1 ==============================
2 Release Notes for Samba 4.12.2
4 ==============================
7 This is a security release in order to address the following defects:
9 o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
10 o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
18 A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
19 use-after-free in Samba's AD DC LDAP server.
21 A deeply nested filter in an un-authenticated LDAP search can exhaust the
22 LDAP server's stack memory causing a SIGSEGV.
24 For more details, please refer to the security advisories.
30 o Andrew Bartlett <abartlet@samba.org>
31 * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
32 ASQ and paged_results combined.
34 o Gary Lockyer <gary@catalyst.net.nz>
35 * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
39 #######################################
40 Reporting bugs & Development Discussion
41 #######################################
43 Please discuss this release on the samba-technical mailing list or by
44 joining the #samba-technical IRC channel on irc.freenode.net.
46 If you do report problems then please try to send high quality
47 feedback. If you don't provide vital information to help us track down
48 the problem then you will probably be ignored. All bug reports should
49 be filed under the Samba 4.1 and newer product in the project's Bugzilla
50 database (https://bugzilla.samba.org/).
53 ======================================================================
54 == Our Code, Our Bugs, Our Responsibility.
56 ======================================================================
59 Release notes for older releases follow:
60 ----------------------------------------
62 ==============================
63 Release Notes for Samba 4.12.1
65 ==============================
68 This is the latest stable release of the Samba 4.12 release series.
74 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
75 * BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().
77 o Björn Baumbach <bb@sernet.de>
78 * BUG 14296: samba-tool group: Handle group names with special chars
81 o Ralph Boehme <slow@samba.org>
82 * BUG 14293: Add missing check for DMAPI offline status in async DOS
84 * BUG 14295: Starting ctdb node that was powered off hard before results in
86 * BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
87 * BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
90 o Günther Deschner <gd@samba.org>
91 * BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
92 * BUG 14327: nsswitch: Fix use-after-free causing segfault in
95 o Art M. Gallagher <repos@artmg.net>
96 * BUG 13622: fruit:time machine max size is broken on arm.
98 o Amitay Isaacs <amitay@gmail.com>
99 * BUG 14294: CTDB recovery corner cases can cause record resurrection and
102 o Noel Power <noel.power@suse.com>
103 * BUG 14332: s3/utils: Fix double free error with smbtree.
105 o Martin Schwenke <martin@meltin.net>
106 * BUG 14294: CTDB recovery corner cases can cause record resurrection and
108 * BUG 14295: Starting ctdb node that was powered off hard before results in
110 * BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
114 #######################################
115 Reporting bugs & Development Discussion
116 #######################################
118 Please discuss this release on the samba-technical mailing list or by
119 joining the #samba-technical IRC channel on irc.freenode.net.
121 If you do report problems then please try to send high quality
122 feedback. If you don't provide vital information to help us track down
123 the problem then you will probably be ignored. All bug reports should
124 be filed under the Samba 4.1 and newer product in the project's Bugzilla
125 database (https://bugzilla.samba.org/).
128 ======================================================================
129 == Our Code, Our Bugs, Our Responsibility.
131 ======================================================================
134 ----------------------------------------------------------------------
137 ==============================
138 Release Notes for Samba 4.12.0
140 ==============================
143 This is the first stable release of the Samba 4.12 release series.
144 Please read the release notes carefully before upgrading.
153 Samba's minimum runtime requirement for python was raised to Python
154 3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
155 3.5 both to access new features and because this is the oldest version
156 we test with in our CI infrastructure.
158 (Build time support for the file server with Python 2.6 has not
161 Removing in-tree cryptography: GnuTLS 3.4.7 required
162 ----------------------------------------------------
164 Samba is making efforts to remove in-tree cryptographic functionality,
165 and to instead rely on externally maintained libraries. To this end,
166 Samba has chosen GnuTLS as our standard cryptographic provider.
168 Samba now requires GnuTLS 3.4.7 to be installed (including development
169 headers at build time) for all configurations, not just the Samba AD
172 Thanks to this work Samba no longer ships an in-tree DES
173 implementation and on GnuTLS 3.6.5 or later Samba will include no
174 in-tree cryptography other than the MD4 hash and that
175 implemented in our copy of Heimdal.
177 Using GnuTLS for SMB3 encryption you will notice huge performance and copy
178 speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
179 show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
181 NOTE WELL: The use of GnuTLS means that Samba will honour the
182 system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
183 standard) and so will not operate in many still common situations if
184 this system-wide parameter is in effect, as many of our protocols rely
185 on outdated cryptography.
187 A future Samba version will mitigate this to some extent where good
188 cryptography effectively wraps bad cryptography, but for now that above
191 zlib library is now required to build Samba
192 -------------------------------------------
194 Samba no longer includes a local copy of zlib in our source tarball.
195 By removing this we do not need to ship (even where we did not
196 build) the old, broken zip encryption code found there.
198 New Spotlight backend for Elasticsearch
199 ---------------------------------------
201 Support for the macOS specific Spotlight search protocol has been enhanced
202 significantly. Starting with 4.12 Samba supports using Elasticsearch as search
203 backend. Various new parameters have been added to configure this:
205 spotlight backend = noindex | elasticsearch | tracker
206 elasticsearch:address = ADDRESS
207 elasticsearch:port = PORT
208 elasticsearch:use tls = BOOLEAN
209 elasticsearch:index = INDEXNAME
210 elasticsearch:mappings = PATH
211 elasticsearch:max results = NUMBER
213 Samba also ships a Spotlight client command "mdfind" which can be used to search
214 any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
217 Note that when upgrading existing installations that are using the previous
218 default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
219 tracker" as the new default is "noindex".
221 'net ads kerberos pac save' and 'net eventlog export'
222 -----------------------------------------------------
224 The 'net ads kerberos pac save' and 'net eventlog export' tools will
225 no longer silently overwrite an existing file during data export. If
226 the filename given exits, an error will be shown.
231 A large number of fuzz targets have been added to Samba, and Samba has
232 been registered in Google's oss-fuzz cloud fuzzing service. In
233 particular, we now have good fuzzing coverage of our generated NDR
236 A large number of issues have been found and fixed thanks to this
239 'samba-tool' improvements add contacts as member to groups
240 ----------------------------------------------------------
242 Previously 'samba-tool group addmemers' can just add users, groups and
243 computers as members to groups. But also contacts can be members of
244 groups. Samba 4.12 adds the functionality to add contacts to
245 groups. Since contacts have no sAMAccountName, it's possible that
246 there are more than one contact with the same name in different
247 organizational units. Therefore it's necessary to have an option to
248 handle group members by their DN.
250 To get the DN of an object there is now the "--full-dn" option available
251 for all necessary commands.
253 The MS Windows UI allows to search for specific types of group members
254 when searching for new members for a group. This feature is included
255 here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
256 option. The different types are selected accordingly to the Windows
257 UI. The default samba-toole behaviour shouldn't be changed.
259 Allow filtering by OU or subtree in samba-tool
260 ----------------------------------------------
262 A new "--base-dn" and "--member-base-dn" option is added to relevant
263 samba-tool user, group and ou management commands to allow operation
264 on just one part of the AD tree, such as a single OU.
272 Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
273 to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
275 VFS modules can check whether any of the time values inside a struct
276 smb_file_time is to be ignored by calling is_omit_timespec() on the value.
278 'io_uring' vfs module
279 ---------------------
281 The module makes use of the new io_uring infrastructure
282 (intruduced in Linux 5.1), see https://lwn.net/Articles/776703/
284 Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
285 and avoids the overhead of the userspace threadpool in the default
286 vfs backend. See also vfs_io_uring(8).
288 In order to build the module you need the liburing userspace library
289 and its developement headers installed, see
290 https://git.kernel.dk/cgit/liburing/
292 At runtime you'll need a Linux kernel with version 5.1 or higher.
293 Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
294 module! The regression was fixed in Linux 5.4.16 again.
296 MS-DFS changes in the VFS
297 -------------------------
299 This release changes set getting and setting of MS-DFS redirects
300 on the filesystem to go through two new VFS functions:
302 SMB_VFS_CREATE_DFS_PATHAT()
303 SMB_VFS_READ_DFS_PATHAT()
305 instead of smbd explicitly storing MS-DFS redirects inside
306 symbolic links on the filesystem. The underlying default
307 implementations of this has not changed, the redirects are
308 still stored inside symbolic links on the filesystem, but
309 moving the creation and reading of these links into the VFS
310 as first-class functions now allows alternate methods of
311 storing them (maybe in extended attributes) for OEMs who
312 don't want to mis-use filesystem symbolic links in this
319 * The ctdb_mutex_fcntl_helper periodically re-checks the lock file
321 The re-check period is specified using a 2nd argument to this
322 helper. The default re-check period is 5s.
324 If the file no longer exists or the inode number changes then the
325 helper exits. This triggers an election.
331 The smb.conf parameter "write cache size" has been removed.
333 Since the in-memory write caching code was written, our write path has
334 changed significantly. In particular we have gained very flexible
335 support for async I/O, with the new linux io_uring interface in
336 development. The old write cache concept which cached data in main
337 memory followed by a blocking pwrite no longer gives any improvement
338 on modern systems, and may make performance worse on memory-contrained
339 systems, so this functionality should not be enabled in core smbd
342 In addition, it complicated the write code, which is a performance
345 If required for specialist purposes, it can be recreated as a VFS
348 Retiring DES encryption types in Kerberos.
349 ------------------------------------------
350 With this release, support for DES encryption types has been removed from
351 Samba, and setting DES_ONLY flag for an account will cause Kerberos
352 authentication to fail for that account (see RFC-6649).
354 Samba-DC: DES keys no longer saved in DB.
355 -----------------------------------------
356 When a new password is set for an account, Samba DC will store random keys
357 in DB instead of DES keys derived from the password. If the account is being
358 migrated to Windbows or to an older version of Samba in order to use DES keys,
359 the password must be reset to make it work.
361 Heimdal-DC: removal of weak-crypto.
362 -----------------------------------
363 Following removal of DES encryption types from Samba, the embedded Heimdal
364 build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
366 vfs_netatalk: The netatalk VFS module has been removed.
367 -------------------------------------------------------
369 The netatalk VFS module has been removed. It was unmaintained and is not needed
372 BIND9_FLATFILE deprecated
373 -------------------------
375 The BIND9_FLATFILE DNS backend is deprecated in this release and will
376 be removed in the future. This was only practically useful on a single
377 domain controller or under expert care and supervision.
379 This release removes the 'rndc command' smb.conf parameter, which
380 supported this configuration by writing out a list of DCs permitted to
381 make changes to the DNS Zone and nudging the 'named' server if a new
382 DC was added to the domain. Administrators using BIND9_FLATFILE will
383 need to maintain this manually from now on.
389 Parameter Name Description Default
390 -------------- ----------- -------
392 elasticsearch:address New localhost
393 elasticsearch:port New 9200
394 elasticsearch:use tls New No
395 elasticsearch:index New _all
396 elasticsearch:mappings New DATADIR/elasticsearch_mappings.json
397 elasticsearch:max results New 100
398 nfs4:acedup Changed default merge
400 write cache size Removed
401 spotlight backend New noindex
404 CHANGES SINCE 4.12.0rc4
405 =======================
407 o Andrew Bartlett <abartlet@samba.org>
408 * BUG 14258: dsdb: Correctly handle memory in objectclass_attrs.
411 CHANGES SINCE 4.12.0rc3
412 =======================
414 o Jeremy Allison <jra@samba.org>
415 * BUG 14269: s3: DFS: Don't allow link deletion on a read-only share.
417 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
418 * BUG 14284: pidl/wscript: configure should insist on Parse::Yapp::Driver.
420 o Andrew Bartlett <abartlet@samba.org>
421 * BUG 14270: ldb: Fix search with scope ONE and small result sets.
422 * BUG 14284: build: Do not check if system perl modules should be bundled.
424 o Volker Lendecke <vl@samba.org>
425 * BUG 14285: smbd fails to handle EINTR from open(2) properly.
427 o Stefan Metzmacher <metze@samba.org>
428 * BUG 14270: ldb: version 2.1.1.
431 CHANGES SINCE 4.12.0rc2
432 =======================
434 o Jeremy Allison <jra@samba.org>
435 * BUG 14282: Set getting and setting of MS-DFS redirects on the filesystem
436 to go through two new VFS functions SMB_VFS_CREATE_DFS_PATHAT() and
437 SMB_VFS_READ_DFS_PATHAT().
439 o Andrew Bartlett <abartlet@samba.org>
440 * BUG 14255: bootstrap: Remove un-used dependency python3-crypto.
442 o Volker Lendecke <vl@samba.org>
443 * BUG 14247: Fix CID 1458418 and 1458420.
444 * BUG 14281: lib: Fix a shutdown crash with "clustering = yes".
446 o Stefan Metzmacher <metze@samba.org>
447 * BUG 14247: Winbind member (source3) fails local SAM auth with empty domain
449 * BUG 14265: winbindd: Handle missing idmap in getgrgid().
450 * BUG 14271: Don't use forward declaration for GnuTLS typedefs.
451 * BUG 14280: Add io_uring vfs module.
453 o Andreas Schneider <asn@samba.org>
454 * BUG 14250: libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2.
457 CHANGES SINCE 4.12.0rc1
458 =======================
460 o Jeremy Allison <jra@samba.org>
461 * BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet processing.
463 o Andreas Schneider <asn@samba.org>
464 * BUG 14253: lib:util: Log mkdir error on correct debug levels.
470 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
473 #######################################
474 Reporting bugs & Development Discussion
475 #######################################
477 Please discuss this release on the samba-technical mailing list or by
478 joining the #samba-technical IRC channel on irc.freenode.net.
480 If you do report problems then please try to send high quality
481 feedback. If you don't provide vital information to help us track down
482 the problem then you will probably be ignored. All bug reports should
483 be filed under the Samba 4.1 and newer product in the project's Bugzilla
484 database (https://bugzilla.samba.org/).
487 ======================================================================
488 == Our Code, Our Bugs, Our Responsibility.
490 ======================================================================