1 ==============================
2 Release Notes for Samba 4.19.3
4 ==============================
7 This is the latest stable release of the Samba 4.19 release series.
8 It contains the security-relevant bugfix CVE-2018-14628:
10 Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
11 allow read of object tombstones over LDAP
12 (Administrator action required!)
13 https://www.samba.org/samba/security/CVE-2018-14628.html
16 Description of CVE-2018-14628
17 -----------------------------
19 All versions of Samba from 4.0.0 onwards are vulnerable to an
20 information leak (compared with the established behaviour of
21 Microsoft's Active Directory) when Samba is an Active Directory Domain
24 When a domain was provisioned with an unpatched Samba version,
25 the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
26 instead of being very strict (as on a Windows provisioned domain).
28 This means also non privileged users can use the
29 LDAP_SERVER_SHOW_DELETED_OID control in order to view,
30 the names and preserved attributes of deleted objects.
32 No information that was hidden before the deletion is visible, but in
33 with the correct ntSecurityDescriptor value in place the whole object
34 is also not visible without administrative rights.
36 There is no further vulnerability associated with this error, merely an
37 information disclosure.
39 Action required in order to resolve CVE-2018-14628!
40 ---------------------------------------------------
42 The patched Samba does NOT protect existing domains!
44 The administrator needs to run the following command
45 (on only one domain controller)
46 in order to apply the protection to an existing domain:
48 samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
50 The above requires manual interaction in order to review the
51 changes before they are applied. Typicall question look like this:
53 Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
54 Owner mismatch: SY (in ref) DA(in current)
55 Group mismatch: SY (in ref) DA(in current)
56 Part dacl is different between reference and current here is the detail:
57 (A;;LCRPLORC;;;AU) ACE is not present in the reference
58 (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
59 (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
60 (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
61 (A;;LCRP;;;BA) ACE is not present in the current
63 Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
65 The change should be confirmed with 'y' for all objects starting with
72 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
73 * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
75 o Ralph Boehme <slow@samba.org>
76 * BUG 15487: smbd crashes if asked to return full information on close of a
77 stream handle with delete on close disposition set.
78 * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
79 smb_fname_fsp_destructor().
81 o Pavel Filipenský <pfilipensky@samba.org>
82 * BUG 15499: Improve logging for failover scenarios.
84 o Björn Jacke <bj@sernet.de>
85 * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
86 listed in directories.
88 o Stefan Metzmacher <metze@samba.org>
89 * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
90 AD LDAP to normal users.
91 * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
94 o Christof Schmitt <cs@samba.org>
95 * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
97 o Andreas Schneider <asn@samba.org>
98 * BUG 15513: Samba doesn't build with Python 3.12.
101 #######################################
102 Reporting bugs & Development Discussion
103 #######################################
105 Please discuss this release on the samba-technical mailing list or by
106 joining the #samba-technical:matrix.org matrix room, or
107 #samba-technical IRC channel on irc.libera.chat.
109 If you do report problems then please try to send high quality
110 feedback. If you don't provide vital information to help us track down
111 the problem then you will probably be ignored. All bug reports should
112 be filed under the Samba 4.1 and newer product in the project's Bugzilla
113 database (https://bugzilla.samba.org/).
116 ======================================================================
117 == Our Code, Our Bugs, Our Responsibility.
119 ======================================================================
122 Release notes for older releases follow:
123 ----------------------------------------
124 ==============================
125 Release Notes for Samba 4.19.2
127 ==============================
130 This is the latest stable release of the Samba 4.19 release series.
136 o Jeremy Allison <jra@samba.org>
137 * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
138 after failed IPC FSCTL_PIPE_TRANSCEIVE.
139 * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
142 o Ralph Boehme <slow@samba.org>
143 * BUG 15463: macOS mdfind returns only 50 results.
145 o Volker Lendecke <vl@samba.org>
146 * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
147 previous cache entry value.
149 o Stefan Metzmacher <metze@samba.org>
150 * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
151 impacts sendmail, zabbix, potentially more.
153 o Martin Schwenke <mschwenke@ddn.com>
154 * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
156 o Joseph Sutton <josephsutton@catalyst.net.nz>
157 * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
158 Heimdal KDC in Samba 4.19
159 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
163 #######################################
164 Reporting bugs & Development Discussion
165 #######################################
167 Please discuss this release on the samba-technical mailing list or by
168 joining the #samba-technical:matrix.org matrix room, or
169 #samba-technical IRC channel on irc.libera.chat.
171 If you do report problems then please try to send high quality
172 feedback. If you don't provide vital information to help us track down
173 the problem then you will probably be ignored. All bug reports should
174 be filed under the Samba 4.1 and newer product in the project's Bugzilla
175 database (https://bugzilla.samba.org/).
178 ======================================================================
179 == Our Code, Our Bugs, Our Responsibility.
181 ======================================================================
184 ----------------------------------------------------------------------
185 ==============================
186 Release Notes for Samba 4.19.1
188 ==============================
191 This is a security release in order to address the following defects:
194 o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
195 existing unix domain sockets on the file system.
196 https://www.samba.org/samba/security/CVE-2023-3961.html
198 o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
199 OVERWRITE disposition when using the acl_xattr Samba VFS
200 module with the smb.conf setting
201 "acl_xattr:ignore system acls = yes"
202 https://www.samba.org/samba/security/CVE-2023-4091.html
204 o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
205 attributes, including secrets and passwords. Additionally,
206 the access check fails open on error conditions.
207 https://www.samba.org/samba/security/CVE-2023-4154.html
209 o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
210 server block for a user-defined amount of time, denying
212 https://www.samba.org/samba/security/CVE-2023-42669.html
214 o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
215 listeners, disrupting service on the AD DC.
216 https://www.samba.org/samba/security/CVE-2023-42670.html
222 o Jeremy Allison <jra@samba.org>
223 * BUG 15422: CVE-2023-3961.
225 o Andrew Bartlett <abartlet@samba.org>
226 * BUG 15424: CVE-2023-4154.
227 * BUG 15473: CVE-2023-42670.
228 * BUG 15474: CVE-2023-42669.
230 o Ralph Boehme <slow@samba.org>
231 * BUG 15439: CVE-2023-4091.
234 #######################################
235 Reporting bugs & Development Discussion
236 #######################################
238 Please discuss this release on the samba-technical mailing list or by
239 joining the #samba-technical:matrix.org matrix room, or
240 #samba-technical IRC channel on irc.libera.chat.
242 If you do report problems then please try to send high quality
243 feedback. If you don't provide vital information to help us track down
244 the problem then you will probably be ignored. All bug reports should
245 be filed under the Samba 4.1 and newer product in the project's Bugzilla
246 database (https://bugzilla.samba.org/).
249 ======================================================================
250 == Our Code, Our Bugs, Our Responsibility.
252 ======================================================================
255 ----------------------------------------------------------------------
256 ==============================
257 Release Notes for Samba 4.19.0
259 ==============================
261 This is the first stable release of the Samba 4.19 release series.
262 Please read the release notes carefully before upgrading.
267 Migrated smbget to use common command line parser
268 -------------------------------------------------
270 The smbget utility implemented its own command line parsing logic. After
271 discovering an issue we decided to migrate it to use the common command line
272 parser. This has some advantages as you get all the feature it provides like
273 Kerberos authentication. The downside is that breaks the options interface.
274 The support for smbgetrc has been removed. You can use an authentication file
275 if needed, this is documented in the manpage.
277 Please check the smbget manpage or --help output.
282 The libgpo.get_gpo_list function has been deprecated in favor of
283 an implementation written in python. The new function can be imported via
284 `import samba.gp`. The python implementation connects to Active Directory
285 using the SamDB module, instead of ADS (which is what libgpo uses).
287 Improved winbind logging and a new tool for parsing the winbind logs
288 --------------------------------------------------------------------
290 Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
291 trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the
292 trace records belonging to the same request. Field 'depth' allows to track the
293 request nesting level. A new tool samba-log-parser is added for better log
296 AD database prepared to FL 2016 standards for new domains
297 ---------------------------------------------------------
299 While Samba still provides only Functional Level 2008R2 by default,
300 Samba as an AD DC will now, in provision ensure that the blank
301 database is already prepared for Functional Level 2016, with AD Schema
304 This preparation is of the default objects in the database, adding
305 containers for Authentication Policies, Authentication Silos and AD
306 claims in particular. These DB objects must be updated to allow
307 operation of the new features found in higher functional levels.
309 Kerberos Claims, Authentication Silos and NTLM authentication policies
310 ----------------------------------------------------------------------
312 An initial, partial implementation of Active Directory Functional
313 Level 2012, 2012R2 and 2016 is available in this release.
315 In particular Samba will issue Active Directory "Claims" in the PAC,
316 for member servers that support these, and honour in-directory
317 configuration for Authentication Policies and Authentication Silos.
319 The primary limitation is that while Samba can read and write claims
320 in the directory, and populate the PAC, Samba does not yet use them
321 for access control decisions.
323 While we continue to develop these features, existing domains can
324 test the feature by selecting the functional level in provision or
325 raising the DC functional level by setting
327 ad dc functional level = 2016
331 The smb.conf file on each DC must have 'ad dc functional level = 2016'
332 set to have the partially complete feature available. This will also,
333 at first startup, update the server's own AD entry with the configured
336 For new domains, add these parameters to 'samba-tool provision'
338 --option="ad dc functional level = 2016" --function-level=2016
340 The second option, setting the overall domain functional level
341 indicates that all DCs should be at this functional level.
343 To raise the domain functional level of an existing domain, after
344 updating the smb.conf and restarting Samba run
345 samba-tool domain schemaupgrade --schema=2019
346 samba-tool domain functionalprep --function-level=2016
347 samba-tool domain level raise --domain-level=2016 --forest-level=2016
349 Improved KDC Auditing
350 ---------------------
352 As part of the auditing required to allow successful deployment of
353 Authentication Policies and Authentication Silos, our KDC now provides
354 Samba-style JSON audit logging of all issued Kerberos tickets,
355 including if they would fail a policy that is not yet enforced.
356 Additionally most failures are audited, (after the initial
357 pre-validation of the request).
359 Kerberos Armoring (FAST) Support for Windows clients
360 ----------------------------------------------------
362 In domains where the domain controller functional level is set, as
363 above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
364 via GPO, use FAST to protect user passwords between (in particular) a
365 workstation and the KDC on the AD DC. This is a significant security
366 improvement, as weak passwords in an AS-REQ are no longer available
369 Claims compression in the AD PAC
370 --------------------------------
372 Samba as an AD DC will compress "AD claims" using the same compression
373 algorithm as Microsoft Windows.
375 Resource SID compression in the AD PAC
376 --------------------------------------
378 Samba as an AD DC will now correctly populate the various PAC group
379 membership buffers, splitting global and local groups correctly.
381 Additionally, Samba marshals Resource SIDs, being local groups in the
382 member server's own domain, to only consume a header and 4 bytes per
383 group in the PAC, not a full-length SID worth of space each. This is
384 known as "Resource SID compression".
386 Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal
387 -----------------------------------------------------------------------------
389 Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD
390 support since Samba 4.17. Samba 4.19 brings this feature to the
393 Samba 4.17 added to samba-tool delegation the 'add-principal' and
394 'del-principal' subcommands in order to manage RBCD, and the database
395 changes made by these tools are now honoured by the Heimdal KDC once
398 Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the
399 Asserted Identity [1] SID into the PAC for constrained delegation.
401 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
403 New samba-tool support for silos, claims, sites and subnets.
404 ------------------------------------------------------------
406 samba-tool can now list, show, add and manipulate Authentication Silos
407 (silos) and Active Directory Authentication Claims (claims).
409 samba-tool can now list and show Active Directory sites and subnets.
411 A new Object Relational Model (ORM) based architecture, similar to
412 that used with Django, has been built to make adding new samba-tool
413 subcommands simpler and more consistent, with JSON output available
414 standard on these new commands.
416 Updated GnuTLS requirement / in-tree cryptography removal
417 ----------------------------------------------------------
419 Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
421 This has allowed Samba to remove all of our in-tree cryptography,
422 except that found in our Heimdal import. Samba's runtime cryptography
423 needs are now all provided by GnuTLS.
425 (The GnuTLS vesion requirement is raised to 3.7.2 on systems without
426 the Linux getrandom())
428 We also use Python's cryptography module for our testing.
430 The use of well known cryptography libraries makes Samba easier for
431 end-users to validate and deploy, and for distributors to ship. This
432 is the end of a very long journey for Samba.
434 Updated Heimdal import
435 ----------------------
437 Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
438 the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
439 this vendored copy, included in our release remains as close as
440 possible to the current upstream code.
442 Revocation support in Heimdal KDC for PKINIT certificates
443 ---------------------------------------------------------
445 Samba will now correctly honour the revocation of 'smart card'
446 certificates used for PKINIT Kerberos authentication.
448 This list is reloaded each time the file changes, so no further action
449 other than replacing the file is required. The additional krb5.conf
453 pkinit_revoke = FILE:/path/to/crl.pem
455 Information on the "Smart Card login" feature as a whole is at:
456 https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
458 Protocol level testsuite for (Smart Card Logon) PKINIT
459 ------------------------------------------------------
461 Previously Samba's PKINIT support in the KDC was tested by use of
462 shell scripts around the client tools of MIT or Heimdal Kerberos.
463 Samba's independently written python testsuite has been extended to
464 validate KDC behaviour for PKINIT.
466 Require encrypted connection to modify unicodePwd on the AD DC
467 --------------------------------------------------------------
469 Setting the password on an AD account on should never be attempted
470 over a plaintext or signed-only LDAP connection. If the unicodePwd
471 (or userPassword) attribute is modified without encryption (as seen by
472 Samba), the request will be rejected. This is to encourage the
473 administrator to use an encrypted connection in the future.
475 NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
476 the LDAP request will be regarded as plaintext.
478 Samba AD TLS Certificates can be reloaded
479 -----------------------------------------
481 The TLS certificates used for Samba's AD DC LDAP server were
482 previously only read on startup, and this meant that when then expired
483 it was required to restart Samba, disrupting service to other users.
485 smbcontrol ldap_server reload-certs
487 This will now allow these certificates to be reloaded 'on the fly'
497 Parameter Name Description Default
498 -------------- ----------- -------
499 winbind debug traceid Add traceid No
500 directory name cache size Removed
503 CHANGES SINCE 4.19.0rc4
504 =======================
506 o MikeLiu <mikeliu@qnap.com>
507 * BUG 15453: File doesn't show when user doesn't have permission if
508 aio_pthread is loaded.
510 o Martin Schwenke <mschwenke@ddn.com>
511 * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
515 CHANGES SINCE 4.19.0rc3
516 =======================
518 o Martin Schwenke <mschwenke@ddn.com>
519 * BUG 15460: Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can log
522 o Joseph Sutton <josephsutton@catalyst.net.nz>
523 * BUG 15458: ‘samba-tool domain level raise’ fails unless given a URL.
526 CHANGES SINCE 4.19.0rc2
527 =======================
529 o Jeremy Allison <jra@samba.org>
530 * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
532 * BUG 15430: missing return in reply_exit_done().
533 * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
536 o Andrew Bartlett <abartlet@samba.org>
537 * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect
538 when synchronising a large Samba AD domain.
539 * BUG 15407: Samba replication logs show (null) DN.
541 o Stefan Metzmacher <metze@samba.org>
542 * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
544 * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
546 o Martin Schwenke <mschwenke@ddn.com>
547 * BUG 15438: CID 1539212 causes real issue when output contains only
550 o Joseph Sutton <josephsutton@catalyst.net.nz>
551 * BUG 15452: KDC encodes INT64 claims incorrectly.
553 o Jones Syue <jonessyue@qnap.com>
554 * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
557 CHANGES SINCE 4.19.0rc1
558 =======================
560 o Andrew Bartlett <abartlet@samba.org>
561 * BUG 9959: Windows client join fails if a second container CN=System exists
564 o Noel Power <noel.power@suse.com>
565 * BUG 15435: regression DFS not working with widelinks = true.
567 o Arvid Requate <requate@univention.de>
568 * BUG 9959: Windows client join fails if a second container CN=System exists
571 o Joseph Sutton <josephsutton@catalyst.net.nz>
572 * BUG 15443: Heimdal fails to build on 32-bit FreeBSD.
574 o Jones Syue <jonessyue@qnap.com>
575 * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
581 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.19#Release_blocking_bugs
584 #######################################
585 Reporting bugs & Development Discussion
586 #######################################
588 Please discuss this release on the samba-technical mailing list or by
589 joining the #samba-technical:matrix.org matrix room, or
590 #samba-technical IRC channel on irc.libera.chat
592 If you do report problems then please try to send high quality
593 feedback. If you don't provide vital information to help us track down
594 the problem then you will probably be ignored. All bug reports should
595 be filed under the Samba 4.1 and newer product in the project's Bugzilla
596 database (https://bugzilla.samba.org/).
599 ======================================================================
600 == Our Code, Our Bugs, Our Responsibility.
602 ======================================================================