1 ==============================
2 Release Notes for Samba 4.13.5
4 ==============================
7 This is the latest stable release of the Samba 4.13 release series.
13 o Trever L. Adams <trever.adams@gmail.com>
14 * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
17 o Jeremy Allison <jra@samba.org>
18 * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
19 setup failed on temp proxy connection.
20 * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
21 force a full reload of services.
23 o Andrew Bartlett <abartlet@samba.org>
24 * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
27 o Ralph Boehme <slow@samba.org
28 * BUG 14503: s3: Fix fcntl waf configure check.
29 * BUG 14602: s3/auth: Implement "winbind:ignore domains".
30 * BUG 14617: smbd: Use fsp->conn->session_info for the initial
31 delete-on-close token.
33 o Peter Eriksson <pen@lysator.liu.se>
34 * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
37 o Björn Jacke <bj@sernet.de>
38 * BUG 14624: classicupgrade: Treat old never expires value right.
40 o Volker Lendecke <vl@samba.org>
41 * BUG 14636: g_lock: Fix uninitalized variable reads.
43 o Stefan Metzmacher <metze@samba.org>
44 * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
46 o Andreas Schneider <asn@samba.org>
47 * BUG 14625: lib:util: Avoid free'ing our own pointer.
49 o Paul Wise <pabs3@bonedaddy.net>
50 * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
53 #######################################
54 Reporting bugs & Development Discussion
55 #######################################
57 Please discuss this release on the samba-technical mailing list or by
58 joining the #samba-technical IRC channel on irc.freenode.net.
60 If you do report problems then please try to send high quality
61 feedback. If you don't provide vital information to help us track down
62 the problem then you will probably be ignored. All bug reports should
63 be filed under the Samba 4.1 and newer product in the project's Bugzilla
64 database (https://bugzilla.samba.org/).
67 ======================================================================
68 == Our Code, Our Bugs, Our Responsibility.
70 ======================================================================
73 Release notes for older releases follow:
74 ----------------------------------------
77 ==============================
78 Release Notes for Samba 4.13.4
80 ==============================
83 This is the latest stable release of the Samba 4.13 release series.
89 o Jeremy Allison <jra@samba.org>
90 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
92 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
93 same way as a regular share definition does.
95 o Dimitry Andric <dimitry@andric.com>
96 * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
99 o Andrew Bartlett <abartlet@samba.org>
100 * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
102 o Ralph Boehme <slow@samba.org>
103 * BUG 14596: vfs_fruit may close wrong backend fd.
104 * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
105 same way as a regular share definition does.
107 o Arne Kreddig <arne@kreddig.net>
108 * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
110 o Stefan Metzmacher <metze@samba.org>
111 * BUG 14596: vfs_fruit may close wrong backend fd.
112 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
115 o Andreas Schneider <asn@samba.org>
116 * BUG 14601: The cache directory for the user gencache should be created
119 o Martin Schwenke <martin@meltin.net>
120 * BUG 14594: Be more flexible with repository names in CentOS 8 test
124 #######################################
125 Reporting bugs & Development Discussion
126 #######################################
128 Please discuss this release on the samba-technical mailing list or by
129 joining the #samba-technical IRC channel on irc.freenode.net.
131 If you do report problems then please try to send high quality
132 feedback. If you don't provide vital information to help us track down
133 the problem then you will probably be ignored. All bug reports should
134 be filed under the Samba 4.1 and newer product in the project's Bugzilla
135 database (https://bugzilla.samba.org/).
138 ======================================================================
139 == Our Code, Our Bugs, Our Responsibility.
141 ======================================================================
144 ----------------------------------------------------------------------
147 ==============================
148 Release Notes for Samba 4.13.3
150 ==============================
153 This is the latest stable release of the Samba 4.13 release series.
159 o Jeremy Allison <jra@samba.org>
160 * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
161 fails for crypto blob.
162 * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
163 leaks from a function.
164 * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
165 NULL via TALLOC_FREE().
166 * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
168 * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
171 o Ralph Boehme <slow@samba.org>
172 * BUG 14248: samba process does not honor max log size.
173 * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
176 o Isaac Boukris <iboukris@gmail.com>
177 * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
179 o Günther Deschner <gd@samba.org>
180 * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
182 o Volker Lendecke <vl@samba.org>
183 * BUG 14517: smbclient: Fix recursive mget.
184 * BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
186 o Anoop C S <anoopcs@samba.org>
187 * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
189 * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
191 o Jones Syue <jonessyue@qnap.com>
192 * BUG 14514: interface: Fix if_index is not parsed correctly.
195 #######################################
196 Reporting bugs & Development Discussion
197 #######################################
199 Please discuss this release on the samba-technical mailing list or by
200 joining the #samba-technical IRC channel on irc.freenode.net.
202 If you do report problems then please try to send high quality
203 feedback. If you don't provide vital information to help us track down
204 the problem then you will probably be ignored. All bug reports should
205 be filed under the Samba 4.1 and newer product in the project's Bugzilla
206 database (https://bugzilla.samba.org/).
209 ======================================================================
210 == Our Code, Our Bugs, Our Responsibility.
212 ======================================================================
215 ---------------------------------------------------------------------- ==============================
216 Release Notes for Samba 4.13.2
218 ==============================
221 This is the latest stable release of the Samba 4.13 release series.
223 Major enhancements include:
224 o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
225 o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
233 The GlusterFS write-behind performance translator, when used with Samba, could
234 be a source of data corruption. The translator, while processing a write call,
235 immediately returns success but continues writing the data to the server in the
236 background. This can cause data corruption when two clients relying on Samba to
237 provide data consistency are operating on the same file.
239 The write-behind translator is enabled by default on GlusterFS.
240 The vfs_glusterfs plugin will check for the presence of the translator and
241 refuse to connect if detected. Please disable the write-behind translator for
242 the GlusterFS volume to allow the plugin to connect to the volume.
248 o Jeremy Allison <jra@samba.org>
249 * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
250 **lines onto mem_ctx on return.
252 o Ralph Boehme <slow@samba.org>
253 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
255 o Alexander Bokovoy <ab@samba.org>
256 * BUG 14538: smb.conf.5: Add clarification how configuration changes
258 * BUG 14552: daemons: Report status to systemd even when running in
260 * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
262 o Günther Deschner <gd@samba.org>
263 * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
266 o Amitay Isaacs <amitay@gmail.com>
267 * BUG 14487: provision: Add support for BIND 9.16.x.
268 * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
269 * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
271 o Björn Jacke <bjacke@samba.org>
272 * BUG 14522: docs: Fix default value of spoolss:architecture.
274 o Laurent Menase <laurent.menase@hpe.com>
275 * BUG 14388: winbind: Fix a memleak.
277 o Stefan Metzmacher <metze@samba.org>
278 * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
280 o Sachin Prabhu <sprabhu@redhat.com>
281 * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
284 o Khem Raj <raj.khem@gmail.com>
285 * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
287 o Anoop C S <anoopcs@samba.org>
288 * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
290 o Andreas Schneider <asn@samba.org>
291 * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
292 * BUG 14550: examples:auth: Do not install example plugin.
294 o Martin Schwenke <martin@meltin.net>
295 * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
297 o Andrew Walker <awalker@ixsystems.com>
298 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
301 #######################################
302 Reporting bugs & Development Discussion
303 #######################################
305 Please discuss this release on the samba-technical mailing list or by
306 joining the #samba-technical IRC channel on irc.freenode.net.
308 If you do report problems then please try to send high quality
309 feedback. If you don't provide vital information to help us track down
310 the problem then you will probably be ignored. All bug reports should
311 be filed under the Samba 4.1 and newer product in the project's Bugzilla
312 database (https://bugzilla.samba.org/).
315 ======================================================================
316 == Our Code, Our Bugs, Our Responsibility.
318 ======================================================================
321 ----------------------------------------------------------------------
324 ==============================
325 Release Notes for Samba 4.13.1
327 ==============================
330 This is a security release in order to address the following defects:
332 o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
333 o CVE-2020-14323: Unprivileged user can crash winbind.
334 o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
343 The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
344 request file name notification on a directory handle when a condition such as
345 "new file creation" or "file size change" or "file timestamp update" occurs.
347 A missing permissions check on a directory handle requesting ChangeNotify
348 meant that a client with a directory handle open only for
349 FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
350 notify replies from the server. These replies contain information that should
351 not be available to directory handles open for FILE_READ_ATTRIBUTE only.
354 winbind in version 3.6 and later implements a request to translate multiple
355 Windows SIDs into names in one request. This was done for performance
356 reasons: The Microsoft RPC call domain controllers offer to do this
357 translation, so it was an obvious extension to also offer this batch
358 operation on the winbind unix domain stream socket that is available to local
359 processes on the Samba server.
361 Due to improper input validation a hand-crafted packet can make winbind
362 perform a NULL pointer dereference and thus crash.
365 Some DNS records (such as MX and NS records) usually contain data in the
366 additional section. Samba's dnsserver RPC pipe (which is an administrative
367 interface not used in the DNS server itself) made an error in handling the
368 case where there are no records present: instead of noticing the lack of
369 records, it dereferenced uninitialised memory, causing the RPC server to
370 crash. This RPC server, which also serves protocols other than dnsserver,
371 will be restarted after a short delay, but it is easy for an authenticated
372 non-admin attacker to crash it again as soon as it returns. The Samba DNS
373 server itself will continue to operate, but many RPC services will not.
375 For more details, please refer to the security advisories.
381 o Jeremy Allison <jra@samba.org>
382 * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
383 unless the directory handle is open for SEC_DIR_LIST.
385 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
386 * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
388 * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
390 o Volker Lendecke <vl@samba.org>
391 * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
394 #######################################
395 Reporting bugs & Development Discussion
396 #######################################
398 Please discuss this release on the samba-technical mailing list or by
399 joining the #samba-technical IRC channel on irc.freenode.net.
401 If you do report problems then please try to send high quality
402 feedback. If you don't provide vital information to help us track down
403 the problem then you will probably be ignored. All bug reports should
404 be filed under the Samba 4.1 and newer product in the project's Bugzilla
405 database (https://bugzilla.samba.org/).
408 ======================================================================
409 == Our Code, Our Bugs, Our Responsibility.
411 ======================================================================
414 ----------------------------------------------------------------------
417 ==============================
418 Release Notes for Samba 4.13.0
420 ==============================
423 This is the first stable release of the Samba 4.13 release series.
424 Please read the release notes carefully before upgrading.
430 Please avoid to set "server schannel = no" and "server schannel= auto" on all
431 Samba domain controllers due to the wellknown ZeroLogon issue.
433 For details please see
434 https://www.samba.org/samba/security/CVE-2020-1472.html.
440 Python 3.6 or later required
441 ----------------------------
443 Samba's minimum runtime requirement for python was raised to Python
444 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
445 3.6 both to access new features and because this is the oldest version
446 we test with in our CI infrastructure.
448 This is also the last release where it will be possible to build Samba
449 (just the file server) with Python versions 2.6 and 2.7.
451 As Python 2.7 has been End Of Life upstream since April 2020, Samba
452 is dropping ALL Python 2.x support in the NEXT release.
454 Samba 4.14 to be released in March 2021 will require Python 3.6 or
457 wide links functionality
458 ------------------------
460 For this release, the code implementing the insecure "wide links = yes"
461 functionality has been moved out of the core smbd code and into a separate
462 VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
463 by smbd as the last but one module before vfs_default if "wide links = yes"
464 is enabled on the share (note, the existing restrictions on enabling wide
465 links around the SMB1 "unix extensions" and the "allow insecure wide links"
466 parameters are still in force). The implicit loading was done to allow
467 existing users of "wide links = yes" to keep this functionality without
468 having to make a change to existing working smb.conf files.
470 Please note that the Samba developers recommend changing any Samba
471 installations that currently use "wide links = yes" to use bind mounts
472 as soon as possible, as "wide links = yes" is an inherently insecure
473 configuration which we would like to remove from Samba. Moving the
474 feature into a VFS module allows this to be done in a cleaner way
477 A future release to be determined will remove this implicit linkage,
478 causing administrators who need this functionality to have to explicitly
479 add the vfs_widelinks module into the "vfs objects =" parameter lists.
480 The release notes will be updated to note this change when it occurs.
482 NT4-like 'classic' Samba domain controllers
483 -------------------------------------------
485 Samba 4.13 deprecates Samba's original domain controller mode.
487 Sites using Samba as a Domain Controller should upgrade from the
488 NT4-like 'classic' Domain Controller to a Samba Active Directory DC
489 to ensure full operation with modern windows clients.
491 SMBv1 only protocol options deprecated
492 --------------------------------------
494 A number of smb.conf parameters for less-secure authentication methods
495 which are only possible over SMBv1 are deprecated in this release.
501 The deprecated "ldap ssl ads" smb.conf option has been removed.
507 Parameter Name Description Default
508 -------------- ----------- -------
510 smb2 disable lock sequence checking Added No
511 smb2 disable oplock break retry Added No
512 domain logons Deprecated no
513 raw NTLMv2 auth Deprecated no
514 client plaintext auth Deprecated no
515 client NTLMv2 auth Deprecated yes
516 client lanman auth Deprecated no
517 client use spnego Deprecated yes
518 server require schannel:COMPUTER Added
521 CHANGES SINCE 4.13.0rc5
522 =======================
524 o Jeremy Allison <jra@samba.org>
525 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
526 netr_ServerPasswordSet2 against unencrypted passwords.
528 o Günther Deschner <gd@samba.org>
529 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
530 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
532 o Gary Lockyer <gary@catalyst.net.nz>
533 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
536 o Stefan Metzmacher <metze@samba.org>
537 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
538 challenges in netlogon_creds_server_init()
539 "server require schannel:WORKSTATION$ = no".
542 CHANGES SINCE 4.13.0rc4
543 =======================
545 o Andreas Schneider <asn@samba.org>
546 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
548 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
549 * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
552 o Stefan Metzmacher <metze@samba.org>
553 * BUG 14482: Fix build problem if libbsd-dev is not installed.
556 CHANGES SINCE 4.13.0rc3
557 =======================
559 o David Disseldorp <ddiss@samba.org>
560 * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
562 o Volker Lendecke <vl@samba.org>
563 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
566 o Stefan Metzmacher <metze@samba.org>
567 * BUG 14428: PANIC: Assert failed in get_lease_type().
568 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
572 CHANGES SINCE 4.13.0rc2
573 =======================
575 o Andrew Bartlett <abartlet@samba.org>
576 * BUG 14460: Deprecate domain logons, SMBv1 things.
578 o Günther Deschner <gd@samba.org>
579 * BUG 14318: docs: Add missing winexe manpage.
581 o Christof Schmitt <cs@samba.org>
582 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
584 o Martin Schwenke <martin@meltin.net>
585 * BUG 14466: ctdb disable/enable can fail due to race condition.
588 CHANGES SINCE 4.13.0rc1
589 =======================
591 o Andrew Bartlett <abartlet@samba.org>
592 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
594 o Isaac Boukris <iboukris@gmail.com>
595 * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
597 o Volker Lendecke <vl@samba.org>
598 * BUG 14435: winbind: Fix lookuprids cache problem.
600 o Stefan Metzmacher <metze@samba.org>
601 * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
604 o Andreas Schneider <asn@samba.org>
605 * BUG 14358: docs: Fix documentation for require_membership_of of
608 o Martin Schwenke <martin@meltin.net>
609 * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
616 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
619 #######################################
620 Reporting bugs & Development Discussion
621 #######################################
623 Please discuss this release on the samba-technical mailing list or by
624 joining the #samba-technical IRC channel on irc.freenode.net.
626 If you do report problems then please try to send high quality
627 feedback. If you don't provide vital information to help us track down
628 the problem then you will probably be ignored. All bug reports should
629 be filed under the Samba 4.1 and newer product in the project's Bugzilla
630 database (https://bugzilla.samba.org/).
633 ======================================================================
634 == Our Code, Our Bugs, Our Responsibility.
636 ======================================================================