The branch, master has been updated via 991aa81 NEWS[4.16.0]: Samba 4.16.0 Available for Download from 39744b6 NEWS[4.15.6]: Samba 4.15.6 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 991aa81600207208619bd72ae9cdc1d99b292a7c Author: Jule Anger <jan...@samba.org> Date: Mon Mar 21 13:14:55 2022 +0100 NEWS[4.16.0]: Samba 4.16.0 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/samba-4.16.0.html | 425 +++++++++++++++++++++++ posted_news/20220321-121540.4.16.0.body.html | 12 + posted_news/20220321-121540.4.16.0.headline.html | 3 + 3 files changed, 440 insertions(+) create mode 100644 history/samba-4.16.0.html create mode 100644 posted_news/20220321-121540.4.16.0.body.html create mode 100644 posted_news/20220321-121540.4.16.0.headline.html Changeset truncated at 500 lines: diff --git a/history/samba-4.16.0.html b/history/samba-4.16.0.html new file mode 100644 index 0000000..13ffe37 --- /dev/null +++ b/history/samba-4.16.0.html @@ -0,0 +1,425 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.0 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.0 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.0.tar.gz">Samba 4.16.0 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.0.tar.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.16.0 + March 21, 2022 + ============================== + +This is the first stable release of the Samba 4.16 release series. +Please read the release notes carefully before upgrading. + + +NEW FEATURES/CHANGES +==================== + +New samba-dcerpcd binary to provide DCERPC in the member server setup +--------------------------------------------------------------------- + +In order to make it much easier to break out the DCERPC services +from smbd, a new samba-dcerpcd binary has been created. + +samba-dcerpcd can be used in two ways. In the normal case without +startup script modification it is invoked on demand from smbd or +winbind --np-helper to serve DCERPC over named pipes. Note that +in order to run in this mode the smb.conf [global] section has +a new parameter "rpc start on demand helpers = [true|false]". +This parameter is set to "true" by default, meaning no changes to +smb.conf files are needed to run samba-dcerpcd on demand as a named +pipe helper. + +It can also be used in a standalone mode where it is started +separately from smbd or winbind but this requires changes to system +startup scripts, and in addition a change to smb.conf, setting the new +[global] parameter "rpc start on demand helpers = false". If "rpc +start on demand helpers" is not set to false, samba-dcerpcd will +refuse to start in standalone mode. + +Note that when Samba is run in the Active Directory Domain Controller +mode the samba binary that provides the AD code will still provide its +normal DCERPC services whilst allowing samba-dcerpcd to provide +services like SRVSVC in the same way that smbd used to in this +configuration. + +The parameters that allowed some smbd-hosted services to be started +externally are now gone (detailed below) as this is now the default +setting. + +samba-dcerpcd can also be useful for use outside of the Samba +framework, for example, use with the Linux kernel SMB2 server ksmbd or +possibly other SMB2 server implementations. + +Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support +------------------------------------------------------------------ + +Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos +implementation. This snapshot has now been updated and will closely +match what will be released as Heimdal 8.0 shortly. + +This is a major update, previously we used a snapshot of Heimdal from +2011, and brings important new Kerberos security features such as +Kerberos request armoring, known as FAST. This tunnels ticket +requests and replies that might be encrypted with a weak password +inside a wrapper built with a stronger password, say from a machine +account. + +In Heimdal and MIT modes Samba's KDC now supports FAST, for the +support of non-Windows clients. + +Windows clients will not use this feature however, as they do not +attempt to do so against a server not advertising domain Functional +Level 2012. Samba users are of course free to modify how Samba +advertises itself, but use with Windows clients is not supported "out +of the box". + +Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of +the FAST protocol. A future version will align this more closely with +Microsoft AD behaviour. + +If FAST needs to be disabled on your Samba KDC, set + + kdc enable fast = no + +in the smb.conf. + +The Samba project wishes to thank the numerous developers who have put +in a massive effort to make this possible over many years. In +particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, +Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank +their employers and in turn their customers who have supported this +effort over many years. + +Certificate Auto Enrollment +--------------------------- + +Certificate Auto Enrollment allows devices to enroll for certificates from +Active Directory Certificate Services. It is enabled by Group Policy. +To enable Certificate Auto Enrollment, Samba's group policy will need to be +enabled by setting the smb.conf option `apply group policies` to Yes. Samba +Certificate Auto Enrollment depends on certmonger, the cepces certmonger +plugin, and sscep. Samba uses sscep to download the CA root chain, then uses +certmonger paired with cepces to monitor the host certificate templates. +Certificates are installed in /var/lib/samba/certs and private keys are +installed in /var/lib/samba/private/certs. + +Ability to add ports to dns forwarder addresses in internal DNS backend +----------------------------------------------------------------------- + +The internal DNS server of Samba forwards queries non-AD zones to one or more +configured forwarders. Up until now it has been assumed that these forwarders +listen on port 53. Starting with this version it is possible to configure the +port using host:port notation. See smb.conf for more details. Existing setups +are not affected, as the default port is 53. + +CTDB changes +------------ + +* The "recovery master" role has been renamed "leader" + + Documentation and logs now refer to "leader". + + The following ctdb tool command names have changed: + + recmaster -> leader + setrecmasterrole -> setleaderrole + + Command output has changed for the following commands: + + status + getcapabilities + + The "[legacy] -> recmaster capability" configuration option has been + renamed and moved to the cluster section, so this is now: + + [cluster] -> leader capability + +* The "recovery lock" has been renamed "cluster lock" + + Documentation and logs now refer to "cluster lock". + + The "[cluster] -> recovery lock" configuration option has been + deprecated and will be removed in a future version. Please use + "[cluster] -> cluster lock" instead. + + If the cluster lock is enabled then traditional elections are not + done and leader elections use a race for the cluster lock. This + avoids various conditions where a node is elected leader but can not + take the cluster lock. Such conditions included: + + - At startup, a node elects itself leader of its own cluster before + connecting to other nodes + + - Cluster filesystem failover is slow + + The abbreviation "reclock" is still used in many places, because a + better abbreviation eludes us (i.e. "clock" is obvious bad) and + changing all instances would require a lot of churn. If the + abbreviation "reclock" for "cluster lock" is confusing, please + consider mentally prefixing it with "really excellent". + +* CTDB now uses leader broadcasts and an associated timeout to + determine if an election is required + + The leader broadcast timeout can be configured via new configuration + option + + [cluster] -> leader timeout + + This specifies the number of seconds without leader broadcasts + before a node calls an election. The default is 5. + + +REMOVED FEATURES +================ + +Older SMB1 protocol SMBCopy command removed +------------------------------------------- + +SMB is a nearly 30-year old protocol, and some protocol commands that +while supported in all versions, have not seen widespread use. + +One of those is SMBCopy, a feature for a server-side copy of a file. +This feature has been so unmaintained that Samba has no testsuite for +it. + +The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was +introduced in the LAN Manager 1.0 dialect and it was rendered obsolete +in the NT LAN Manager dialect. + +Therefore it has been removed from the Samba smbd server. + +We do note that a fully supported and tested server-side copy is +present in SMB2, and can be accessed with "scopy" subcommand in +smbclient) + +SMB1 server-side wildcard expansion removed +------------------------------------------- + +Server-side wildcard expansion is another feature that sounds useful, +but is also rarely used and has become problematic - imposing extra +work on the server (both in terms of code and CPU time). + +In actual OS design, wildcard expansion is handled in the local shell, +not at the remote server using SMB wildcard syntax (which is not shell +syntax). + +In Samba 4.16 the ability to process file name wildcards in requests +using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), +SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 +command number 0x6) has been removed. + +SMB1 protocol has been deprecated, particularly older dialects +-------------------------------------------------------------- + +We take this opportunity to remind that we have deprecated and +disabled by default, but not removed, the whole SMB1 protocol since +Samba 4.11. If needed for security purposes or code maintenance we +will continue to remove older protocol commands and dialects that are +unused or have been replaced in more modern SMB1 versions. + +We specifically deprecate the older dialects older than "NT LM 0.12" +(also known as "NT LANMAN 1.0" and "NT1"). + +Please note that "NT LM 0.12" is the dialect used by software as old +as Windows 95, Windows NT and Samba 2.0, so this deprecation applies +to DOS and similar era clients. + +We do reassure that that 'simple' operation of older clients than +these (eg DOS) will, while untested, continue for the near future, our +purpose is not to cripple use of Samba in unique situations, but to +reduce the maintaince burden. + +Eventually SMB1 as a whole will be removed, but no broader change is +announced for 4.16. + +In the rare case where the above changes cause incompatibilities, +users requiring support for these features will need to use older +versions of Samba. + +No longer using Linux mandatory locks for sharemodes +==================================================== + +smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel +was broken for a long time, and is planned to be removed with Linux 5.15. This +Samba release removes the usage of mandatory locks for sharemodes and the +"kernel share modes" config parameter is changed to default to "no". The Samba +VFS interface is kept, so that file-system specific VFS modules can still use +private calls for enforcing sharemodes. + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + kernel share modes New default No + dns forwarder Changed + rpc_daemon Removed + rpc_server Removed + rpc start on demand helpers Added true + + +CHANGES SINCE 4.16.0rc5 +======================= + +o Andrew Bartlett <abart...@samba.org> + * BUG 15000: Memory leak in FAST cookie handling. + +o Elia Geretto <elia.f.gere...@gmail.com> + * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES + in SMBC_server_internal. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded + users). + * BUG 14641: Crash of winbind on RODC. + * BUG 15001: LDAP simple binds should honour "old password allowed period". + * BUG 15002: S4U2Self requests don't work against servers without FAST + support. + * BUG 15003: wbinfo -a doesn't work reliable with upn names. + * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and + without FAST. + * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => + INTERNAL_ERROR. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded + users). + +o Andreas Schneider <a...@samba.org> + * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single + KDC. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => + INTERNAL_ERROR. + + +CHANGES SINCE 4.16.0rc4 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 + objects with same lease key. + +o Jule Anger <jan...@samba.org> + * BUG 14999: Listing shares with smbstatus no longer works. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 14996: Fix ldap simple bind with TLS auditing. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. + +o Volker Lendecke <v...@samba.org> + * BUG 14989: Fix a use-after-free in SMB1 server. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14865: Uncached logon on RODC always fails once. + * BUG 14984: Changing the machine password against an RODC likely destroys + the domain join. + * BUG 14993: authsam_make_user_info_dc() steals memory from its struct + ldb_message *msg argument. + * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. + + +CHANGES SINCE 4.16.0rc3 +======================= + +o Samuel Cabrero <scabr...@suse.de> + * BUG 14979: Problem when winbind renews Kerberos. + +o Björn Jacke <b...@sernet.de> + * BUG 13631: DFS fix for AIX broken. + * BUG 14974: Solaris and AIX acl modules: wrong function arguments. + * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump. + +o Andreas Schneider <a...@samba.org> + * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the + id range only once. + +o Martin Schwenke <mar...@meltin.net> + * BUG 14958: CTDB can get stuck in election and recovery. + + +CHANGES SINCE 4.16.0rc2 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 14169: Renaming file on DFS root fails with + NT_STATUS_OBJECT_PATH_NOT_FOUND. + * BUG 14938: NT error code is not set when overwriting a file during rename + in libsmbclient. + +o Ralph Boehme <s...@samba.org> + * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted + server. + +o Pavel Filipenský <pfili...@redhat.com> + * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file. + +o Volker Lendecke <v...@samba.org> + * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently + during strcpy in tdbsam_getsampwnam. + * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with + gnutls_aead_cipher_decrypt() from gnutls before 3.5.2. + +o Andreas Schneider <a...@samba.org> + * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side + effects. + + +CHANGES SINCE 4.16.0rc1 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the + outside target of a symlink exists. + +o Ralph Boehme <s...@samba.org> + * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit + module. + * BUG 14961: install elasticsearch_mappings.json + +o FeRD (Frank Dana) <ferd...@gmail.com> + * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings + without NotifyAccess=all. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly + rollup patch. + * BUG 14956: ndr_push_string() adds implicit termination for + STR_NOTERM|REMAINING empty strings. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict + checks. + + +KNOWN ISSUES +============ + +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs + + +</pre> +</p> +</body> +</html> diff --git a/posted_news/20220321-121540.4.16.0.body.html b/posted_news/20220321-121540.4.16.0.body.html new file mode 100644 index 0000000..a67c43c --- /dev/null +++ b/posted_news/20220321-121540.4.16.0.body.html @@ -0,0 +1,12 @@ +<!-- BEGIN: posted_news/20220321-121540.4.16.0.body.html --> +<h5><a name="4.16.0">21 March 2022</a></h5> +<p class=headline>Samba 4.16.0 Available for Download</p> +<p> +This is the latest stable release of the Samba 4.16 release series. +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.16.0.tar.gz">downloaded now</a>. +See <a href="https://www.samba.org/samba/history/samba-4.16.0.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20220321-121540.4.16.0.body.html --> diff --git a/posted_news/20220321-121540.4.16.0.headline.html b/posted_news/20220321-121540.4.16.0.headline.html new file mode 100644 index 0000000..7ec08ff --- /dev/null +++ b/posted_news/20220321-121540.4.16.0.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20220321-121540.4.16.0.headline.html --> +<li> 21 March 2022 <a href="#4.16.0">Samba 4.16.0 Available for Download</a></li> +<!-- END: posted_news/20220321-121540.4.16.0.headline.html --> -- Samba Website Repository