    * BUG 14979: Problem when winbind renews Kerberos.

o   Pavel Filipenský
    * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special
      file.

o   Elia Geretto
    * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of
      EACCES in SMBC_server_internal.

o   Björn Jacke
    * BUG 13631: DFS fix for AIX broken.

o   Stefan Metzmacher
    * BUG 13879: Simple bind doesn't work against an RODC (with
      non-preloaded users).
    * BUG 14641: Crash of winbind on RODC.
    * BUG 14865: Uncached logon on RODC always fails once.
    * BUG 14951: KVNO off by 10.
    * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
      gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
    * BUG 14984: Changing the machine password against an RODC likely
      destroys the domain join.
    * BUG 14993: authsam_make_user_info_dc() steals memory from its
      struct ldb_message *msg argument.
    * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
    * BUG 15001: LDAP simple binds should honour "old password allowed
      period".
    * BUG 15003: wbinfo -a doesn't work reliable with upn names.

o   Garming Sam
    * BUG 13879: Simple bind doesn't work against an RODC (with
      non-preloaded users).

o   Joseph Sutton
    * BUG 14621: "password hash userPassword schemes = CryptSHA256" does
      not seem to work with samba-tool.
    * BUG 14984: Changing the machine password against an RODC likely
      destroys the domain join.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or #samba-technical
IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.  All bug reports should be filed under
the Samba 4.1 and newer product in the project's Bugzilla database
(https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620).  The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.14.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.16.0rc4 Available for Download
Release Announcements
=====================

This is the fourth release candidate of Samba 4.16.  This is *not* intended
for production environments and is designed for testing purposes only.
Please report any defects via the Samba bug reporting system at
https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.

UPGRADING
=========

NEW FEATURES/CHANGES
====================

New samba-dcerpcd binary to provide DCERPC in the member server setup
----------------------------------------------------------------------

In order to make it much easier to break out the DCERPC services from smbd,
a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without startup
script modification it is invoked on demand from smbd or winbind --np-helper
to serve DCERPC over named pipes. Note that in order to run in this mode the
smb.conf [global] section has a new parameter
"rpc start on demand helpers = [true|false]". This parameter is set to
"true" by default, meaning no changes to smb.conf files are needed to run
samba-dcerpcd on demand as a named pipe helper.

It can also be used in a standalone mode where it is started separately
from smbd or winbind, but this requires changes to system startup scripts
and, in addition, a change to smb.conf, setting the new [global] parameter
"rpc start on demand helpers = false". If "rpc start on demand helpers" is
not set to false, samba-dcerpcd will refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller mode
the samba binary that provides the AD code will still provide its normal
DCERPC services whilst allowing samba-dcerpcd to provide services like
SRVSVC in the same way that smbd used to in this configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba framework,
for example, use with the Linux kernel SMB2 server ksmbd or possibly other
SMB2 server implementations.

Certificate Auto Enrollment
---------------------------

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy. To
enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes.

Samba Certificate Auto Enrollment depends on certmonger, the cepces
certmonger plugin, and sscep. Samba uses sscep to download the CA root
chain, then uses certmonger paired with cepces to monitor the host
certificate templates. Certificates are installed in /var/lib/samba/certs
and private keys are installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
-----------------------------------------------------------------------

The internal DNS server of Samba forwards queries for non-AD zones to one or
more configured forwarders. Up until now it has been assumed that these
forwarders listen on port 53. Starting with this version it is possible to
configure the port using host:port notation. See smb.conf for more details.
Existing setups are not affected, as the default port is 53.

CTDB changes
------------

* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been deprecated
  and will be removed in a future version. Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not done and
  leader elections use a race for the cluster lock. This avoids various
  conditions where a node is elected leader but can not take the cluster
  lock. Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes
  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a better
  abbreviation eludes us (i.e. "clock" is obviously bad) and changing all
  instances would require a lot of churn. If the abbreviation "reclock" for
  "cluster lock" is confusing, please consider mentally prefixing
[Announce] Samba 4.16.0rc3 Available for Download
Release Announcements
=====================

This is the third release candidate of Samba 4.16.  This is *not* intended
for production environments and is designed for testing purposes only.
Please report any defects via the Samba bug reporting system at
https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.
[Announce] Samba 4.16.0rc2 Available for Download
Release Announcements
=====================

This is the second release candidate of Samba 4.16.  This is *not* intended
for production environments and is designed for testing purposes only.
Please report any defects via the Samba bug reporting system at
https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.
Heads-up: Upcoming Samba security releases
Hi,

this is a heads-up that there will be Samba security updates for 4.13, 4.14
and 4.15 on Monday, January 31 2022.

Please make sure that your Samba servers will be updated soon after the
release!

Impacted components:
- File server (CVSS 4.2, Medium)
- AD DC (CVSS 8.8, High)
- VFS Modules (CVSS 9.9, Critical)

Cheers,
Jule Anger

-- 
Jule Anger
Release Manager Samba Team      https://samba.org
SerNet Samba Team               https://sernet.de
[Announce] Samba 4.16.0rc1 Available for Download
Release Announcements
=====================

This is the first release candidate of Samba 4.16.  This is *not* intended
for production environments and is designed for testing purposes only.
Please report any defects via the Samba bug reporting system at
https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.
[Announce] Samba 4.15.4 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.3
--------------------

o   Jeremy Allison
    * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
      poisoning.
    * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1
      before calling the "Reconnecting with SMB1 for workgroup listing"
      path.
    * BUG 14944: Missing pop_sec_ctx() in error path inside
      close_directory().

o   Pavel Filipenský
    * BUG 14940: Cross device copy of the crossrename module always fails.
    * BUG 14941: symlinkat function from VFS cap module always fails with
      an error.
    * BUG 14942: Fix possible fsp pointer deference.

o   Volker Lendecke
    * BUG 14934: kill_tcp_connections does not work.

o   Stefan Metzmacher
    * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size
      Error - NT_STATUS_BUFFER_TOO_SMALL.
    * BUG 14935: Can't connect to Windows shares not requiring
      authentication using KDE/Gnome.

o   Andreas Schneider
    * BUG 14945: "smbd --build-options" no longer works without an smb.conf
      file.

o   Jones Syue
    * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
      poisoning.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.  All bug reports should be filed under
the Samba 4.1 and newer product in the project's Bugzilla database
(https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG
(ID AA99442FB680B620).  The source code can be downloaded from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.15.4.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba meta-data symlink vulnerability CVE-2021-20316
Security Advisory
-----------------

All versions of the Samba file server prior to 4.15.0 are affected by
CVE-2021-20316.  There will be no patches available for older Samba versions
before 4.15, and 4.15 itself is already secure.

* CVE-2021-20316: Symlink race error can allow metadata read and modify
                  outside of the exported share.
                  https://www.samba.org/samba/security/CVE-2021-20316.html

Please update affected systems as soon as possible.

=== Details ===

All versions of Samba prior to 4.15.0 are vulnerable to a malicious client
using an SMB1 or NFS symlink race to allow filesystem metadata to be accessed
in an area of the server file system not exported under the share
definition.

Note that SMB1 has to be enabled, or the share also available via NFS, in
order for this attack to succeed.

Clients that have write access to the exported part of the file system under
a share via SMB1 unix extensions or NFS can create symlinks that can race the
server by renaming an existing path and then replacing it with a symlink.

If the client wins the race it can cause the server to read or modify file
or directory metadata on the symlink target.  The authenticated user must
have permissions to read or modify the metadata of the target of the symlink
in order to perform the operation outside of the share.

Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions, and ownership.

This is a difficult race to win, but theoretically possible.  Note that the
proof of concept code supplied wins the race only when the server is slowed
down and put under heavy load.  Exploitation of this bug has not been seen
in the wild.

== Patch Availability ==

Prior to Samba 4.15.0 patches for this are not possible, due to the prior
design of the Samba VFS layer which used pathname-based calls for most
meta-data operations.

A two and a half year effort was undertaken to completely re-write the Samba
VFS layer to stop use of pathname-based calls in all cases involving reading
and writing of metadata returned to the client.  This work has finally been
completed in Samba 4.15.0.

Pathname-based VFS calls are still used as an initial optimization to
determine if a client requested path exists, but when data is returned to
the client or written onto the underlying filesystem then the target
component is first opened as a file handle, going through rigorous checking
to ensure it is contained within the share path.  All meta-data is then
refreshed from or written to the open handle, not via pathname-based VFS
calls.

As all operations are now done on an open handle we believe that any further
symlink race conditions have been completely eliminated in Samba 4.15.0 and
all future versions of Samba.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.  All bug reports should be filed under
the Samba 4.1 and newer product in the project's Bugzilla database
(https://bugzilla.samba.org/).

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
[Announce] Samba 4.13.16 Security Release is available for Download
Release Announcements

This is a security release in order to address the following defects:

o CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.
  https://www.samba.org/samba/security/CVE-2021-43566.html

Details
=======

o CVE-2021-43566:
  All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

  Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system.

  The authenticated user must have permissions to create a directory under the target directory of the symlink.

  This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild.

Changes since 4.13.15
---------------------

o  Jeremy Allison
   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.libera.chat or the #samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.13.16.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
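The two passages above, the 4.15.0 notes on replacing pathname-based VFS calls with operations on an open handle and the CVE-2021-43566 description of the mkdir race, describe the same bug class from both sides. The following C program is an added illustration written for this page, not Samba code: `mkdir_pathname()` is a minimal check-then-act server that a client who wins the rename-then-symlink race can push outside the share, and `mkdir_handle()` is the handle-based equivalent, opening each path component from the share root with O_NOFOLLOW|O_DIRECTORY and calling mkdirat() on the pinned parent handle. The race itself is not raced: a hook (`swap_dir_for_symlink`) stands in for a client that has already won it, so the outcome is deterministic. All function and path names are hypothetical; the program assumes Linux/POSIX and a writable /tmp.

```c
/* Added example written for this page, not Samba code: the check-then-act mkdir
 * behind CVE-2021-43566 beside the handle-based version the Samba 4.15 VFS rewrite
 * adopted. Linux/POSIX, writable /tmp. A hook plays the client that won the race. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
typedef void (*race_hook)(void *ctx);
struct attacker { const char *share; const char *outside; };
/* The client's move (SMB1 unix extensions or NFS): rename the checked dir, drop a symlink. */
static void swap_dir_for_symlink(void *ctx)
{
    struct attacker *a = ctx;
    char dir[PATH_MAX], moved[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/docs", a->share);
    snprintf(moved, sizeof moved, "%s/docs.moved", a->share);
    rename(dir, moved);
    symlink(a->outside, dir);
}
/* VULNERABLE: lstat() and mkdir() are two independent pathname lookups, so mkdir()
 * can resolve a symlink that lstat() never saw. */
static int mkdir_pathname(const char *share, const char *parent, const char *leaf,
                          race_hook hook, void *ctx)
{
    char pdir[PATH_MAX], full[PATH_MAX];
    struct stat st;
    snprintf(pdir, sizeof pdir, "%s/%s", share, parent);
    if (lstat(pdir, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;              /* "parent is a real directory inside the share" */
    if (hook) hook(ctx);        /* <-- the race window */
    snprintf(full, sizeof full, "%s/%s", pdir, leaf);
    return mkdir(full, 0700);   /* follows whatever now sits at pdir */
}
/* HARDENED: open every component from the share root with O_NOFOLLOW|O_DIRECTORY (a
 * symlink fails with ELOOP), then mkdirat() on the open parent. smbd uses O_PATH handles. */
static int mkdir_handle(const char *share, const char *parent, const char *leaf,
                        race_hook hook, void *ctx)
{
    char buf[PATH_MAX], *comp, *save;
    int dirfd, next, rc;
    if (parent[0] == '/' || strlen(parent) >= sizeof buf || strchr(leaf, '/') ||
        strcmp(leaf, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, parent);
    if ((dirfd = open(share, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0)
        return -1;
    for (comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(dirfd);
        if (next < 0)
            return -1;          /* ELOOP: a symlink where a directory was expected */
        dirfd = next;
    }
    if (hook) hook(ctx);        /* same window, harmless: the fd pins the checked inode */
    rc = mkdirat(dirfd, leaf, 0700);
    close(dirfd);
    return rc;
}
enum { REFUSED = 0, INSIDE = 1, ESCAPED = 2 };
/* Throw-away share with a real "docs" directory plus a directory outside it; runs one
 * server against the attacker hook and reports where "new" ended up. */
static int run_scenario(int (*server)(const char *, const char *, const char *,
                                      race_hook, void *))
{
    char share_t[] = "/tmp/share.XXXXXX", outside_t[] = "/tmp/outside.XXXXXX", p[PATH_MAX];
    struct attacker a = { share_t, outside_t };
    struct stat st;
    int where = REFUSED;
    if (!mkdtemp(share_t) || !mkdtemp(outside_t))
        return -1;
    snprintf(p, sizeof p, "%s/docs", a.share);
    mkdir(p, 0700);
    server(a.share, "docs", "new", swap_dir_for_symlink, &a);
    snprintf(p, sizeof p, "%s/new", a.outside);
    if (lstat(p, &st) == 0) { where = ESCAPED; rmdir(p); }
    snprintf(p, sizeof p, "%s/docs.moved/new", a.share);
    if (lstat(p, &st) == 0) { where = INSIDE; rmdir(p); }
    snprintf(p, sizeof p, "%s/docs.moved", a.share); rmdir(p);
    snprintf(p, sizeof p, "%s/docs", a.share); unlink(p);
    rmdir(a.share); rmdir(a.outside);
    return where;
}
int scenario_pathname(void) { return run_scenario(mkdir_pathname); }
int scenario_handle(void)   { return run_scenario(mkdir_handle); }
int main(void)
{   /* 0 = refused, 1 = created inside the share, 2 = escaped the share */
    printf("pathname-based: %d\nhandle-based:   %d\n", scenario_pathname(), scenario_handle());
    return 0;
}
```

With the hook in place the pathname-based server creates `new` under the directory outside the share, which is exactly the escape the advisory describes, while the handle-based server creates it inside the share under the renamed directory because mkdirat() acts on the inode it already opened. A component that is a symlink at walk time never gets that far: openat() with O_NOFOLLOW|O_DIRECTORY fails with ELOOP before anything is created, and ".." or an absolute client path is rejected up front. The real smbd walk uses O_PATH "pathref" handles (see BUG 14771 in the 4.14.8 notes below); O_RDONLY is used here only to keep the example portable.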
Heads-up: Upcoming Samba security release for 4.13
Hi,

this is a heads-up that there will be a Samba security update for 4.13 on Monday, January 10 2022. Please make sure that your Samba servers will be updated soon after the release!

Impacted components:

- file server (CVSS 2.6, Low)

Cheers,
Jule Anger

-- 
Jule Anger
Release Manager Samba Team    https://samba.org
SerNet Samba Team             https://sernet.de
[Announce] Samba 4.14.11 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.14 release series.

Important Notes
===============

There have been a few regressions in the security release 4.14.10:

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ! The instructions have been updated and some workarounds initially advised for 4.14.10 are no longer required and should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.
  While this release should fix this bug, it is advised to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.14.10
---------------------

o  Jeremy Allison
   * BUG 14878: Recursive directory delete with veto files is broken.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.

o  Andrew Bartlett
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14694: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
   * BUG 14922: Kerberos authentication on standalone server in MIT realm broken.
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

o  Joseph Sutton
   * BUG 14694: Ensure that the LDB request has not timed out during filter processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.14.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.13.15 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.13 release series.

Important Notes
===============

There have been a few regressions in the security release 4.13.14:

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ! The instructions have been updated and some workarounds initially advised for 4.13.14 are no longer required and should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.
  While this release should fix this bug, it is advised to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.13.14
---------------------

o  Andrew Bartlett
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme
   * BUG 14922: Kerberos authentication on standalone server in MIT realm broken.

o  Alexander Bokovoy
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

o  Joseph Sutton
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.13.15.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.15.3 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.15 release series.

Important Notes
===============

There have been a few regressions in the security release 4.15.2:

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ! The instructions have been updated and some workarounds initially advised for 4.15.2 are no longer required and should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.
  While this release should fix this bug, it is advised to have a look at the bug report for more detailed information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.15.2
--------------------

o  Jeremy Allison
   * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory.
   * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals().

o  Andrew Bartlett
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
   * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
   * BUG 14897: Samba process doesn't log to logfile.
   * BUG 14907: set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert.
   * BUG 14922: Kerberos authentication on standalone server in MIT realm broken.
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Günther Deschner
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
   * BUG 14893: winexe crashes since 4.15.0 after popt parsing.

o  Volker Lendecke
   * BUG 14908: net ads status -P broken in a clustered environment.

o  Stefan Metzmacher
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

o  Andreas Schneider
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
   * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.
   * BUG 14883: smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC.
   * BUG 14912: A schannel client incorrectly detects a downgrade connecting to an AES only server.
   * BUG 14921: Possible null pointer dereference in winbind.

o  Martin Schwenke
   * BUG 14872: Add Debian 11 CI bootstrap support.

o  Joseph Sutton
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.

o  Andrew Walker
   * BUG 14888: Crash in recycle_unlink_internal().

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.15.3.html
Re: [Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download
Hi,

>> There's sadly a regression that "allow trusted domains = no" prevents
>> winbindd from starting, we'll try to provide a follow up fix as soon
>> as possible.
>
> The regression fix is discussed on this merge request:
> https://gitlab.com/samba-team/samba/-/merge_requests/2246

The backported fixes are available at
https://bugzilla.samba.org/show_bug.cgi?id=14899

Please also notice the additional fix and advanced example for the 'username map [script]' based fallback from 'DOMAIN\user' to 'user'.

https://bugzilla.samba.org/show_bug.cgi?id=14901
https://gitlab.com/samba-team/samba/-/merge_requests/2251

metze
Re: [Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download
Hi,

> There's sadly a regression that "allow trusted domains = no" prevents
> winbindd from starting, we'll try to provide a follow up fix as soon
> as possible.

The regression fix is discussed on this merge request:
https://gitlab.com/samba-team/samba/-/merge_requests/2246

metze
[Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download
Release Announcements

These are security releases in order to address the following defects:

o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738: Use after free in Samba AD DC RPC server.
  https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
  https://www.samba.org/samba/security/CVE-2021-23192.html

There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, we'll try to provide a follow up fix as soon as possible.

Changes:

o  Douglas Bagnall
   * CVE-2020-25722

o  Andrew Bartlett
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722

o  Ralph Boehme
   * CVE-2020-25717

o  Alexander Bokovoy
   * CVE-2020-25717

o  Samuel Cabrero
   * CVE-2020-25717

o  Nadezhda Ivanova
   * CVE-2020-25722

o  Stefan Metzmacher
   * CVE-2016-2124
   * CVE-2020-25717
   * CVE-2020-25719
   * CVE-2020-25722
   * CVE-2021-23192
   * CVE-2021-3738
   * ldb release 2.3.2 (for Samba 4.14.10)
   * ldb release 2.2.3 (for Samba 4.13.14)

o  Andreas Schneider
   * CVE-2020-25719

o  Joseph Sutton
   * CVE-2020-17049
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722
   * MS CVE-2020-17049

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.libera.chat or the #samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.15.2.html
https://www.samba.org/samba/history/samba-4.14.10.html
https://www.samba.org/samba/history/samba-4.13.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
Re: Upcoming Samba security release
Hi,

the release will happen around 18:00 UTC November 9th.

metze

> this is a heads-up that there will be Samba security updates
> on Tuesday, November 9. Please make sure that your Samba servers
> will be updated immediately after the release!
>
> Impacted components:
>
> * AD DC (CVSS 8.8, high)
> * AD Domain member (CVSS 8.1, high)
> * File server (CVSS 4.8 medium)
>
> Cheers,
>
> Andrew Bartlett
>
Upcoming Samba security release
Hi,

this is a heads-up that there will be Samba security updates on Tuesday, November 9. Please make sure that your Samba servers will be updated immediately after the release!

Impacted components:

* AD DC (CVSS 8.8, high)
* AD Domain member (CVSS 8.1, high)
* File server (CVSS 4.8 medium)

Cheers,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
[Announce] Samba 4.13.13 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.12
---------------------

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  David Mulder
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.13.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.9 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.8
--------------------

o  Jeremy Allison
   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Ralph Boehme
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Martin Schwenke
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.14.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.15.1 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.15 release series.

Changes since 4.15.0
--------------------

o  Jeremy Allison
   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
   * BUG 14685: Log clutter from filename_convert_internal.
   * BUG 14862: MacOSX compilation fixes.

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.

o  Andrew Bartlett
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.

o  Ralph Boehme
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.

o  Pavel Filipenský
   * BUG 14852: Fix that child winbindd logs to log.winbindd instead of log.wb-.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

o  Stefan Metzmacher
   * BUG 14855: SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used.

o  Alex Richardson
   * BUG 14862: MacOSX compilation fixes.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.

o  Martin Schwenke
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating the salt.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.15.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.8 Available for Download
Release Announcements

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.7
--------------------

o  Jeremy Allison
   * BUG 14742: Python ldb.msg_diff() memory handling failure.
   * BUG 14805: OpenDir() loses the correct errno return.
   * BUG 14809: Shares with variable substitutions cause core dump upon connection from MacOS Big Sur 11.5.2.
   * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build.

o  Andrew Bartlett
   * BUG 14806: Address a significant performance regression in database access in the AD DC since Samba 4.12.
   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
   * BUG 14819: Address flapping dsdb_schema_attributes test.
   * BUG 14841: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.

o  Ralph Boehme
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
   * BUG 14787: net conf list crashes when run as normal user.
   * BUG 14790: vfs_btrfs compression support broken.
   * BUG 14804: winbindd can crash because idmap child state is not fully initialized.

o  Luke Howard
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

o  Volker Lendecke
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

o  Gary Lockyer
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

o  Stefan Metzmacher
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

o  Andreas Schneider
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

o  Martin Schwenke
   * BUG 14784: Fix CTDB flag/status update race conditions.

o  Joseph Sutton
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
https://download.samba.org/pub/samba/stable/

The release notes are available online at:
https://www.samba.org/samba/history/samba-4.14.8.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.13.12 Available for Download
Release Announcements - This is the latest stable release of the Samba 4.13 release series. Changes since 4.13.11 - o Andrew Bartlett * BUG 14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12. * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache. * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. * BUG 14818: Address flapping samba_tool_drs_showrepl test. * BUG 14819: Address flapping dsdb_schema_attributes test. o Björn Baumbach * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ o Luke Howard * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Volker Lendecke * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Gary Lockyer * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Stefan Metzmacher * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Andreas Schneider * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. o Martin Schwenke * BUG 14784: Fix CTDB flag/status update race conditions. o Joseph Sutton * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. ### Reporting bugs & Development Discussion ### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). 
======================================================================
                "Our Code, Our Bugs, Our Responsibility."
                        The Samba Team
======================================================================

Download Details
----------------
The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
    https://download.samba.org/pub/samba/stable/

The release notes are available online at:
    https://www.samba.org/samba/history/samba-4.13.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.15.0 Available for Download
Release Announcements
=====================
This is the first stable release of the Samba 4.15 release series. Please read the release notes carefully before upgrading.

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC
------------------------------------------------
The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222.

NEW FEATURES/CHANGES
====================

VFS
---
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world. For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit https://wiki.samba.org/index.php/The_New_VFS.

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options. Several command line options also have a smb.conf variable to control the default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is set up to go to a file by default.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos    -> --use-kerberos=required|desired|off
  --krb5-ccache -> --use-krb5-ccache=CCACHE
  --scope       -> --netbios-scope=SCOPE
  --use-ccache  -> --use-winbind-ccache

Options remove
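The 4.15.0 notes above publish the new release key (AA99442FB680B620) with its full fingerprint, and the download details for every release on this page state that the signature covers the *uncompressed* tarball. The script below is an added example for this page, not Samba project code, showing how to pin the announced fingerprint rather than trusting a key ID, and how to verify the detached .asc over the decompressed stream. It accepts only a VALIDSIG status line whose primary-key fingerprint is the release key (GOODSIG alone names a 64-bit key ID, which is not a fingerprint). The colon-format and status-fd samples embedded in it are constructed, not captured from a real download; only verify_release() assumes gpg and gunzip on PATH.

```python
"""Verify a Samba release download against the announced release key.

Added example for this page (not Samba project code). Only verify_release()
needs gpg and gunzip on PATH; the parsing helpers run offline.
"""
import subprocess
from typing import List

# Fingerprints exactly as printed in the 4.15.0 release notes.
NEW_RELEASE_FPR = "81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620"  # AA99442FB680B620
OLD_RELEASE_FPR = "52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA"  # 6F33915B6568B7EA, expired


def normalize_fpr(fpr: str) -> str:
    """Strip the display grouping so fingerprints compare byte-for-byte."""
    return "".join(fpr.split()).upper()


def primary_fingerprints(colon_output: str) -> List[str]:
    """Primary-key fingerprints from `gpg --with-colons --fingerprint` output.

    The 'fpr' record directly after a 'pub' record belongs to the primary key;
    'fpr' records after 'sub'/'ssb' records are subkeys and are ignored, because
    the announcement pins the primary key, not its subkeys.
    """
    found, after_pub = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            found.append(fields[9])       # field 10 of an fpr record is the hex fingerprint
            after_pub = False
        elif fields[0] in ("sub", "ssb"):
            after_pub = False
    return found


def is_release_key(colon_output: str, expected: str = NEW_RELEASE_FPR) -> bool:
    """True if the expected primary fingerprint is present in the listing."""
    return normalize_fpr(expected) in primary_fingerprints(colon_output)


def signature_ok(status_output: str, expected: str = NEW_RELEASE_FPR) -> bool:
    """Accept only a VALIDSIG whose primary-key fingerprint is the release key.

    VALIDSIG fields: sig fpr, date, timestamp, expiry, version, reserved,
    pubkey algo, hash algo, sig class, primary-key fpr. Requiring the last
    field ties a signing subkey back to the announced primary key.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return normalize_fpr(parts[-1]) == normalize_fpr(expected)
    return False


def verify_release(tarball_gz: str, signature_asc: str) -> bool:
    """Check a detached .asc over the *uncompressed* tarball, as Samba signs it."""
    gunzip = subprocess.Popen(["gunzip", "-c", tarball_gz], stdout=subprocess.PIPE)
    gpg = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_asc, "-"],
        stdin=gunzip.stdout, capture_output=True, text=True, check=False)
    gunzip.stdout.close()
    gunzip.wait()
    return gpg.returncode == 0 and signature_ok(gpg.stdout)


# Constructed samples (not real gpg output captured from a Samba download).
SAMPLE_COLONS = "\n".join([
    "pub:u:4096:1:AA99442FB680B620:1608508800:1671580800::u:::scESC::::::23::0:",
    "fpr:::::::::81F5E2832BD2545A1897B713AA99442FB680B620:",
    "uid:u::::1608508800::0123456789ABCDEF0123456789ABCDEF01234567::Samba Distribution Verification Key::::::::::0:",
    "sub:u:4096:1:97EF9386FBFD4002:1608508800:1671580800:::::e::::::23:",
    "fpr:::::::::" + "0" * 24 + "97EF9386FBFD4002:",   # placeholder subkey fingerprint
])
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] GOODSIG AA99442FB680B620 Samba Distribution Verification Key\n"
    "[GNUPG:] VALIDSIG 81F5E2832BD2545A1897B713AA99442FB680B620 2021-09-20 "
    "1632096000 0 4 0 1 8 00 81F5E2832BD2545A1897B713AA99442FB680B620\n")
SAMPLE_STATUS_BAD = "[GNUPG:] BADSIG AA99442FB680B620 Samba Distribution Verification Key\n"


if __name__ == "__main__":
    print("release key present:", is_release_key(SAMPLE_COLONS))
    print("constructed VALIDSIG accepted:", signature_ok(SAMPLE_STATUS_GOOD))
```

The same check typed at a shell is `gunzip -c samba-4.15.0.tar.gz | gpg --status-fd 1 --verify samba-4.15.0.tar.asc -`, followed by comparing the primary fingerprint in the VALIDSIG line against the one in the announcement; verifying the .gz file directly fails because the signature is over the uncompressed tar.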
[Announce] Samba 4.15.0rc7 Available for Download
Release Announcements
=====================
This is the seventh release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC
------------------------------------------------
The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222.

NEW FEATURES/CHANGES
====================

VFS
---
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world. For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit https://wiki.samba.org/index.php/The_New_VFS.

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options. Several command line options also have a smb.conf variable to control the default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is set up to go to a file by default.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos -> --use
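Two of the 4.15 upgrade items above are checkable from smb.conf alone: the removed development dialects (SMB2_22, SMB2_24, SMB3_10) that a 4.15 parser will reject if pinned in a protocol option, and the new Bind DLZ rule that a zone transfer is answered only for a client in the allow list and not in the deny list, with deny as the default. The script below is an added example for this page, not Samba code. Its smb.conf parser is a minimal one written for illustration; the parameter names `dns zone transfer clients allow` and `dns zone transfer clients deny` are taken from the 4.15 smb.conf(5) man page rather than from this announcement, so confirm them with `testparm -v` on the version you run. The sample configuration embedded in it is constructed.

```python
"""Audit an smb.conf for two Samba 4.15 upgrade items.

Added example for this page (not Samba project code):
  1. flag protocol options still pinned to a removed development dialect and
     give the replacement the release notes prescribe;
  2. evaluate the Bind DLZ zone-transfer rule (in allow list AND not in deny
     list, deny by default) for a given client address.
Parameter names for the zone-transfer lists are an assumption taken from the
4.15 smb.conf(5) man page; the announcement itself does not name them.
"""
import ipaddress
from typing import Dict, List, Tuple

# Mapping from the "Removed SMB (development) dialects" section.
REMOVED_DIALECTS = {"SMB2_22": "SMB3_00", "SMB2_24": "SMB3_00", "SMB3_10": "SMB3_11"}

# Options that take a dialect name and therefore can carry a removed value.
PROTOCOL_PARAMS = (
    "client max protocol", "server max protocol",
    "client min protocol", "server min protocol",
    "client ipc max protocol", "client ipc min protocol",
)

ZONE_XFER_ALLOW = "dns zone transfer clients allow"   # assumed name, see docstring
ZONE_XFER_DENY = "dns zone transfer clients deny"     # assumed name, see docstring


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style reader: {section: {normalised key: value}}.

    smb.conf keys are case-insensitive and whitespace inside them is not
    significant, so keys are lower-cased and re-joined with single spaces.
    Comments (# or ;) and blank lines are skipped; 'include' is not followed.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def removed_dialect_findings(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (section, parameter, removed value, replacement) for each hit."""
    findings = []
    for section, params in conf.items():
        for param in PROTOCOL_PARAMS:
            value = params.get(param, "").upper()
            if value in REMOVED_DIALECTS:
                findings.append((section, param, value, REMOVED_DIALECTS[value]))
    return findings


def _networks(value: str) -> list:
    """Parse a space/comma separated list of addresses or CIDR prefixes."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def zone_transfer_allowed(client_ip: str, conf: Dict[str, Dict[str, str]]) -> bool:
    """Apply the documented rule: in the allow list AND NOT in the deny list.

    An absent or empty allow list therefore denies every client, which is
    the new 4.15 default behaviour described in the release notes.
    """
    glob = conf.get("global", {})
    allow = _networks(glob.get(ZONE_XFER_ALLOW, ""))
    deny = _networks(glob.get(ZONE_XFER_DENY, ""))
    ip = ipaddress.ip_address(client_ip)
    # 'in' is False across address families, so a v4 client never matches a v6 prefix.
    return any(ip in net for net in allow) and not any(ip in net for net in deny)


# Constructed sample configuration (not from any real deployment).
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server max protocol = SMB3_10
    client max protocol = SMB2_24
    dns zone transfer clients allow = 192.0.2.0/24 2001:db8::10
    dns zone transfer clients deny = 192.0.2.99

[share]
    path = /srv/share
    ; per-share options never carry protocol dialects, included to exercise the parser
"""


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for section, param, old, new in removed_dialect_findings(conf):
        print(f"[{section}] {param} = {old}: replace with {new}")
    for client in ("192.0.2.10", "192.0.2.99", "198.51.100.7", "2001:db8::10"):
        print(client, "AXFR allowed" if zone_transfer_allowed(client, conf) else "AXFR denied")
```

Running it against the constructed configuration reports both pinned dialects with their replacements and shows that 192.0.2.99 is refused even though its /24 is allowed, because the deny list is applied after the allow list.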
[Announce] Samba 4.15.0rc5 Available for Download
Release Announcements
=====================
This is the fifth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES
====================

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos. Several command line options also have a smb.conf variable to control the default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is set up to go to a file by default.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos    -> --use-kerberos=required|desired|off
  --krb5-ccache -> --use-krb5-ccache=CCACHE
  --scope       -> --netbios-scope=SCOPE
  --use-ccache  -> --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
  -e is not available for --editor anymore
  -s is not used for --configfile anymore
ndrdump:
  -l is not available for --load-dso anymore
net:
  -l is not available for --long anymore
sharesec:
  -V is not available for --viewsddl anymore
smbcquotas:
  --user -> --quota-user
nmbd:
  --log-stdout -> --debug-stdout
smbd:
  --log-stdout -> --debug-stdout
winbindd:
[Announce] Samba 4.13.11 Available for Download
Release Announcements
---------------------
This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.10
---------------------

o  Jeremy Allison
   * BUG 14769: smbd panic on force-close share during offload write.

o  Ralph Boehme
   * BUG 14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
   * BUG 14787: net conf list crashes when run as normal user.

o  Stefan Metzmacher
   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
   * BUG 14793: Start the SMB encryption as soon as possible.

o  Andreas Schneider
   * BUG 14792: Winbind should not start if the socket path for the privileged pipe is too long.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
                "Our Code, Our Bugs, Our Responsibility."
                        The Samba Team
======================================================================

Download Details
----------------
The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
    https://download.samba.org/pub/samba/stable/

The release notes are available online at:
    https://www.samba.org/samba/history/samba-4.13.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.15.0rc4 Available for Download
Release Announcements
=====================
This is the fourth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES
====================

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos. Several command line options also have a smb.conf variable to control the default now.

All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos    -> --use-kerberos=required|desired|off
  --krb5-ccache -> --use-krb5-ccache=CCACHE
  --scope       -> --netbios-scope=SCOPE
  --use-ccache  -> --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
  -e is not available for --editor anymore
  -s is not used for --configfile anymore
ndrdump:
  -l is not available for --load-dso anymore
net:
  -l is not available for --long anymore
sharesec:
  -V is not available for --viewsddl anymore
smbcquotas:
  --user -> --quota-user
nmbd:
  --log-stdout -> --debug-stdout
smbd:
  --log-stdout -> --debug-stdout
winbindd:
  --log-stdout -> --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------
[Announce] Samba 4.15.0rc3 Available for Download
Release Announcements
=====================
This is the third release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES
====================

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The samba-tool command is now available when samba is configured --without-ad-dc. Not all features will work, and some ad-dc specific options have been disabled. The samba-tool domain options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos. Several command line options also have a smb.conf variable to control the default now.

All tools are logging to stderr by default. You can use --debug-stdout to change the behavior.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos    -> --use-kerberos=required|desired|off
  --krb5-ccache -> --use-krb5-ccache=CCACHE
  --scope       -> --netbios-scope=SCOPE
  --use-ccache  -> --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
  -e is not available for --editor anymore
  -s is not used for --configfile anymore
ndrdump:
  -l is not available for --load-dso anymore
net:
  -l is not available for --long anymore
sharesec:
  -V is not available for --viewsddl anymore
smbcquotas:
  --user -> --quota-user
nmbd:
  --log-stdout -> --debug-stdout
smbd:
  --log-stdout -> --debug-stdout
winbindd:
  --log-stdout -> --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------
As an a
[Announce] Samba 4.14.7 Available for Download
Release Announcements
---------------------
This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.6
--------------------

o  Jeremy Allison
   * BUG 14769: smbd panic on force-close share during offload write.

o  Ralph Boehme
   * BUG 12033: smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK.
   * BUG 14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
   * BUG 14756: vfs_shadow_copy2 fix inodes not correctly updating inode numbers.

o  David Gajewski
   * BUG 14774: Fix build on Solaris.

o  Björn Jacke
   * BUG 14654: Make dos attributes available for unreadable files.

o  Stefan Metzmacher
   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
   * BUG 14793: Start the SMB encryption as soon as possible.

### Reporting bugs & Development Discussion ###

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
                "Our Code, Our Bugs, Our Responsibility."
                        The Samba Team
======================================================================

Download Details
----------------
The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).

The source code can be downloaded from:
    https://download.samba.org/pub/samba/stable/

The release notes are available online at:
    https://www.samba.org/samba/history/samba-4.14.7.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.15.0rc2 Available for Download
Release Announcements
=====================
This is the second release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it is no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

  - SMB2_22 => SMB3_00
  - SMB2_24 => SMB3_00
  - SMB3_10 => SMB3_11

Note that it is typically not useful to pin "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------
The GPG release key for Samba releases changed from:

  pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
        Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
  uid                 [  full  ] Samba Distribution Verification Key
  sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

  pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
        Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
  uid                 [ultimate] Samba Distribution Verification Key
  sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES
====================

- bind DLZ: Added the ability to set allow/deny lists for zone transfer clients.
  Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it is only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------
The samba-tool command is now available when samba is configured --without-ad-dc. Not all features will work, and some ad-dc specific options have been disabled. The samba-tool domain options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.

Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools. This should be a thing of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos. Several command line options also have a smb.conf variable to control the default now.

All tools are logging to stderr by default. You can use --debug-stdout to change the behavior.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos    -> --use-kerberos=required|desired|off
  --krb5-ccache -> --use-krb5-ccache=CCACHE
  --scope       -> --netbios-scope=SCOPE
  --use-ccache  -> --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
  -e is not available for --editor anymore
  -s is not used for --configfile anymore
ndrdump:
  -l is not available for --load-dso anymore
net:
  -l is not available for --long anymore
sharesec:
  -V is not available for --viewsddl anymore
smbcquotas:
  --user -> --quota-user
nmbd:
  --log-stdout -> --debug-stdout
smbd:
  --log-stdout -> --debug-stdout
winbindd:
  --log-stdout -> --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------
As an artifact from the NT4 times, we still scanned the list of trusted doma
[Announce] Samba 4.15.0rc1 Available for Download
Release Announcements
=====================

This is the first release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.

UPGRADING
=========

Removed SMB (development) dialects
----------------------------------

The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:

- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11

Note that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect; just leave them unspecified or specify the value "default".

New GPG key
-----------

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

NEW FEATURES/CHANGES
====================

bind DLZ: Added the ability to set allow/deny lists for zone transfer clients
-----------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The samba-tool command is now available when samba is configured --without-ad-dc. Not all features will work, and some ad-dc specific options have been disabled. The samba-tool domain options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.

Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A number of options required values to be specified in one tool but not in another, and some options meant different things in different tools. These should be stories of the past now. A new command line parser has been implemented with sanity checking. The command line interface has also been simplified and provides better control for encryption, signing and kerberos. Several command line options now also have a smb.conf variable to control the default.

All tools are logging to stderr by default. You can use --debug-stdout to change the behavior.

### Common parser:

Options added:
  --client-protection=off|sign|encrypt

Options renamed:
  --kerberos     -> --use-kerberos=required|desired|off
  --krb5-ccache  -> --use-krb5-ccache=CCACHE
  --scope        -> --netbios-scope=SCOPE
  --use-ccache   -> --use-winbind-ccache

Options removed:
  -e|--encrypt
  -C removed from --use-winbind-ccache
  -i removed from --netbios-scope
  -S|--signing

### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
  -e is not available for --editor anymore
  -s is not used for --configfile anymore

ndrdump:
  -l is not available for --load-dso anymore

net:
  -l is not available for --long anymore

sharesec:
  -V is not available for --viewsddl anymore

smbcquotas:
  --user -> --quota-user

nmbd:
  --log-stdout -> --debug-stdout

smbd:
  --log-stdout -> --debug-stdout

winbindd:
  --log-stdout -> --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted domains on win
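The dialect replacement described in the UPGRADING section is mechanical enough to script. The following is an added example, not Samba's own code: it rewrites the removed dialects in an smb.conf text using the mapping from these release notes and warns about any remaining explicitly pinned "max protocol" value, since the notes recommend leaving it unset or on "default". The sample config and all function names are constructed for this example.

```python
"""Rewrite SMB dialects removed in Samba 4.15 in an smb.conf text.

Added example, not Samba project code. Only the dialect mapping comes from the
release notes; everything else is an assumption of this example.
"""
from __future__ import annotations

import re

# Dialects dropped in 4.15 and their replacements, as listed in the release notes.
REMOVED_DIALECTS = {
    "SMB2_22": "SMB3_00",
    "SMB2_24": "SMB3_00",
    "SMB3_10": "SMB3_11",
}

# Matches "<something> protocol = <value>" lines such as "server max protocol = SMB2_22".
# smb.conf parameter names are case-insensitive and tolerate extra whitespace;
# commented-out lines start with '#' or ';' and therefore never match.
_PROTOCOL_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<key>[A-Za-z ]*protocol)(?P<sep>\s*=\s*)(?P<value>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def migrate_smb_conf(text: str) -> tuple[str, list[str]]:
    """Return (rewritten config, list of human-readable warnings).

    Removed dialects are replaced per REMOVED_DIALECTS. A "max protocol" option that
    still pins a specific dialect afterwards is reported, because the release notes
    advise leaving it unspecified or set to "default".
    """
    out_lines: list[str] = []
    warnings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _PROTOCOL_LINE.match(line)
        if m is None:
            out_lines.append(line)
            continue
        key = " ".join(m.group("key").lower().split())  # normalise spacing and case
        value = m.group("value")
        upper = value.upper()
        if upper in REMOVED_DIALECTS:
            new = REMOVED_DIALECTS[upper]
            warnings.append(f"line {lineno}: {key} = {value} -> {new}")
            value = new
        elif key.endswith("max protocol") and upper != "DEFAULT":
            warnings.append(f"line {lineno}: {key} pins {value}; prefer unset or 'default'")
        out_lines.append(f"{m.group('indent')}{m.group('key')}{m.group('sep')}{value}{m.group('rest')}")
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out_lines) + trailing, warnings


# Constructed sample configuration exercising each case.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   server max protocol = SMB2_22
   client max protocol = SMB3_10
   client min protocol = SMB2_02
   # server max protocol = SMB2_24
"""

if __name__ == "__main__":
    rewritten, notes = migrate_smb_conf(SAMPLE_SMB_CONF)
    print(rewritten)
    print("\n".join(notes))
```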
[Announce] Samba 4.13.10 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.9
--------------------

o  Jeremy Allison
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
   * BUG 14721: Take a copy to make sure we don't reference free'd memory.
   * BUG 14722: s3: lib: Fix talloc hierarchy error in parent_smb_fname().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.

o  Andrew Bartlett
   * BUG 14575: samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID.

o  Ralph Boehme
   * BUG 14714: smbd: Correctly initialize close timestamp fields.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Volker Lendecke
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Stefan Metzmacher
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.13.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.6 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.5
--------------------

o  Jeremy Allison
   * BUG 14722: s3: lib: Fix talloc hierarchy error in parent_smb_fname().
   * BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
   * BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.

o  Ralph Boehme
   * BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using glusterfs VFS module.
   * BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Stefan Metzmacher
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.5 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.4
--------------------

o  Jeremy Allison
   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
   * BUG 14721: s3: smbd: Fix uninitialized memory read in process_symlink_open() when used with vfs_shadow_copy2().

o  Andrew Bartlett
   * BUG 14689: docs: Expand the "log level" docs on audit logging.

o  Ralph Boehme
   * BUG 14714: smbd: Correctly initialize close timestamp fields.

o  Günther Deschner
   * BUG 14699: Fix gcc11 compiler issues.

o  Pavel Filipenský
   * BUG 14718: docs-xml: Update smbcacls manpage.
   * BUG 14719: docs: Update list of available commands in rpcclient.

o  Volker Lendecke
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Andreas Schneider
   * BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be set.
   * BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.13.9 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.8
--------------------

o  Jeremy Allison
   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.

o  Andrew Bartlett
   * BUG 14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code.

o  Ralph Boehme
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server.
   * BUG 14679: s3: smbd: Fix deferred renames.

o  Samuel Cabrero
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke
   * BUG 14675: rpc_server3: Fix a memleak for internal pipes.

o  Stefan Metzmacher
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.

o  Christof Schmitt
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.

o  Martin Schwenke

https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.13.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.4, 4.13.8 and 4.12.15 Security Releases Available
Release Announcements
---------------------

These are security releases in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

=======
Details
=======

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson, IT Department, Linköping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution.

Changes
-------

o  Volker Lendecke
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.4.html
https://www.samba.org/samba/history/samba-4.13.8.html
https://www.samba.org/samba/history/samba-4.12.15.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.3 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.

Changes since 4.14.2
--------------------

o  Trever L. Adams
   * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break vfs_virusfilter_openat.

o  Andrew Bartlett
   * BUG 14586: build: Notice if flex is missing at configure time.

o  Ralph Boehme
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server.
   * BUG 14679: s3: smbd: fix deferred renames.

o  Samuel Cabrero
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke
   * BUG 14675: Fix memory leak in the RPC server.

o  Stefan Metzmacher
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.

o  David Mulder
   * BUG 14665: samba-gpupdate: Test that sysvol paths download in case-insensitive way.

o  Sachin Prabhu
   * BUG 14662: smbd: Ensure errno is preserved across fsp destructor.

o  Christof Schmitt
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.

o  Martin Schwenke
   * BUG 14288: build: Only add -Wl,--as-needed when supported.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
[Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.

=======
Details
=======

o  CVE-2020-27840:
   An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.

o  CVE-2021-20277:
   User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.

For more details, please refer to the security advisories.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.2.html
https://www.samba.org/samba/history/samba-4.13.7.html
https://www.samba.org/samba/history/samba-4.12.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
Re: Heads-up: Security Releases ahead!
On 17.03.21 at 11:57, Karolin Seeger via samba-announce wrote:
> this is a heads-up that there will be Samba security updates
> on Wednesday, May 24th. Please make sure that your Samba AD DCs
> will be updated immediately after the release!

Wednesday, March 24th 2021, of course, sorry!

Karolin

-- 
Karolin Seeger                    https://samba.org/~kseeger/
Release Manager Samba Team        https://samba.org
Team Lead Samba SerNet            https://sernet.de
Heads-up: Security Releases ahead!
Hi,

this is a heads-up that there will be Samba security updates on Wednesday, May 24th. Please make sure that your Samba AD DCs will be updated immediately after the release!

Impacted components:

o AD DC LDAP Server (CVSS 7.5, high)

Cheers,
Karolin

-- 
Karolin Seeger                    https://samba.org/~kseeger/
Release Manager Samba Team        https://samba.org
Team Lead Samba SerNet            https://sernet.de
[Announce] Samba 4.12.12 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.12 release series.

Please note that this will be the last bugfix release of the Samba 4.12 release series. There will be Security Releases only beyond this point.

New GPG key
===========

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

Changes since 4.12.11
---------------------

o  Trever L. Adams
   * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure.

o  Jeremy Allison
   * BUG 13992: SAMBA RPC share error.
   * BUG 14612: s3: smbd: Add call to conn_setup_case_options() to create_conn_struct_as_root().

o  Ralph Boehme
   * BUG 14602: s3/auth: Implement "winbind:ignore domains".
   * BUG 14612: build: Remove smbd_conn private library.

o  Peter Eriksson
   * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.

o  Björn Jacke
   * BUG 14624: classicupgrade: Treat old never expires value right.

o  Volker Lendecke
   * BUG 1463: g_lock: Fix uninitialized variable reads.

o  Stefan Metzmacher
   * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
   * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7.

o  Andreas Schneider
   * BUG 14625: Fix smbd share mode double free crash.

o  Paul Wise
   * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.12.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
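Both the 4.15.0rc1 and the 4.12.12 announcements above give the new release key's ID and fingerprint, and every Download Details section refers to that key ID. The following added example, not Samba project code, checks that the key a keyring holds under ID AA99442FB680B620 actually carries the announced fingerprint before it is used to verify a release tarball; it parses the machine-readable output of `gpg --with-colons --fingerprint`. The sample output embedded below is constructed for the example, and the subkey fingerprint in it is a placeholder because the announcement only lists the primary fingerprint.

```python
"""Check that the Samba release key in a GnuPG keyring matches the fingerprint
announced in the release notes. Added example, not Samba project code."""
from __future__ import annotations

import subprocess

# Values taken from the "New GPG key" section of the announcement.
EXPECTED_KEY_ID = "AA99442FB680B620"
EXPECTED_FPR = "81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620".replace(" ", "")

# Constructed sample of `gpg --with-colons --fingerprint AA99442FB680B620` output.
# GnuPG's colon format: record type in field 1, key ID in field 5 of pub/sub
# records, fingerprint in field 10 of fpr records. The subkey fingerprint and the
# uid hash are placeholders; only the primary fingerprint is in the announcement.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:AA99442FB680B620:1608508800:1671667200::u:::scESC::::::23::0:
fpr:::::::::81F5E2832BD2545A1897B713AA99442FB680B620:
uid:u::::1608508800::CONSTRUCTEDHASH::Samba Distribution Verification Key::::::::::0:
sub:u:4096:1:97EF9386FBFD4002:1608508800:1671667200:::::e::::::23:
fpr:::::::::00000000000000000000000097EF9386FBFD4002:
"""


def primary_fingerprints(colon_output: str) -> dict[str, str]:
    """Map each primary key ID to its full fingerprint.

    Only the fpr record directly following a pub record is the primary key's
    fingerprint; fpr records after sub records belong to subkeys and are
    skipped, which is the easy mistake when simply grepping for "fpr:" lines.
    """
    result: dict[str, str] = {}
    pending_key_id: str | None = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            pending_key_id = fields[4].upper()
        elif fields[0] == "sub":
            pending_key_id = None
        elif fields[0] == "fpr" and pending_key_id is not None and len(fields) > 9:
            result[pending_key_id] = fields[9].upper()
            pending_key_id = None
    return result


def check_release_key(colon_output: str) -> list[str]:
    """Return the problems found; an empty list means the announced key is present
    with the announced fingerprint. A long key ID is only the last 16 hex digits of
    the fingerprint, so the full fingerprint is what actually identifies the key."""
    problems: list[str] = []
    fpr = primary_fingerprints(colon_output).get(EXPECTED_KEY_ID)
    if fpr is None:
        problems.append(f"key {EXPECTED_KEY_ID} not found in keyring")
    elif fpr != EXPECTED_FPR:
        problems.append(f"key {EXPECTED_KEY_ID} has fingerprint {fpr}, expected {EXPECTED_FPR}")
    return problems


if __name__ == "__main__":
    # Against a real keyring: import the key, run this check, and only then use
    # it with `gpg --verify <tarball>.tar.asc <tarball>.tar` (the uncompressed tarball).
    proc = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", EXPECTED_KEY_ID],
        capture_output=True, text=True, check=False,
    )
    for message in check_release_key(proc.stdout) or ["release key OK"]:
        print(message)
```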