[Announce] Samba 4.20.3 Available for Download

2024-08-02 Thread Stefan Metzmacher via samba-announce
Release Announcements
---------------------

This is the latest stable release of the Samba 4.20 release series.

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server now supports SASL binds with Kerberos or NTLMSSP over
TLS connections (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before can now most likely move to the default of
'ldap server require strong auth = yes'.

If SASL binds without correct TLS channel bindings are required,
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a warning on
every start of 'samba', as well as of '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.

smb.conf changes
----------------

  Parameter Name                    Description   Default
  --------------                    -----------   -------
  ldap server require strong auth   new values

Changes since 4.20.2
--------------------

o  Andreas Schneider 
   * BUG 15683: Running samba-bgqd as a standalone systemd service does not work.

o  Andrew Bartlett 
   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
     Windows computer when user account need to change their own password.

o  Douglas Bagnall 
   * BUG 15671: Invalid client warning about command line passwords.
   * BUG 15672: Version string is truncated in manpages.
   * BUG 15673: --version-* options are still not ergonomic, and they reject
     tilde characters.
   * BUG 15674: cmdline_burn does not always burn secrets.
   * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
     AD_DS_Classes_Windows_Server_v1903.ldf.

o  Jo Sutton 
   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
     Windows computer when user account need to change their own password.

o  Pavel Filipenský 
   * BUG 15660: The images don't build after the git security release and
     CentOS 8 Stream is EOL.

o  Ralph Boehme 
   * BUG 15676: Fix clock skew error message and memory cache clock skew
     recovery.

o  Stefan Metzmacher 
   * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
     init_sec_context/repl_mutual.
   * BUG 15621: s4:ldap_server: does not support tls channel bindings
     for sasl binds.

o  Xavi Hernandez 
   * BUG 15678: CTDB socket output queues may suffer unbounded delays under some
     special conditions.


######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.20.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
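
The 'ldap server require strong auth' change described in the 4.20.3 notes above (and repeated in the 4.21.0rc1 notes further down) as a configuration audit; this is an added example, not Samba project code. It assumes a file in smb.conf syntax, the default of 'yes' the notes state, and that parameter names match ignoring case and whitespace; the sample configurations are constructed.

```python
"""Audit the 'ldap server require strong auth' setting in an smb.conf.

Added example, not Samba project code. It classifies the value a Samba AD DC
would run with after the change in the 4.20.3 / 4.21 notes: the default
'yes' requires correct TLS channel bindings on SASL binds,
'allow_sasl_over_tls' still works but now warns on every start of 'samba'
and in testparm, and 'allow_sasl_without_tls_channel_bindings' is the value
to use only while some client really cannot send correct bindings.
"""
import re

PARAM = "ldap server require strong auth"
DEFAULT_VALUE = "yes"   # the default stated in the release notes

# Severity and advice per value. Only the values named in the release notes
# plus 'no' are classified; any other spelling is reported as unknown.
VERDICTS = {
    "yes": ("ok",
            "SASL binds over TLS must carry correct channel bindings."),
    "allow_sasl_without_tls_channel_bindings": (
        "weak",
        "SASL binds without correct TLS channel bindings are accepted; "
        "keep only while a known client needs it."),
    "allow_sasl_over_tls": (
        "deprecated",
        "Still works but warns on every samba start and in testparm; "
        "move to 'yes' or, if needed, "
        "'allow_sasl_without_tls_channel_bindings'."),
    "no": ("insecure",
           "Simple (plaintext) binds are accepted over unencrypted LDAP."),
}


def normalize(name: str) -> str:
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalized_param: value}} for smb.conf-style text.

    Handles '#' and ';' comments, blank lines and backslash continuations;
    a repeated parameter keeps the last value, as Samba does.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize(key)] = value.strip()
    return sections


def audit_strong_auth(text: str) -> dict:
    """Classify the effective 'ldap server require strong auth' value."""
    global_section = parse_smb_conf(text).get("global", {})
    key = normalize(PARAM)
    explicit = key in global_section
    value = global_section.get(key, DEFAULT_VALUE).lower()
    severity, advice = VERDICTS.get(
        value, ("unknown", f"Value {value!r} is not one this check knows."))
    return {"value": value, "explicit": explicit,
            "severity": severity, "advice": advice}


# Constructed sample configurations (not from any real deployment).
LEGACY_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    # kept from a pre-4.20.3 setup that needed SASL binds over TLS
    ldap server require strong auth = allow_sasl_over_tls
"""
HARDENED_CONF = LEGACY_CONF.replace("allow_sasl_over_tls", "yes")

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        report = audit_strong_auth(conf)
        print(f"{label}: {PARAM} = {report['value']} [{report['severity']}]")
        print("  " + report["advice"])
```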



[Announce] Samba 4.21.0rc1 Available for Download

2024-07-29 Thread Jule Anger via samba-announce

Release Announcements
=====================

This is the first release candidate of Samba 4.21.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.21 will be the next version of the Samba suite.


UPGRADING
=========

Hardening of "valid users", "invalid users", "read list" and "write list"
-------------------------------------------------------------------------

In previous versions of Samba, if a user or group name in either of the
mentioned options could not be resolved to a valid SID, the user (or group)
would be skipped without any notification. This could result in unexpected
and insecure behaviour. Starting with this version of Samba, if any user or
group name in any of the options cannot be resolved due to a communication
error with a domain controller, Samba will log an error and the tree connect
will fail. Non-existing users (or groups) are ignored.

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server now supports SASL binds with Kerberos or NTLMSSP over
TLS connections (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before can now most likely move to the default of
'ldap server require strong auth = yes'.

If SASL binds without correct TLS channel bindings are required,
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a warning on
every start of 'samba', as well as of '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.


NEW FEATURES/CHANGES
====================

LDB no longer a standalone tarball
----------------------------------

LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.

If you need ldb as a public library, say to build sssd, then use
 ./configure --private-libraries='!ldb'

This re-integration allows LDB tests to use Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.

This approach has been demonstrated already in Debian, which is already
building Samba and LDB in this way.

As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.

LDB Module API Python bindings removed
--------------------------------------

The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development.  However, that wrapping
never took into account later changes, and so has not worked for a
number of years.  Samba 4.21 and LDB 2.10 remove this unused and
broken feature.

Some Samba public libraries made private by default
---------------------------------------------------

The following Samba C libraries are currently made public due to their
use by OpenChange or for historical reasons that are no longer clear.

 dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
 samba-credentials, dcerpc_server, samdb

The libraries used by the OpenChange client are now private, but can be
made public (like ldb above) with:

 ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'


The C libraries without any known user or used only for the OpenChange
server (a dead project) may be made private entirely in a future Samba
version.

If you use a Samba library in this list, please be in touch with the
samba-technical mailing list.

Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------

Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to Active Directory domain controllers,
using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order to let 'ldap ssl = start tls' have any effect on those
connections.

'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.

The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.

The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ld

[Announce] Samba 4.20.2 Available for Download

2024-06-19 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.20 release series.


Changes since 4.20.1
--------------------

o  Jeremy Allison 
   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.

o  Douglas Bagnall 
   * BUG 13213: Samba build is not reproducible.
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
     function.
   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
     lead to out-of-bounds access in some circumstances.

o  Andrew Bartlett 
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
     bill.
   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
     revision arguments to ./configure to allow distributions and packagers to
     put their name in the Samba version string so that when debugging Samba the
     source of the binary is obvious.

o  Günther Deschner 
   * BUG 15665: CTDB RADOS mutex helper misses namespace support.

o  Stefan Metzmacher 
   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
     SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
     Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
     can't use nmb requests instead of cldap.
   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
     only host.
   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
     machine account.

o  Noel Power 
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Andreas Schneider 
   * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
   * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
     domain lookups.
   * BUG 15660: The images don't build after the git security release and CentOS
     8 Stream is EOL.


######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.20.2.html

If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID
4793916113084025).

The ldb source code can be downloaded from:

    https://download.samba.org/pub/ldb/ldb-2.9.1.tar.gz


Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.19.7 Available for Download

2024-06-10 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.6
--------------------

o  Douglas Bagnall 
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
     function (ldb 2.8.1 is already released).
   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
     lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
     released).

o  Andrew Bartlett 
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
     bill.

o  Stefan Metzmacher 
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
     SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
     Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
     only host.

o  Anna Popova 
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
     flag.

o  Noel Power 
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.


######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.7.html


If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID
4793916113084025).

The ldb source code can be downloaded from:

    https://download.samba.org/pub/ldb/ldb-2.8.1.tar.gz


Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team





[Announce] Samba 4.20.1 Available for Download

2024-05-08 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.20 release series.


Changes since 4.20.0
--------------------

o  Douglas Bagnall 
   * BUG 15630: dns update debug message is too noisy.

o  Alexander Bokovoy 
   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.

o  Pavel Filipenský 
   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.

o  Anna Popova 
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
     flag.

o  Noel Power 
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.

o  Andreas Schneider 
   * BUG 15600: Provide a systemd service file for the background queue daemon.



######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.20.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.19.6 Available for Download

2024-04-08 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.5
--------------------

o  Ralph Boehme 
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
     vfs_stat_fsp() fails in fd_close().

o  Guenther Deschner 
   * BUG 15588: samba-gpupdate: Correctly implement site support.

o  Noel Power 
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
     vfs_stat_fsp() fails in fd_close().

o  Andreas Schneider 
   * BUG 15588: samba-gpupdate: Correctly implement site support.
   * BUG 15599: libgpo: Segfault in python bindings.

o  Martin Schwenke 
   * BUG 15580: Packet marshalling push support missing for
     CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
     CTDB_CONTROL_TCP_CLIENT_PASSED.


######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.20.0 Available for Download

2024-03-27 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the first stable release of the Samba 4.20 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF


Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME"

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now by default builds a new experimental Windows Search Protocol
(WSP) command line client, "wspsearch".

The "wspsearch" cmd-line utility allows a WSP search request to be sent
to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows cmd
line tool 'icacls.exe' provides. Additionally, files created either
by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by
either tool as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on directory
                        and all files/directories below.
 - '--restore savefile' Restores the stored DACLs to files in directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
----------------------------------------------------------------------

samba-tool now allows users to be associated with claims.  In the
Samba AD DC, claims derive from Active Directory attributes mapped
into specific names.  These claims can be used in rules, which are
conditional ACEs in a security descriptor, that decide if a user is
restricted by an authentication policy.

samba-tool also allows the creation and management of authentication
policies, which are rules about where a user may authenticate from,
if NTLM is permitted, and what services a user may authenticate to.

Finally, support is added for the creation and management of
authentication silos, which are helpful in defining net

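The 'from'/'to' output change in the ;rounds= section of the 4.20.0 notes above (repeated in the rc3 and rc4 notes below), as an added example that is not samba-tool's own code: a small LDIF attribute-option parser that handles both the pre-4.20 and the 4.20 form and cross-checks the requested rounds against the rounds actually encoded in the hash. It assumes the {CRYPT}$5$/$6$ sha-crypt format, whose default cost is 5000 rounds and whose minimum is 1000; the two page lines are the notes' own (truncated) examples, the other sample lines are constructed.

```python
"""Parse virtualCryptSHA256/512 lines from 'samba-tool user getpassword'.

Added example, not samba-tool's own code. Before Samba 4.20 the ;rounds=
option was dropped from the attribute name in the LDIF output; from 4.20 it
is echoed back like ;format= already was. Both forms are parsed here and the
requested rounds are cross-checked against the rounds actually encoded in
the {CRYPT}$5$/$6$ (sha-crypt) value.
"""
import base64
import re
from dataclasses import dataclass, field

# sha-crypt: "$5$" (SHA-256) or "$6$" (SHA-512), optional "rounds=N$",
# then salt and hash. Without rounds= the cost is 5000; requests below
# 1000 are clamped up to 1000 by the sha-crypt implementation.
SHA_CRYPT_DEFAULT_ROUNDS = 5000
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]*)\$(?P<hash>.*)$"
)


@dataclass
class LdifAttr:
    name: str                                    # e.g. virtualCryptSHA256
    options: dict = field(default_factory=dict)  # ;key=value or ;flag options
    value: str = ""


def parse_attr_line(line: str) -> LdifAttr:
    """Split an LDIF 'type;opt=val: value' line into its parts.

    A '::' separator marks a base64-encoded value and is decoded here.
    """
    desc, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):                      # "attr:: <base64>"
        value = base64.b64decode(rest[1:].strip()).decode()
    else:
        value = rest.strip()
    name, *opts = desc.split(";")
    options = {}
    for opt in opts:
        key, eq, val = opt.partition("=")
        options[key.strip()] = val.strip() if eq else True
    return LdifAttr(name.strip(), options, value)


def crypt_rounds(value: str):
    """Return (algorithm, rounds) for a {CRYPT}$5$/$6$ string, else None."""
    m = CRYPT_RE.match(value)
    if m is None:
        return None
    algo = "SHA256" if m["id"] == "5" else "SHA512"
    rounds = int(m["rounds"]) if m["rounds"] else SHA_CRYPT_DEFAULT_ROUNDS
    return algo, rounds


def check_rounds(line: str) -> dict:
    """Report requested vs actual rounds for one virtualCrypt* output line."""
    attr = parse_attr_line(line)
    requested = int(attr.options["rounds"]) if "rounds" in attr.options else None
    parsed = crypt_rounds(attr.value)
    hash_rounds = parsed[1] if parsed else None
    return {
        "attribute": attr.name,
        "new_style": "rounds" in attr.options,   # 4.20+ echoes ;rounds= back
        "requested_rounds": requested,
        "hash_rounds": hash_rounds,
        # Old-style lines carry no request, so only the hash can be trusted.
        "consistent": requested is None or requested == hash_rounds,
    }


# The two lines quoted in the release notes (hash truncated there as well).
OLD_STYLE = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
NEW_STYLE = ("virtualCryptSHA256;rounds=2561: "
             "{CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF")
# Constructed lines (not real hashes): rounds=5 was requested but sha-crypt
# clamps to 1000, and a hash without rounds= means the 5000 default.
CLAMPED = ("virtualCryptSHA256;rounds=5: "
           "{CRYPT}$5$rounds=1000$abcdefghijklmnop$" + "x" * 43)
DEFAULTED = ("virtualCryptSHA512;rounds=5000: "
             "{CRYPT}$6$abcdefghijklmnop$" + "y" * 86)

if __name__ == "__main__":
    for line in (OLD_STYLE, NEW_STYLE, CLAMPED, DEFAULTED):
        r = check_rounds(line)
        print(f"{r['attribute']}: requested={r['requested_rounds']} "
              f"hash={r['hash_rounds']} consistent={r['consistent']}")
```
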
[Announce] Samba 4.18.11 Available for Download

2024-03-13 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.18 release series.
There will be security releases only beyond this point.


Changes since 4.18.10
---------------------

o  Martin Schwenke 
   * BUG 15580: Packet marshalling push support missing for
     CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
     CTDB_CONTROL_TCP_CLIENT_PASSED.


######################################################################
Reporting bugs & Development Discussion
######################################################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================




Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.20.0rc4 Available for Download

2024-03-11 Thread Jule Anger via samba-announce

Release Announcements
=====================

This is the fourth release candidate of Samba 4.20.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF


Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME"

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now by default builds a new experimental Windows Search Protocol
(WSP) command line client, "wspsearch".

The "wspsearch" cmd-line utility allows a WSP search request to be sent
to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows cmd
line tool 'icacls.exe' provides. Additionally, files created either
by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by
either tool as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on directory
                        and all files/directories below.
 - '--restore savefile' Restores the stored DACLs to files in directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
----------------------------------------------------------------------

samba-tool now allows users to be associated with claims.  In the
Samba AD DC, claims derive from Active Directory attributes mapped
into specific names.  These claims can be used in rules, which are
conditional ACEs in a security descriptor, that decide if a user is
restricted by an authentication policy.

samba-tool also allows the creation and management of authentication
policies, which are rules about where a user may authent

[Announce] Samba 4.20.0rc3 Available for Download

2024-02-26 Thread Jule Anger via samba-announce

Release Announcements
=====================

This is the third release candidate of Samba 4.20.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF


Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME"

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now by default builds a new experimental Windows Search Protocol
(WSP) command line client, "wspsearch".

The "wspsearch" cmd-line utility allows a WSP search request to be sent
to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows
command line tool 'icacls.exe' provides. Additionally, files created
either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used
by either tool, as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on a directory
                        and all files/directories below it.
 - '--restore savefile' Restores the stored DACLs to files in a directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
------

samba-tool now allows users to be associated with claims.  In the
Samba AD DC, claims derive from Active Directory attributes mapped
into specific names.  These claims can be used in rules, which are
conditional ACEs in a security descriptor, that decide if a user is
restricted by an authentication policy.

samba-tool also allows the creation and management of authentication
policies, which are rules about where a user may authent

[Announce] Samba 4.19.5 Available for Download

2024-02-19 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.4


o  Ralph Boehme 
   * BUG 13688: Windows 2016 fails to restore previous version of a file from a
     shadow_copy2 snapshot.
   * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions
     before that).

o  Bjoern Jacke 
   * BUG 12421: Fake directory create times has no effect.

o  Björn Jacke 
   * BUG 15550: ctime mixed up with mtime by smbd.

o  David Mulder 
   * BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.

o  Gabriel Nagy 
   * BUG 15557: gpupdate: The root cert import when NDES is not available is
     broken.

o  Andreas Schneider 
   * BUG 15552: samba-gpupdate should print a useful message if cepces-submit
     can't be found.
   * BUG 15558: samba-gpupdate logging doesn't work.

o  Jones Syue 
   * BUG 1: smbpasswd reset permissions only if not 0600.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.20.0rc2 Available for Download

2024-02-12 Thread Jule Anger via samba-announce

Release Announcements
=

This is the second release candidate of Samba 4.20.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New Minimum MIT Krb5 version for Samba AD Domain Controller
---

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
---

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option, will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF


Group Managed service account client-side features
------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME".

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
--

Samba now builds, by default, a new experimental Windows Search Protocol
(WSP) command line client, "wspsearch".

The "wspsearch" command line utility allows a WSP search request to be
sent to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows
command line tool 'icacls.exe' provides. Additionally, files created
either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used
by either tool, as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on a directory
                        and all files/directories below it.
 - '--restore savefile' Restores the stored DACLs to files in a directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
------

samba-tool now allows users to be associated with claims.  In the
Samba AD DC, claims derive from Active Directory attributes mapped
into specific names.  These claims can be used in rules, which are
conditional ACEs in a security descriptor, that decide if a user is
restricted by an authentication policy.

samba-tool also allows the creation and management of authentication
policies, which are rules about where a user may authent

[Announce] Samba 4.18.10 Available for Download

2024-01-31 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.9


o  Ralph Boehme 
   * BUG 13688: Windows 2016 fails to restore previous version of a file from a
     shadow_copy2 snapshot.
   * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions
     before that).

o  Samuel Cabrero 
   * BUG 13577: net changesecretpw cannot set the machine account password if
     secrets.tdb is empty.

o  Bjoern Jacke 
   * BUG 12421: Fake directory create times has no effect.

o  Björn Jacke 
   * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
   * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
   * BUG 15542: vfs_linux_xfs is incorrectly named.
   * BUG 15550: ctime mixed up with mtime by smbd.

o  Volker Lendecke 
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.
   * BUG 15544: shadow_copy2 broken when current fileset's directories are
 removed.

o  Stefan Metzmacher 
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.
   * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
     exclusion.

o  Martin Schwenke 
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.

o  Shachar Sharon 
   * BUG 15440: Unable to copy and write files from clients to Ceph cluster via
     SMB Linux gateway with Ceph VFS module.

o  Jones Syue 
   * BUG 15547: Multichannel refresh network information.
   * BUG 1: smbpasswd reset permissions only if not 0600.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.20.0rc1 Available for Download

2024-01-29 Thread Jule Anger via samba-announce

Release Announcements
=

This is the first release candidate of Samba 4.20.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New Minimum MIT Krb5 version for Samba AD Domain Controller
---

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
---

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option, will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
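The attribute description syntax described above (a base attribute name followed by ";option=value" parts, now echoed unchanged into the LDIF output) is easy to check mechanically. The following Python is an added example, not samba-tool code: it parses constructed LDIF fragments in the old and the new output format, extracts the ";rounds=" option, and compares it with the rounds actually encoded in the "{CRYPT}$5$..." hash, which is the check a password-sync consumer would want to run after upgrading. The entry DN and the pwdLastSet value are made up; the hash is the truncated one quoted above.

```python
import re

# Constructed LDIF fragments (not real samba-tool output) in the old and the
# new format; the truncated hash is the one quoted in the release notes.
OLD_FORMAT_LDIF = """\
dn: CN=alice,CN=Users,DC=samba,DC=example
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
"""
NEW_FORMAT_LDIF = """\
dn: CN=alice,CN=Users,DC=samba,DC=example
pwdLastSet;format=GeneralizedTime: 20240101120000.0Z
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
"""

# {CRYPT}$5$ is SHA-256 crypt, {CRYPT}$6$ is SHA-512 crypt. The optional
# "rounds=N$" field precedes the salt; without it sha-crypt uses 5000 rounds.
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]+)\$(?P<hash>\S+)$")
DEFAULT_ROUNDS = 5000


def parse_attribute_description(desc):
    """'virtualCryptSHA256;rounds=2561' -> ('virtualCryptSHA256', {'rounds': '2561'})."""
    base, *opts = desc.split(";")
    options = {}
    for opt in opts:
        key, _, value = opt.partition("=")
        options[key] = value
    return base, options


def parse_ldif_entry(text):
    """Parse one LDIF entry with plain 'attr: value' lines (no base64 '::' values,
    no folded continuation lines) into (attribute, options, value) triples."""
    triples = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        desc, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        base, options = parse_attribute_description(desc.strip())
        triples.append((base, options, value.strip()))
    return triples


def crypt_rounds(value):
    """Rounds encoded in a {CRYPT} SHA-crypt string, or None if it is not one."""
    m = CRYPT_RE.match(value)
    if m is None:
        return None
    return int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS


def check_rounds_consistency(triples):
    """(attribute, requested, actual) for every virtualCryptSHA* value whose
    ;rounds= option disagrees with the rounds inside the hash itself."""
    mismatches = []
    for base, options, value in triples:
        if base not in ("virtualCryptSHA256", "virtualCryptSHA512"):
            continue
        if "rounds" not in options:
            continue  # old-format output carries no option to check against
        requested, actual = int(options["rounds"]), crypt_rounds(value)
        if actual != requested:
            mismatches.append((base, requested, actual))
    return mismatches


if __name__ == "__main__":
    for label, text in (("old", OLD_FORMAT_LDIF), ("new", NEW_FORMAT_LDIF)):
        triples = parse_ldif_entry(text)
        print(label, [(b, o) for b, o, _ in triples],
              "mismatches:", check_rounds_consistency(triples))
```

A consumer that keyed its lookups on the bare name "virtualCryptSHA256" will find no such attribute in new-format output; matching on the base name returned by parse_attribute_description and then reading the option is the robust way to handle both formats.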


Group Managed service account client-side features
------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME".

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
--

Samba now builds, by default, a new experimental Windows Search Protocol
(WSP) command line client, "wspsearch".

The "wspsearch" command line utility allows a WSP search request to be
sent to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows
command line tool 'icacls.exe' provides. Additionally, files created
either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used
by either tool, as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on a directory
                        and all files/directories below it.
 - '--restore savefile' Restores the stored DACLs to files in a directory

REMOVED FEATURES


Get locally logged on users from utmp
-

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
(level 102) and NetWkstaEnumUsers (levels 0 and 1) return the list of
locally logged on users. Samba was getting the list from utmp, which is
not Y2038 safe. This feature has been completely removed and Samba will
always return an empty list.


smb.conf changes


  Parameter Name  Description Default
  --  --- 

[Announce] Samba 4.19.4 Available for Download

2024-01-08 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.3


o  Samuel Cabrero 
   * BUG 13577: net changesecretpw cannot set the machine account password if
     secrets.tdb is empty.

o  Björn Jacke 
   * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
   * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
   * BUG 15542: vfs_linux_xfs is incorrectly named.

o  Björn Jacke 
   * BUG 15377: systemd stumbled over copyright-message at smbd startup.

o  Volker Lendecke 
   * BUG 15505: Following intermediate absolute share-local symlinks is broken.
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.
   * BUG 15544: shadow_copy2 broken when current fileset's directories are
 removed.

o  Stefan Metzmacher 
   * BUG 15377: systemd stumbled over copyright-message at smbd startup.
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.
   * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
     exclusion.

o  Andreas Schneider 
   * BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
 domains = no' is set.
   * BUG 15525: smbget debug logging doesn't work.
   * BUG 15532: smbget: username in the smburl and interactive password entry
     doesn't work.
   * BUG 15538: smbget auth function doesn't set values for password prompt
 correctly.

o  Martin Schwenke 
   * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
     a non-public address disconnects first.

o  Shachar Sharon 
   * BUG 15440: Unable to copy and write files from clients to Ceph cluster via
     SMB Linux gateway with Ceph VFS module.

o  Jones Syue 
   * BUG 15547: Multichannel refresh network information.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.4.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.18.9 Available for Download

2023-11-29 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.
It contains the security-relevant bug CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html


Description of CVE-2018-14628
-

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from the
Domain/Partition-HEAD-Object instead of being very strict (as on a
Windows provisioned domain).

This means that non-privileged users can also use the
LDAP_SERVER_SHOW_DELETED_OID control to view the names and
preserved attributes of deleted objects.

No information that was hidden before the deletion becomes visible, but
with the correct ntSecurityDescriptor value in place the whole deleted
object is not visible at all without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

Action required in order to resolve CVE-2018-14628!
---

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'


The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.


Changes since 4.18.8


o  Michael Adam 
   * BUG 15497: Add make command for querying Samba version.

o  Ralph Boehme 
   * BUG 15487: smbd crashes if asked to return full information on close of a
     stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
 smb_fname_fsp_destructor().

o  Björn Jacke 
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
 listed in directories.

o  Stefan Metzmacher 
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
     AD LDAP to normal users.

o  Christof Schmitt 
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Christof Schmitt 
   * BUG 15497: Add make command for querying Samba version.

o  Martin Schwenke 
   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.19.3 Available for Download

2023-11-27 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bug CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html


Description of CVE-2018-14628
-

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from the
Domain/Partition-HEAD-Object instead of being very strict (as on a
Windows provisioned domain).

This means that non-privileged users can also use the
LDAP_SERVER_SHOW_DELETED_OID control to view the names and
preserved attributes of deleted objects.

No information that was hidden before the deletion becomes visible, but
with the correct ntSecurityDescriptor value in place the whole deleted
object is not visible at all without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

Action required in order to resolve CVE-2018-14628!
---

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'


The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.
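The smbcacls save-file format described in the 4.20 release notes above and the dbcheck review prompt just shown both work on SDDL, and the prompt's "ACE is not present in the reference/current" lines are a set comparison of two DACLs. The following Python is an added example (not Samba's dbcheck or smbcacls code): it parses SDDL into owner, group and ACE fields, diffs a reference descriptor against a current one, and flags allow ACEs that grant read or list rights to Authenticated Users (AU) or Everyone (WD), which on CN=Deleted Objects is precisely what exposes tombstones. The two descriptors are constructed from the ACEs and the owner/group values quoted in the prompt above and are not dumps from a real domain; the right-name labels in RIGHTS are descriptive, not an API's enum names.

```python
# Constructed descriptors assembled from the ACEs and Owner/Group values
# quoted in the dbcheck prompt; illustrations, not dumps from a real domain.
REFERENCE_SD = "O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)(A;;LCRP;;;BA)"
CURRENT_SD = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")

# Descriptive labels for the SDDL two-letter rights seen on AD objects/files.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RP": "DS_READ_PROP",
    "WP": "DS_WRITE_PROP", "CC": "DS_CREATE_CHILD", "DC": "DS_DELETE_CHILD",
    "LC": "DS_LIST", "SW": "DS_SELF", "LO": "DS_LIST_OBJECT",
    "DT": "DS_DELETE_TREE", "CR": "DS_CONTROL_ACCESS",
    "FA": "FILE_ALL", "FR": "FILE_READ", "FW": "FILE_WRITE", "FX": "FILE_EXECUTE",
}
READ_RIGHTS = {"GA", "GR", "RP", "LC", "LO", "FA", "FR"}  # see/list/read attrs
BROAD_TRUSTEES = {"AU", "WD"}  # Authenticated Users, Everyone


def split_components(sddl):
    """Split 'O:..G:..D:..S:..' at top level; ':' inside ACEs is left alone."""
    parts = {"O": "", "G": "", "D": "", "S": ""}
    key, start, depth, i = None, 0, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in parts and sddl[i + 1:i + 2] == ":":
            if key is not None:
                parts[key] = sddl[start:i]
            key, start = ch, i + 2
            i += 2
            continue
        i += 1
    if key is not None:
        parts[key] = sddl[start:]
    return parts


def split_aces(acl_text):
    """Return each '(...)' ACE; nested parentheses (conditional ACEs) are kept."""
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(acl_text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(acl_text[start:i + 1])
    return aces


def rights_tokens(rights):
    """'LCRPLORC' -> ['LC', 'RP', 'LO', 'RC']; a hex mask is returned as-is."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_ace(ace):
    fields = ace[1:-1].split(";", 6)  # a 7th field is a conditional expression
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {ace}")
    return {"raw": ace, "type": fields[0], "flags": fields[1],
            "rights": rights_tokens(fields[2]), "object_guid": fields[3],
            "inherit_guid": fields[4], "trustee": fields[5],
            "condition": fields[6] if len(fields) == 7 else ""}


def parse_sddl(sddl):
    parts = split_components(sddl)
    return {"owner": parts["O"], "group": parts["G"],
            "dacl_flags": parts["D"].split("(", 1)[0],
            "dacl": [parse_ace(a) for a in split_aces(parts["D"])],
            "sacl": [parse_ace(a) for a in split_aces(parts["S"])]}


def describe_rights(tokens):
    return [RIGHTS.get(t, t) for t in tokens]


def diff_descriptors(reference, current):
    """Mirror the dbcheck prompt: owner/group mismatches plus ACEs present on
    only one side, in input order so the output is stable."""
    ref, cur = parse_sddl(reference), parse_sddl(current)
    ref_aces = [a["raw"] for a in ref["dacl"]]
    cur_aces = [a["raw"] for a in cur["dacl"]]
    return {
        "owner": None if ref["owner"] == cur["owner"] else (ref["owner"], cur["owner"]),
        "group": None if ref["group"] == cur["group"] else (ref["group"], cur["group"]),
        "not_in_reference": [a for a in cur_aces if a not in ref_aces],
        "not_in_current": [a for a in ref_aces if a not in cur_aces],
    }


def broad_read_aces(sddl):
    """Allow ACEs granting read/list rights to AU or WD: on CN=Deleted Objects
    these are what let any authenticated user enumerate tombstones."""
    return [a["raw"] for a in parse_sddl(sddl)["dacl"]
            if a["type"] == "A" and a["trustee"] in BROAD_TRUSTEES
            and READ_RIGHTS.intersection(a["rights"])]


if __name__ == "__main__":
    d = diff_descriptors(REFERENCE_SD, CURRENT_SD)
    for ace in d["not_in_reference"]:
        print(f"{ace} ACE is not present in the reference")
    for ace in d["not_in_current"]:
        print(f"{ace} ACE is not present in the current")
    print("broad read ACEs in current:", broad_read_aces(CURRENT_SD))
```

Run against the two constructed descriptors, diff_descriptors reproduces the five ACE lines of the prompt, and broad_read_aces singles out "(A;;LCRPLORC;;;AU)" in the current descriptor and nothing in the reference, which is the one-line summary of why the reset is needed. The same parser reads the SDDL lines that "smbcacls --save" writes, so it can also be used to review a saved DACL file for over-broad allow ACEs before "--restore" applies it.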


Changes since 4.19.2


o  Douglas Bagnall 
   * BUG 15520: sid_strings test broken by unix epoch > 17.

o  Ralph Boehme 
   * BUG 15487: smbd crashes if asked to return full information on close of a
     stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
 smb_fname_fsp_destructor().

o  Pavel Filipenský 
   * BUG 15499: Improve logging for failover scenarios.

o  Björn Jacke 
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
 listed in directories.

o  Stefan Metzmacher 
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
     AD LDAP to normal users.
   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
 accounts.

o  Christof Schmitt 
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Andreas Schneider 
   * BUG 15513: Samba doesn't build with Python 3.12.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.19.2 Available for Download

2023-10-16 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.1


o  Jeremy Allison 
   * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
 after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
     call.

o  Ralph Boehme 
   * BUG 15463: macOS mdfind returns only 50 results.

o  Volker Lendecke 
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
 previous cache entry value.

o  Stefan Metzmacher 
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
 impacts sendmail, zabbix, potentially more.

o  Martin Schwenke 
   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.

o  Joseph Sutton 
   * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
     Heimdal KDC in Samba 4.19.
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
     in use.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.2.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download

2023-10-10 Thread Jule Anger via samba-announce

Release Announcements
-

This is a security release in order to address the following defects:


o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
                  existing unix domain sockets on the file system.
                  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
                  OVERWRITE disposition when using the acl_xattr Samba VFS
                  module with the smb.conf setting
                  "acl_xattr:ignore system acls = yes"
                  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
                  attributes, including secrets and passwords. Additionally,
                  the access check fails open on error conditions.
                  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                  server block for a user-defined amount of time, denying
                  service.
                  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
                  listeners, disrupting service on the AD DC.
                  https://www.samba.org/samba/security/CVE-2023-42670.html
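CVE-2023-3961 above is an instance of a client-supplied name being used to build a filesystem path without being validated first. The following Python is an added illustration of the defensive check that class of bug calls for; it is not Samba's fix, and the socket directory, function names and candidate pipe names are hypothetical. It allow-lists the characters of a pipe name and, independently of that, refuses any result that is not a direct child of the socket directory, so the mapping fails closed if either check is wrong.

```python
import posixpath

# Hypothetical directory in which a server keeps the unix-domain sockets that
# back its named pipes; no product's real layout is assumed.
PIPE_SOCKET_DIR = "/run/example/np"

# Allow-list: a pipe name is one path component drawn from a conservative
# character set. Anything else (separators, '.', '..', NUL, control or
# non-ASCII characters) is rejected outright rather than "cleaned up".
ALLOWED_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")
MAX_PIPE_NAME = 128


def is_valid_pipe_name(name):
    if not isinstance(name, str) or not 0 < len(name) <= MAX_PIPE_NAME:
        return False
    return all(ch in ALLOWED_CHARS for ch in name)


def pipe_socket_path(name, base_dir=PIPE_SOCKET_DIR):
    """Map a client-supplied pipe name to the socket it may reach, failing closed."""
    if not is_valid_pipe_name(name):
        raise ValueError(f"rejected pipe name {name!r}")
    path = posixpath.join(base_dir, name)
    # Defence in depth: independently of the allow-list, the normalised path
    # must be a direct child of base_dir, so a validator bug cannot widen reach.
    if posixpath.dirname(posixpath.normpath(path)) != posixpath.normpath(base_dir):
        raise ValueError(f"pipe name {name!r} escapes {base_dir}")
    return path


def classify(names):
    """{name: socket path or None} for a batch of candidate names; handy when
    reviewing what a validator accepts from a captured list of client requests."""
    result = {}
    for name in names:
        try:
            result[name] = pipe_socket_path(name)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed candidates: ordinary pipe names plus path-shaped inputs.
    for name, path in classify(["samr", "lsarpc", "..", "a/b", "x\\y", ""]).items():
        print(f"{name!r:12} -> {path}")
```

The allow-list is deliberately stricter than what the SMB protocol permits in a pipe name; a server that needs to accept a wider set should extend ALLOWED_CHARS explicitly rather than switch to a deny-list of separators.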


Changes
---

o  Jeremy Allison 
   * BUG 15422: CVE-2023-3961.

o  Andrew Bartlett 
   * BUG 15424: CVE-2023-4154.
   * BUG 15473: CVE-2023-42670.
   * BUG 15474: CVE-2023-42669.

o  Ralph Boehme 
   * BUG 15439: CVE-2023-4091.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.1.html
    https://www.samba.org/samba/history/samba-4.18.8.html
    https://www.samba.org/samba/history/samba-4.17.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




Heads-up: Upcoming Samba security releases

2023-10-03 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.17, 
4.18 and 4.19 on Tuesday October 10 2023. Please make sure that your 
Samba servers will be updated soon after the release!


Impacted component:
 - Fileserver (CVSS 6.5, Medium)
 - DCE-RPCs and pipes (CVSS 6.8, Medium)
 - AD DC (CVSS 7.5, High; CVSS 6.5, Medium, and CVSS 6.5, Medium)


Jule Anger

--
Jule Anger
Release Manager Samba Team  samba.org
SerNet Samba Team   sernet.de




[Announce] Samba 4.18.7 Available for Download

2023-09-27 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.6


o  Jeremy Allison 
   * BUG 15419: Weird filename can cause assert to fail in
 openat_pathref_fsp_nosymlink().
   * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown
 after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
 pointer.

o  Andrew Bartlett 
   * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect.
   * BUG 15407: Samba replication logs show (null) DN.

o  Ralph Boehme 
   * BUG 15463: macOS mdfind returns only 50 results.

o  Remi Collet 
   * BUG 14808: smbc_getxattr() return value is incorrect.

o  Volker Lendecke 
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
 previous cache entry value.

o  Stefan Metzmacher 
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
 impacts sendmail, zabbix, potentially more.

o  MikeLiu 
   * BUG 15453: File doesn't show when user doesn't have permission if
 aio_pthread is loaded.

o  Martin Schwenke 
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
 1.9.1.

o  Joseph Sutton 
   * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with
     empty claims pac blobs (from Samba 4.19 or Windows).
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
     in use.






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.7.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.17.11 Available for Download

2023-09-07 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.10
-

o  Jeremy Allison 
   * BUG 15419: Weird filename can cause assert to fail in
 openat_pathref_fsp_nosymlink().
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
 pointer.
   * BUG 15430: Missing return in reply_exit_done().
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
 pointer.

o  Andrew Bartlett 
   * BUG 15401: Improve GetNChanges to address some (but not all "Azure AD
     Connect") synchronisation tool looping during the initial user sync
     phase.
   * BUG 15407: Samba replication logs show (null) DN.
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Ralph Boehme 
   * BUG 15342: Spotlight sometimes returns no results on latest macOS.
   * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
     attempted to remove the destination.
   * BUG 15427: Spotlight results return wrong date in result list.
   * BUG 15463: macOS mdfind returns only 50 results.

o  Volker Lendecke 
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
     bad message_id 2.

o  Stefan Metzmacher 
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
     bad message_id 2.
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.


o  MikeLiu 
   * BUG 15453: File doesn't show when user doesn't have permission if
 aio_pthread is loaded.

o  Noel Power 
   * BUG 15384: net ads lookup (with unspecified realm) fails
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Arvid Requate 
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Martin Schwenke 
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
 1.9.1.

o  Jones Syue 
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.19.0 Available for Download

2023-09-04 Thread Jule Anger via samba-announce

Release Announcements
-

This is the first stable release of the Samba 4.19 release series.
Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES


Migrated smbget to use common command line parser
-

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command line
parser. This has some advantages, as you get all the features it provides, like
Kerberos authentication. The downside is that it breaks the options interface.
The support for smbgetrc has been removed. You can use an authentication file
if needed; this is documented in the manpage.

Please check the smbget manpage or --help output.

gpupdate changes


The libgpo.get_gpo_list function has been deprecated in favor of
an implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active Directory
using the SamDB module, instead of ADS (which is what libgpo uses).

Improved winbind logging and a new tool for parsing the winbind logs


Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
trace header fields 'traceid' and 'depth'.  Field 'traceid' allows tracking of
the trace records belonging to the same request.  Field 'depth' allows tracking
of the request nesting level. A new tool samba-log-parser is added for better
log parsing.

AD database prepared to FL 2016 standards for new domains
-

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, at provision time, ensure that the blank
database is already prepared for Functional Level 2016, with AD Schema
2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular.  These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
--

An initial, partial implementation of Active Directory Functional
Level 2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC,
for member servers that support these, and honour in-directory
configuration for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims
in the directory, and populate the PAC, Samba does not yet use them
for access control decisions.

While we continue to develop these features, existing domains can
test the feature by selecting the functional level in provision or
raising the DC functional level by setting

 ad dc functional level = 2016

in the smb.conf

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available.  This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision'

--option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba run:

    samba-tool domain schemaupgrade --schema=2019
    samba-tool domain functionalprep --function-level=2016
    samba-tool domain level raise --domain-level=2016 --forest-level=2016
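The procedure above (the smb.conf setting on every DC, a restart, then the three samba-tool commands) as an added pre-flight script. This is example code written for this page, not part of Samba or samba-tool. It assumes smb.conf's ini-like syntax (parameter names compared ignoring case and whitespace, whole-line `#` and `;` comments); the DC configuration texts are constructed samples. The restart between editing smb.conf and running the commands is not visible in the config text and stays with the operator.

```python
import re
import subprocess

# Values from the release notes: schema 2019 and functional level 2016.
SCHEMA = "2019"
LEVEL = "2016"

# Constructed sample smb.conf fragments (not from any real deployment).
DC_CONF_OK = """\
# Global parameters
[global]
    netbios name = DC1
    realm = EXAMPLE.COM
    server role = active directory domain controller
    ad dc functional level = 2016
"""

DC_CONF_MISSING = """\
[global]
    netbios name = DC2
    realm = EXAMPLE.COM
    server role = active directory domain controller
    ; functional level left at the default
"""


def _normalize(name):
    # Assumption: smb.conf parameter names compare ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()


def global_parameters(smb_conf_text):
    """Return the [global] section as {normalized parameter name: value}."""
    params = {}
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        # Only whole-line comments are comments in smb.conf; '#' inside a value is literal.
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_normalize(key)] = value.strip()
    return params


def dc_functional_level(smb_conf_text):
    """The configured 'ad dc functional level', or None when it is unset."""
    return global_parameters(smb_conf_text).get("addcfunctionallevel")


def raise_plan(level=LEVEL, schema=SCHEMA):
    """The three samba-tool invocations from the release notes, in order."""
    return [
        ["samba-tool", "domain", "schemaupgrade", f"--schema={schema}"],
        ["samba-tool", "domain", "functionalprep", f"--function-level={level}"],
        ["samba-tool", "domain", "level", "raise",
         f"--domain-level={level}", f"--forest-level={level}"],
    ]


def raise_domain_level(dc_confs, run=subprocess.run):
    """Run the raise only if every DC's smb.conf already carries the new level.

    dc_confs maps a DC name to the text of its smb.conf.  'run' is injectable so
    the plan can be exercised without a domain (a recorder is passed in tests).
    Samba must have been restarted on each DC after the smb.conf change; that
    step cannot be checked here.
    """
    not_ready = sorted(dc for dc, text in dc_confs.items()
                       if dc_functional_level(text) != LEVEL)
    if not_ready:
        raise RuntimeError(
            f"set 'ad dc functional level = {LEVEL}' on: {', '.join(not_ready)}")
    plan = raise_plan()
    for cmd in plan:
        run(cmd, check=True)   # check=True stops at the first failing step
    return len(plan)


if __name__ == "__main__":
    print("DC1 level:", dc_functional_level(DC_CONF_OK))
    print("DC2 level:", dc_functional_level(DC_CONF_MISSING))
    for cmd in raise_plan():
        print(" ".join(cmd))
```

The raise is refused while any DC is still at the default, because the page requires the setting on each DC before the level goes up; the same check could be done on a live DC with `samba-tool testparm`, but parsing the file keeps the pre-flight offline.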

Improved KDC Auditing
-

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets,
including if they would fail a policy that is not yet enforced.
Additionally, most failures are audited (after the initial
pre-validation of the request).
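An added consumer for the JSON audit records this paragraph refers to; it is example code for this page, not Samba's own tooling. Samba writes one JSON document per line to the auth_json_audit log class, and the constructed sample below follows the layout of its existing "Authentication" record (top-level `type`, nested `Authentication` object with `status`, `serviceDescription`, `clientAccount`, `clientDomain`, `remoteAddress`). The `policy` sub-object (`name`, `enforced`, `wouldFail`) is an assumed placeholder for the would-fail-policy information the notes describe, since the notes do not name those fields.

```python
import json
from collections import Counter, defaultdict


def _auth(account, status, remote, policy=None):
    """Build one constructed 'Authentication' audit line for the sample log."""
    body = {
        "version": {"major": 1, "minor": 2},
        "eventId": 4624 if status == "NT_STATUS_OK" else 4625,
        "status": status,
        "localAddress": "ipv4:10.0.0.1:88",
        "remoteAddress": remote,
        "serviceDescription": "Kerberos KDC",
        "authDescription": "ENC-TS Pre-authentication",
        "clientDomain": "EXAMPLE",
        "clientAccount": account,
    }
    if policy is not None:
        body["policy"] = policy        # assumed field name, see lead-in
    return json.dumps({"timestamp": "2023-09-04T10:20:01.000000+0000",
                       "type": "Authentication", "Authentication": body})


# Constructed sample: four KDC records, one ordinary debug line, one
# unrelated Authorization record.  Addresses and accounts are made up.
SAMPLE_AUDIT_LOG = "\n".join([
    _auth("alice", "NT_STATUS_OK", "ipv4:10.0.0.50:49152",
          policy={"name": "Tier0-Admins", "enforced": False, "wouldFail": True}),
    _auth("bob", "NT_STATUS_WRONG_PASSWORD", "ipv4:10.0.0.50:49153"),
    _auth("bob", "NT_STATUS_WRONG_PASSWORD", "ipv4:10.0.0.51:49154"),
    _auth("carol", "NT_STATUS_OK", "ipv6:fd00::1234:49155",
          policy={"name": "Tier0-Admins", "enforced": True, "wouldFail": False}),
    "[2023/09/04 10:20:02.000000,  3] ../../auth/auth_log.c:123(log_authentication_event_json)",
    json.dumps({"timestamp": "2023-09-04T10:20:03.000000+0000", "type": "Authorization",
                "Authorization": {"serviceDescription": "SMB2", "account": "dave"}}),
])


def parse_audit_log(text):
    """Return the JSON documents in a log, skipping non-JSON and torn lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # e.g. a line cut by log rotation
    return records


def kdc_events(records):
    """The 'Authentication' bodies produced by the Kerberos KDC."""
    return [r["Authentication"] for r in records
            if r.get("type") == "Authentication"
            and r["Authentication"].get("serviceDescription") == "Kerberos KDC"]


def _principal(ev):
    return f'{ev.get("clientDomain", "")}\\{ev.get("clientAccount", "")}'


def _host(address):
    """'ipv4:10.0.0.50:49152' -> '10.0.0.50'; the port is split off from the right
    so IPv6 addresses keep their colons."""
    _family, _, rest = address.partition(":")
    host, _, _port = rest.rpartition(":")
    return host


def failed_logons(events):
    """Failed KDC authentications per DOMAIN\\account."""
    return Counter(_principal(ev) for ev in events
                   if ev.get("status") != "NT_STATUS_OK")


def sources_per_account(events):
    """Distinct client hosts seen per account, success or failure."""
    out = defaultdict(set)
    for ev in events:
        out[_principal(ev)].add(_host(ev.get("remoteAddress", "")))
    return dict(out)


def audit_mode_policy_hits(events):
    """Tickets that were issued but would have failed a policy not yet enforced."""
    hits = []
    for ev in events:
        policy = ev.get("policy") or {}
        if policy.get("wouldFail") and not policy.get("enforced"):
            hits.append((_principal(ev), policy.get("name")))
    return hits


if __name__ == "__main__":
    events = kdc_events(parse_audit_log(SAMPLE_AUDIT_LOG))
    print("failures:", dict(failed_logons(events)))
    print("audit-mode policy hits:", audit_mode_policy_hits(events))
```

The audit-mode report is the part that matters before enforcing a policy: accounts that show up there would start failing the moment the policy is switched on, so the list is the checklist to clear first.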

Kerberos Armoring (FAST) Support for Windows clients


In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.  This is a significant security
improvement, as weak passwords in an AS-REQ are no longer available
for offline attack.

Claims compression in the AD PAC
----

Samba as an AD DC will compress "AD claims" using the same compression
algorithm as Microsoft Windows.

Resource SID compression in the AD PAC
------

Samba as an AD DC will now correctly 

[Announce] Samba 4.19.0rc4 Available for Download

2023-08-28 Thread Jule Anger via samba-announce

Release Announcements
=

This is the fourth release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=



[Announce] Samba 4.19.0rc3 Available for Download

2023-08-18 Thread Jule Anger via samba-announce

Release Announcements
=

This is the third release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=



[Announce] Samba 4.18.6 Available for Download

2023-08-16 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.5


o  Jeremy Allison 
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
 pointer.
   * BUG 15430: Missing return in reply_exit_done().

o  Andrew Bartlett 
   * BUG 15289: post-exec password redaction for samba-tool is more reliable for
     fully random passwords as it no longer uses regular expressions
     containing the password value itself.
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Ralph Boehme 
   * BUG 15342: Spotlight sometimes returns no results on latest macOS.
   * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
     attempted to remove the destination.
   * BUG 15427: Spotlight results return wrong date in result list.

o  Günther Deschner 
   * BUG 15414: "net offlinejoin provision" does not work as non-root user.

o  Pavel Filipenský 
   * BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
   * BUG 15433: cm_prepare_connection() calls close(fd) for the second time.


o  Stefan Metzmacher 
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
     bad message_id 2.
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.


o  Noel Power 
   * BUG 15390: Python tarfile extraction needs change to avoid a warning
 (CVE-2007-4559 mitigation).
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Arvid Requate 
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Jones Syue 
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



INVITE: SMB3 IO Lab participation at Storage Developers Conference Sept. 18-21, 2023 in Fremont, CA.

2023-08-09 Thread Jeremy Allison via samba-announce

Hi Samba-people, Arnold Jones, Technical Council Managing Director
of the Storage Network Industry Association (SNIA) asked me to
forward this invitation to anyone who would like to participate
in the SMB3 IO Lab.

---
   Hi Samba Developers,

   Presentations are only part of what is going on at the SNIA’s
   2023 Storage Developer Conference, September 18-21, Fremont, CA.
   The SNIA SMB3 IO Lab is also an integral part of the program.

   The purpose of this IO Lab is for vendors to bring their
   implementations of SMB3 to test, identify, and fix bugs in a
   collaborative setting with the goal of providing a forum in which
   companies can develop interoperable products.  There are several new
   features that have recently been added to the SMB3 protocol:
 * SMB over QUIC support for mutual authentication.
 * Server Notification update for logon session scenario (when server
   discards a logon session before client).
 * Significant Windows security behavior defaults updates in certain
   Windows releases:
  + SMB Signing required by default.
  + Auth rate limiter on by default.
  + Guest auth fallback now off by default.
  + Mail slots off by default and SMB1 now disabled in all Windows
    releases.
 * And other SMB security updates and features.

   The IO Lab is an opportunity to learn about these new features and test
   your implementation with Microsoft Windows protocol test suites.
   During the IO Lab you can directly engage with Windows Protocol
   Support, Test Suite Development, and members of the Windows development
   team as well as network with other professionals from all over the
   world.

   This IO Lab is held in one large room (open 24 hrs.), giving
   participants an easy way to interact with both Microsoft professionals
   and with all other participants and their implementations.

   If you are reluctant to participate because you feel that your SMB
   implementation is "not ready", you should still participate! The SMB3
   IO Lab is also a development opportunity, not just a testing
   opportunity. Implementations still in development are encouraged to
   participate.  It's a great opportunity to get help and learn from the
   experts!

   This year we are pleased to announce the full participation and
   continued support of Microsoft, our 2023 SNIA SDC SMB3 IO Lab
   underwriter.

   For complete details on how to participate please see:
   http://www.snia.org/SMB3IOLab

   If you have any additional questions, please contact me at arn...@snia.org.

   I look forward to seeing you and your company at the SMB3 IO Lab this
   year!

   --  Arnold


   Arnold Jones
   Technical Council Managing Director
   SNIA

   http://www.storagedeveloper.org/
   http://www.snia.org/SMB3IOLab
---



[Announce] Samba 4.19.0rc2 Available for Download

2023-08-08 Thread Jule Anger via samba-announce

Release Announcements
=

This is the second release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=



[Announce] Samba 4.19.0rc1 Available for Download

2023-07-28 Thread Jule Anger via samba-announce

Release Announcements
=

This is the first release candidate of Samba 4.19.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.19 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


Migrated smbget to use common command line parser
-

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command line
parser. This has some advantages, as you get all the features it provides, like
Kerberos authentication. The downside is that it breaks the options interface.
The support for smbgetrc has been removed. You can use an authentication file
if needed; this is documented in the manpage.

Please check the smbget manpage or --help output.

gpupdate changes


The libgpo.get_gpo_list function has been deprecated in favor of
an implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active Directory
using the SamDB module, instead of ADS (which is what libgpo uses).

Improved winbind logging and a new tool for parsing the winbind logs


Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
trace header fields 'traceid' and 'depth'.  Field 'traceid' allows tracking
the trace records belonging to the same request.  Field 'depth' allows
tracking the request nesting level. A new tool, samba-log-parser, is added for
better log parsing.

AD database prepared to FL 2016 standards for new domains
-

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, at provision time, ensure that the blank
database is already prepared for Functional Level 2016, with AD Schema
2019.

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular.  These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies
--

An initial, partial implementation of Active Directory Functional
Level 2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC,
for member servers that support these, and honour in-directory
configuration for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims
in the directory, and populate the PAC, Samba does not yet use them
for access control decisions.

While we continue to develop these features, existing domains can
test the feature by selecting the functional level in provision or
raising the DC functional level by setting

 ad dc functional level = 2016

in the smb.conf

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available.  This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision'

--option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba run
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing
-

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets,
including if they would fail a policy that is not yet enforced.
Additionally most failures are audited, (after the initial
pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients


In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.  This is a significant security
improvement, as weak passwords in an AS-REQ are no longer available
for offline attack.
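The procedure above has two prerequisites that are easy to get wrong on a multi-DC domain: every DC's smb.conf must carry 'ad dc functional level = 2016' (the same setting decides whether Windows clients can use FAST), and every DC must have restarted with it before 'samba-tool domain level raise' is run. The following pre-flight check is an added illustration, not part of Samba or samba-tool; it reads a constructed smb.conf fragment and a constructed copy of the output 'samba-tool domain level show' prints (both assumptions of this example; on a real DC read /etc/samba/smb.conf and capture the tool's stdout instead).

```python
"""Pre-flight check before raising a Samba AD domain to functional level 2016.

Added illustration for the procedure in the release notes; it is not part of
Samba or samba-tool. Two things are checked: the DC's smb.conf carries
'ad dc functional level = 2016' (which also decides whether Windows clients
can use FAST), and 'samba-tool domain level show' reports that every DC has
already picked the new level up, so 'samba-tool domain level raise' will not
leave a DC behind. Both inputs are constructed strings.
"""
import configparser
import re

# Constructed smb.conf fragment (assumed content, not from the release notes).
SMB_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    ad dc functional level = 2016
"""

# Constructed stdout in the shape 'samba-tool domain level show' prints, taken
# after the smb.conf change and restart but before 'domain level raise'.
LEVEL_SHOW = """Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2016
"""

# DC functional levels at which the notes say Windows clients will use FAST.
FAST_CAPABLE = {"2012", "2012 R2", "2016"}


def _norm(level):
    """'2012_R2' (smb.conf spelling) and '2012 R2' (tool output) compare equal."""
    return level.replace("_", " ").strip()


def dc_functional_level(smb_conf_text):
    """Return the [global] 'ad dc functional level' value, or None if unset."""
    # smb.conf keys may contain ':' (module options), so only '=' delimits.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(smb_conf_text)
    return cp.get("global", "ad dc functional level", fallback=None)


def parse_level_show(output):
    """Parse 'samba-tool domain level show' output into forest/domain/lowest_dc."""
    levels = {}
    for key, label in (("forest", "Forest function level"),
                       ("domain", "Domain function level"),
                       ("lowest_dc", "Lowest function level of a DC")):
        m = re.search(r"^%s: \(Windows\) (.+)$" % re.escape(label), output, re.M)
        if m:
            levels[key] = m.group(1).strip()
    return levels


def fast_prerequisite_met(smb_conf_text):
    """True when this DC's configured level is one where Windows clients use FAST."""
    level = dc_functional_level(smb_conf_text)
    return level is not None and _norm(level) in FAST_CAPABLE


def preflight(smb_conf_text, level_show_output, target="2016"):
    """Return the problems that should block 'samba-tool domain level raise'."""
    problems = []
    dc_level = dc_functional_level(smb_conf_text)
    if dc_level is None:
        problems.append("smb.conf: 'ad dc functional level' is unset "
                        "(Samba defaults to 2008_R2)")
    elif _norm(dc_level) != _norm(target):
        problems.append("smb.conf: 'ad dc functional level = %s', expected %s"
                        % (dc_level, target))

    levels = parse_level_show(level_show_output)
    lowest = levels.get("lowest_dc")
    if lowest is None:
        problems.append("could not read 'Lowest function level of a DC'")
    elif _norm(lowest) != _norm(target):
        # At least one DC has not restarted with the new smb.conf setting yet.
        problems.append("a DC still reports level %s; fix its smb.conf and "
                        "restart it before raising" % lowest)
    return problems


if __name__ == "__main__":
    for line in preflight(SMB_CONF, LEVEL_SHOW) or ["ok: ready to raise"]:
        print(line)
```

Run it on each DC before the 'schemaupgrade', 'functionalprep' and 'level raise' steps; an empty problem list means the domain-wide level can be raised without stranding a DC at 2008 R2.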

Claims compression in the AD PAC
----

Samba as an AD DC will compress "

[Announce] Samba 4.18.5, 4.17.10, 4.16.11 Security Releases are available for Download

2023-07-19 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker
                  process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the
                  server-side absolute path of shares and files and
                  directories in search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html


Changes
---

o  Ralph Boehme 
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.
   * BUG 15397: CVE-2023-3347.

o  Samuel Cabrero 
   * BUG 15072: CVE-2022-2127.

o  Volker Lendecke 
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher 
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.5.html
    https://www.samba.org/samba/history/samba-4.17.10.html
https://www.samba.org/samba/history/samba-4.16.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Heads-up: Upcoming Samba security releases

2023-07-12 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.16, 
4.17 and 4.18 on Wednesday, July 19 2023. Please make sure that your 
Samba servers will be updated soon after the release!


Impacted components:
 - Winbind (CVSS 5.9, Medium)
 - DCE-RPCs and pipes (CVSS 7.5, High, 5.3, Medium, and 5.3, Medium)
 - File services (CVSS 6.8, Medium)


Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  samba.org
SerNet Samba Team   sernet.de




[Announce] Samba 4.17.9 Available for Download

2023-07-06 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.8


o  Douglas Bagnall 
   * BUG 15404: Backport --pidl-developer fixes.

o  Ralph Boehme 
   * BUG 15275: smbd_scavenger crashes when service smbd is stopped.
   * BUG 15378: vfs_fruit might cause a failing open for delete.

o  Samuel Cabrero 
   * BUG 14030: named crashes on DLZ zone update.

o  Volker Lendecke 
   * BUG 15361: winbind recurses into itself via rpcd_lsad.
   * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
   * BUG 15391: smbclient leaks fds with showacls.

o  Stefan Metzmacher 
   * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
 smb3_sid_parse().
   * BUG 15413: winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR.

o  Jones Syue 
   * BUG 15403: smbget memory leak if failed to download files recursively.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.18.4 Available for Download

2023-07-05 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.3


o  Douglas Bagnall 
   * BUG 15404: Backport --pidl-developer fixes.

o  Samuel Cabrero 
   * BUG 14030: Named crashes on DLZ zone update.

o  Björn Jacke 
   * BUG 2312: smbcacls and smbcquotas do not check // before the server.

o  Volker Lendecke 
   * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
   * BUG 15391: smbclient leaks fds with showacls.
   * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o
     filesystem.


o  Stefan Metzmacher 
   * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
     causes test timeouts.

o  Noel Power 
   * BUG 15384: net ads lookup (with unspecified realm) fails.

o  Christof Schmitt 
   * BUG 15381: Register Samba processes with GPFS.

o  Andreas Schneider 
   * BUG 15390: Python tarfile extraction needs change to avoid a warning
 (CVE-2007-4559 mitigation).
   * BUG 15398: The winbind child segfaults when listing users with `winbind
     scan trusted domains = yes`.

o  Jones Syue 
   * BUG 15383: Remove comments about deprecated 'write cache size'.
   * BUG 15403: smbget memory leak if failed to download files recursively.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.4.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.18.3 Available for Download

2023-05-31 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.2


o  Ralph Boehme 
   * BUG 15375: Symlinks to files can have random DOS mode information in a
 directory listing.
   * BUG 15378: vfs_fruit might cause a failing open for delete.

o  Volker Lendecke 
   * BUG 15361: winbind recurses into itself via rpcd_lsad.
   * BUG 15366: wbinfo -u fails on ad dc with >1000 users.

o  Stefan Metzmacher 
   * BUG 15338: DS ACEs might be inherited to unrelated object classes.
   * BUG 15362: a lot of messages: get_static_share_mode_data:
 get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND.
   * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
 smb3_sid_parse().

o  Andreas Schneider 
   * BUG 15360: Setting veto files = /.*/ breaks listing directories.

o  Joseph Sutton 
   * BUG 15363: "samba-tool domain provision" does not run interactive mode if
     no arguments are given.

o  Nathaniel W. Turner 
   * BUG 15325: dsgetdcname: assumes local system uses IPv4.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
        The Samba Team




[Announce] Samba 4.17.8 Available for Download

2023-05-11 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.7


o  Jeremy Allison 
   * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied:
 message level should be lower.
   * BUG 15306: Floating point exception (FPE) via cli_pull_send at
 source3/libsmb/clireadwrite.c.

o  Andrew Bartlett 
   * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
     Rackspace GitLab runners.
   * BUG 15329: Reduce flapping of ridalloc test.
   * BUG 15351: large_ldap test is unreliable.

o  Ralph Boehme 
   * BUG 15143: New filename parser doesn't check veto files smb.conf
     parameter.
   * BUG 15354: mdssvc may crash when initializing.

o  Volker Lendecke 
   * BUG 15313: Large directory optimization broken for non-lcomp path
     elements.
   * BUG 15357: streams_depot fails to create streams.
   * BUG 15358: shadow_copy2 and streams_depot don't play well together.
   * BUG 15366: wbinfo -u fails on ad dc with >1000 users.

o  Stefan Metzmacher 
   * BUG 15317: winbindd idmap child contacts the domain controller without a
     need.
   * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
     first time.
   * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
   * BUG 15323: net ads search -P doesn't work against servers in other
     domains.
   * BUG 15338: DS ACEs might be inherited to unrelated object classes.
   * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.

o  Andreas Schneider 
   * BUG 15360: Setting veto files = /.*/ breaks listing directories.

o  Joseph Sutton 
   * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
     allow full write to all attributes (additional changes).
   * BUG 15329: Reduce flapping of ridalloc test.

o  Nathaniel W. Turner 
   * BUG 15325: dsgetdcname: assumes local system uses IPv4.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.8.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.18.2 Available for Download

2023-04-19 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.1


o  Jeremy Allison 
   * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied:
 message level should be lower.
   * BUG 15306: Floating point exception (FPE) via cli_pull_send at
 source3/libsmb/clireadwrite.c.

o  Andrew Bartlett 
   * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
     Rackspace GitLab runners.
   * BUG 15329: Reduce flapping of ridalloc test.
   * BUG 15351: large_ldap test is unreliable.

o  Ralph Boehme 
   * BUG 15143: New filename parser doesn't check veto files smb.conf
     parameter.
   * BUG 15354: mdssvc may crash when initializing.

o  Volker Lendecke 
   * BUG 15313: Large directory optimization broken for non-lcomp path
     elements.
   * BUG 15357: streams_depot fails to create streams.
   * BUG 15358: shadow_copy2 and streams_depot don't play well together.

o  Rob van der Linde 
   * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.

o  Stefan Metzmacher 
   * BUG 15317: winbindd idmap child contacts the domain controller without a
     need.
   * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
     first time.
   * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
   * BUG 15323: net ads search -P doesn't work against servers in other
     domains.
   * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.

o  Joseph Sutton 
   * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
   * BUG 15343: Tests use deprecated and removed methods like
     assertRegexpMatches.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.2.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.18.1, 4.17.7, 4.16.10 Security Releases are available for Download

2023-03-29 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.
                 https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
                 https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
                 https://www.samba.org/samba/security/CVE-2023-0614.html


Changes
---

o  Douglas Bagnall 
   * BUG 15276: CVE-2023-0225.

o  Andrew Bartlett 
   * BUG 15270: CVE-2023-0614.
   * BUG 15331: ldb wildcard matching makes excessive allocations.
   * BUG 15332: large_ldap test is inefficient.

o  Rob van der Linde 
   * BUG 15315: CVE-2023-0922.

o  Joseph Sutton 
   * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
     allow full write to all attributes (additional changes).
   * BUG 15270: CVE-2023-0614.
   * BUG 15276: CVE-2023-0225.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The Samba source code can be
downloaded from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.18.1.html
    https://www.samba.org/samba/history/samba-4.17.7.html
https://www.samba.org/samba/history/samba-4.16.10.html

If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID
4793916113084025).

The ldb source code can be downloaded from:

samba-4.18.1:
https://download.samba.org/pub/ldb/ldb-2.7.2.tar.gz
samba-4.17.7:
https://download.samba.org/pub/ldb/ldb-2.6.2.tar.gz
samba-4.16.10:
https://download.samba.org/pub/ldb/ldb-2.5.3.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




Heads-up: Upcoming Samba security releases

2023-03-22 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.16, 
4.17 and 4.18 on Wednesday, March 29 2023. Please make sure that your 
Samba servers will be updated soon after the release!


Impacted components:
 - AD DC (CVSS 5.4, Medium, and CVSS 5.9, Medium, and CVSS 7.7, High)


Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de




[Announce] Samba 4.17.6 Available for Download

2023-03-09 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.5


o  Jeremy Allison 
   * BUG 15314: streams_xattr is creating unexpected locks on folders.

o  Andrew Bartlett 
   * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported
     for password hash synchronisation, allowing Samba AD Domains to
     synchronise passwords with this popular cloud environment.

o  Ralph Boehme 
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Volker Lendecke 
   * BUG 15310: New samba-dcerpc architecture does not scale gracefully.

o  John Mulligan 
   * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
 fsp_get_pathref_fd() in close and fstat.

o  Noel Power 
   * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
 after free.

o  baixiangcpp 
   * BUG 15311: fd_load() function implicitly closes the fd where it should
     not.



###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.


If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.18.0 Available for Download

2023-03-08 Thread Jule Anger via samba-announce

Release Announcements
-

This is the first stable release of the Samba 4.18 release series.
Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES


SMB Server performance improvements
---

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.

While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.

More succinct samba-tool error messages
---

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES
-

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
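To make the delete semantics concrete, the following is an added example and not samba-tool's own code (samba-tool operates on parsed security descriptor objects, not on text). It models what 'samba-tool dsacl delete --sddl' does to an object's DACL: the ACEs named in --sddl are removed and nothing else (owner, group, DACL flags, SACL, the remaining ACEs) changes. Matching on the normalised ACE text, and the sample descriptor, are assumptions of this example.

```python
"""Delete ACEs from a DACL given as SDDL, mirroring the semantics of
'samba-tool dsacl delete --sddl'.

Added example; not samba-tool's implementation. Only the ACEs passed in are
removed from the DACL; owner, group, DACL control flags and the SACL are kept.
Comparison is on the normalised ACE text (an assumption of this example).
"""
import re

ACE_RE = re.compile(r"\(([^()]*)\)")       # one ACE, e.g. (A;;RPWP;;;AU)
PART_RE = re.compile(r"(O|G|D|S):")         # owner, group, DACL, SACL markers

# Constructed descriptor: Domain Admins full control, Authenticated Users and
# Principal Self read, plus one audit ACE in the SACL.
SAMPLE_SD = ("O:DAG:DAD:PAI"
             "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
             "(A;;RPLCLORC;;;AU)"
             "(A;;RPLCLORC;;;PS)"
             "S:(AU;SA;CR;;;WD)")


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    parts = {}
    marks = list(PART_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def dacl_aces(sddl):
    """Return (dacl_flags, [ace, ...]) for the DACL part; ACEs keep their parens."""
    dacl = split_sddl(sddl).get("D", "")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]
    return flags, ["(%s)" % a for a in ACE_RE.findall(dacl)]


def normalise_ace(ace):
    """Canonical form for comparison: parens, fields trimmed and upper-cased."""
    fields = ace.strip().strip("()").split(";")
    return "(" + ";".join(f.strip().upper() for f in fields) + ")"


def delete_aces(sddl, ace_sddl):
    """Remove every ACE listed in ace_sddl from the DACL of sddl.

    Returns (new_sddl, not_found). not_found lists requested ACEs that were
    not present, so a caller can refuse to report success for a no-op.
    """
    parts = split_sddl(sddl)
    flags, aces = dacl_aces(sddl)
    wanted = {normalise_ace(a) for a in ACE_RE.findall(ace_sddl)}
    present = {normalise_ace(a) for a in aces}
    not_found = sorted(wanted - present)
    keep = [a for a in aces if normalise_ace(a) not in wanted]
    parts["D"] = flags + "".join(keep)
    new_sddl = "".join("%s:%s" % (k, parts[k]) for k in "OGDS" if k in parts)
    return new_sddl, not_found


if __name__ == "__main__":
    result, missing = delete_aces(SAMPLE_SD, "(A;;RPLCLORC;;;AU)")
    print(result)
    print("not found:", missing)
```

The not_found list is the check a practitioner wants after a delete: an ACE that was never there means the DACL you intended to tighten was not the one you thought, and the returned descriptor should be diffed against the original before it is written back.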

No colour with NO_COLOR environment variable


With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at


The wbinfo command has a new option, --change-secret-at=
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location


Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows redefining the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
to normal users outside of Samba. When this option is set to a
user-defined value, e.g. user.NTACL, then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (e.g. local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
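Because a share that moves its ACLs into user.* hands the ACL to anyone with local, SSH or NFS access to the file, it is worth auditing smb.conf for it. The following check is an added example, not part of Samba: it parses a constructed smb.conf (an assumption of this example) and lists the shares whose NT ACL xattr ends up outside the security.* namespace, resolving the effective value the way Samba does, with share-level settings overriding [global] and ignoring shares that do not load acl_xattr at all.

```python
"""List shares whose NT ACLs are stored outside the protected security.* xattr
namespace, i.e. where acl_xattr:security_acl_name was changed from the default.

Added check, not part of Samba. With the default security.NTACL only Samba
(and root) can get at the ACL; a user.* name can be read and rewritten by
anyone with local, SSH or NFS access to the file. The smb.conf below is
constructed; share-level settings override [global], as in Samba.
"""
import configparser

# Constructed smb.conf (assumed content). [data] moves the ACL into user.*;
# [scratch] sets the option but does not load acl_xattr, so it is inert there.
SMB_CONF = """
[global]
    server role = standalone server
    vfs objects = acl_xattr
    acl_xattr:security_acl_name = security.NTACL

[data]
    path = /srv/data
    acl_xattr:security_acl_name = user.NTACL

[hr]
    path = /srv/hr
    vfs objects = acl_xattr

[scratch]
    path = /srv/scratch
    vfs objects =
    acl_xattr:security_acl_name = user.NTACL
"""

DEFAULT_NAME = "security.NTACL"   # Samba's default per the release note


def _load(smb_conf_text):
    # smb.conf keys can contain ':' (module options), so only '=' delimits.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(smb_conf_text)
    return cp


def effective(cp, share, key, default):
    """Share value if set, else the [global] value, else the built-in default."""
    if cp.has_option(share, key):
        return cp.get(share, key)
    return cp.get("global", key, fallback=default)


def acl_xattr_locations(smb_conf_text):
    """Map share -> xattr name holding its NT ACL, for shares loading acl_xattr."""
    cp = _load(smb_conf_text)
    result = {}
    for share in cp.sections():
        if share == "global":
            continue
        modules = effective(cp, share, "vfs objects", "").split()
        if "acl_xattr" not in modules:
            continue  # module not loaded on this share: the option has no effect
        result[share] = effective(cp, share, "acl_xattr:security_acl_name",
                                  DEFAULT_NAME)
    return result


def unprotected_acl_shares(smb_conf_text):
    """Shares whose ACL xattr is not in the kernel-protected security.* namespace."""
    return sorted(share
                  for share, name in acl_xattr_locations(smb_conf_text).items()
                  if not name.startswith("security."))


if __name__ == "__main__":
    for share in unprotected_acl_shares(SMB_CONF):
        print("share [%s]: NT ACL stored in %s, writable outside Samba"
              % (share, acl_xattr_locations(SMB_CONF)[share]))
```

Each share the check reports needs the "specific precautions" the note asks for (for instance, no local, SSH or NFS access to the underlying path), or the option should be removed so Samba falls back to security.NTACL.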

Azure Active Directory / Office365 synchron

[Announce] Samba 4.18.0rc4 Available for Download

2023-03-01 Thread Jule Anger via samba-announce

Release Announcements
=

This is the fourth release candidate of Samba 4.18.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


SMB Server performance improvements
---

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.

While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.

More succinct samba-tool error messages
---

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES
-

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable


With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at


The wbinfo command has a new option, --change-secret-at=
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location


Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly

[Announce] Samba 4.16.9 Available for Download

2023-02-16 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.8


o  Jeremy Allison 
   * BUG 14808: smbc_getxattr() return value is incorrect.
   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
     correctly.
   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
     DC when there is only an  record for the DC in DNS.
   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.


o  Ralph Boehme 
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Samuel Cabrero 
   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
 based SChannel on NETLOGON.

o  Volker Lendecke 
   * BUG 15243: %U for include directive doesn't work for share listing
 (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15269: ctdb: use-after-free in run_proc.

o  Stefan Metzmacher 
   * BUG 15243: %U for include directive doesn't work for share listing
 (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15280: irpc_destructor may crash during shutdown.
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Andreas Schneider 
   * BUG 15268: smbclient segfaults with use after free on an optimized build.


o  Andrew Walker 
   * BUG 15164: Leak in wbcCtxPingDc2.
   * BUG 15265: Access based share enum does not work in Samba 4.16+.
   * BUG 15267: Crash during share enumeration.
   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
     end of returned buffer.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.


If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.16.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.18.0rc3 Available for Download

2023-02-15 Thread Jule Anger via samba-announce

Release Announcements
=

This is the third release candidate of Samba 4.18.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


More succinct samba-tool error messages
---

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES
-

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable


With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at


The wbinfo command has a new option, --change-secret-at=
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location


Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
--

Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.

REMOVED FEATURES



smb.conf changes


  Parameter Name 

[Announce] Samba 4.18.0rc2 Available for Download

2023-02-01 Thread Jule Anger via samba-announce

Release Announcements
=

This is the second release candidate of Samba 4.18.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


More succinct samba-tool error messages
---

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES
-

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable


With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at


The wbinfo command has a new option, --change-secret-at=
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location


Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
--

Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.

REMOVED FEATURES



smb.conf changes


  Parameter Name 

[Announce] Samba 4.17.5 Available for Download

2023-01-26 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.4


o  Jeremy Allison 
   * BUG 14808: smbc_getxattr() return value is incorrect.
   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
     correctly.
   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
     DC when there is only an  record for the DC in DNS.
   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
   * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
   * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
 (accessing NULL value).

o  Samuel Cabrero 
   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
 based SChannel on NETLOGON (additional changes).

o  Volker Lendecke 
   * BUG 15243: %U for include directive doesn't work for share listing
 (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15269: ctdb: use-after-free in run_proc.

o  Stefan Metzmacher 
   * BUG 15243: %U for include directive doesn't work for share listing
 (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15280: irpc_destructor may crash during shutdown.
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Andreas Schneider 
   * BUG 15268: smbclient segfaults with use after free on an optimized build.


o  Jones Syue 
   * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.

o  Andrew Walker 
   * BUG 15164: Leak in wbcCtxPingDc2.
   * BUG 15265: Access based share enum does not work in Samba 4.16+.
   * BUG 15267: Crash during share enumeration.
   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
     end of returned buffer.

o  Florian Weimer 
   * BUG 15281: Avoid relying on C89 features in a few places.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.


If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.17.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team





[Announce] Samba 4.18.0rc1 Available for Download

2023-01-18 Thread Jule Anger via samba-announce

Release Announcements
=

This is the first release candidate of Samba 4.18.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.18 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


More succinct samba-tool error messages
---

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

No colour with NO_COLOR environment variable


With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at


The wbinfo command has a new option, --change-secret-at=
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.


REMOVED FEATURES



smb.conf changes


  Parameter Name  Description Default
  --  --- ---


KNOWN ISSUES


https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==



Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/rc/

The release notes are available online at:

https://download.samba.org/pub/samba/rc/samba-4.18.0rc1.WHATSNEW.txt

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download

2022-12-15 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:


o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
  RC4-HMAC Elevation of Privilege Vulnerability
  disclosed by Microsoft on Nov 8 2022.

  A Samba Active Directory DC will issue weak rc4-hmac
  session keys for use between modern clients and servers
  despite all modern Kerberos implementations supporting
  the aes256-cts-hmac-sha1-96 cipher.

  On Samba Active Directory DCs and members
  'kerberos encryption types = legacy' would force
  rc4-hmac as a client even if the server supports
  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
  Kerberos Elevation of Privilege Vulnerability
  disclosed by Microsoft on Nov 8 2022.

  A service account with the special constrained
  delegation permission could forge a more powerful
  ticket than the one it was presented with.

https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
  same algorithms as rc4-hmac cryptography in Kerberos,
  and so must also be assumed to be weak.

https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
  Vulnerability was disclosed by Microsoft on Nov 8 2022
  and per RFC8429 it is assumed that rc4-hmac is weak,

  Vulnerable Samba Active Directory DCs will issue rc4-hmac
  encrypted tickets despite the target server supporting
  better encryption (eg aes256-cts-hmac-sha1-96).

https://www.samba.org/samba/security/CVE-2022-45141.html

Changes
---

o  Jeremy Allison 
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Andrew Bartlett 
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
 user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme 
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher 
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from
     Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
 vulnerability.
   * BUG 15206: libnet: change_password() doesn't work with
 dcerpc_samr_ChangePasswordUser4().
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliably via an RWDC
 (CVE-2021-20251 regression).

o  Noel Power 
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Anoop C S 
   * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o  Andreas Schneider 
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing
 (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton 
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams 
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
 user-controlled pointer in FAST.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== 
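
An added example, not code from the Samba project or from these announcements: a small Python audit that reads an smb.conf and flags the two settings discussed on this page, 'kerberos encryption types = legacy' from the CVE-2022-37966 notes above and an 'acl_xattr:security_acl_name' moved away from the default security.NTACL from the 4.18 release notes. The sample smb.conf, its share names and paths are constructed for the example.

```python
"""Audit an smb.conf for two settings discussed in these announcements.

Added example; not part of Samba or of the announcement text.
  * 'kerberos encryption types = legacy' forces rc4-hmac even where the
    peer supports AES (CVE-2022-37966 notes).
  * 'acl_xattr:security_acl_name' moved away from the default
    security.NTACL lets the NT ACL be read or overwritten by local users
    via SSH, NFS or a shell (4.18 release notes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_PARAM_RE = re.compile(r"^(?P<key>[^=#;][^=]*?)\s*=\s*(?P<value>.*)$")

# Constructed sample configuration; share names and paths are made up.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    Kerberos  Encryption Types = legacy
    ; comment lines start with ';' or '#'

[projects]
    path = /srv/projects
    vfs objects = acl_xattr
    acl_xattr:security_acl_name = user.NTACL

[archive]
    path = /srv/archive
    vfs objects = acl_xattr
    acl_xattr:security_acl_name = security.NTACL
"""


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf reader: section name -> {normalised key: value}.

    Section names and keys are lower-cased and internal whitespace is
    collapsed, so 'Kerberos  Encryption Types' matches
    'kerberos encryption types'. Lines beginning with '#' or ';' are
    comments. Values are kept verbatim apart from surrounding whitespace.
    """
    sections: dict[str, dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            current = " ".join(sec.group("name").lower().split())
            sections.setdefault(current, {})
            continue
        param = _PARAM_RE.match(line)
        if param:
            key = " ".join(param.group("key").lower().split())
            sections[current][key] = param.group("value").strip()
    return sections


@dataclass(frozen=True)
class Finding:
    section: str
    parameter: str
    value: str
    message: str


def audit(sections: dict[str, dict[str, str]]) -> list[Finding]:
    """Return one Finding per weak setting found."""
    findings: list[Finding] = []

    # 'kerberos encryption types' is a [global] parameter.
    enc = sections.get("global", {}).get("kerberos encryption types", "")
    if enc.lower() == "legacy":
        findings.append(Finding(
            "global", "kerberos encryption types", enc,
            "forces rc4-hmac even when the server supports "
            "aes256-cts-hmac-sha1-96 (see CVE-2022-37966)"))

    # acl_xattr:security_acl_name is usually set per share but may also
    # appear in [global]; anything other than the default is flagged.
    for name, params in sections.items():
        xattr = params.get("acl_xattr:security_acl_name")
        if xattr is not None and xattr != "security.NTACL":
            findings.append(Finding(
                name, "acl_xattr:security_acl_name", xattr,
                "NT ACL stored outside the protected security.NTACL "
                "location; local users (SSH, NFS, shell) can read or "
                "overwrite it"))
    return findings


def run_audit(text: str = SAMPLE_SMB_CONF) -> list[Finding]:
    """Parse and audit in one step; used by the demo and the tests."""
    return audit(parse_smb_conf(text))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.section}] {f.parameter} = {f.value}: {f.message}")
```

Run it against a real file with `run_audit(open("/etc/samba/smb.conf").read())`; the parser ignores `include` directives, so audit each included file separately.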

[Announce] Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download

2022-11-15 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
  integer overflows when parsing a PAC on a 32-bit system, which
  allowed an attacker with a forged PAC to corrupt the heap.

https://www.samba.org/samba/security/CVE-2022-42898.html

Changes
---

o  Joseph Sutton 
   * BUG 15203: CVE-2022-42898

o  Nicolas Williams 
   * BUG 15203: CVE-2022-42898

###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.3.html
    https://www.samba.org/samba/history/samba-4.16.7.html
    https://www.samba.org/samba/history/samba-4.15.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Heads-up: Upcoming Samba security releases

2022-11-08 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.15, 
4.16 and 4.17 on Tuesday, November 15 2022. Please make sure that your 
Samba servers will be updated soon after the release!


Impacted components:
 - AD DC (CVSS 6.4, Medium)


Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de




[Announce] Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases Available for Download

2022-10-25 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
  unwrap_des() and unwrap_des3() routines of Heimdal (included
  in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html

o CVE-2022-3592:  A malicious client can use a symlink to escape the exported
  directory. (4.17 only)
https://www.samba.org/samba/security/CVE-2022-3592.html

Changes
---

o  Volker Lendecke 
   * BUG 15207: CVE-2022-3592.

o  Joseph Sutton 
   * BUG 15134: CVE-2022-3437.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.2.html
    https://www.samba.org/samba/history/samba-4.16.6.html
    https://www.samba.org/samba/history/samba-4.15.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.17.1 Available for Download

2022-10-19 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.0


o  Jeremy Allison 
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o  Douglas Bagnall 
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o  Andrew Bartlett 
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not 
incremented

 atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.

o  Ralph Boehme 
   * BUG 15182: Flush on a named stream never completes.

o  Volker Lendecke 
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o  Gary Lockyer 
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

o  Stefan Metzmacher 
   * BUG 15200: multi-channel socket passing may hit a race if one of the
 involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and
     struct tevent_immediate on struct imessaging_context (in
     rpcd_spoolss and maybe others).

o  Noel Power 
   * BUG 15205: Since popt1.19 various use after free errors using result of
     poptGetArg are now exposed.

o  Anoop C S 
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
 vfs_glusterfs.

o  Andreas Schneider 
   * BUG 15169: GETPWSID in memory cache grows indefinitely with each
     NTLM auth.

o  Joseph Sutton 
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.





Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.17.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Heads-up: Upcoming Samba security releases

2022-10-19 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.15,
4.16 and 4.17 on Tuesday, October 25 2022. Please make sure that your
Samba servers will be updated soon after the release!


Impacted components:
 - AD DC (CVSS 5.9, Medium)
 - Fileserver (CVSS 5.4, Medium)


Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de





[Announce] Samba 4.15.10 Available for Download

2022-09-28 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.15 release series.


Changes since 4.15.9


o  Jeremy Allison 
   * BUG 15128: Possible use after free of connection_struct when iterating
 smbd_server_connection->connections.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.

o  Ralph Boehme 
   * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
     disabled on a share.
   * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
 permissions instead of ACL from xattr.
   * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
   * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
 ../../lib/util/fault.c:197.

o  Stefan Metzmacher 
   * BUG 15148: Missing READ_LEASE break could cause data corruption.

o  Andreas Schneider 
   * BUG 15124: rpcclient can crash using setuserinfo(2).
   * BUG 15132: Samba fails to build with glibc 2.36 caused by including
  in libreplace.

o  Joseph Sutton 
   * BUG 15152: SMB1 negotiation can fail to handle connection errors.

o  Michael Tokarev 
   * BUG 15078: samba-tool domain join segfault when joining a samba ad
     domain.






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.15.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[Announce] Samba 4.17.0rc3 Available for Download

2022-08-23 Thread Jule Anger via samba-announce

Release Announcements
=

This is the third release candidate of Samba 4.17.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.17 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


SMB Server performance improvements
---

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for meta data heavy workloads.

With 4.17 the situation improved a lot again:

- Pathnames given by a client are divided into dirname and basename.
  The number of syscalls to validate dirnames is reduced to 2 syscalls
  (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
  makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
  in order to just use 2 syscalls (openat2, close) for the whole dirname.

- Contended path based operations used to generate a lot of unsolicited
  wakeup events causing thundering herd problems, which led to massive
  latencies for some clients. These events are now avoided in order
  to provide stable latencies and much higher throughput of open/close
  operations.

Configure without the SMB1 Server
-

It is now possible to configure Samba without support for
the SMB1 protocol in smbd. This can be selected at configure
time with either of the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba
is configured to include SMB1 support (i.e. --with-smb1-server
is the default). When Samba is configured without SMB1 support,
none of the SMB1 code is included inside smbd except the minimal
stub code needed to allow a client to connect as SMB1 and immediately
negotiate the selected protocol into SMB2 (as a Windows server also
allows).

None of the SMB1-only smb.conf parameters are removed when
configured without SMB1, but these parameters are ignored by
the smbd server. This allows deployment without having to change
an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba
to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections
even when Samba is configured as --without-smb1-server. This is
to ensure maximum compatibility with environments containing old
SMB1 servers.

Bronze bit and S4U support with MIT Kerberos 1.20
-

In 2020 the Microsoft Security Response Team received another Kerberos-related
report. Eventually, that led to a security update of the CVE-2020-17049,
Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
Bit’. With this vulnerability, a compromised service that is configured to use
Kerberos constrained delegation feature could tamper with a service ticket that
is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the
‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
changed to allow passing more details between KDC and KDB components. When built
against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
S4U2Self and S4U2Proxy Kerberos extensions.

Resource Based Constrained Delegation (RBCD) support
----

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
Note that samba-tool lacks support for setting this up yet!

To complete RBCD support and make it useful to Administrators we added the
Asserted Identity [1] SID into the PAC for constrained delegation. This is
available for Samba AD compiled with MIT Kerberos 1.20.

[1] 
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview


Customizable DNS listening port
---

It is now possible to set a custom listening port for the builtin DNS service,
making it easy to host another DNS on the same system that would bind to the
default port and forward the domain-specific queries to Samba using the custom
port. This is the opposite configuration of setting a forwarder in Samba.

It makes it possible to use another DNS server as a front and forward to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when forwarding
to Samba. Dynamic DNS update proxying depends on the features of the other DNS
server used as a front.

CTDB changes


* When Samba is configured with both --with-cluster-supp

[Announce] Samba 4.16.4, 4.15.9, 4.14.14 Security Releases are available for Download

2022-07-27 Thread Jule Anger via samba-announce

Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
  changing passwords.
https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
  or modify request.
https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
  process with an LDAP add or modify request.
https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
https://www.samba.org/samba/security/CVE-2022-32742.html

Changes
---

o  Jeremy Allison 
   * BUG 15085: CVE-2022-32742.

o  Andrew Bartlett 
   * BUG 15009: CVE-2022-32746.

o  Andreas Schneider 
   * BUG 15047: CVE-2022-2031.

o  Joseph Sutton 
   * BUG 15008: CVE-2022-32745.
   * BUG 15009: CVE-2022-32746.
   * BUG 15047: CVE-2022-2031.
   * BUG 15074: CVE-2022-32744.




Download Details


The uncompressed Samba tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The Samba source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.16.4.html
    https://www.samba.org/samba/history/samba-4.15.9.html
    https://www.samba.org/samba/history/samba-4.14.14.html

If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025).

The ldb source code can be downloaded from:

samba-4.16.4:
https://download.samba.org/pub/ldb/ldb-2.5.2.tar.gz
samba-4.15.9:
https://download.samba.org/pub/ldb/ldb-2.4.4.tar.gz
samba-4.14.14:
https://download.samba.org/pub/ldb/ldb-2.3.4.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Heads-up: Upcoming Samba security releases

2022-07-20 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.14, 
4.15 and 4.16 on Wednesday, July 27 2022. Please make sure that your 
Samba servers will be updated soon after the release!


Impacted components:
 - File server (CVSS 4.3, Medium)
 - AD DC (CVSS 8.8, High, and CVSS 5.4, Medium)


Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de




[Announce] Samba 4.15.8 Available for Download

2022-06-28 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.15 release series.


Changes since 4.15.7


o  Jeremy Allison 
   * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
   * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.


o  Douglas Bagnall 
   * BUG 14986: Add support for bind 9.18.
   * BUG 15076: logging dsdb audit to specific files does not work.

o  Ralph Boehme 
   * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
     file had been deleted.

o  Samuel Cabrero 
   * BUG 15087: netgroups support removed.

o  Samuel Cabrero 
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
     server.

o  Stefan Metzmacher 
   * BUG 15071: waf produces incorrect names for python extensions with Python
     3.11.

o  Noel Power 
   * BUG 15100: smbclient commands del & deltree fail with
 NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.

o  Christof Schmitt 
   * BUG 15055: vfs_gpfs recalls=no option prevents listing files.

o  Andreas Schneider 
   * BUG 15071: waf produces incorrect names for python extensions with Python
     3.11.
   * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
   * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.

o  Andreas Schneider 
   * BUG 15054: smbd doesn't handle UPNs for looking up names.

o  Robert Sprowson 
   * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.





Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.15.8.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de




[Announce] Samba 4.14.13 Available for Download

2022-04-04 Thread Jule Anger via samba-announce

Release Announcements
-

This is the last bugfix release of the Samba 4.14 release series. There will be
security releases only beyond this point.


Changes since 4.14.12
-

o  Jeremy Allison 
   * BUG 14169: Renaming file on DFS root fails with
 NT_STATUS_OBJECT_PATH_NOT_FOUND.
   * BUG 14737: Samba does not respond STATUS_INVALID_PARAMETER when opening 2
     objects with same lease key.
   * BUG 14938: NT error code is not set when overwriting a file during rename
     in libsmbclient.

o  Douglas Bagnall 
   * BUG 14996: Fix ldap simple bind with TLS auditing.

o  Ralph Boehme 
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
     server.

o  Samuel Cabrero 
   * BUG 14979: Problem when winbind renews Kerberos.

o  Pavel Filipenský 
   * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.

o  Elia Geretto 
   * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
     in SMBC_server_internal.

o  Björn Jacke 
   * BUG 13631: DFS fix for AIX broken.

o  Stefan Metzmacher 
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
     users).
   * BUG 14641: Crash of winbind on RODC.
   * BUG 14865: Uncached logon on RODC always fails once.
   * BUG 14951: KVNO off by 10.
   * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
 gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
   * BUG 14984: Changing the machine password against an RODC likely destroys
     the domain join.
   * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
 ldb_message *msg argument.
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
   * BUG 15001: LDAP simple binds should honour "old password allowed period".
   * BUG 15003: wbinfo -a doesn't work reliable with upn names.

o  Garming Sam 
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
     users).

o  Joseph Sutton 
   * BUG 14621: "password hash userPassword schemes = CryptSHA256" does not seem
     to work with samba-tool.
   * BUG 14984: Changing the machine password against an RODC likely destroys
     the domain join.





Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.14.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.16.0rc4 Available for Download

2022-03-01 Thread Jule Anger via samba-announce

Release Announcements
=

This is the fourth release candidate of Samba 4.16.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New samba-dcerpcd binary to provide DCERPC in the member server setup
-

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Certificate Auto Enrollment
---

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
---

The internal DNS server of Samba forwards queries for non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.

CTDB changes


* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing 

[Announce] Samba 4.16.0rc3 Available for Download

2022-02-14 Thread Jule Anger via samba-announce

Release Announcements
=

This is the third release candidate of Samba 4.16.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New samba-dcerpcd binary to provide DCERPC in the member server setup
-

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Certificate Auto Enrollment
---

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
---

The internal DNS server of Samba forwards queries for non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.

CTDB changes


* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing 

[Announce] Samba 4.16.0rc2 Available for Download

2022-01-31 Thread Jule Anger via samba-announce

Release Announcements
=

This is the second release candidate of Samba 4.16.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New samba-dcerpcd binary to provide DCERPC in the member server setup
-

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Certificate Auto Enrollment
---

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
---

The internal DNS server of Samba forwards queries for non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.

CTDB changes


* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing 

Heads-up: Upcoming Samba security releases

2022-01-24 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be Samba security updates for 4.13,
4.14 and 4.15 on Monday, January 31 2022. Please make sure that your
Samba servers will be updated soon after the release!


Impacted components:
 - File server (CVSS 4.2, Medium)
 - AD DC (CVSS 8.8, High)
 - VFS Modules (CVSS 9.9, Critical)

Cheers,
Jule Anger

--
Jule Anger
Release Manager Samba Team  https://samba.org
SerNet Samba Team   https://sernet.de




[Announce] Samba 4.16.0rc1 Available for Download

2022-01-24 Thread Jule Anger via samba-announce

Release Announcements
=

This is the first release candidate of Samba 4.16.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.16 will be the next version of the Samba suite.


UPGRADING
=


NEW FEATURES/CHANGES


New samba-dcerpcd binary to provide DCERPC in the member server setup
-

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Certificate Auto Enrollment
---

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
---

The internal DNS server of Samba forwards queries for non-AD zones to one or
more configured forwarders. Up until now it has been assumed that these
forwarders listen on port 53. Starting with this version it is possible to
configure the port using host:port notation. See smb.conf for more details.
Existing setups are not affected, as the default port is 53.

CTDB changes


* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing 

[Announce] Samba 4.15.4 Available for Download

2022-01-19 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.15 release series.


Changes since 4.15.3


o  Jeremy Allison 
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
 poisoning.
   * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
     calling the "Reconnecting with SMB1 for workgroup listing" path.
   * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().


o  Pavel Filipenský 
   * BUG 14940: Cross device copy of the crossrename module always fails.
   * BUG 14941: symlinkat function from VFS cap module always fails with an
 error.
   * BUG 14942: Fix possible fsp pointer deference.

o  Volker Lendecke 
   * BUG 14934: kill_tcp_connections does not work.

o  Stefan Metzmacher 
   * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
     NT_STATUS_BUFFER_TOO_SMALL.
   * BUG 14935: Can't connect to Windows shares not requiring authentication
     using KDE/Gnome.

o  Andreas Schneider 
   * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.


o  Jones Syue 
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
 poisoning.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.15.4.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba meta-data symlink vulnerability CVE-2021-20316

2022-01-10 Thread Jule Anger via samba-announce

Security Advisory
-

All versions of the Samba file server prior to 4.15.0 are affected by 
CVE-2021-20316. There will be no patches available for older Samba 
versions before 4.15 and 4.15 itself is already secure.


 * CVE-2021-20316: Symlink race error can allow metadata read
   and modify outside of the exported share.

https://www.samba.org/samba/security/CVE-2021-20316.html

Please update affected systems as soon as possible.

===
Details
===

All versions of Samba prior to 4.15.0 are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow filesystem metadata
to be accessed in an area of the server file system not exported under
the share definition. Note that SMB1 has to be enabled, or the share
also available via NFS in order for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
read or modify file or directory metadata on the symlink target.

The authenticated user must have permissions to read or modify the
metadata of the target of the symlink in order to perform the
operation outside of the share.

Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions, and ownership.

This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.

==
Patch Availability
==

Prior to Samba 4.15.0 patches for this are not possible, due to the
prior design of the Samba VFS layer which used pathname-based calls
for most meta-data operations.

A two and a half year effort was undertaken to completely re-write the
Samba VFS layer to stop use of pathname-based calls in all cases
involving reading and writing of metadata returned to the client.
This work has finally been completed in Samba 4.15.0.

Pathname-based VFS calls are still used as an initial optimization to
determine if a client requested path exists, but when data is returned
to the client or written onto the underlying filesystem then the
target component is first opened as a file handle, going through
rigorous checking to ensure it is contained within the share
path. All meta-data is then refreshed from or written to the open
handle, not via pathname-based VFS calls.

As all operations are now done on an open handle we believe that any
further symlink race conditions have been completely eliminated in
Samba 4.15.0 and all future versions of Samba.
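The handle-based approach described above, as an added example that is not Samba code: a hypothetical open_within_share() walks a client-supplied relative path under the share root with openat(2) and O_NOFOLLOW, so that the metadata operation (here fchmod) acts on the object that was opened rather than on a name a symlink race could redirect. The pathname-based set_mode_by_path() beside it shows why chmod(2) on a joined path is the unsafe form; the scratch tree in run_selftest() is constructed, and the helper refuses symlink components outright, which is stricter than Samba's configurable symlink handling.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pathname-based variant: chmod(2) resolves the whole name at call time, so a
 * symlink swapped in after any earlier containment check is followed. */
int set_mode_by_path(const char *share_root, const char *relpath, mode_t mode)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", share_root, relpath) >= (int)sizeof path) {
        errno = ENAMETOOLONG; return -1;
    }
    return chmod(path, mode);
}

/* Handle-based variant (hypothetical helper, stricter than Samba's configurable
 * symlink policy): walk share_root/relpath one component at a time with
 * openat(2) + O_NOFOLLOW, so any symlink component fails with ELOOP and "..",
 * "." and absolute paths are refused with EACCES before any I/O happens.
 * Returns an O_RDONLY fd for the final component, or -1 with errno set. */
int open_within_share(const char *share_root, const char *relpath)
{
    char buf[PATH_MAX], *save = NULL;
    int dirfd, next, saved;

    if (relpath[0] == '/') { errno = EACCES; return -1; }
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    dirfd = open(share_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    for (char *comp = strtok_r(buf, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0 || strcmp(comp, ".") == 0) {
            close(dirfd); errno = EACCES; return -1;
        }
        next = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        saved = errno;
        close(dirfd);   /* the parent handle is no longer needed */
        if (next < 0) { errno = saved; return -1; }
        dirfd = next;
    }
    return dirfd;       /* caller owns it; all metadata work goes through this fd */
}

int set_mode_by_handle(const char *share_root, const char *relpath, mode_t mode)
{
    int fd = open_within_share(share_root, relpath);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);   /* acts on the object we opened, not on a name */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scratch tree: <tmp>/share (exported) holding report.txt and a
 * symlink "escape" -> <tmp>/secret (outside the share).  Returns 0 when both
 * variants behave as described above, otherwise the number of the failed check. */
int run_selftest(void)
{
    char tmpl[] = "/tmp/share-demo-XXXXXX";
    char share[PATH_MAX], outside[PATH_MAX], inside[PATH_MAX], lnk[PATH_MAX];
    struct stat st;
    int fd;
    const char *base = mkdtemp(tmpl);

    if (base == NULL) return 1;
    snprintf(share, sizeof share, "%s/share", base);
    snprintf(outside, sizeof outside, "%s/secret", base);
    snprintf(inside, sizeof inside, "%s/report.txt", share);
    snprintf(lnk, sizeof lnk, "%s/escape", share);
    if (mkdir(share, 0755) != 0) return 2;
    if ((fd = open(outside, O_CREAT | O_WRONLY, 0600)) < 0 || close(fd) != 0) return 3;
    if ((fd = open(inside, O_CREAT | O_WRONLY, 0644)) < 0 || close(fd) != 0) return 4;
    if (symlink(outside, lnk) != 0) return 5;

    /* pathname-based: follows the link and rewrites metadata outside the share */
    if (set_mode_by_path(share, "escape", 0640) != 0) return 6;
    if (stat(outside, &st) != 0 || (st.st_mode & 0777) != 0640) return 7;
    /* handle-based: the symlink is refused and the outside file stays untouched */
    if (set_mode_by_handle(share, "escape", 0600) == 0 || errno != ELOOP) return 8;
    if (stat(outside, &st) != 0 || (st.st_mode & 0777) != 0640) return 9;
    /* handle-based: ".." is refused, a regular file inside the share still works */
    if (set_mode_by_handle(share, "../secret", 0600) == 0 || errno != EACCES) return 10;
    if (set_mode_by_handle(share, "report.txt", 0600) != 0) return 11;
    if (stat(inside, &st) != 0 || (st.st_mode & 0777) != 0600) return 12;

    unlink(lnk); unlink(inside); unlink(outside); rmdir(share); rmdir(base);
    return 0;
}

int main(void)
{
    int rc = run_selftest();
    if (rc == 0) puts("all checks passed"); else printf("check %d failed\n", rc);
    return rc;
}
```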



Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team


[Announce] Samba 4.13.16 Security Release is available for Download

2022-01-10 Thread Jule Anger via samba-announce

Release Announcements
-

This is a security release in order to address the following defects:

o CVE-2021-43566:  mkdir race condition allows share escape in Samba 4.x.
https://www.samba.org/samba/security/CVE-2021-43566.html


===
Details
===

o  CVE-2021-43566:
   All versions of Samba prior to 4.13.16 are vulnerable to a malicious
   client using an SMB1 or NFS symlink race to allow a directory to be
   created in an area of the server file system not exported under the
   share definition. Note that SMB1 has to be enabled, or the share
   also available via NFS in order for this attack to succeed.

   Clients that have write access to the exported part of the file system
   under a share via SMB1 unix extensions or NFS can create symlinks that
   can race the server by renaming an existing path and then replacing it
   with a symlink. If the client wins the race it can cause the server to
   create a directory under the new symlink target after the exported
   share path check has been done. This new symlink target can point to
   anywhere on the server file system. The authenticated user must have
   permissions to create a directory under the target directory of the
   symlink.

   This is a difficult race to win, but theoretically possible. Note that
   the proof of concept code supplied wins the race only when the server
   is slowed down and put under heavy load. Exploitation of this bug has
   not been seen in the wild.


Changes since 4.13.15
-

o  Jeremy Allison 
   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in
     Samba 4.x.







Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.13.16.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



Heads-up: Upcoming Samba security release for 4.13

2022-01-03 Thread Jule Anger via samba-announce

Hi,

this is a heads-up that there will be a Samba security update for 4.13 
on Monday, January 10 2022. Please make sure that your Samba servers 
will be updated soon after the release!


Impacted components:
 - file server (CVSS 2.6, Low)

Cheers,
Jule Anger





[Announce] Samba 4.14.11 Available for Download

2021-12-15 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.14 release series.

Important Notes
===

There have been a few regressions in the security release 4.14.10:

o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ!
  The instructions have been updated and some workarounds
  initially advised for 4.14.10 are no longer required and
  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become
  un-deletable. While this release should fix this bug, it is
  advised to have a look at the bug report for more detailed
  information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.


Changes since 4.14.10
-

o  Jeremy Allison 
   * BUG 14878: Recursive directory delete with veto files is broken.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by
     SMB2 alone when they are the only entry in the directory.

o  Andrew Bartlett 
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14694: Ensure that the LDB request has not timed out during filter
     processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme 
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
 broken.
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy 
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher 
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
     smbd_smb2_ioctl_send.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Joseph Sutton 
   * BUG 14694: Ensure that the LDB request has not timed out during filter
     processing as the LDAP server MaxQueryDuration is otherwise not honoured.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.14.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.13.15 Available for Download

2021-12-15 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.13 release series.

Important Notes
===

There have been a few regressions in the security release 4.13.14:

o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ!
  The instructions have been updated and some workarounds
  initially advised for 4.13.14 are no longer required and
  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become
  un-deletable. While this release should fix this bug, it is
  advised to have a look at the bug report for more detailed
  information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.


Changes since 4.13.14
-

o  Andrew Bartlett 
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme 
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
 broken.

o  Alexander Bokovoy 
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher 
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Joseph Sutton 
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.13.15.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.15.3 Available for Download

2021-12-08 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.15 release series.

Important Notes
===

There have been a few regressions in the security release 4.15.2:

o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
  PLEASE [RE-]READ!
  The instructions have been updated and some workarounds
  initially advised for 4.15.2 are no longer required and
  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred  Nurk) become
  un-deletable. While this release should fix this bug, it is
  advised to have a look at the bug report for more detailed
  information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.


Changes since 4.15.2


o  Jeremy Allison 
   * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
   * BUG 14879: A directory containing dangling symlinks cannot be deleted by
     SMB2 alone when they are the only entry in the directory.
   * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
     uninitialized in rmdir_internals().

o  Andrew Bartlett 
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred  Nurk) become un-deletable.

o  Ralph Boehme 
   * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if
 existing record points at non-existing process.
   * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
   * BUG 14897: Samba process doesn't log to logfile.
   * BUG 14907: set_ea_dos_attribute() fallback calling
 get_file_handle_for_metadata() triggers locking.tdb assert.
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
 broken.
   * BUG 14923: Segmentation fault when joining the domain.

o  Alexander Bokovoy 
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Günther Deschner 
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
   * BUG 14893: winexe crashes since 4.15.0 after popt parsing.

o  Volker Lendecke 
   * BUG 14908: net ads status -P broken in a clustered environment.

o  Stefan Metzmacher 
   * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
     smbd_smb2_ioctl_send.
   * BUG 14882: smbXsrv_client_global record validation leads to crash if
     existing record points at non-existing process.
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Andreas Schneider 
   * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
   * BUG 14883: smbclient login without password using '-N' fails with
 NT_STATUS_INVALID_PARAMETER on Samba AD DC.
   * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
     an AES only server.
   * BUG 14921: Possible null pointer dereference in winbind.

o  Andreas Schneider 
   * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
     net, etc.

o  Martin Schwenke 
   * BUG 14872: Add Debian 11 CI bootstrap support.

o  Joseph Sutton 
   * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Andrew Walker 
   * BUG 14888: Crash in recycle_unlink_internal().






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.15.3.html

Our Code,

Re: [Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download

2021-11-11 Thread Stefan Metzmacher via samba-announce

Hi,

>> There's sadly a regression that "allow trusted domains = no" prevents winbindd
>> from starting, we'll try to provide a follow up fix as soon as possible.
> 
> The regression fix is discussed on this merge request:
> https://gitlab.com/samba-team/samba/-/merge_requests/2246

The backported fixes are available at
https://bugzilla.samba.org/show_bug.cgi?id=14899

Please also notice the additional fix and advanced example
for the 'username map [script]' based fallback from 'DOMAIN\user' to
'user'.
https://bugzilla.samba.org/show_bug.cgi?id=14901
https://gitlab.com/samba-team/samba/-/merge_requests/2251

metze





Re: [Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download

2021-11-09 Thread Stefan Metzmacher via samba-announce

Hi,

> There's sadly a regression that "allow trusted domains = no" prevents winbindd
> from starting, we'll try to provide a follow up fix as soon as possible.

The regression fix is discussed on this merge request:
https://gitlab.com/samba-team/samba/-/merge_requests/2246

metze





[Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download

2021-11-09 Thread Stefan Metzmacher via samba-announce


Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
  authentication.
  https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
  https://www.samba.org/samba/security/CVE-2020-25717.html
  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
  by an RODC.
  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
  tickets.
  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
  (eg objectSid).
  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
  checking of data stored.
  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738:  Use after free in Samba AD DC RPC server.
  https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
  https://www.samba.org/samba/security/CVE-2021-23192.html

There's sadly a regression that "allow trusted domains = no" prevents winbindd
from starting, we'll try to provide a follow up fix as soon as possible.

Changes:


o  Douglas Bagnall 
   * CVE-2020-25722

o  Andrew Bartlett 
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722

o  Ralph Boehme 
   * CVE-2020-25717

o  Alexander Bokovoy 
   * CVE-2020-25717

o  Samuel Cabrero 
   * CVE-2020-25717

o  Nadezhda Ivanova 
   * CVE-2020-25722

o  Stefan Metzmacher 
   * CVE-2016-2124
   * CVE-2020-25717
   * CVE-2020-25719
   * CVE-2020-25722
   * CVE-2021-23192
   * CVE-2021-3738
   * ldb release 2.3.2 (for Samba 4.14.10)
   * ldb release 2.2.3 (for Samba 4.13.14)

o  Andreas Schneider 
   * CVE-2020-25719

o  Joseph Sutton 
   * CVE-2020-17049
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722
   * MS CVE-2020-17049






Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.15.2.html
https://www.samba.org/samba/history/samba-4.14.10.html
https://www.samba.org/samba/history/samba-4.13.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
    The Samba Team




Re: Upcoming Samba security release

2021-11-09 Thread Stefan Metzmacher via samba-announce
Hi,

the release will happen around 18:00 UTC November 9th.

metze

> this is a heads-up that there will be Samba security updates
> on Tuesday, November 9. Please make sure that your Samba servers
> will be updated immediately after the release!
> 
> Impacted components:
> 
> * AD DC (CVSS 8.8, high)
> * AD Domain member (CVSS 8.1, high)
> * File server (CVSS 4.8 medium)
> 
> Cheers,
> 
> Andrew Bartlett
> 




Upcoming Samba security release

2021-11-04 Thread Andrew Bartlett via samba-announce
Hi,

this is a heads-up that there will be Samba security updates
on Tuesday, November 9. Please make sure that your Samba servers
will be updated immediately after the release!

Impacted components:

* AD DC (CVSS 8.8, high)
* AD Domain member (CVSS 8.1, high)
* File server (CVSS 4.8 medium)

Cheers,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)   https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions




Upcoming Samba security release

2021-11-02 Thread Andrew Bartlett via samba-announce
Hi,

this is a heads-up that there will be Samba security updates
on Tuesday, November 9. Please make sure that your Samba servers
will be updated immediately after the release!

Impacted components:

* AD DC (CVSS 8.8, high)
* AD Domain member (CVSS 8.1, high)
* File server (CVSS 4.8 medium)

Cheers,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)   https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions




[Announce] Samba 4.13.13 Available for Download

2021-10-29 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.13 release series.


Changes since 4.13.12
-

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  David Mulder
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
     violation: brlock.tdb, share_entries.tdb.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.



###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.13.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.14.9 Available for Download

2021-10-27 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.8
--------------------

o  Jeremy Allison
   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Ralph Boehme
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Martin Schwenke
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.



###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.14.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.15.1 Available for Download

2021-10-27 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.15 release series.


Changes since 4.15.0
--------------------

o  Jeremy Allison
   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
   * BUG 14685: Log clutter from filename_convert_internal.
   * BUG 14862: MacOSX compilation fixes.

o  Douglas Bagnall
   * BUG 14868: rodc_rwdc test flaps.

o  Andrew Bartlett
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.

o  Ralph Boehme
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Isaac Boukris
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

o  Viktor Dukhovni
   * BUG 12998: Fix transit path validation.

o  Pavel Filipenský
   * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
     log.wb-.

o  Luke Howard
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

o  Stefan Metzmacher
   * BUG 14855: SMB3 cancel requests should only include the MID together with
     AsyncID when AES-128-GMAC is used.

o  Alex Richardson
   * BUG 14862: MacOSX compilation fixes.

o  Andreas Schneider
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.

o  Martin Schwenke
   * BUG 14826: Correctly ignore comments in CTDB public addresses file.

o  Joseph Sutton
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.

o  Nicolas Williams
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.15.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.14.8 Available for Download

2021-10-05 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.7
--------------------

o  Jeremy Allison
   * BUG 14742: Python ldb.msg_diff() memory handling failure.
   * BUG 14805: OpenDir() loses the correct errno return.
   * BUG 14809: Shares with variable substitutions cause core dump upon
     connection from MacOS Big Sur 11.5.2.
   * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
     build.

o  Andrew Bartlett
   * BUG 14806: Address a significant performance regression in database access
     in the AD DC since Samba 4.12.
   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
     Samba 4.9 by using an explicit database handle cache.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
   * BUG 14819: Address flapping dsdb_schema_attributes test.
   * BUG 14841: Samba CI runs can now continue past the first error if
     AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.

o  Ralph Boehme
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
   * BUG 14787: net conf list crashes when run as normal user.
   * BUG 14790: vfs_btrfs compression support broken.
   * BUG 14804: winbindd can crash because idmap child state is not fully
     initialized.

o  Luke Howard
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Volker Lendecke
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Gary Lockyer
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Stefan Metzmacher
   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Andreas Schneider
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Martin Schwenke
   * BUG 14784: Fix CTDB flag/status update race conditions.

o  Joseph Sutton
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.14.8.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.13.12 Available for Download

2021-09-22 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.13 release series.


Changes since 4.13.11
-

o  Andrew Bartlett
   * BUG 14806: Address a significant performance regression in database access
     in the AD DC since Samba 4.12.
   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
     Samba 4.9 by using an explicit database handle cache.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
   * BUG 14819: Address flapping dsdb_schema_attributes test.

o  Björn Baumbach
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Luke Howard
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Volker Lendecke
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Gary Lockyer
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Stefan Metzmacher
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Andreas Schneider
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.

o  Martin Schwenke
   * BUG 14784: Fix CTDB flag/status update race conditions.

o  Joseph Sutton
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.13.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.15.0 Available for Download

2021-09-20 Thread Jule Anger via samba-announce

Release Announcements
-

This is the first stable release of the Samba 4.15 release series.
Please read the release notes carefully before upgrading.


Removed SMB (development) dialects
==

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
===

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key 


sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key 


sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the
new key.


See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC
================================================

The build of the AD DC using the system MIT Kerberos, an
experimental feature, now requires MIT Kerberos 1.19.  An up-to-date
Fedora 34 has this version and has backported fixes for the KDC crash
bugs CVE-2021-37750 and CVE-2021-36222.


NEW FEATURES/CHANGES
====================

VFS
---

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt
or visit <https://wiki.samba.org/index.php/The_New_VFS>.


Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---

Up to now, any client could send a DNS zone transfer request to the
bind server and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.


samba-tool available without the ad-dc
--

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.


Improved command line user experience
-

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in another, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected
behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the
default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is set up to go to a file by default.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope  ->    --netbios-scope=SCOPE
--use-ccache ->    --use-winbind-ccache

Options remove

[Announce] Samba 4.15.0rc7 Available for Download

2021-09-13 Thread Jule Anger via samba-announce

Release Announcements
=

This is the seventh release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=

Removed SMB (development) dialects
--

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
---

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key 


sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key 


sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the
new key.


See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt

New minimum version for the experimental MIT KDC
------------------------------------------------

The build of the AD DC using the system MIT Kerberos, an
experimental feature, now requires MIT Kerberos 1.19.  An up-to-date
Fedora 34 has this version and has backported fixes for the KDC crash
bugs CVE-2021-37750 and CVE-2021-36222.


NEW FEATURES/CHANGES
====================

VFS
---

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt
or visit <https://wiki.samba.org/index.php/The_New_VFS>.


Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---

Up to now, any client could send a DNS zone transfer request to the
bind server and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.


samba-tool available without the ad-dc
--

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.


Improved command line user experience
-

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in another, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected
behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the
default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is set up to go to a file by default.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->    --use

[Announce] Samba 4.15.0rc5 Available for Download

2021-09-07 Thread Jule Anger via samba-announce

Release Announcements
=

This is the fifth release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=

Removed SMB (development) dialects
--

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
---

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key 


sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key 


sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the
new key.


See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
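The key change described in this section (and in the same section of the 4.15.0 and 4.15.0rc7 announcements above) only protects a download if the verifying side pins the new key's fingerprint: `gpg --verify` reports a good signature from whichever imported key produced it, so a check that stops at "Good signature" would accept a tarball signed by any key in the keyring. The POSIX shell script below is an added example written for this page, not part of the Samba announcements or of the project's own tooling. It assumes the new key has already been imported into the local keyring, that the detached signature sits next to the uncompressed tarball as `<tarball>.asc` (the announcements state that the uncompressed tarballs are what is signed), and the `SAMPLE_STATUS` text is a constructed stand-in for `gpg --status-fd` output so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Samba announcements: pin the release
# signing key by fingerprint instead of trusting any "Good signature".
# Assumptions: the key is already in the local keyring, and the detached
# signature is stored as <tarball>.asc beside the uncompressed tarball.

# Fingerprint of the new key as printed in the announcement, spaces removed.
EXPECTED_FPR="81F5E2832BD2545A1897B713AA99442FB680B620"

# Read "gpg --status-fd 1 --verify" output on stdin and print the primary key
# fingerprint from the VALIDSIG record (its last field). VALIDSIG is only
# emitted for a signature that actually verified, so a bad or missing
# signature yields empty output here.
signing_key_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if $1 (spaces and letter case ignored) equals EXPECTED_FPR.
# An empty argument never matches, so "no VALIDSIG" fails closed.
fingerprint_matches() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ "$fpr" = "$EXPECTED_FPR" ]; then
        return 0
    fi
    return 1
}

# Constructed sample of status-fd output for a good signature by the new key;
# the SIG_ID value and timestamps are placeholders, not real Samba data.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID placeholder 2021-09-20 1632096000
[GNUPG:] GOODSIG AA99442FB680B620 Samba Distribution Verification Key
[GNUPG:] VALIDSIG 81F5E2832BD2545A1897B713AA99442FB680B620 2021-09-20 1632096000 0 4 0 1 10 00 81F5E2832BD2545A1897B713AA99442FB680B620'

# Verify one release: decompress (the signature covers the uncompressed
# tarball), run gpg, and accept only if the signing key is the pinned one.
# Usage: verify_release samba-4.15.0.tar.gz
verify_release() {
    tgz="$1"
    tar="${tgz%.gz}"
    gzip -dc "$tgz" > "$tar" || return 1
    fpr=$(gpg --status-fd 1 --verify "$tar.asc" "$tar" 2>/dev/null | signing_key_fingerprint)
    if fingerprint_matches "$fpr"; then
        echo "good signature from pinned key $EXPECTED_FPR on $tar"
        return 0
    fi
    echo "$tar: signature missing, bad, or made by an unexpected key" >&2
    return 1
}
```

Comparing against the primary-key fingerprint at the end of the VALIDSIG record, rather than the key ID in GOODSIG, is what makes this a pin: the long key ID is only the low 64 bits of the fingerprint, and the fingerprint printed in the announcement is the value an administrator can check out of band before the first import.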


NEW FEATURES/CHANGES
====================

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---

Up to now, any client could send a DNS zone transfer request to the
bind server and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.


samba-tool available without the ad-dc
--

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.


Improved command line user experience
-

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in another, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Also several command line options have a smb.conf variable to control the
default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is set up to go to a file by default.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope  ->    --netbios-scope=SCOPE
--use-ccache ->    --use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
-e is not available for --editor anymore
-s is not used for --configfile anymore

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user    ->    --quota-user

nmbd:
--log-stdout  ->    --debug-stdout

smbd:
--log-stdout  ->    --debug-stdout

winbindd:
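The accept/refuse rule the announcement above gives for Bind DLZ zone transfers, as an added example that is not part of the announcement or of Samba's code: it applies "in the allow list AND NOT in the deny list" to a client address against constructed allow and deny lists, and shows why an empty allow list is the new default-deny. The list syntax (single addresses or CIDR networks) and every name below are this example's own assumptions; the real smb.conf option names are in the smb.conf manpage, not in this announcement.

```python
# Added example; not code from the Samba announcement or the Samba project.
# It implements the decision rule the release notes state for Bind DLZ zone
# transfers: a request is accepted only if the client is in the allow list
# AND not in the deny list, so an empty allow list means "deny everyone"
# (the new default). The list syntax (single addresses and CIDR networks)
# and all names below are this example's own assumptions; Samba's actual
# smb.conf option names and syntax are documented in the smb.conf manpage.
import ipaddress


def _networks(entries):
    """Parse "10.0.0.5" / "10.0.0.0/24" / "2001:db8::/32" style entries.

    strict=False lets a bare host address become a /32 or /128 network.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def zone_transfer_decision(client_ip, allow, deny):
    """Return (accepted, reason) for an AXFR/IXFR request from client_ip.

    Deny entries are checked first: a client that matches both lists is
    refused, which is the "in allow AND NOT in deny" rule from the notes.
    A client matching no allow entry is refused by default. Address-family
    mismatches (an IPv4 client against an IPv6 entry) never match.
    """
    ip = ipaddress.ip_address(client_ip)
    deny_hit = next((n for n in _networks(deny) if ip in n), None)
    if deny_hit is not None:
        return False, "refused: %s matches deny entry %s" % (ip, deny_hit)
    allow_hit = next((n for n in _networks(allow) if ip in n), None)
    if allow_hit is None:
        return False, "refused: %s matches no allow entry (default deny)" % ip
    return True, "accepted: %s matches allow entry %s" % (ip, allow_hit)


def audit(requests, allow, deny):
    """Evaluate a batch of client addresses; returns one log line each."""
    return [zone_transfer_decision(ip, allow, deny)[1] for ip in requests]


if __name__ == "__main__":
    # Constructed sample policy: one secondary-DNS subnet and one IPv6 prefix
    # allowed, one host inside the allowed subnet explicitly denied.
    ALLOW = ["10.10.0.0/24", "2001:db8:1::/48"]
    DENY = ["10.10.0.99"]
    for line in audit(["10.10.0.7", "10.10.0.99", "192.0.2.1", "2001:db8:1::5"],
                      ALLOW, DENY):
        print(line)
```

The reason string is what you would want in an audit log: it distinguishes an explicit deny hit from the default deny, which matters when a secondary stops receiving transfers after an upgrade to a version with the new default.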

[Announce] Samba 4.13.11 Available for Download

2021-09-07 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.13 release series.


Changes since 4.13.10
---------------------

o  Jeremy Allison 
   * BUG 14769: smbd panic on force-close share during offload write.

o  Ralph Boehme 
   * BUG 14731: Fix returned attributes on fake quota file handle and avoid
 hitting the VFS.
   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
   * BUG 14787: net conf list crashes when run as normal user.

o  Stefan Metzmacher 
   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
     7.3.7.
   * BUG 14793: Start the SMB encryption as soon as possible.

o  Andreas Schneider 
   * BUG 14792: Winbind should not start if the socket path for the privileged
     pipe is too long.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.13.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[Announce] Samba 4.15.0rc4 Available for Download

2021-09-01 Thread Karolin Seeger via samba-announce
Release Announcements
=====================

This is the fourth release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=========

Removed SMB (development) dialects
----------------------------------

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
-----------

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key

sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key

sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


NEW FEATURES/CHANGES
====================


Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the
bind server, and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.


samba-tool available without the ad-dc
--------------------------------------

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.


Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in the other, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Also several command line options have a smb.conf variable to control the
default now.

All tools are logging to stderr by default. You can use "--debug-stdout" to
change the behavior.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->--use-kerberos=required|desired|off
--krb5-ccache->--use-krb5-ccache=CCACHE
--scope  ->--netbios-scope=SCOPE
--use-ccache ->--use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
-e is not available for --editor anymore
-s is not used for --configfile anymore

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user->--quota-user

nmbd:
--log-stdout  ->--debug-stdout

smbd:
--log-stdout  ->--debug-stdout

winbindd:
--log-stdout  ->--debug-stdout


Scanning of trusted domains and enterprise principals
-----------------------------------------------------
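How a downloader should act on the key change announced in the "New GPG key" section above, and on the "signed using GnuPG (ID AA99442FB680B620)" statement in the Download Details of the stable releases on this page, as an added example that is neither part of the announcement nor Samba project code: it pins the full fingerprint of the new key printed above and accepts a tarball only when gpg reports a valid signature made by that key. The function names, the placeholder file paths, and the assumption that gpg is installed with the new key already imported from a source you trust are this example's own.

```python
# Added example; not code from the Samba announcement or the Samba project.
# It shows how to consume the key change announced above: pin the full
# 40-hex-digit fingerprint of the new rsa4096 key and accept a release only
# if gpg reports a valid signature made by that key. A plain "gpg --verify"
# exit status of 0 is not enough, because it is also 0 for a good signature
# from any other key in the keyring (e.g. the retired 2007 dsa1024 key).
# Assumptions: gpg is installed, the new key has already been imported from a
# source you trust, and the file paths are placeholders.
import subprocess

# Fingerprint of the new key as listed in the "New GPG key" section. Pin the
# full fingerprint, never the 16-digit long ID shown in "Download Details".
SAMBA_RELEASE_KEY_FPR = "81F5E2832BD2545A1897B713AA99442FB680B620"
# Fingerprint of the key it replaces, kept here only so tests can reject it.
SAMBA_OLD_KEY_FPR = "52FBC0B86D954B0843324CDC6F33915B6568B7EA"


def normalize_fpr(text):
    """Strip the spacing gpg prints and upper-case the hex digits."""
    return "".join(text.split()).upper()


def signing_key_from_status(status_output):
    """Pull the signer's fingerprints out of gpg --status-fd output.

    The relevant status line is
      [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
               <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
    Returns (signing_key_fpr, primary_key_fpr), or None if gpg reported no
    valid signature at all (BADSIG, NODATA, missing key, ...).
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return normalize_fpr(fields[2]), normalize_fpr(fields[-1])
    return None


def accept_release(status_output, pinned=SAMBA_RELEASE_KEY_FPR):
    """True only for a valid signature by the pinned key or one of its subkeys."""
    found = signing_key_from_status(status_output)
    if found is None:
        return False
    signing_fpr, primary_fpr = found
    return pinned in (signing_fpr, primary_fpr)


def verify_release(tarball, signature):
    """Run gpg over the *uncompressed* tarball and its detached .asc file.

    The Download Details sections state that the uncompressed tarballs are
    signed, so decompress first and verify the .tar against the .asc.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and accept_release(proc.stdout)


if __name__ == "__main__":
    import sys
    # Placeholder paths, e.g. samba-4.15.0.tar and samba-4.15.0.tar.asc
    ok = verify_release(sys.argv[1], sys.argv[2])
    print("signature OK, made by the pinned Samba release key" if ok
          else "REJECTED: bad signature or wrong key")
    sys.exit(0 if ok else 1)
```

Checking the VALIDSIG fingerprint rather than the GOODSIG key ID is deliberate: the long ID is only 64 bits and can collide, and a keyring that still holds the expired 2007 key would otherwise accept a signature from it on a stale or replayed tarball.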

[Announce] Samba 4.15.0rc3 Available for Download

2021-08-26 Thread Jule Anger via samba-announce

Release Announcements
=====================

This is the third release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=========

Removed SMB (development) dialects
----------------------------------

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
-----------

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key

sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key

sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.


See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


NEW FEATURES/CHANGES
====================


Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the
bind server, and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The samba-tool command is now available when samba is configured
--without-ad-dc. Not all features will work, and some ad-dc specific options
have been disabled. The samba-tool domain options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
samba-tool.


Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in the other, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Also several command line options have a smb.conf variable to control the
default now.

All tools are logging to stderr by default. You can use --debug-stdout to
change the behavior.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope  ->    --netbios-scope=SCOPE
--use-ccache ->    --use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
-e is not available for --editor anymore
-s is not used for --configfile anymore

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user    ->    --quota-user

nmbd:
--log-stdout  ->    --debug-stdout

smbd:
--log-stdout  ->    --debug-stdout

winbindd:
--log-stdout  ->    --debug-stdout


Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an a

[Announce] Samba 4.14.7 Available for Download

2021-08-24 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.6
--------------------

o  Jeremy Allison 
   * BUG 14769: smbd panic on force-close share during offload write.

o  Ralph Boehme 
   * BUG 12033: smbd should support copy_file_range() for FSCTL_SRV_COPYCHUNK.
   * BUG 14731: Fix returned attributes on fake quota file handle and avoid
 hitting the VFS.
   * BUG 14756: vfs_shadow_copy2 fix inodes not correctly updating inode
 numbers.

o  David Gajewski 
   * BUG 14774: Fix build on Solaris.

o  Björn Jacke 
   * BUG 14654: Make dos attributes available for unreadable files.

o  Stefan Metzmacher 
   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
     7.3.7.
   * BUG 14793: Start the SMB encryption as soon as possible.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.14.7.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




[Announce] Samba 4.15.0rc2 Available for Download

2021-08-09 Thread Stefan Metzmacher via samba-announce
Release Announcements
=====================

This is the second release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=========

Removed SMB (development) dialects
----------------------------------

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
-----------

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key

sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key

sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


NEW FEATURES/CHANGES
====================

- bind DLZ: Added the ability to set allow/deny lists for zone
  transfer clients.
  Up to now, any client could use a DNS zone transfer request
  to the bind server, and get an answer from Samba.
  Now the default behaviour will be to deny those requests.
  Two new options have been added to manage the list of
  authorized/denied clients for zone transfer requests.
  In order to be accepted, the request must be issued by a client
  that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The samba-tool command is now available when samba is configured
--without-ad-dc. Not all features will work, and some ad-dc specific options
have been disabled. The samba-tool domain options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
samba-tool.

Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in the other, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Also several command line options have a smb.conf variable to control the
default now.

All tools are logging to stderr by default. You can use --debug-stdout to
change the behavior.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->--use-kerberos=required|desired|off
--krb5-ccache->--use-krb5-ccache=CCACHE
--scope  ->--netbios-scope=SCOPE
--use-ccache ->--use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
-e is not available for --editor anymore
-s is not used for --configfile anymore

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user->--quota-user

nmbd:
--log-stdout  ->--debug-stdout

smbd:
--log-stdout  ->--debug-stdout

winbindd:
--log-stdout  ->--debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted doma

[Announce] Samba 4.15.0rc1 Available for Download

2021-07-15 Thread Karolin Seeger via samba-announce
Release Announcements
=====================

This is the first release candidate of Samba 4.15.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.15 will be the next version of the Samba suite.


UPGRADING
=========

Removed SMB (development) dialects
----------------------------------

The following SMB (development) dialects are no longer
supported: SMB2_22, SMB2_24 and SMB3_10. They were
only supported by Windows technical preview builds.
They used to be useful in order to test against the
latest Windows versions, but it's no longer useful
to have them. If you have them explicitly specified
in your smb.conf or on the command line,
you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
Note that it's typically not useful to specify
"client max protocol" or "server max protocol"
explicitly to a specific dialect, just leave
them unspecified or specify the value "default".

New GPG key
-----------

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid [  full  ] Samba Distribution Verification Key

sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid [ultimate] Samba Distribution Verification Key

sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


NEW FEATURES/CHANGES
====================

- bind DLZ: Added the ability to set allow/deny lists for zone
  transfer clients.
  Up to now, any client could use a DNS zone transfer request
  to the bind server, and get an answer from Samba.
  Now the default behaviour will be to deny those requests.
  Two new options have been added to manage the list of
  authorized/denied clients for zone transfer requests.
  In order to be accepted, the request must be issued by a client
  that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The samba-tool command is now available when samba is configured
--without-ad-dc. Not all features will work, and some ad-dc specific options
have been disabled. The samba-tool domain options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
samba-tool.

Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A
number of options required a value in one tool but not in the other, and some
options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Also several command line options have a smb.conf variable to control the
default now.

All tools are logging to stderr by default. You can use --debug-stdout to
change the behavior.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos   ->--use-kerberos=required|desired|off
--krb5-ccache->--use-krb5-ccache=CCACHE
--scope  ->--netbios-scope=SCOPE
--use-ccache ->--use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
-e is not available for --editor anymore
-s is not used for --configfile anymore

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user->--quota-user

nmbd:
--log-stdout  ->--debug-stdout

smbd:
--log-stdout  ->--debug-stdout

winbindd:
--log-stdout  ->--debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted domains
on win

[Announce] Samba 4.13.10 Available for Download

2021-07-14 Thread Karolin Seeger via samba-announce
Release Announcements
---------------------

This is the latest stable release of the Samba 4.13 release series.


Changes since 4.13.9
--------------------

o  Jeremy Allison 
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
 Windows ACL for directory handles.
   * BUG 14721: Take a copy to make sure we don't reference free'd memory.
   * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
 change_file_owner_to_parent() error path.

o  Andrew Bartlett 
   * BUG 14575: samba-tool: Give better error information when the
 'domain backup restore' fails with a duplicate SID.

o  Ralph Boehme 
   * BUG 14714: smbd: Correctly initialize close timestamp fields.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Volker Lendecke 
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Stefan Metzmacher 
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: Protect
 smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton 
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
 backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
 restoring a backup.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.13.10.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




[Announce] Samba 4.14.6 Available for Download

2021-07-13 Thread Karolin Seeger via samba-announce
Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.5
--------------------

o  Jeremy Allison 
   * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
   * BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
   * BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
 change_file_owner_to_parent() error path.

o  Ralph Boehme 
   * BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
 glusterfs VFS module.
   * BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Stefan Metzmacher 
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: protect
 smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton 
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
 backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
 restoring a backup.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




[Announce] Samba 4.14.5 Available for Download

2021-06-01 Thread Karolin Seeger via samba-announce
Release Announcements
---------------------

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.4
--------------------

o  Jeremy Allison 
   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
 Windows ACL for directory handles.
   * BUG 14721: s3: smbd: Fix uninitialized memory read in
 process_symlink_open() when used with vfs_shadow_copy2().

o  Andrew Bartlett 
   * BUG 14689: docs: Expand the "log level" docs on audit logging.

o  Ralph Boehme 
   * BUG 14714: smbd: Correctly initialize close timestamp fields.

o  Günther Deschner 
   * BUG 14699: Fix gcc11 compiler issues.

o  Pavel Filipenský 
   * BUG 14718: docs-xml: Update smbcacls manpage.
   * BUG 14719: docs: Update list of available commands in rpcclient.

o  Volker Lendecke 
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Andreas Schneider 
   * BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
 set.
   * BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.5.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
    The Samba Team




[Announce] Samba 4.13.9 Available for Download

2021-05-11 Thread Karolin Seeger via samba-announce
Release Announcements
---------------------

This is the latest stable release of the Samba 4.13 release series.


Changes since 4.13.8
--------------------

o  Jeremy Allison 
   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.

o  Andrew Bartlett 
   * BUG 14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit
 to "log level", synchronise "log level" in smb.conf with the code.

o  Ralph Boehme 
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server. 
   * BUG 14679: s3: smbd: Fix deferred renames.

o  Samuel Cabrero 
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke 
   * BUG 14675: rpc_server3: Fix a memleak for internal pipes.

o  Stefan Metzmacher 
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.


o  Christof Schmitt 
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
 conflict.

o  Martin Schwenke https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.13.9.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
    The Samba Team




[Announce] Samba 4.14.4, 4.13.8 and 4.12.15 Security Releases Available

2021-04-29 Thread Karolin Seeger via samba-announce
Release Announcements
---------------------

These are security releases in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


===
Details
===

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix
   group ids (gids). The code that performs this had a flaw that could allow it
   to read data beyond the end of the array in the case where a negative cache
   entry had been added to the mapping cache. This could cause the calling code
   to return those values into the process token that stores the group
   membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user
   (Peter Eriksson, IT Department, Linköping University) found this flaw by
   noticing an unprivileged user was able to delete a file within a network
   share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a
   remote user to be able to trigger this flaw reproducibly or on demand,
   but this CVE has been issued out of an abundance of caution.


Changes
---

o  Volker Lendecke 
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.4.html
https://www.samba.org/samba/history/samba-4.13.8.html
https://www.samba.org/samba/history/samba-4.12.15.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




[Announce] Samba 4.14.3 Available for Download

2021-04-20 Thread Karolin Seeger via samba-announce
Release Announcements
-

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.2


o  Trever L. Adams 
   * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
 vfs_virusfilter_openat.

o  Andrew Bartlett 
   * BUG 14586: build: Notice if flex is missing at configure time.

o  Ralph Boehme 
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server.
   * BUG 14679: s3: smbd: fix deferred renames.

o  Samuel Cabrero 
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke 
   * BUG 14675: Fix memory leak in the RPC server.

o  Stefan Metzmacher 
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.

o  David Mulder 
   * BUG 14665: samba-gpupdate: Test that sysvol paths download in
 case-insensitive way.

o  Sachin Prabhu 
   * BUG 14662: smbd: Ensure errno is preserved across fsp destructor.

o  Christof Schmitt 
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
 conflict.

o  Martin Schwenke 
   * BUG 14288: build: Only add -Wl,--as-needed when supported.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




[Announce] Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases

2021-03-24 Thread Karolin Seeger via samba-announce
Release Announcements
-

These are security releases in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


===
Details
===

o  CVE-2020-27840:
   An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
   crafted DNs as part of a bind request. More serious heap corruption is likely
   also possible.

o  CVE-2021-20277:
   User-controlled LDAP filter strings against the AD DC LDAP server may crash
   the LDAP server.

For more details, please refer to the security advisories.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.14.2.html
https://www.samba.org/samba/history/samba-4.13.7.html
https://www.samba.org/samba/history/samba-4.12.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team




Re: Heads-up: Security Releases ahead!

2021-03-21 Thread Karolin Seeger via samba-announce
On 17.03.21 at 11:57, Karolin Seeger via samba-announce wrote:
> this is a heads-up that there will be Samba security updates
> on Wednesday, May 24th. Please make sure that your Samba AD DCs
> will be updated immediately after the release!

Wednesday, March 24th 2021, of course, sorry!

Karolin

-- 
Karolin Seeger  https://samba.org/~kseeger/
Release Manager Samba Team  https://samba.org
Team Lead Samba SerNet  https://sernet.de



Heads-up: Security Releases ahead!

2021-03-17 Thread Karolin Seeger via samba-announce
Hi,

this is a heads-up that there will be Samba security updates
on Wednesday, May 24th. Please make sure that your Samba AD DCs
will be updated immediately after the release!

Impacted components:

o AD DC LDAP Server (CVSS 7.5, high)

Cheers,
Karolin

-- 
Karolin Seeger  https://samba.org/~kseeger/
Release Manager Samba Team  https://samba.org
Team Lead Samba SerNet  https://sernet.de



[Announce] Samba 4.12.12 Available for Download

2021-03-11 Thread Karolin Seeger via samba-announce
Release Announcements
-

This is the latest stable release of the Samba 4.12 release series.
Please note that this will be the last bugfix release of the Samba 4.12 release
series. There will be Security Releases only beyond this point.


New GPG key 
=== 

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA  
uid [  full  ] Samba Distribution Verification Key 

sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05] 

to the following new key:   

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620  
uid [ultimate] Samba Distribution Verification Key 

sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21] 

Starting from Jan 21st 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
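As an added example (not a script from the Samba project), a POSIX shell helper that checks a downloaded release tarball against the new key: it pins the fingerprint printed above instead of trusting any "Good signature" line, and it accounts for the Download Details note that the signature covers the uncompressed tarball. Function and variable names are my own.

```shell
#!/bin/sh
# Added example, not Samba project code: verify a Samba release tarball
# against the release key AA99442FB680B620 announced above.

# Fingerprint of the new key exactly as printed in the announcement,
# without the spacing gpg uses for display.
SAMBA_RELEASE_KEY_FPR="81F5E2832BD2545A1897B713AA99442FB680B620"

# Strip spaces and upper-case hex digits so fingerprints copied from gpg
# output (grouped in blocks of four) compare reliably.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Return 0 when the given fingerprint is the pinned Samba release key.
is_samba_release_key() {
    [ "$(normalize_fpr "$1")" = "$SAMBA_RELEASE_KEY_FPR" ]
}

# Verify samba-X.Y.Z.tar.gz using samba-X.Y.Z.tar.asc from the same
# directory. The announcement signs the *uncompressed* tarball, so the
# archive is decompressed first. gpg's machine-readable status output is
# used so the check is on the signer's fingerprint, not on a trust level
# or a human-readable message.
verify_samba_tarball() {
    tgz="$1"
    tar="${tgz%.gz}"
    sig="$tar.asc"
    if [ ! -f "$tgz" ] || [ ! -f "$sig" ]; then
        echo "missing $tgz or $sig" >&2
        return 2
    fi
    gzip -dc "$tgz" > "$tar" || return 2
    # VALIDSIG's last field is the primary key fingerprint of the signer.
    signer_fpr=$(gpg --batch --status-fd 1 --verify "$sig" "$tar" 2>/dev/null \
        | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
    if [ -z "$signer_fpr" ]; then
        echo "$tar: no valid signature" >&2
        return 1
    fi
    if is_samba_release_key "$signer_fpr"; then
        echo "$tgz: signed by Samba release key $signer_fpr"
        return 0
    fi
    echo "$tgz: signed by unexpected key $signer_fpr" >&2
    return 1
}
```

Import the key once with `gpg --recv-keys AA99442FB680B620` (or from the GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt file mentioned above) and then call `verify_samba_tarball samba-4.12.12.tar.gz`; a tarball signed by the retired 6F33915B6568B7EA key is rejected even if that key is still in your keyring.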


Changes since 4.12.11
-

o  Trever L. Adams 
   * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
 start-up failure.

o  Jeremy Allison 
   * BUG 13992: SAMBA RPC share error.
   * BUG 14612: s3: smbd: Add call to conn_setup_case_options() to
 create_conn_struct_as_root().

o  Ralph Boehme 
   * BUG 14602: s3/auth: Implement "winbind:ignore domains".
   * BUG 14612: build: Remove smbd_conn private library.

o  Peter Eriksson 
   * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
 path.

o  Björn Jacke 
   * BUG 14624: classicupgrade: Treat old never expires value right.

o  Volker Lendecke 
   * BUG 1463: g_lock: Fix uninitialized variable reads.

o  Stefan Metzmacher 
   * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
   * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp
 Ontap 7.3.7.

o  Andreas Schneider 
   * BUG 14625: Fix smbd share mode double free crash.

o  Paul Wise 
   * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.12.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
    The Samba Team



