1 =============================
2 Release Notes for Samba 4.4.3
4 =============================
7 This is the latest stable release of Samba 4.4.
13 o Michael Adam <obnox@samba.org>
14 * BUG 11786: idmap_hash: Only allow the hash module for default idmap config.
16 o Jeremy Allison <jra@samba.org>
17 * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
20 o Andrew Bartlett <abartlet@samba.org>
21 * BUG 11789: Fix returning of ldb.MessageElement.
23 o Ralph Boehme <slow@samba.org>
24 * BUG 11855: cleanupd: Restart as needed.
26 o Günther Deschner <gd@samba.org>
27 * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config()
29 * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
31 o Volker Lendecke <vl@samba.org>
32 * BUG 11786: winbind: Fix CID 1357100: Unchecked return value.
33 * BUG 11816: nwrap: Fix the build on Solaris.
34 * BUG 11827: vfs_catia: Fix memleak.
35 * BUG 11878: smbd: Avoid large reads beyond EOF.
37 o Stefan Metzmacher <metze@samba.org>
38 * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
40 o Tom Mortensen <tomm@lime-technology.com>
41 * BUG 11875: nss_wins: Fix the hostent setup.
43 o Garming Sam <garming@catalyst.net.nz>
44 * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
46 o Partha Sarathi <partha@exablox.com>
47 * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
50 o Jorge Schrauwen <sjorge@blackdot.be>
51 * BUG 11816: configure: Don't check for inotify on illumos.
53 o Uri Simchoni <uri@samba.org>
54 * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
56 * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0.
57 * BUG 11852: libads: Record session expiry for spnego sasl binds.
60 #######################################
61 Reporting bugs & Development Discussion
62 #######################################
64 Please discuss this release on the samba-technical mailing list or by
65 joining the #samba-technical IRC channel on irc.freenode.net.
67 If you do report problems then please try to send high quality
68 feedback. If you don't provide vital information to help us track down
69 the problem then you will probably be ignored. All bug reports should
70 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
71 database (https://bugzilla.samba.org/).
74 ======================================================================
75 == Our Code, Our Bugs, Our Responsibility.
77 ======================================================================
80 Release notes for older releases follow:
81 ----------------------------------------
83 =============================
84 Release Notes for Samba 4.4.2
86 =============================
88 This is a security release containing one additional
89 regression fix for the security release 4.4.1.
91 This fixes a regression that prevents things like 'net ads join'
92 from working against a Windows 2003 domain.
97 o Stefan Metzmacher <metze@samba.org>
98 * Bug 11804 - prerequisite backports for the security release on
102 -----------------------------------------------------------------------
105 =============================
106 Release Notes for Samba 4.4.1
108 =============================
111 This is a security release in order to address the following CVEs:
113 o CVE-2015-5370 (Multiple errors in DCE-RPC code)
115 o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
117 o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
119 o CVE-2016-2112 (LDAP client and server don't enforce integrity)
121 o CVE-2016-2113 (Missing TLS certificate validation)
123 o CVE-2016-2114 ("server signing = mandatory" not enforced)
125 o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
127 o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
129 The number of changes are rather huge for a security release,
130 compared to typical security releases.
132 Given the number of problems and the fact that they are all related
133 to man in the middle attacks we decided to fix them all at once
134 instead of splitting them.
136 In order to prevent the man in the middle attacks it was required
137 to change the (default) behavior for some protocols. Please see the
138 "New smb.conf options" and "Behavior changes" sections below.
146 Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
147 denial of service attacks (crashes and high cpu consumption)
148 in the DCE-RPC client and server implementations. In addition,
149 errors in validation of the DCE-RPC packets can lead to a downgrade
150 of a secure connection to an insecure one.
152 While we think it is unlikely, there's a nonzero chance for
153 a remote code execution attack against the client components,
154 which are used by smbd, winbindd and tools like net, rpcclient and
155 others. This may gain root access to the attacker.
157 The above applies all possible server roles Samba can operate in.
159 Note that versions before 3.6.0 had completely different marshalling
160 functions for the generic DCE-RPC layer. It's quite possible that
161 that code has similar problems!
163 The downgrade of a secure connection to an insecure one may
164 allow an attacker to take control of Active Directory object
165 handles created on a connection created from an Administrator
166 account and re-use them on the now non-privileged connection,
167 compromising the security of the Samba AD-DC.
171 There are several man in the middle attacks possible with
172 NTLMSSP authentication.
174 E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
175 can be cleared by a man in the middle.
177 This was by protocol design in earlier Windows versions.
179 Windows Server 2003 RTM and Vista RTM introduced a way
180 to protect against the trivial downgrade.
182 See MsvAvFlags and flag 0x00000002 in
183 https://msdn.microsoft.com/en-us/library/cc236646.aspx
185 This new feature also implies support for a mechlistMIC
186 when used within SPNEGO, which may prevent downgrades
187 from other SPNEGO mechs, e.g. Kerberos, if sign or
188 seal is finally negotiated.
190 The Samba implementation doesn't enforce the existence of
191 required flags, which were requested by the application layer,
192 e.g. LDAP or SMB1 encryption (via the unix extensions).
193 As a result a man in the middle can take over the connection.
194 It is also possible to misguide client and/or
195 server to send unencrypted traffic even if encryption
196 was explicitly requested.
198 LDAP (with NTLMSSP authentication) is used as a client
199 by various admin tools of the Samba project,
200 e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
202 As an active directory member server LDAP is also used
203 by the winbindd service when connecting to domain controllers.
205 Samba also offers an LDAP server when running as
206 active directory domain controller.
208 The NTLMSSP authentication used by the SMB1 encryption
209 is protected by smb signing, see CVE-2015-5296.
213 It's basically the same as CVE-2015-0005 for Windows:
215 The NETLOGON service in Microsoft Windows Server 2003 SP2,
216 Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
217 and R2, when a Domain Controller is configured, allows remote
218 attackers to spoof the computer name of a secure channel's
219 endpoint, and obtain sensitive session information, by running a
220 crafted application and leveraging the ability to sniff network
221 traffic, aka "NETLOGON Spoofing Vulnerability".
223 The vulnerability in Samba is worse as it doesn't require
224 credentials of a computer account in the domain.
226 This only applies to Samba running as classic primary domain controller,
227 classic backup domain controller or active directory domain controller.
229 The security patches introduce a new option called "raw NTLMv2 auth"
230 ("yes" or "no") for the [global] section in smb.conf.
231 Samba (the smbd process) will reject client using raw NTLMv2
232 without using NTLMSSP.
234 Note that this option also applies to Samba running as
235 standalone server and member server.
237 You should also consider using "lanman auth = no" (which is already the default)
238 and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
239 as they might impact compatibility with older clients. These also
240 apply for all server roles.
244 Samba uses various LDAP client libraries, a builtin one and/or the system
245 ldap libraries (typically openldap).
247 As active directory domain controller Samba also provides an LDAP server.
249 Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
250 for LDAP connections, including possible integrity (sign) and privacy (seal)
253 Samba has support for an option called "client ldap sasl wrapping" since version
254 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
256 Tools using the builtin LDAP client library do not obey the
257 "client ldap sasl wrapping" option. This applies to tools like:
258 "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
259 options like "--sign" and "--encrypt". With the security update they will
260 also obey the "client ldap sasl wrapping" option as default.
262 In all cases, even if explicitly request via "client ldap sasl wrapping",
263 "--sign" or "--encrypt", the protection can be downgraded by a man in the
266 The LDAP server doesn't have an option to enforce strong authentication
267 yet. The security patches will introduce a new option called
268 "ldap server require strong auth", possible values are "no",
269 "allow_sasl_over_tls" and "yes".
271 As the default behavior was as "no" before, you may
272 have to explicitly change this option until all clients have
273 been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
274 Windows clients and Samba member servers already use
275 integrity protection.
279 Samba has support for TLS/SSL for some protocols:
280 ldap and http, but currently certificates are not
281 validated at all. While we have a "tls cafile" option,
282 the configured certificate is not used to validate
283 the server certificate.
285 This applies to ldaps:// connections triggered by tools like:
286 "ldbsearch", "ldbedit" and more. Note that it only applies
287 to the ldb tools when they are built as part of Samba or with Samba
288 extensions installed, which means the Samba builtin LDAP client library is
291 It also applies to dcerpc client connections using ncacn_http (with https://),
292 which are only used by the openchange project. Support for ncacn_http
293 was introduced in version 4.2.0.
295 The security patches will introduce a new option called
296 "tls verify peer". Possible values are "no_check", "ca_only",
297 "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
299 If you use the self-signed certificates which are auto-generated
300 by Samba, you won't have a crl file and need to explicitly
301 set "tls verify peer = ca_and_name".
305 Due to a regression introduced in Samba 4.0.0,
306 an explicit "server signing = mandatory" in the [global] section
307 of the smb.conf was not enforced for clients using the SMB1 protocol.
309 As a result it does not enforce smb signing and allows man in the middle attacks.
311 This problem applies to all possible server roles:
312 standalone server, member server, classic primary domain controller,
313 classic backup domain controller and active directory domain controller.
315 In addition, when Samba is configured with "server role = active directory domain controller"
316 the effective default for the "server signing" option should be "mandatory".
318 During the early development of Samba 4 we had a new experimental
319 file server located under source4/smb_server. But before
320 the final 4.0.0 release we switched back to the file server
323 But the logic for the correct default of "server signing" was not
324 ported correctly ported.
326 Note that the default for server roles other than active directory domain
327 controller, is "off" because of performance reasons.
331 Samba has an option called "client signing", this is turned off by default
332 for performance reasons on file transfers.
334 This option is also used when using DCERPC with ncacn_np.
336 In order to get integrity protection for ipc related communication
337 by default the "client ipc signing" option is introduced.
338 The effective default for this new option is "mandatory".
340 In order to be compatible with more SMB server implementations,
341 the following additional options are introduced:
342 "client ipc min protocol" ("NT1" by default) and
343 "client ipc max protocol" (the highest support SMB2/3 dialect by default).
344 These options overwrite the "client min protocol" and "client max protocol"
345 options, because the default for "client max protocol" is still "NT1".
346 The reason for this is the fact that all SMB2/3 support SMB signing,
347 while there are still SMB1 implementations which don't offer SMB signing
348 by default (this includes Samba versions before 4.0.0).
350 Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
351 against active directory domain controllers despite of the
352 "client signing" and "client ipc signing" options.
354 o CVE-2016-2118 (a.k.a. BADLOCK):
356 The Security Account Manager Remote Protocol [MS-SAMR] and the
357 Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
358 are both vulnerable to man in the middle attacks. Both are application level
359 protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
361 These protocols are typically available on all Windows installations
362 as well as every Samba server. They are used to maintain
363 the Security Account Manager Database. This applies to all
364 roles, e.g. standalone, domain member, domain controller.
366 Any authenticated DCERPC connection a client initiates against a server
367 can be used by a man in the middle to impersonate the authenticated user
368 against the SAMR or LSAD service on the server.
370 The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
371 and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
372 in this case. A man in the middle can change auth level to CONNECT
373 (which means authentication without message protection) and take over
376 As a result, a man in the middle is able to get read/write access to the
377 Security Account Manager Database, which reveals all passwords
378 and any other potential sensitive information.
380 Samba running as an active directory domain controller is additionally
381 missing checks to enforce PKT_PRIVACY for the
382 Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
383 and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
384 The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
385 is not enforcing at least PKT_INTEGRITY.
391 allow dcerpc auth level connect (G)
393 This option controls whether DCERPC services are allowed to be used with
394 DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
395 message integrity nor privacy protection.
397 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
398 of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
400 The behavior can be overwritten per interface name (e.g. lsarpc,
401 netlogon, samr, srvsvc, winreg, wkssvc ...) by using
402 'allow dcerpc auth level connect:interface = yes' as option.
404 This option yields precedence to the implementation specific restrictions.
405 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
406 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
408 Default: allow dcerpc auth level connect = no
410 Example: allow dcerpc auth level connect = yes
412 client ipc signing (G)
414 This controls whether the client is allowed or required to use
415 SMB signing for IPC$ connections as DCERPC transport. Possible
416 values are auto, mandatory and disabled.
418 When set to mandatory or default, SMB signing is required.
420 When set to auto, SMB signing is offered, but not enforced and
421 if set to disabled, SMB signing is not offered either.
423 Connections from winbindd to Active Directory Domain Controllers
424 always enforce signing.
426 Default: client ipc signing = default
428 client ipc max protocol (G)
430 The value of the parameter (a string) is the highest protocol level that will
431 be supported for IPC$ connections as DCERPC transport.
433 Normally this option should not be set as the automatic negotiation phase
434 in the SMB protocol takes care of choosing the appropriate protocol.
436 The value default refers to the latest supported protocol, currently SMB3_11.
438 See client max protocol for a full list of available protocols.
439 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
441 Default: client ipc max protocol = default
443 Example: client ipc max protocol = SMB2_10
445 client ipc min protocol (G)
447 This setting controls the minimum protocol version that the will be
448 attempted to use for IPC$ connections as DCERPC transport.
450 Normally this option should not be set as the automatic negotiation phase
451 in the SMB protocol takes care of choosing the appropriate protocol.
453 The value default refers to the higher value of NT1 and the
454 effective value of "client min protocol".
456 See client max protocol for a full list of available protocols.
457 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
459 Default: client ipc min protocol = default
461 Example: client ipc min protocol = SMB3_11
463 ldap server require strong auth (G)
465 The ldap server require strong auth defines whether the
466 ldap server requires ldap traffic to be signed or
467 signed and encrypted (sealed). Possible values are no,
468 allow_sasl_over_tls and yes.
470 A value of no allows simple and sasl binds over all transports.
472 A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
473 over TLS encrypted connections. Unencrypted connections only
474 allow sasl binds with sign or seal.
476 A value of yes allows only simple binds over TLS encrypted connections.
477 Unencrypted connections only allow sasl binds with sign or seal.
479 Default: ldap server require strong auth = yes
483 This parameter determines whether or not smbd(8) will allow SMB1 clients
484 without extended security (without SPNEGO) to use NTLMv2 authentication.
486 If this option, lanman auth and ntlm auth are all disabled, then only
487 clients with SPNEGO support will be permitted. That means NTLMv2 is only
488 supported within NTLMSSP.
490 Default: raw NTLMv2 auth = no
494 This controls if and how strict the client will verify the peer's
495 certificate and name. Possible values are (in increasing order): no_check,
496 ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
498 When set to no_check the certificate is not verified at all,
499 which allows trivial man in the middle attacks.
501 When set to ca_only the certificate is verified to be signed from a ca
502 specified in the "tls ca file" option. Setting "tls ca file" to a valid file
503 is required. The certificate lifetime is also verified. If the "tls crl file"
504 option is configured, the certificate is also verified against
507 When set to ca_and_name_if_available all checks from ca_only are performed.
508 In addition, the peer hostname is verified against the certificate's
509 name, if it is provided by the application layer and not given as
510 an ip address string.
512 When set to ca_and_name all checks from ca_and_name_if_available are performed.
513 In addition the peer hostname needs to be provided and even an ip
514 address is checked against the certificate's name.
516 When set to as_strict_as_possible all checks from ca_and_name are performed.
517 In addition the "tls crl file" needs to be configured. Future versions
518 of Samba may implement additional checks.
520 Default: tls verify peer = as_strict_as_possible
522 tls priority (G) (backported from Samba 4.3 to Samba 4.2)
524 This option can be set to a string describing the TLS protocols to be
525 supported in the parts of Samba that use GnuTLS, specifically the AD DC.
527 The default turns off SSLv3, as this protocol is no longer considered
528 secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
529 in HTTPS applications.
531 The valid options are described in the GNUTLS Priority-Strings
532 documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
534 Default: tls priority = NORMAL:-VERS-SSL3.0
540 o The default auth level for authenticated binds has changed from
541 DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
542 That means ncacn_ip_tcp:server is now implicitly the same
543 as ncacn_ip_tcp:server[sign] and offers a similar protection
544 as ncacn_np:server, which relies on smb signing.
546 o The following constraints are applied to SMB1 connections:
548 - "client lanman auth = yes" is now consistently
549 required for authenticated connections using the
550 SMB1 LANMAN2 dialect.
551 - "client ntlmv2 auth = yes" and "client use spnego = yes"
552 (both the default values), require extended security (SPNEGO)
553 support from the server. That means NTLMv2 is only used within
556 o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
557 default of "client ldap sasl wrapping = sign". Even with
558 "client ldap sasl wrapping = plain" they will automatically upgrade
559 to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
565 o Jeremy Allison <jra@samba.org>
566 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
568 o Christian Ambach <ambi@samba.org>
569 * Bug 11804 - prerequisite backports for the security release on
572 o Ralph Boehme <slow@samba.org>
573 * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
574 integrity protection.
576 o Günther Deschner <gd@samba.org>
577 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
579 * Bug 11804 - prerequisite backports for the security release on
582 o Volker Lendecke <vl@samba.org>
583 * Bug 11804 - prerequisite backports for the security release on
586 o Stefan Metzmacher <metze@samba.org>
587 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
589 * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
591 * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
592 integrity protection.
594 * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
596 * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
598 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
600 * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
603 * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
606 * Bug 11804 - prerequisite backports for the security release on
610 #######################################
611 Reporting bugs & Development Discussion
612 #######################################
614 Please discuss this release on the samba-technical mailing list or by
615 joining the #samba-technical IRC channel on irc.freenode.net.
617 If you do report problems then please try to send high quality
618 feedback. If you don't provide vital information to help us track down
619 the problem then you will probably be ignored. All bug reports should
620 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
621 database (https://bugzilla.samba.org/).
624 ======================================================================
625 == Our Code, Our Bugs, Our Responsibility.
627 ======================================================================
630 ----------------------------------------------------------------------
633 =============================
634 Release Notes for Samba 4.4.0
636 =============================
639 This is the first stable release of the Samba 4.4 release series.
651 Asynchronous flush requests
652 ---------------------------
654 Flush requests from SMB2/3 clients are handled asynchronously and do
655 not block the processing of other requests. Note that 'strict sync'
656 has to be set to 'yes' for Samba to honor flush requests from SMB
662 Remove '--with-aio-support' configure option. We no longer would ever prefer
663 POSIX-RT aio, use pthread_aio instead.
668 The 'samba-tool sites' subcommand can now be run against another server by
669 specifying an LDB URL using the '-H' option and not against the local database
670 only (which is still the default when no URL is given).
672 samba-tool domain demote
673 ------------------------
675 Add '--remove-other-dead-server' option to 'samba-tool domain demote'
676 subcommand. The new version of this tool now can remove another DC that is
677 itself offline. The '--remove-other-dead-server' removes as many references
678 to the DC as possible.
680 samba-tool drs clone-dc-database
681 --------------------------------
683 Replicate an initial clone of domain, but do not join it.
684 This is developed for debugging purposes, but not for setting up another DC.
689 Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
690 hexstring. 'pdbedit -vw' shows also password hashes.
695 'smbstatus' was enhanced to show the state of signing and encryption for
700 The -u and -p options for user and password were replaced by the -U option that
701 accepts username[%password] as in many other tools of the Samba suite.
702 Similary, smbgetrc files do not accept username and password options any more,
703 only a single "user" option which also accepts user%password combinations.
704 The -P option was removed.
709 Add a GnuTLS based backupkey implementation.
714 Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
717 Allow '--password' force a local password check for ntlm-server-1 mode.
722 A new VFS module called vfs_offline has been added to mark all files in the
723 share as offline. It can be useful for shares mounted on top of a remote file
724 system (either through a samba VFS module or via FUSE).
729 The Samba KCC has been improved, but is still disabled by default.
734 There were several improvements concerning the Samba DNS server.
739 There were some improvements in the Active Directory area.
744 The WINS nsswitch module has been rewritten to address memory issues and to
745 simplify the code. The module now uses libwbclient to do WINS queries. This
746 means that winbind needs to be running in order to resolve WINS names using
747 the nss_wins module. This does not affect smbd.
752 * CTDB now uses a newly implemented parallel database recovery scheme
753 that avoids deadlocks with smbd.
755 In certain circumstances CTDB and smbd could deadlock. The new
756 recovery implementation avoid this. It also provides improved
757 recovery performance.
759 * All files are now installed into and referred to by the paths
760 configured at build time. Therefore, CTDB will now work properly
761 when installed into the default location at /usr/local.
763 * Public CTDB header files are no longer installed, since Samba and
764 CTDB are built from within the same source tree.
766 * CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
768 This will cause volatile TDBs to be located in a tmpfs. This can
769 help to avoid performance problems associated with contention on the
770 disk where volatile TDBs are usually stored. See ctdbd.conf(5) for
773 * Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
774 Instead, nodes should be annotated with the "slave-only" option in
775 the CTDB NAT gateway nodes file. This file must be consistent
776 across nodes in a NAT gateway group. See ctdbd.conf(5) for more
779 * New event script 05.system allows various system resources to be
782 This can be helpful for explaining poor performance or unexpected
783 behaviour. New configuration variables are
784 CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
785 CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be
786 logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in
787 ctdbd.conf(5) for more information.
789 The memory, swap and filesystem usage monitoring previously found in
790 00.ctdb and 40.fs_use is no longer available. Therefore,
791 configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
792 CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
795 * The 62.cnfs eventscript has been removed. To get a similar effect
796 just do something like this:
798 mmaddcallback ctdb-disable-on-quorumLoss \
799 --command /usr/bin/ctdb \
800 --event quorumLoss --parms "disable"
802 mmaddcallback ctdb-enable-on-quorumReached \
803 --command /usr/bin/ctdb \
804 --event quorumReached --parms "enable"
806 * The CTDB tunable parameter EventScriptTimeoutCount has been renamed
807 to MonitorTimeoutCount
809 It has only ever been used to limit timed-out monitor events.
811 Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
812 cause CTDB to fail at startup. Useful messages will be logged.
814 * The commandline option "-n all" to CTDB tool has been removed.
816 The option was not uniformly implemented for all the commands.
817 Instead of command "ctdb ip -n all", use "ctdb ip all".
819 * All CTDB current manual pages are now correctly installed
822 EXPERIMENTAL FEATURES
823 =====================
828 Samba 4.4.0 adds *experimental* support for SMB3 Multi-Channel.
829 Multi-Channel is an SMB3 protocol feature that allows the client
830 to bind multiple transport connections into one authenticated
831 SMB session. This allows for increased fault tolerance and
832 throughput. The client chooses transport connections as reported
833 by the server and also chooses over which of the bound transport
834 connections to send traffic. I/O operations for a given file
835 handle can span multiple network connections this way.
836 An SMB multi-channel session will be valid as long as at least
837 one of its channels are up.
839 In Samba, multi-channel can be enabled by setting the new
840 smb.conf option "server multi channel support" to "yes".
841 It is disabled by default.
843 Samba has to report interface speeds and some capabilities to
844 the client. On Linux, Samba can auto-detect the speed of an
845 interface. But to support other platforms, and in order to be
846 able to manually override the detected values, the "interfaces"
847 smb.conf option has been given an extended syntax, by which an
848 interface specification can additionally carry speed and
849 capability information. The extended syntax looks like this
850 for setting the speed to 1 gigabit per second:
852 interfaces = 192.168.1.42;speed=1000000000
854 This extension should be used with care and are mainly intended
855 for testing. See the smb.conf manual page for details.
857 CAVEAT: While this should be working without problems mostly,
858 there are still corner cases in the treatment of channel failures
859 that may result in DATA CORRUPTION when these race conditions hit.
862 NOT RECOMMENDED TO USE MULTI-CHANNEL IN PRODUCTION
864 at this stage. This situation can be expected to improve during
865 the life-time of the 4.4 release. Feed-back from test-setups is
875 Several public headers are not installed any longer. They are made for internal
876 use only. More public headers will very likely be removed in future releases.
878 The following headers are not installed any longer:
879 dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
880 gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
881 gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
882 ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
883 smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
884 smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
885 smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
886 smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
887 torture.h, tstream_smbXcli_np.h.
889 vfs_smb_traffic_analyzer
890 ------------------------
892 The SMB traffic analyzer VFS module has been removed, because it is not
893 maintained any longer and not widely used.
898 The scannedonly VFS module has been removed, because it is not maintained
904 Parameter Name Description Default
905 -------------- ----------- -------
906 aio max threads New 100
907 ldap page size Changed default 1000
908 server multi channel support New No
909 interfaces Extended syntax
918 CHANGES SINCE 4.4.0rc5
919 ======================
921 o Michael Adam <obnox@samba.org>
922 * BUG 11796: smbd: Enable multi-channel if 'server multi channel support =
925 o Günther Deschner <gd@samba.org>
926 * BUG 11802: lib/socket/interfaces: Fix some uninitialied bytes.
928 o Uri Simchoni <uri@samba.org>
929 * BUG 11798: build: Fix build when '--without-quota' specified.
932 CHANGES SINCE 4.4.0rc4
933 ======================
935 o Andrew Bartlett <abartlet@samba.org>
936 * BUG 11780: mkdir can return ACCESS_DENIED incorrectly on create race.
937 * BUG 11783: Mismatch between local and remote attribute ids lets
938 replication fail with custom schema.
939 * BUG 11789: Talloc: Version 2.1.6.
941 o Ira Cooper <ira@samba.org>
942 * BUG 11774: vfs_glusterfs: Fix use after free in AIO callback.
944 o Günther Deschner <gd@samba.org>
945 * BUG 11755: Fix net join.
947 o Amitay Isaacs <amitay@gmail.com>
948 * BUG 11770: Reset TCP Connections during IP failover.
950 o Justin Maggard <jmaggard10@gmail.com>
951 * BUG 11773: s3:smbd: Add negprot remote arch detection for OSX.
953 o Stefan Metzmacher <metze@samba.org>
954 * BUG 11772: ldb: Version 1.1.26.
955 * BUG 11782: "trustdom_list_done: Got invalid trustdom response" message
958 o Uri Simchoni <uri@samba.org>
959 * BUG 11769: libnet: Make Kerberos domain join site-aware.
960 * BUG 11788: Quota is not supported on Solaris 10.
963 CHANGES SINCE 4.4.0rc3
964 ======================
966 o Jeremy Allison <jra@samba.org>
967 * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
968 change permissions on link target.
970 o Christian Ambach <ambi@samba.org>
971 * BUG 11767: s3:utils/smbget: Fix option parsing.
973 o Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>
974 * BUG 8093: Access based share enum: handle permission set in configuration
977 o Stefan Metzmacher <metze@samba.org>
978 * BUG 11702: s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap().
979 * BUG 11742: tevent: version 0.9.28: Fix memory leak when old signal action
981 * BUG 11755: s3:libads: setup the msDS-SupportedEncryptionTypes attribute on
983 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
986 o Garming Sam <garming@catalyst.net.nz>
987 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
990 o Uri Simchoni <uri@samba.org>
991 * BUG 11691: winbindd: Return trust parameters when listing trusts.
992 * BUG 11753: smbd: Ignore SVHDX create context.
993 * BUG 11763: passdb: Add linefeed to debug message.
996 CHANGES SINCE 4.4.0rc2
997 ======================
999 o Michael Adam <obnox@samba.org>
1000 * BUG 11723: lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN.
1001 * BUG 11735: lib:socket: Fix CID 1350009: Fix illegal memory accesses
1002 (BUFFER_SIZE_WARNING).
1004 o Jeremy Allison <jra@samba.org>
1005 * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
1006 filesystem with no ACL support.
1008 o Christian Ambach <ambi@samba.org>
1009 * BUG 11700: s3:utils/smbget: Set default blocksize.
1011 o Anoop C S <anoopcs@redhat.com>
1012 * BUG 11734: lib/socket: Fix improper use of default interface speed.
1014 o Ralph Boehme <slow@samba.org>
1015 * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.
1017 o Volker Lendecke <vl@samba.org>
1018 * BUG 11724: smbd: Fix CID 1351215 Improper use of negative value.
1019 * BUG 11725: smbd: Fix CID 1351216 Dereference null return value.
1020 * BUG 11732: param: Fix str_list_v3 to accept ; again.
1022 o Noel Power <noel.power@suse.com>
1023 * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.
1025 o Jose A. Rivera <jarrpa@samba.org>
1026 * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
1027 creating a new file.
1029 o Andreas Schneider <asn@samba.org>
1030 * BUG 11730: docs: Add manpage for cifsdd.
1031 * BUG 11739: Fix installation path of Samba helper binaries.
1033 o Berend De Schouwer <berend.de.schouwer@gmail.com>
1034 * BUG 11643: docs: Add example for domain logins to smbspool man page.
1036 o Martin Schwenke <martin@meltin.net>
1037 * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."
1039 o Hemanth Thummala <hemanth.thummala@nutanix.com>
1040 * BUG 11708: loadparm: Fix memory leak issue.
1041 * BUG 11740: Fix memory leak in loadparm.
1044 CHANGES SINCE 4.4.0rc1
1045 ======================
1047 o Michael Adam <obnox@samba.org>
1048 * BUG 11715: s3:vfs:glusterfs: Fix build after quota changes.
1050 o Jeremy Allison <jra@samba.org>
1051 * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
1053 o Christian Ambach <ambi@samba.org>
1054 * BUG 11700: Streamline 'smbget' options with the rest of the Samba utils.
1056 o Günther Deschner <gd@samba.org>
1057 * BUG 11696: ctdb: Do not provide a useless pkgconfig file for ctdb.
1059 o Stefan Metzmacher <metze@samba.org>
1060 * BUG 11699: Crypto.Cipher.ARC4 is not available on some platforms, fallback
1061 to M2Crypto.RC4.RC4 then.
1063 o Amitay Isaacs <amitay@gmail.com>
1064 * BUG 11705: Sockets with htons(IPPROTO_RAW) and CVE-2015-8543.
1066 o Andreas Schneider <asn@samba.org>
1067 * BUG 11690: docs: Add smbspool_krb5_wrapper manpage.
1069 o Uri Simchoni <uri@samba.org>
1070 * BUG 11681: smbd: Show correct disk size for different quota and dfree block
1074 #######################################
1075 Reporting bugs & Development Discussion
1076 #######################################
1078 Please discuss this release on the samba-technical mailing list or by
1079 joining the #samba-technical IRC channel on irc.freenode.net.
1081 If you do report problems then please try to send high quality
1082 feedback. If you don't provide vital information to help us track down
1083 the problem then you will probably be ignored. All bug reports should
1084 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1085 database (https://bugzilla.samba.org/).
1088 ======================================================================
1089 == Our Code, Our Bugs, Our Responsibility.
1091 ======================================================================