1 ==============================
2 Release Notes for Samba 4.17.4
4 ==============================
7 This is the latest stable release of the Samba 4.17 release series.
8 It also contains security changes in order to address the following defects:
11 o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
12 RC4-HMAC Elevation of Privilege Vulnerability
13 disclosed by Microsoft on Nov 8 2022.
15 A Samba Active Directory DC will issue weak rc4-hmac
16 session keys for use between modern clients and servers
17 despite all modern Kerberos implementations supporting
18 the aes256-cts-hmac-sha1-96 cipher.
20 On Samba Active Directory DCs and members
21 'kerberos encryption types = legacy' would force
22 rc4-hmac as a client even if the server supports
23 aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
25 https://www.samba.org/samba/security/CVE-2022-37966.html
27 o CVE-2022-37967: This is the Samba CVE for the Windows
28 Kerberos Elevation of Privilege Vulnerability
29 disclosed by Microsoft on Nov 8 2022.
31 A service account with the special constrained
32 delegation permission could forge a more powerful
33 ticket than the one it was presented with.
35 https://www.samba.org/samba/security/CVE-2022-37967.html
37 o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
38 same algorithms as rc4-hmac cryptography in Kerberos,
39 and so must also be assumed to be weak.
41 https://www.samba.org/samba/security/CVE-2022-38023.html
43 Note that there are several important behavior changes
44 included in this release, which may cause compatibility problems
45 interacting with system still expecting the former behavior.
46 Please read the advisories of CVE-2022-37966,
47 CVE-2022-37967 and CVE-2022-38023 carefully!
49 samba-tool got a new 'domain trust modify' subcommand
50 -----------------------------------------------------
52 This allows "msDS-SupportedEncryptionTypes" to be changed
53 on trustedDomain objects. Even against remote DCs (including Windows)
54 using the --local-dc-ipaddress= (and other --local-dc-* options).
55 See 'samba-tool domain trust modify --help' for further details.
60 Parameter Name Description Default
61 -------------- ----------- -------
62 allow nt4 crypto Deprecated no
63 allow nt4 crypto:COMPUTERACCOUNT New
64 kdc default domain supported enctypes New (see manpage)
65 kdc supported enctypes New (see manpage)
66 kdc force enable rc4 weak session keys New No
67 reject md5 clients New Default, Deprecated Yes
68 reject md5 servers New Default, Deprecated Yes
69 server schannel Deprecated Yes
70 server schannel require seal New, Deprecated Yes
71 server schannel require seal:COMPUTERACCOUNT New
72 winbind sealed pipes Deprecated Yes
77 o Jeremy Allison <jra@samba.org>
78 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
81 o Andrew Bartlett <abartlet@samba.org>
82 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
83 user-controlled pointer in FAST.
84 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
85 * BUG 15237: CVE-2022-37966.
86 * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
88 o Ralph Boehme <slow@samba.org>
89 * BUG 15240: CVE-2022-38023.
90 * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
92 o Stefan Metzmacher <metze@samba.org>
93 * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
95 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
97 * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
99 * BUG 15206: libnet: change_password() doesn't work with
100 dcerpc_samr_ChangePasswordUser4().
101 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
102 * BUG 15230: Memory leak in snprintf replacement functions.
103 * BUG 15237: CVE-2022-37966.
104 * BUG 15240: CVE-2022-38023.
105 * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
106 (CVE-2021-20251 regression).
108 o Noel Power <noel.power@suse.com>
109 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
112 o Anoop C S <anoopcs@samba.org>
113 * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
115 o Andreas Schneider <asn@samba.org>
116 * BUG 15237: CVE-2022-37966.
117 * BUG 15243: %U for include directive doesn't work for share listing
119 * BUG 15257: Stack smashing in net offlinejoin requestodj.
121 o Joseph Sutton <josephsutton@catalyst.net.nz>
122 * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
123 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
124 * BUG 15231: CVE-2022-37967.
125 * BUG 15237: CVE-2022-37966.
127 o Nicolas Williams <nico@twosigma.com>
128 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
129 user-controlled pointer in FAST.
133 #######################################
134 Reporting bugs & Development Discussion
135 #######################################
137 Please discuss this release on the samba-technical mailing list or by
138 joining the #samba-technical:matrix.org matrix room, or
139 #samba-technical IRC channel on irc.libera.chat.
142 If you do report problems then please try to send high quality
143 feedback. If you don't provide vital information to help us track down
144 the problem then you will probably be ignored. All bug reports should
145 be filed under the Samba 4.1 and newer product in the project's Bugzilla
146 database (https://bugzilla.samba.org/).
149 ======================================================================
150 == Our Code, Our Bugs, Our Responsibility.
152 ======================================================================
155 Release notes for older releases follow:
156 ----------------------------------------
157 ==============================
158 Release Notes for Samba 4.17.3
160 ==============================
163 This is a security release in order to address the following defects:
166 o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
167 integer overflows when parsing a PAC on a 32-bit system, which
168 allowed an attacker with a forged PAC to corrupt the heap.
169 https://www.samba.org/samba/security/CVE-2022-42898.html
173 o Joseph Sutton <josephsutton@catalyst.net.nz>
174 * BUG 15203: CVE-2022-42898
176 o Nicolas Williams <nico@twosigma.com>
177 * BUG 15203: CVE-2022-42898
180 #######################################
181 Reporting bugs & Development Discussion
182 #######################################
184 Please discuss this release on the samba-technical mailing list or by
185 joining the #samba-technical:matrix.org matrix room, or
186 #samba-technical IRC channel on irc.libera.chat.
189 If you do report problems then please try to send high quality
190 feedback. If you don't provide vital information to help us track down
191 the problem then you will probably be ignored. All bug reports should
192 be filed under the Samba 4.1 and newer product in the project's Bugzilla
193 database (https://bugzilla.samba.org/).
196 ======================================================================
197 == Our Code, Our Bugs, Our Responsibility.
199 ======================================================================
202 ----------------------------------------------------------------------
203 ==============================
204 Release Notes for Samba 4.17.2
206 ==============================
209 This is a security release in order to address the following defects:
211 o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
212 unwrap_des() and unwrap_des3() routines of Heimdal (included
214 https://www.samba.org/samba/security/CVE-2022-3437.html
216 o CVE-2022-3592: A malicious client can use a symlink to escape the exported
218 https://www.samba.org/samba/security/CVE-2022-3592.html
223 o Volker Lendecke <vl@samba.org>
224 * BUG 15207: CVE-2022-3592.
226 o Joseph Sutton <josephsutton@catalyst.net.nz>
227 * BUG 15134: CVE-2022-3437.
230 #######################################
231 Reporting bugs & Development Discussion
232 #######################################
234 Please discuss this release on the samba-technical mailing list or by
235 joining the #samba-technical:matrix.org matrix room, or
236 #samba-technical IRC channel on irc.libera.chat.
238 If you do report problems then please try to send high quality
239 feedback. If you don't provide vital information to help us track down
240 the problem then you will probably be ignored. All bug reports should
241 be filed under the Samba 4.1 and newer product in the project's Bugzilla
242 database (https://bugzilla.samba.org/).
245 ======================================================================
246 == Our Code, Our Bugs, Our Responsibility.
248 ======================================================================
251 ----------------------------------------------------------------------
252 ==============================
253 Release Notes for Samba 4.17.1
255 ==============================
258 This is the latest stable release of the Samba 4.17 release series.
264 o Jeremy Allison <jra@samba.org>
265 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
267 * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
268 * BUG 15182: Flush on a named stream never completes.
269 * BUG 15195: Permission denied calling SMBC_getatr when file not exists.
271 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
272 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
273 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
274 * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
276 o Andrew Bartlett <abartlet@samba.org>
277 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
279 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
280 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
282 o Ralph Boehme <slow@samba.org>
283 * BUG 15182: Flush on a named stream never completes.
285 o Volker Lendecke <vl@samba.org>
286 * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
288 o Gary Lockyer <gary@catalyst.net.nz>
289 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
292 o Stefan Metzmacher <metze@samba.org>
293 * BUG 15200: multi-channel socket passing may hit a race if one of the
294 involved processes already existed.
295 * BUG 15201: memory leak on temporary of struct imessaging_post_state and
296 struct tevent_immediate on struct imessaging_context (in
297 rpcd_spoolss and maybe others).
299 o Noel Power <noel.power@suse.com>
300 * BUG 15205: Since popt1.19 various use after free errors using result of
301 poptGetArg are now exposed.
303 o Anoop C S <anoopcs@samba.org>
304 * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
307 o Andreas Schneider <asn@samba.org>
308 * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
310 o Joseph Sutton <josephsutton@catalyst.net.nz>
311 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
315 #######################################
316 Reporting bugs & Development Discussion
317 #######################################
319 Please discuss this release on the samba-technical mailing list or by
320 joining the #samba-technical:matrix.org matrix room, or
321 #samba-technical IRC channel on irc.libera.chat.
324 If you do report problems then please try to send high quality
325 feedback. If you don't provide vital information to help us track down
326 the problem then you will probably be ignored. All bug reports should
327 be filed under the Samba 4.1 and newer product in the project's Bugzilla
328 database (https://bugzilla.samba.org/).
331 ======================================================================
332 == Our Code, Our Bugs, Our Responsibility.
334 ======================================================================
337 ----------------------------------------------------------------------
338 ==============================
339 Release Notes for Samba 4.17.0
341 ==============================
344 This is the first stable release of the Samba 4.17 release series.
345 Please read the release notes carefully before upgrading.
351 SMB Server performance improvements
352 -----------------------------------
354 The security improvements in recent releases
355 (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
356 caused performance regressions for meta data heavy workloads.
358 With 4.17 the situation improved a lot again:
360 - Pathnames given by a client are devided into dirname and basename.
361 The amount of syscalls to validate dirnames is reduced to 2 syscalls
362 (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
363 makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
364 in order to just use 2 syscalls (openat2, close) for the whole dirname.
366 - Contended path based operations used to generate a lot of unsolicited
367 wakeup events causing thundering herd problems, which lead to masive
368 latencies for some clients. These events are now avoided in order
369 to provide stable latencies and much higher throughput of open/close
372 Configure without the SMB1 Server
373 ---------------------------------
375 It is now possible to configure Samba without support for
376 the SMB1 protocol in smbd. This can be selected at configure
377 time with either of the options:
380 --without-smb1-server
382 By default (without either of these options set) Samba
383 is configured to include SMB1 support (i.e. --with-smb1-server
384 is the default). When Samba is configured without SMB1 support,
385 none of the SMB1 code is included inside smbd except the minimal
386 stub code needed to allow a client to connect as SMB1 and immediately
387 negotiate the selected protocol into SMB2 (as a Windows server also
390 None of the SMB1-only smb.conf parameters are removed when
391 configured without SMB1, but these parameters are ignored by
392 the smbd server. This allows deployment without having to change
393 an existing smb.conf file.
395 This option allows sites, OEMs and integrators to configure Samba
396 to remove the old and insecure SMB1 protocol from their products.
398 Note that the Samba client libraries still support SMB1 connections
399 even when Samba is configured as --without-smb1-server. This is
400 to ensure maximum compatibility with environments containing old
403 Bronze bit and S4U support now also with MIT Kerberos 1.20
404 ----------------------------------------------------------
406 In 2020 Microsoft Security Response Team received another Kerberos-related
407 report. Eventually, that led to a security update of the CVE-2020-17049,
408 Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
409 Bit’. With this vulnerability, a compromised service that is configured to use
410 Kerberos constrained delegation feature could tamper with a service ticket that
411 is not valid for delegation to force the KDC to accept it.
413 With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
414 ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
415 changed to allow passing more details between KDC and KDB components. When built
416 against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
417 but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
419 In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
420 S4U2Self and S4U2Proxy Kerberos extensions.
422 Note the default (Heimdal-based) KDC was already fixed in 2021,
423 see https://bugzilla.samba.org/show_bug.cgi?id=14642
425 Resource Based Constrained Delegation (RBCD) support
426 ----------------------------------------------------
428 Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
429 Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
431 samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
432 in order to manage RBCD.
434 To complete RBCD support and make it useful to Administrators we added the
435 Asserted Identity [1] SID into the PAC for constrained delegation. This is
436 available for Samba AD compiled with MIT Kerberos 1.20.
438 Note the default (Heimdal-based) KDC does not support RBCD yet.
440 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
442 Customizable DNS listening port
443 -------------------------------
445 It is now possible to set a custom listening port for the builtin DNS service,
446 making easy to host another DNS on the same system that would bind to the
447 default port and forward the domain-specific queries to Samba using the custom
448 port. This is the opposite configuration of setting a forwarder in Samba.
450 It makes possible to use another DNS server as a front and forward to Samba.
452 Dynamic DNS updates may not be proxied by the front DNS server when forwarding
453 to Samba. Dynamic DNS update proxying depends on the features of the other DNS
454 server used as a front.
459 * When Samba is configured with both --with-cluster-support and
460 --systemd-install-services then a systemd service file for CTDB will
463 * ctdbd_wrapper has been removed. ctdbd is now started directly from
464 a systemd service file or init script.
466 * The syntax for the ctdb.tunables configuration file has been
467 relaxed. However, trailing garbage after the value, including
468 comments, is no longer permitted. Please see ctdb-tunables(7) for
471 Operation without the (unsalted) NT password hash
472 -------------------------------------------------
474 When Samba is configured with 'nt hash store = never' then Samba will
475 no longer store the (unsalted) NT password hash for users in Active
476 Directory. (Trust accounts, like computers, domain controllers and
477 inter-domain trusts are not impacted).
479 In the next version of Samba the default for 'nt hash store' will
480 change from 'always' to 'auto', where it will follow (behave as 'nt
481 hash store = never' when 'ntlm auth = disabled' is set.
483 Security-focused deployments of Samba that have eliminated NTLM from
484 their networks will find setting 'ntlm auth = disabled' with 'nt hash
485 store = always' as a useful way to improve compliance with
486 best-practice guidance on password storage (which is to always use an
489 Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
490 Kerberos keys will not be available for users who subsequently change
491 their password, as these keys derive their values from NT hashes. AES
492 keys are stored by default for all deployments of Samba with Domain
493 Functional Level 2008 or later, are supported by all modern clients,
494 and are much more secure.
496 Finally, also note that password history in Active Directory is stored
497 in nTPwdHistory using a series of NT hash values. Therefore the full
498 password history feature is not available in this mode.
500 To provide some protection against password re-use previous Kerberos
501 hash values (the current, old and older values are already stored) are
502 used, providing a history length of 3.
504 There is one small limitation of this workaround: Changing the
505 sAMAccountName, userAccountControl or userPrincipalName of an account
506 can cause the Kerberos password salt to change. This means that after
507 *both* an account rename and a password change, only the current
508 password will be recognised for password history purposes.
510 Python API for smbconf
511 ----------------------
513 Samba's smbconf library provides a generic frontend to various
514 configuration backends (plain text file, registry) as a C library. A
515 new Python wrapper, importable as 'samba.smbconf' is available. An
516 additional module, 'samba.samba3.smbconf', is also available to enable
517 registry backend support. These libraries allow Python programs to
518 read, and optionally write, Samba configuration natively.
520 JSON support for smbstatus
521 --------------------------
523 It is now possible to print detailed information in JSON format in
524 the smbstatus program using the new option --json. The JSON output
525 covers all the existing text output including sessions, connections,
526 open files, byte-range locks, notifies and profile data with all
527 low-level information maintained by Samba in the respective databases.
529 Protected Users security group
530 ------------------------------
532 Samba AD DC now includes support for the Protected Users security
533 group introduced in Windows Server 2012 R2. The feature reduces the
534 attack surface of user accounts by preventing the use of weak
535 encryption types. It also mitigates the effects of credential theft by
536 limiting credential lifetime and scope.
538 The protections are intended for user accounts only, and service or
539 computer accounts should not be added to the Protected Users
540 group. User accounts added to the group are granted the following
541 security protections:
543 * NTLM authentication is disabled.
544 * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
545 not issued to or accepted from affected principals. Tickets
546 encrypted with AES, and service tickets encrypted with RC4, are
547 not affected by this restriction.
548 * The lifetime of Kerberos TGTs is restricted to a maximum of four
550 * Kerberos constrained and unconstrained delegation is disabled.
552 If the Protected Users group is not already present in the domain, it
553 can be created with 'samba-tool group add'. The new '--special'
554 parameter must be specified, with 'Protected Users' as the name of the
555 group. An example command invocation is:
557 samba-tool group add 'Protected Users' --special
559 or against a remote server:
561 samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
563 The Protected Users group is identified in the domain by its having a
564 RID of 525. Thus, it should only be created with samba-tool and the
565 '--special' parameter, as above, so that it has the required RID
566 to function correctly.
572 LanMan Authentication and password storage removed from the AD DC
573 -----------------------------------------------------------------
575 The storage and authentication with LanMan passwords has been entirely
576 removed from the Samba AD DC, even when "lanman auth = yes" is set.
582 Parameter Name Description Default
583 -------------- ----------- -------
584 dns port New default 53
585 fruit:zero_file_id New default yes
586 nt hash store New parameter always
587 smb1 unix extensions Replaces "unix extensions"
588 volume serial number New parameter -1
589 winbind debug traceid New parameter no
592 CHANGES SINCE 4.17.0rc4
593 =======================
595 o Ralph Boehme <slow@samba.org>
596 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
597 permissions instead of ACL from xattr.
598 * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
599 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
600 ../../lib/util/fault.c:197.
602 o Volker Lendecke <vl@samba.org>
603 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
604 permissions instead of ACL from xattr.
605 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
606 ../../lib/util/fault.c:197.
608 o Stefan Metzmacher <metze@samba.org>
609 * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate
610 returning NT_STATUS_NOT_SUPPORTED.
612 o Noel Power <noel.power@suse.com>
613 * BUG 15160: winbind at info level debug can coredump when processing
617 CHANGES SINCE 4.17.0rc3
618 =======================
620 o Anoop C S <anoopcs@samba.org>
621 * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
624 CHANGES SINCE 4.17.0rc2
625 =======================
627 o Jeremy Allison <jra@samba.org>
628 * BUG 15128: Possible use after free of connection_struct when iterating
629 smbd_server_connection->connections.
631 o Christian Ambach <ambi@samba.org>
632 * BUG 15145: `net usershare add` fails with flag works with --long but fails
635 o Ralph Boehme <slow@samba.org>
636 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
637 permissions instead of ACL from xattr.
639 o Stefan Metzmacher <metze@samba.org>
640 * BUG 15125: Performance regression on contended path based operations.
641 * BUG 15148: Missing READ_LEASE break could cause data corruption.
643 o Andreas Schneider <asn@samba.org>
644 * BUG 15141: libsamba-errors uses a wrong version number.
646 o Joseph Sutton <josephsutton@catalyst.net.nz>
647 * BUG 15152: SMB1 negotiation can fail to handle connection errors.
650 CHANGES SINCE 4.17.0rc1
651 =======================
653 o Jeremy Allison <jra@samba.org>
654 * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
655 * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
656 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
658 o Jule Anger <janger@samba.org>
659 * BUG 15147: Manpage for smbstatus json is missing
661 o Volker Lendecke <vl@samba.org>
662 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
664 o Stefan Metzmacher <metze@samba.org>
665 * BUG 15125: Performance regression on contended path based operations
666 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
668 o Andreas Schneider <asn@samba.org>
669 * BUG 15140: Fix issues found by coverity in smbstatus json code
670 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
676 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
679 #######################################
680 Reporting bugs & Development Discussion
681 #######################################
683 Please discuss this release on the samba-technical mailing list or by
684 joining the #samba-technical:matrix.org matrix room, or
685 #samba-technical IRC channel on irc.libera.chat
687 If you do report problems then please try to send high quality
688 feedback. If you don't provide vital information to help us track down
689 the problem then you will probably be ignored. All bug reports should
690 be filed under the Samba 4.1 and newer product in the project's Bugzilla
691 database (https://bugzilla.samba.org/).
694 ======================================================================
695 == Our Code, Our Bugs, Our Responsibility.
697 ======================================================================