1 =============================
2 Release Notes for Samba 4.4.5
4 =============================
7 This is a security release in order to address the following defect:
9 o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
16 It's possible for an attacker to downgrade the required signing for
17 an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
18 or SMB2_SESSION_FLAG_IS_NULL flags.
20 This means that the attacker can impersonate a server being connected to by
21 Samba, and return malicious results.
23 The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
24 to domain controllers as a member server, and trusted domains as a domain
25 controller. These DCE/RPC connections were intended to protected by the
26 combination of "client ipc signing" and
27 "client ipc max protocol" in their effective default settings
28 ("mandatory" and "SMB3_11").
30 Additionally, management tools like net, samba-tool and rpcclient use DCERPC
31 over SMB2/3 connections.
33 By default, other tools in Samba are unprotected, but rarely they are
34 configured to use smb signing, via the "client signing" parameter (the default
35 is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
36 rather than the NT1 default.
38 If both these conditions are met, then this issue would also apply to these
39 other tools, including command line tools like smbcacls, smbcquota, smbclient,
40 smbget and applications using libsmbclient.
46 o Stefan Metzmacher <metze@samba.org>
47 * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
48 * BUG 11948: Total dcerpc response payload more than 0x400000.
51 #######################################
52 Reporting bugs & Development Discussion
53 #######################################
55 Please discuss this release on the samba-technical mailing list or by
56 joining the #samba-technical IRC channel on irc.freenode.net.
58 If you do report problems then please try to send high quality
59 feedback. If you don't provide vital information to help us track down
60 the problem then you will probably be ignored. All bug reports should
61 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
62 database (https://bugzilla.samba.org/).
65 ======================================================================
66 == Our Code, Our Bugs, Our Responsibility.
68 ======================================================================
71 Release notes for older releases follow:
72 ----------------------------------------
74 =============================
75 Release Notes for Samba 4.4.4
77 =============================
80 This is the latest stable release of Samba 4.4.
86 o Michael Adam <obnox@samba.org>
87 * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence
89 * BUG 11919: smbd:close: Only remove kernel share modes if they had been
91 * BUG 11930: notifyd: Prevent NULL deref segfault in notifyd_peer_destructor.
93 o Jeremy Allison <jra@samba.org>
94 * BUG 10618: s3: auth: Move the declaration of struct dom_sid tmp_sid to
97 o Christian Ambach <ambi@samba.org>
98 * BUG 10796: s3:rpcclient: Make '--pw-nt-hash' option work.
99 * BUG 11354: s3:libsmb/clifile: Use correct value for MaxParameterCount for
101 * BUG 11438: Fix case sensitivity issues over SMB2 or above.
103 o Ralph Boehme <slow@samba.org>
104 * BUG 1703: s3:libnet:libnet_join: Add netbios aliases as SPNs.
105 * BUG 11721: vfs_fruit: Add an option that allows disabling POSIX rename
108 o Alexander Bokovoy <ab@samba.org>
109 * BUG 11936: s3-smbd: Support systemd 230.
111 o Ira Cooper <ira@samba.org>
112 * BUG 11907: source3: Honor the core soft limit of the OS.
114 o Günther Deschner <gd@samba.org>
115 * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence
117 * BUG 11864: s3:client:smbspool_krb5_wrapper: Fix the non clearenv build.
118 * BUG 11906: s3-kerberos: Avoid entering a password change dialogue also when
121 o Robin Hack <hack.robin@gmail.com>
122 * BUG 11890: ldb-samba/ldb_matching_rules: Fix CID 1349424 - Uninitialized
125 o Volker Lendecke <vl@samba.org>
126 * BUG 11844: dbwrap_ctdb: Fix ENOENT->NT_STATUS_NOT_FOUND.
128 o Robin McCorkell <robin@mccorkell.me.uk>
129 * BUG 11276: Correctly set cli->raw_status for libsmbclient in SMB2 code.
131 o Stefan Metzmacher <metze@samba.org>
132 * BUG 11910: s3:smbd: Fix anonymous authentication if signing is mandatory.
133 * BUG 11912: libcli/auth: Let msrpc_parse() return talloc'ed empty strings.
134 * BUG 11914: Fix NTLM Authentication issue with squid.
135 * BUG 11927: s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT.
137 o Luca Olivetti <luca@wetron.es>
138 * BUG 11530: pdb: Fix segfault in pdb_ldap for missing gecos.
140 o Rowland Penny <rpenny@samba.org>
141 * BUG 11613: Allow 'samba-tool fsmo' to cope with empty or missing fsmo
144 o Anoop C S <anoopcs@redhat.com>
145 * BUG 11907: packaging: Set default limit for core file size in service
148 o Andreas Schneider <asn@samba.org>
149 * BUG 11922: s3-net: Convert the key_name to UTF8 during migration.
150 * BUG 11935: s3-smbspool: Log to stderr.
152 o Uri Simchoni <uri@samba.org>
153 * BUG 11900: heimdal: Encode/decode kvno as signed integer.
154 * BUG 11931: s3-quotas: Fix sysquotas_4B quota fetching for BSD.
155 * BUG 11937: smbd: dfree: Ignore quota if not enforced.
157 o Raghavendra Talur <rtalur@redhat.com>
158 * BUG 11907: init: Set core file size to unlimited by default.
160 o Hemanth Thummala <hemanth.thummala@nutanix.com>
161 * BUG 11934: Fix memory leak in share mode locking.
164 #######################################
165 Reporting bugs & Development Discussion
166 #######################################
168 Please discuss this release on the samba-technical mailing list or by
169 joining the #samba-technical IRC channel on irc.freenode.net.
171 If you do report problems then please try to send high quality
172 feedback. If you don't provide vital information to help us track down
173 the problem then you will probably be ignored. All bug reports should
174 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
175 database (https://bugzilla.samba.org/).
178 ======================================================================
179 == Our Code, Our Bugs, Our Responsibility.
181 ======================================================================
184 ----------------------------------------------------------------------
187 =============================
188 Release Notes for Samba 4.4.3
190 =============================
193 This is the latest stable release of Samba 4.4.
195 This release fixes some regressions introduced by the last security fixes.
196 Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
197 bugs addressing these regressions and more information.
203 o Michael Adam <obnox@samba.org>
204 * BUG 11786: idmap_hash: Only allow the hash module for default idmap config.
206 o Jeremy Allison <jra@samba.org>
207 * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
210 o Andrew Bartlett <abartlet@samba.org>
211 * BUG 11789: Fix returning of ldb.MessageElement.
213 o Ralph Boehme <slow@samba.org>
214 * BUG 11855: cleanupd: Restart as needed.
216 o Günther Deschner <gd@samba.org>
217 * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config()
219 * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
221 o Volker Lendecke <vl@samba.org>
222 * BUG 11786: winbind: Fix CID 1357100: Unchecked return value.
223 * BUG 11816: nwrap: Fix the build on Solaris.
224 * BUG 11827: vfs_catia: Fix memleak.
225 * BUG 11878: smbd: Avoid large reads beyond EOF.
227 o Stefan Metzmacher <metze@samba.org>
228 * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
229 * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
230 * BUG 11847: Only validate MIC if "map to guest" is not being used.
231 * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
233 * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
234 * BUG 11858: Allow anonymous smb connections.
235 * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
236 * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
238 o Tom Mortensen <tomm@lime-technology.com>
239 * BUG 11875: nss_wins: Fix the hostent setup.
241 o Garming Sam <garming@catalyst.net.nz>
242 * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
244 o Partha Sarathi <partha@exablox.com>
245 * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
248 o Jorge Schrauwen <sjorge@blackdot.be>
249 * BUG 11816: configure: Don't check for inotify on illumos.
251 o Uri Simchoni <uri@samba.org>
252 * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
254 * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0.
255 * BUG 11852: libads: Record session expiry for spnego sasl binds.
257 o Hemanth Thummala <hemanth.thummala@nutanix.com>
258 * BUG 11840: Mask general purpose signals for notifyd.
261 #######################################
262 Reporting bugs & Development Discussion
263 #######################################
265 Please discuss this release on the samba-technical mailing list or by
266 joining the #samba-technical IRC channel on irc.freenode.net.
268 If you do report problems then please try to send high quality
269 feedback. If you don't provide vital information to help us track down
270 the problem then you will probably be ignored. All bug reports should
271 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
272 database (https://bugzilla.samba.org/).
275 ======================================================================
276 == Our Code, Our Bugs, Our Responsibility.
278 ======================================================================
281 ----------------------------------------------------------------------
284 =============================
285 Release Notes for Samba 4.4.2
287 =============================
289 This is a security release containing one additional
290 regression fix for the security release 4.4.1.
292 This fixes a regression that prevents things like 'net ads join'
293 from working against a Windows 2003 domain.
298 o Stefan Metzmacher <metze@samba.org>
299 * Bug 11804 - prerequisite backports for the security release on
303 -----------------------------------------------------------------------
306 =============================
307 Release Notes for Samba 4.4.1
309 =============================
312 This is a security release in order to address the following CVEs:
314 o CVE-2015-5370 (Multiple errors in DCE-RPC code)
316 o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
318 o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
320 o CVE-2016-2112 (LDAP client and server don't enforce integrity)
322 o CVE-2016-2113 (Missing TLS certificate validation)
324 o CVE-2016-2114 ("server signing = mandatory" not enforced)
326 o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
328 o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
330 The number of changes are rather huge for a security release,
331 compared to typical security releases.
333 Given the number of problems and the fact that they are all related
334 to man in the middle attacks we decided to fix them all at once
335 instead of splitting them.
337 In order to prevent the man in the middle attacks it was required
338 to change the (default) behavior for some protocols. Please see the
339 "New smb.conf options" and "Behavior changes" sections below.
347 Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
348 denial of service attacks (crashes and high cpu consumption)
349 in the DCE-RPC client and server implementations. In addition,
350 errors in validation of the DCE-RPC packets can lead to a downgrade
351 of a secure connection to an insecure one.
353 While we think it is unlikely, there's a nonzero chance for
354 a remote code execution attack against the client components,
355 which are used by smbd, winbindd and tools like net, rpcclient and
356 others. This may gain root access to the attacker.
358 The above applies all possible server roles Samba can operate in.
360 Note that versions before 3.6.0 had completely different marshalling
361 functions for the generic DCE-RPC layer. It's quite possible that
362 that code has similar problems!
364 The downgrade of a secure connection to an insecure one may
365 allow an attacker to take control of Active Directory object
366 handles created on a connection created from an Administrator
367 account and re-use them on the now non-privileged connection,
368 compromising the security of the Samba AD-DC.
372 There are several man in the middle attacks possible with
373 NTLMSSP authentication.
375 E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
376 can be cleared by a man in the middle.
378 This was by protocol design in earlier Windows versions.
380 Windows Server 2003 RTM and Vista RTM introduced a way
381 to protect against the trivial downgrade.
383 See MsvAvFlags and flag 0x00000002 in
384 https://msdn.microsoft.com/en-us/library/cc236646.aspx
386 This new feature also implies support for a mechlistMIC
387 when used within SPNEGO, which may prevent downgrades
388 from other SPNEGO mechs, e.g. Kerberos, if sign or
389 seal is finally negotiated.
391 The Samba implementation doesn't enforce the existence of
392 required flags, which were requested by the application layer,
393 e.g. LDAP or SMB1 encryption (via the unix extensions).
394 As a result a man in the middle can take over the connection.
395 It is also possible to misguide client and/or
396 server to send unencrypted traffic even if encryption
397 was explicitly requested.
399 LDAP (with NTLMSSP authentication) is used as a client
400 by various admin tools of the Samba project,
401 e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
403 As an active directory member server LDAP is also used
404 by the winbindd service when connecting to domain controllers.
406 Samba also offers an LDAP server when running as
407 active directory domain controller.
409 The NTLMSSP authentication used by the SMB1 encryption
410 is protected by smb signing, see CVE-2015-5296.
414 It's basically the same as CVE-2015-0005 for Windows:
416 The NETLOGON service in Microsoft Windows Server 2003 SP2,
417 Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
418 and R2, when a Domain Controller is configured, allows remote
419 attackers to spoof the computer name of a secure channel's
420 endpoint, and obtain sensitive session information, by running a
421 crafted application and leveraging the ability to sniff network
422 traffic, aka "NETLOGON Spoofing Vulnerability".
424 The vulnerability in Samba is worse as it doesn't require
425 credentials of a computer account in the domain.
427 This only applies to Samba running as classic primary domain controller,
428 classic backup domain controller or active directory domain controller.
430 The security patches introduce a new option called "raw NTLMv2 auth"
431 ("yes" or "no") for the [global] section in smb.conf.
432 Samba (the smbd process) will reject client using raw NTLMv2
433 without using NTLMSSP.
435 Note that this option also applies to Samba running as
436 standalone server and member server.
438 You should also consider using "lanman auth = no" (which is already the default)
439 and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
440 as they might impact compatibility with older clients. These also
441 apply for all server roles.
445 Samba uses various LDAP client libraries, a builtin one and/or the system
446 ldap libraries (typically openldap).
448 As active directory domain controller Samba also provides an LDAP server.
450 Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
451 for LDAP connections, including possible integrity (sign) and privacy (seal)
454 Samba has support for an option called "client ldap sasl wrapping" since version
455 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
457 Tools using the builtin LDAP client library do not obey the
458 "client ldap sasl wrapping" option. This applies to tools like:
459 "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
460 options like "--sign" and "--encrypt". With the security update they will
461 also obey the "client ldap sasl wrapping" option as default.
463 In all cases, even if explicitly request via "client ldap sasl wrapping",
464 "--sign" or "--encrypt", the protection can be downgraded by a man in the
467 The LDAP server doesn't have an option to enforce strong authentication
468 yet. The security patches will introduce a new option called
469 "ldap server require strong auth", possible values are "no",
470 "allow_sasl_over_tls" and "yes".
472 As the default behavior was as "no" before, you may
473 have to explicitly change this option until all clients have
474 been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
475 Windows clients and Samba member servers already use
476 integrity protection.
480 Samba has support for TLS/SSL for some protocols:
481 ldap and http, but currently certificates are not
482 validated at all. While we have a "tls cafile" option,
483 the configured certificate is not used to validate
484 the server certificate.
486 This applies to ldaps:// connections triggered by tools like:
487 "ldbsearch", "ldbedit" and more. Note that it only applies
488 to the ldb tools when they are built as part of Samba or with Samba
489 extensions installed, which means the Samba builtin LDAP client library is
492 It also applies to dcerpc client connections using ncacn_http (with https://),
493 which are only used by the openchange project. Support for ncacn_http
494 was introduced in version 4.2.0.
496 The security patches will introduce a new option called
497 "tls verify peer". Possible values are "no_check", "ca_only",
498 "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
500 If you use the self-signed certificates which are auto-generated
501 by Samba, you won't have a crl file and need to explicitly
502 set "tls verify peer = ca_and_name".
506 Due to a regression introduced in Samba 4.0.0,
507 an explicit "server signing = mandatory" in the [global] section
508 of the smb.conf was not enforced for clients using the SMB1 protocol.
510 As a result it does not enforce smb signing and allows man in the middle attacks.
512 This problem applies to all possible server roles:
513 standalone server, member server, classic primary domain controller,
514 classic backup domain controller and active directory domain controller.
516 In addition, when Samba is configured with "server role = active directory domain controller"
517 the effective default for the "server signing" option should be "mandatory".
519 During the early development of Samba 4 we had a new experimental
520 file server located under source4/smb_server. But before
521 the final 4.0.0 release we switched back to the file server
524 But the logic for the correct default of "server signing" was not
525 ported correctly ported.
527 Note that the default for server roles other than active directory domain
528 controller, is "off" because of performance reasons.
532 Samba has an option called "client signing", this is turned off by default
533 for performance reasons on file transfers.
535 This option is also used when using DCERPC with ncacn_np.
537 In order to get integrity protection for ipc related communication
538 by default the "client ipc signing" option is introduced.
539 The effective default for this new option is "mandatory".
541 In order to be compatible with more SMB server implementations,
542 the following additional options are introduced:
543 "client ipc min protocol" ("NT1" by default) and
544 "client ipc max protocol" (the highest support SMB2/3 dialect by default).
545 These options overwrite the "client min protocol" and "client max protocol"
546 options, because the default for "client max protocol" is still "NT1".
547 The reason for this is the fact that all SMB2/3 support SMB signing,
548 while there are still SMB1 implementations which don't offer SMB signing
549 by default (this includes Samba versions before 4.0.0).
551 Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
552 against active directory domain controllers despite of the
553 "client signing" and "client ipc signing" options.
555 o CVE-2016-2118 (a.k.a. BADLOCK):
557 The Security Account Manager Remote Protocol [MS-SAMR] and the
558 Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
559 are both vulnerable to man in the middle attacks. Both are application level
560 protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
562 These protocols are typically available on all Windows installations
563 as well as every Samba server. They are used to maintain
564 the Security Account Manager Database. This applies to all
565 roles, e.g. standalone, domain member, domain controller.
567 Any authenticated DCERPC connection a client initiates against a server
568 can be used by a man in the middle to impersonate the authenticated user
569 against the SAMR or LSAD service on the server.
571 The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
572 and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
573 in this case. A man in the middle can change auth level to CONNECT
574 (which means authentication without message protection) and take over
577 As a result, a man in the middle is able to get read/write access to the
578 Security Account Manager Database, which reveals all passwords
579 and any other potential sensitive information.
581 Samba running as an active directory domain controller is additionally
582 missing checks to enforce PKT_PRIVACY for the
583 Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
584 and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
585 The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
586 is not enforcing at least PKT_INTEGRITY.
592 allow dcerpc auth level connect (G)
594 This option controls whether DCERPC services are allowed to be used with
595 DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
596 message integrity nor privacy protection.
598 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
599 of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
601 The behavior can be overwritten per interface name (e.g. lsarpc,
602 netlogon, samr, srvsvc, winreg, wkssvc ...) by using
603 'allow dcerpc auth level connect:interface = yes' as option.
605 This option yields precedence to the implementation specific restrictions.
606 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
607 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
609 Default: allow dcerpc auth level connect = no
611 Example: allow dcerpc auth level connect = yes
613 client ipc signing (G)
615 This controls whether the client is allowed or required to use
616 SMB signing for IPC$ connections as DCERPC transport. Possible
617 values are auto, mandatory and disabled.
619 When set to mandatory or default, SMB signing is required.
621 When set to auto, SMB signing is offered, but not enforced and
622 if set to disabled, SMB signing is not offered either.
624 Connections from winbindd to Active Directory Domain Controllers
625 always enforce signing.
627 Default: client ipc signing = default
629 client ipc max protocol (G)
631 The value of the parameter (a string) is the highest protocol level that will
632 be supported for IPC$ connections as DCERPC transport.
634 Normally this option should not be set as the automatic negotiation phase
635 in the SMB protocol takes care of choosing the appropriate protocol.
637 The value default refers to the latest supported protocol, currently SMB3_11.
639 See client max protocol for a full list of available protocols.
640 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
642 Default: client ipc max protocol = default
644 Example: client ipc max protocol = SMB2_10
646 client ipc min protocol (G)
648 This setting controls the minimum protocol version that the will be
649 attempted to use for IPC$ connections as DCERPC transport.
651 Normally this option should not be set as the automatic negotiation phase
652 in the SMB protocol takes care of choosing the appropriate protocol.
654 The value default refers to the higher value of NT1 and the
655 effective value of "client min protocol".
657 See client max protocol for a full list of available protocols.
658 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
660 Default: client ipc min protocol = default
662 Example: client ipc min protocol = SMB3_11
664 ldap server require strong auth (G)
666 The ldap server require strong auth defines whether the
667 ldap server requires ldap traffic to be signed or
668 signed and encrypted (sealed). Possible values are no,
669 allow_sasl_over_tls and yes.
671 A value of no allows simple and sasl binds over all transports.
673 A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
674 over TLS encrypted connections. Unencrypted connections only
675 allow sasl binds with sign or seal.
677 A value of yes allows only simple binds over TLS encrypted connections.
678 Unencrypted connections only allow sasl binds with sign or seal.
680 Default: ldap server require strong auth = yes
684 This parameter determines whether or not smbd(8) will allow SMB1 clients
685 without extended security (without SPNEGO) to use NTLMv2 authentication.
687 If this option, lanman auth and ntlm auth are all disabled, then only
688 clients with SPNEGO support will be permitted. That means NTLMv2 is only
689 supported within NTLMSSP.
691 Default: raw NTLMv2 auth = no
695 This controls if and how strict the client will verify the peer's
696 certificate and name. Possible values are (in increasing order): no_check,
697 ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
699 When set to no_check the certificate is not verified at all,
700 which allows trivial man in the middle attacks.
702 When set to ca_only the certificate is verified to be signed from a ca
703 specified in the "tls ca file" option. Setting "tls ca file" to a valid file
704 is required. The certificate lifetime is also verified. If the "tls crl file"
705 option is configured, the certificate is also verified against
708 When set to ca_and_name_if_available all checks from ca_only are performed.
709 In addition, the peer hostname is verified against the certificate's
710 name, if it is provided by the application layer and not given as
711 an ip address string.
713 When set to ca_and_name all checks from ca_and_name_if_available are performed.
714 In addition the peer hostname needs to be provided and even an ip
715 address is checked against the certificate's name.
717 When set to as_strict_as_possible all checks from ca_and_name are performed.
718 In addition the "tls crl file" needs to be configured. Future versions
719 of Samba may implement additional checks.
721 Default: tls verify peer = as_strict_as_possible
723 tls priority (G) (backported from Samba 4.3 to Samba 4.2)
725 This option can be set to a string describing the TLS protocols to be
726 supported in the parts of Samba that use GnuTLS, specifically the AD DC.
728 The default turns off SSLv3, as this protocol is no longer considered
729 secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
730 in HTTPS applications.
732 The valid options are described in the GNUTLS Priority-Strings
733 documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
735 Default: tls priority = NORMAL:-VERS-SSL3.0
741 o The default auth level for authenticated binds has changed from
742 DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
743 That means ncacn_ip_tcp:server is now implicitly the same
744 as ncacn_ip_tcp:server[sign] and offers a similar protection
745 as ncacn_np:server, which relies on smb signing.
747 o The following constraints are applied to SMB1 connections:
749 - "client lanman auth = yes" is now consistently
750 required for authenticated connections using the
751 SMB1 LANMAN2 dialect.
752 - "client ntlmv2 auth = yes" and "client use spnego = yes"
753 (both the default values), require extended security (SPNEGO)
754 support from the server. That means NTLMv2 is only used within
757 o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
758 default of "client ldap sasl wrapping = sign". Even with
759 "client ldap sasl wrapping = plain" they will automatically upgrade
760 to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
766 o Jeremy Allison <jra@samba.org>
767 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
769 o Christian Ambach <ambi@samba.org>
770 * Bug 11804 - prerequisite backports for the security release on
773 o Ralph Boehme <slow@samba.org>
774 * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
775 integrity protection.
777 o Günther Deschner <gd@samba.org>
778 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
780 * Bug 11804 - prerequisite backports for the security release on
783 o Volker Lendecke <vl@samba.org>
784 * Bug 11804 - prerequisite backports for the security release on
787 o Stefan Metzmacher <metze@samba.org>
788 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
790 * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
792 * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
793 integrity protection.
795 * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
797 * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
799 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
801 * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
804 * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
807 * Bug 11804 - prerequisite backports for the security release on
811 #######################################
812 Reporting bugs & Development Discussion
813 #######################################
815 Please discuss this release on the samba-technical mailing list or by
816 joining the #samba-technical IRC channel on irc.freenode.net.
818 If you do report problems then please try to send high quality
819 feedback. If you don't provide vital information to help us track down
820 the problem then you will probably be ignored. All bug reports should
821 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
822 database (https://bugzilla.samba.org/).
825 ======================================================================
826 == Our Code, Our Bugs, Our Responsibility.
828 ======================================================================
831 ----------------------------------------------------------------------
834 =============================
835 Release Notes for Samba 4.4.0
837 =============================
840 This is the first stable release of the Samba 4.4 release series.
852 Asynchronous flush requests
853 ---------------------------
855 Flush requests from SMB2/3 clients are handled asynchronously and do
856 not block the processing of other requests. Note that 'strict sync'
857 has to be set to 'yes' for Samba to honor flush requests from SMB
863 Remove '--with-aio-support' configure option. We no longer would ever prefer
864 POSIX-RT aio, use pthread_aio instead.
869 The 'samba-tool sites' subcommand can now be run against another server by
870 specifying an LDB URL using the '-H' option and not against the local database
871 only (which is still the default when no URL is given).
873 samba-tool domain demote
874 ------------------------
876 Add '--remove-other-dead-server' option to 'samba-tool domain demote'
877 subcommand. The new version of this tool now can remove another DC that is
878 itself offline. The '--remove-other-dead-server' removes as many references
879 to the DC as possible.
881 samba-tool drs clone-dc-database
882 --------------------------------
884 Replicate an initial clone of domain, but do not join it.
885 This is developed for debugging purposes, but not for setting up another DC.
890 Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
891 hexstring. 'pdbedit -vw' shows also password hashes.
896 'smbstatus' was enhanced to show the state of signing and encryption for
901 The -u and -p options for user and password were replaced by the -U option that
902 accepts username[%password] as in many other tools of the Samba suite.
903 Similary, smbgetrc files do not accept username and password options any more,
904 only a single "user" option which also accepts user%password combinations.
905 The -P option was removed.
910 Add a GnuTLS based backupkey implementation.
915 Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
918 Allow '--password' force a local password check for ntlm-server-1 mode.
923 A new VFS module called vfs_offline has been added to mark all files in the
924 share as offline. It can be useful for shares mounted on top of a remote file
925 system (either through a samba VFS module or via FUSE).
930 The Samba KCC has been improved, but is still disabled by default.
935 There were several improvements concerning the Samba DNS server.
940 There were some improvements in the Active Directory area.
945 The WINS nsswitch module has been rewritten to address memory issues and to
946 simplify the code. The module now uses libwbclient to do WINS queries. This
947 means that winbind needs to be running in order to resolve WINS names using
948 the nss_wins module. This does not affect smbd.
953 * CTDB now uses a newly implemented parallel database recovery scheme
954 that avoids deadlocks with smbd.
956 In certain circumstances CTDB and smbd could deadlock. The new
957 recovery implementation avoid this. It also provides improved
958 recovery performance.
960 * All files are now installed into and referred to by the paths
961 configured at build time. Therefore, CTDB will now work properly
962 when installed into the default location at /usr/local.
964 * Public CTDB header files are no longer installed, since Samba and
965 CTDB are built from within the same source tree.
967 * CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
969 This will cause volatile TDBs to be located in a tmpfs. This can
970 help to avoid performance problems associated with contention on the
971 disk where volatile TDBs are usually stored. See ctdbd.conf(5) for
974 * Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
975 Instead, nodes should be annotated with the "slave-only" option in
976 the CTDB NAT gateway nodes file. This file must be consistent
977 across nodes in a NAT gateway group. See ctdbd.conf(5) for more
980 * New event script 05.system allows various system resources to be
983 This can be helpful for explaining poor performance or unexpected
984 behaviour. New configuration variables are
985 CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
986 CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be
987 logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in
988 ctdbd.conf(5) for more information.
990 The memory, swap and filesystem usage monitoring previously found in
991 00.ctdb and 40.fs_use is no longer available. Therefore,
992 configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
993 CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
996 * The 62.cnfs eventscript has been removed. To get a similar effect
997 just do something like this:
999 mmaddcallback ctdb-disable-on-quorumLoss \
1000 --command /usr/bin/ctdb \
1001 --event quorumLoss --parms "disable"
1003 mmaddcallback ctdb-enable-on-quorumReached \
1004 --command /usr/bin/ctdb \
1005 --event quorumReached --parms "enable"
1007 * The CTDB tunable parameter EventScriptTimeoutCount has been renamed
1008 to MonitorTimeoutCount
1010 It has only ever been used to limit timed-out monitor events.
1012 Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
1013 cause CTDB to fail at startup. Useful messages will be logged.
1015 * The commandline option "-n all" to CTDB tool has been removed.
1017 The option was not uniformly implemented for all the commands.
1018 Instead of command "ctdb ip -n all", use "ctdb ip all".
1020 * All CTDB current manual pages are now correctly installed
1023 EXPERIMENTAL FEATURES
1024 =====================
1029 Samba 4.4.0 adds *experimental* support for SMB3 Multi-Channel.
1030 Multi-Channel is an SMB3 protocol feature that allows the client
1031 to bind multiple transport connections into one authenticated
1032 SMB session. This allows for increased fault tolerance and
1033 throughput. The client chooses transport connections as reported
1034 by the server and also chooses over which of the bound transport
1035 connections to send traffic. I/O operations for a given file
1036 handle can span multiple network connections this way.
1037 An SMB multi-channel session will be valid as long as at least
1038 one of its channels are up.
1040 In Samba, multi-channel can be enabled by setting the new
1041 smb.conf option "server multi channel support" to "yes".
1042 It is disabled by default.
1044 Samba has to report interface speeds and some capabilities to
1045 the client. On Linux, Samba can auto-detect the speed of an
1046 interface. But to support other platforms, and in order to be
1047 able to manually override the detected values, the "interfaces"
1048 smb.conf option has been given an extended syntax, by which an
1049 interface specification can additionally carry speed and
1050 capability information. The extended syntax looks like this
1051 for setting the speed to 1 gigabit per second:
1053 interfaces = 192.168.1.42;speed=1000000000
1055 This extension should be used with care and are mainly intended
1056 for testing. See the smb.conf manual page for details.
1058 CAVEAT: While this should be working without problems mostly,
1059 there are still corner cases in the treatment of channel failures
1060 that may result in DATA CORRUPTION when these race conditions hit.
1063 NOT RECOMMENDED TO USE MULTI-CHANNEL IN PRODUCTION
1065 at this stage. This situation can be expected to improve during
1066 the life-time of the 4.4 release. Feed-back from test-setups is
1076 Several public headers are not installed any longer. They are made for internal
1077 use only. More public headers will very likely be removed in future releases.
1079 The following headers are not installed any longer:
1080 dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
1081 gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
1082 gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
1083 ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
1084 smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
1085 smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
1086 smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
1087 smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
1088 torture.h, tstream_smbXcli_np.h.
1090 vfs_smb_traffic_analyzer
1091 ------------------------
1093 The SMB traffic analyzer VFS module has been removed, because it is not
1094 maintained any longer and not widely used.
1099 The scannedonly VFS module has been removed, because it is not maintained
1105 Parameter Name Description Default
1106 -------------- ----------- -------
1107 aio max threads New 100
1108 ldap page size Changed default 1000
1109 server multi channel support New No
1110 interfaces Extended syntax
1119 CHANGES SINCE 4.4.0rc5
1120 ======================
1122 o Michael Adam <obnox@samba.org>
1123 * BUG 11796: smbd: Enable multi-channel if 'server multi channel support =
1126 o Günther Deschner <gd@samba.org>
1127 * BUG 11802: lib/socket/interfaces: Fix some uninitialied bytes.
1129 o Uri Simchoni <uri@samba.org>
1130 * BUG 11798: build: Fix build when '--without-quota' specified.
1133 CHANGES SINCE 4.4.0rc4
1134 ======================
1136 o Andrew Bartlett <abartlet@samba.org>
1137 * BUG 11780: mkdir can return ACCESS_DENIED incorrectly on create race.
1138 * BUG 11783: Mismatch between local and remote attribute ids lets
1139 replication fail with custom schema.
1140 * BUG 11789: Talloc: Version 2.1.6.
1142 o Ira Cooper <ira@samba.org>
1143 * BUG 11774: vfs_glusterfs: Fix use after free in AIO callback.
1145 o Günther Deschner <gd@samba.org>
1146 * BUG 11755: Fix net join.
1148 o Amitay Isaacs <amitay@gmail.com>
1149 * BUG 11770: Reset TCP Connections during IP failover.
1151 o Justin Maggard <jmaggard10@gmail.com>
1152 * BUG 11773: s3:smbd: Add negprot remote arch detection for OSX.
1154 o Stefan Metzmacher <metze@samba.org>
1155 * BUG 11772: ldb: Version 1.1.26.
1156 * BUG 11782: "trustdom_list_done: Got invalid trustdom response" message
1159 o Uri Simchoni <uri@samba.org>
1160 * BUG 11769: libnet: Make Kerberos domain join site-aware.
1161 * BUG 11788: Quota is not supported on Solaris 10.
1164 CHANGES SINCE 4.4.0rc3
1165 ======================
1167 o Jeremy Allison <jra@samba.org>
1168 * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
1169 change permissions on link target.
1171 o Christian Ambach <ambi@samba.org>
1172 * BUG 11767: s3:utils/smbget: Fix option parsing.
1174 o Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>
1175 * BUG 8093: Access based share enum: handle permission set in configuration
1178 o Stefan Metzmacher <metze@samba.org>
1179 * BUG 11702: s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap().
1180 * BUG 11742: tevent: version 0.9.28: Fix memory leak when old signal action
1182 * BUG 11755: s3:libads: setup the msDS-SupportedEncryptionTypes attribute on
1184 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
1187 o Garming Sam <garming@catalyst.net.nz>
1188 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
1191 o Uri Simchoni <uri@samba.org>
1192 * BUG 11691: winbindd: Return trust parameters when listing trusts.
1193 * BUG 11753: smbd: Ignore SVHDX create context.
1194 * BUG 11763: passdb: Add linefeed to debug message.
1197 CHANGES SINCE 4.4.0rc2
1198 ======================
1200 o Michael Adam <obnox@samba.org>
1201 * BUG 11723: lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN.
1202 * BUG 11735: lib:socket: Fix CID 1350009: Fix illegal memory accesses
1203 (BUFFER_SIZE_WARNING).
1205 o Jeremy Allison <jra@samba.org>
1206 * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
1207 filesystem with no ACL support.
1209 o Christian Ambach <ambi@samba.org>
1210 * BUG 11700: s3:utils/smbget: Set default blocksize.
1212 o Anoop C S <anoopcs@redhat.com>
1213 * BUG 11734: lib/socket: Fix improper use of default interface speed.
1215 o Ralph Boehme <slow@samba.org>
1216 * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.
1218 o Volker Lendecke <vl@samba.org>
1219 * BUG 11724: smbd: Fix CID 1351215 Improper use of negative value.
1220 * BUG 11725: smbd: Fix CID 1351216 Dereference null return value.
1221 * BUG 11732: param: Fix str_list_v3 to accept ; again.
1223 o Noel Power <noel.power@suse.com>
1224 * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.
1226 o Jose A. Rivera <jarrpa@samba.org>
1227 * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
1228 creating a new file.
1230 o Andreas Schneider <asn@samba.org>
1231 * BUG 11730: docs: Add manpage for cifsdd.
1232 * BUG 11739: Fix installation path of Samba helper binaries.
1234 o Berend De Schouwer <berend.de.schouwer@gmail.com>
1235 * BUG 11643: docs: Add example for domain logins to smbspool man page.
1237 o Martin Schwenke <martin@meltin.net>
1238 * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."
1240 o Hemanth Thummala <hemanth.thummala@nutanix.com>
1241 * BUG 11708: loadparm: Fix memory leak issue.
1242 * BUG 11740: Fix memory leak in loadparm.
1245 CHANGES SINCE 4.4.0rc1
1246 ======================
1248 o Michael Adam <obnox@samba.org>
1249 * BUG 11715: s3:vfs:glusterfs: Fix build after quota changes.
1251 o Jeremy Allison <jra@samba.org>
1252 * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
1254 o Christian Ambach <ambi@samba.org>
1255 * BUG 11700: Streamline 'smbget' options with the rest of the Samba utils.
1257 o Günther Deschner <gd@samba.org>
1258 * BUG 11696: ctdb: Do not provide a useless pkgconfig file for ctdb.
1260 o Stefan Metzmacher <metze@samba.org>
1261 * BUG 11699: Crypto.Cipher.ARC4 is not available on some platforms, fallback
1262 to M2Crypto.RC4.RC4 then.
1264 o Amitay Isaacs <amitay@gmail.com>
1265 * BUG 11705: Sockets with htons(IPPROTO_RAW) and CVE-2015-8543.
1267 o Andreas Schneider <asn@samba.org>
1268 * BUG 11690: docs: Add smbspool_krb5_wrapper manpage.
1270 o Uri Simchoni <uri@samba.org>
1271 * BUG 11681: smbd: Show correct disk size for different quota and dfree block
1275 #######################################
1276 Reporting bugs & Development Discussion
1277 #######################################
1279 Please discuss this release on the samba-technical mailing list or by
1280 joining the #samba-technical IRC channel on irc.freenode.net.
1282 If you do report problems then please try to send high quality
1283 feedback. If you don't provide vital information to help us track down
1284 the problem then you will probably be ignored. All bug reports should
1285 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1286 database (https://bugzilla.samba.org/).
1289 ======================================================================
1290 == Our Code, Our Bugs, Our Responsibility.
1292 ======================================================================