1 ===============================
2 Release Notes for Samba 4.12.13
4 ===============================
7 This is a security release in order to address the following defects:
9 o CVE-2020-27840: Heap corruption via crafted DN strings.
10 o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
18 An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
19 crafted DNs as part of a bind request. More serious heap corruption is likely
23 User-controlled LDAP filter strings against the AD DC LDAP server may crash
26 For more details, please refer to the security advisories.
32 o Andrew Bartlett <abartlet@samba.org>
33 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
35 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
36 * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
38 * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
41 #######################################
42 Reporting bugs & Development Discussion
43 #######################################
45 Please discuss this release on the samba-technical mailing list or by
46 joining the #samba-technical IRC channel on irc.freenode.net.
48 If you do report problems then please try to send high quality
49 feedback. If you don't provide vital information to help us track down
50 the problem then you will probably be ignored. All bug reports should
51 be filed under the Samba 4.1 and newer product in the project's Bugzilla
52 database (https://bugzilla.samba.org/).
55 ======================================================================
56 == Our Code, Our Bugs, Our Responsibility.
58 ======================================================================
61 Release notes for older releases follow:
62 ----------------------------------------
65 ===============================
66 Release Notes for Samba 4.12.12
68 ===============================
71 This is the latest stable release of the Samba 4.12 release series.
72 Please note that this will be the last bugfix release of the Samba 4.12 release
73 series. There will be Security Releases only beyond this point.
79 o Trever L. Adams <trever.adams@gmail.com>
80 * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
83 o Jeremy Allison <jra@samba.org>
84 * BUG 13992: SAMBA RPC share error.
85 * BUG 14612: s3: smbd: Add call to conn_setup_case_options() to
86 create_conn_struct_as_root().
88 o Ralph Boehme <slow@samba.org>
89 * BUG 14602: s3/auth: Implement "winbind:ignore domains".
90 * BUG 14612: build: Remove smbd_conn private library.
92 o Peter Eriksson <pen@lysator.liu.se>
93 * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
96 o Björn Jacke <bj@sernet.de>
97 * BUG 14624: classicupgrade: Treat old never expires value right.
99 o Volker Lendecke <vl@samba.org>
100 * BUG 14636: g_lock: Fix uninitalized variable reads.
102 o Stefan Metzmacher <metze@samba.org>
103 * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
104 * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp
107 o Andreas Schneider <asn@samba.org>
108 * BUG 14625: Fix smbd share mode double free crash.
110 o Paul Wise <pabs3@bonedaddy.net>
111 * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
114 #######################################
115 Reporting bugs & Development Discussion
116 #######################################
118 Please discuss this release on the samba-technical mailing list or by
119 joining the #samba-technical IRC channel on irc.freenode.net.
121 If you do report problems then please try to send high quality
122 feedback. If you don't provide vital information to help us track down
123 the problem then you will probably be ignored. All bug reports should
124 be filed under the Samba 4.1 and newer product in the project's Bugzilla
125 database (https://bugzilla.samba.org/).
128 ======================================================================
129 == Our Code, Our Bugs, Our Responsibility.
131 ======================================================================
134 ----------------------------------------------------------------------
137 ===============================
138 Release Notes for Samba 4.12.11
140 ===============================
143 This is the latest stable release of the Samba 4.12 release series.
146 Changes since 4.12.10
147 ---------------------
149 o Jeremy Allison <jra@samba.org>
150 * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
151 fails for crypto blob.
152 * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
153 leaks from a function.
154 * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
155 NULL via TALLOC_FREE().
156 * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
158 * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
161 o Dimitry Andric <dimitry@andric.com>
162 * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
165 o Andrew Bartlett <abartlet@samba.org>
166 * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
168 o Ralph Boehme <slow@samba.org>
169 * BUG 14248: samba process does not honor "max log size".
170 * BUG 14587: vfs_zfsacl: add missing inherited flag on hidden "magic"
172 * BUG 14596: vfs_fruit may close wrong backend fd.
174 o Günther Deschner <gd@samba.org>
175 * BUG 14486: s3-vfs_glusterfs: always disable write-behind translator.
177 o Arne Kreddig <arne@kreddig.net>
178 * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
180 o Stefan Metzmacher <metze@samba.org>
181 * BUG 14596: vfs_fruit may close wrong backend fd.
183 o Anoop C S <anoopcs@samba.org>
184 * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
186 * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
188 o Andreas Schneider <asn@samba.org>
189 * BUG 14601: s3:lib: Create the cache path of user gencache recursively.
191 o Martin Schwenke <martin@meltin.net>
192 * BUG 14594: Be more flexible with repository names in CentOS 8 test
195 o Jones Syue <jonessyue@qnap.com>
196 * BUG 14514: interface: Fix if_index is not parsed correctly.
199 #######################################
200 Reporting bugs & Development Discussion
201 #######################################
203 Please discuss this release on the samba-technical mailing list or by
204 joining the #samba-technical IRC channel on irc.freenode.net.
206 If you do report problems then please try to send high quality
207 feedback. If you don't provide vital information to help us track down
208 the problem then you will probably be ignored. All bug reports should
209 be filed under the Samba 4.1 and newer product in the project's Bugzilla
210 database (https://bugzilla.samba.org/).
213 ======================================================================
214 == Our Code, Our Bugs, Our Responsibility.
216 ======================================================================
219 ----------------------------------------------------------------------
222 ===============================
223 Release Notes for Samba 4.12.10
225 ===============================
228 This is the latest stable release of the Samba 4.12 release series.
230 Major enhancements include:
232 o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
233 o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
241 The GlusterFS write-behind performance translator, when used with Samba, could
242 be a source of data corruption. The translator, while processing a write call,
243 immediately returns success but continues writing the data to the server in the
244 background. This can cause data corruption when two clients relying on Samba to
245 provide data consistency are operating on the same file.
247 The write-behind translator is enabled by default on GlusterFS.
248 The vfs_glusterfs plugin will check for the presence of the translator and
249 refuse to connect if detected. Please disable the write-behind translator for
250 the GlusterFS volume to allow the plugin to connect to the volume.
256 o Jeremy Allison <jra@samba.org>
257 * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
258 **lines onto mem_ctx on return.
260 o Ralph Boehme <slow@samba.org>
261 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
263 o Alexander Bokovoy <ab@samba.org>
264 * BUG 14538: smb.conf.5: Add clarification how configuration changes
267 o Günther Deschner <gd@samba.org>
268 * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
270 * winexe:: Add configure option to control whether to build it
273 o Amitay Isaacs <amitay@gmail.com>
274 * BUG 14487: Latest version of Bind9 is now 9.20.
275 * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
277 o Stefan Metzmacher <metze@samba.org>
278 * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
280 o Sachin Prabhu <sprabhu@redhat.com>
281 * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
284 o Khem Raj <raj.khem@gmail.com>
285 * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
287 o Martin Schwenke <martin@meltin.net>
288 * BUG 14513: ctdb disable/enable can still fail due to race condition.
290 o Andrew Walker <awalker@ixsystems.com>
291 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
294 #######################################
295 Reporting bugs & Development Discussion
296 #######################################
298 Please discuss this release on the samba-technical mailing list or by
299 joining the #samba-technical IRC channel on irc.freenode.net.
301 If you do report problems then please try to send high quality
302 feedback. If you don't provide vital information to help us track down
303 the problem then you will probably be ignored. All bug reports should
304 be filed under the Samba 4.1 and newer product in the project's Bugzilla
305 database (https://bugzilla.samba.org/).
308 ======================================================================
309 == Our Code, Our Bugs, Our Responsibility.
311 ======================================================================
314 ----------------------------------------------------------------------
317 ==============================
318 Release Notes for Samba 4.12.9
320 ==============================
323 This is a security release in order to address the following defects:
325 o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
326 o CVE-2020-14323: Unprivileged user can crash winbind.
327 o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
336 The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
337 request file name notification on a directory handle when a condition such as
338 "new file creation" or "file size change" or "file timestamp update" occurs.
340 A missing permissions check on a directory handle requesting ChangeNotify
341 meant that a client with a directory handle open only for
342 FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
343 notify replies from the server. These replies contain information that should
344 not be available to directory handles open for FILE_READ_ATTRIBUTE only.
347 winbind in version 3.6 and later implements a request to translate multiple
348 Windows SIDs into names in one request. This was done for performance
349 reasons: The Microsoft RPC call domain controllers offer to do this
350 translation, so it was an obvious extension to also offer this batch
351 operation on the winbind unix domain stream socket that is available to local
352 processes on the Samba server.
354 Due to improper input validation a hand-crafted packet can make winbind
355 perform a NULL pointer dereference and thus crash.
358 Some DNS records (such as MX and NS records) usually contain data in the
359 additional section. Samba's dnsserver RPC pipe (which is an administrative
360 interface not used in the DNS server itself) made an error in handling the
361 case where there are no records present: instead of noticing the lack of
362 records, it dereferenced uninitialised memory, causing the RPC server to
363 crash. This RPC server, which also serves protocols other than dnsserver,
364 will be restarted after a short delay, but it is easy for an authenticated
365 non-admin attacker to crash it again as soon as it returns. The Samba DNS
366 server itself will continue to operate, but many RPC services will not.
368 For more details, please refer to the security advisories.
374 o Jeremy Allison <jra@samba.org>
375 * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
376 unless the directory handle is open for SEC_DIR_LIST.
378 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
379 * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
381 * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
383 o Volker Lendecke <vl@samba.org>
384 * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
387 #######################################
388 Reporting bugs & Development Discussion
389 #######################################
391 Please discuss this release on the samba-technical mailing list or by
392 joining the #samba-technical IRC channel on irc.freenode.net.
394 If you do report problems then please try to send high quality
395 feedback. If you don't provide vital information to help us track down
396 the problem then you will probably be ignored. All bug reports should
397 be filed under the Samba 4.1 and newer product in the project's Bugzilla
398 database (https://bugzilla.samba.org/).
401 ======================================================================
402 == Our Code, Our Bugs, Our Responsibility.
404 ======================================================================
407 ----------------------------------------------------------------------
410 ==============================
411 Release Notes for Samba 4.12.8
413 ==============================
416 This is the latest stable release of the Samba 4.12 release series.
422 o Günther Deschner <gd@samba.org>
423 * BUG 14318: docs: Add missing winexe manpage.
425 o Volker Lendecke <vl@samba.org>
426 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
429 o Laurent Menase <laurent.menase@hpe.com>
430 * BUG 14388: winbind: Fix a memleak.
432 o Stefan Metzmacher <metze@samba.org>
433 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
435 * BUG 14482: Compilation of heimdal tree fails if libbsd is not installed.
437 o Christof Schmitt <cs@samba.org>
438 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
440 o Andreas Schneider <asn@samba.org>
441 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
443 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
445 o Martin Schwenke <martin@meltin.net>
446 * BUG 14466: ctdb disable/enable can fail due to race condition.
449 #######################################
450 Reporting bugs & Development Discussion
451 #######################################
453 Please discuss this release on the samba-technical mailing list or by
454 joining the #samba-technical IRC channel on irc.freenode.net.
456 If you do report problems then please try to send high quality
457 feedback. If you don't provide vital information to help us track down
458 the problem then you will probably be ignored. All bug reports should
459 be filed under the Samba 4.1 and newer product in the project's Bugzilla
460 database (https://bugzilla.samba.org/).
463 ======================================================================
464 == Our Code, Our Bugs, Our Responsibility.
466 ======================================================================
469 ----------------------------------------------------------------------
472 ==============================
473 Release Notes for Samba 4.12.7
475 ==============================
478 This is a security release in order to address the following defect:
480 o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
482 The following applies to Samba used as domain controller only (most
483 seriously the Active Directory DC, but also the classic/NT4-style DC).
485 Installations running Samba as a file server only are not directly
486 affected by this flaw, though they may need configuration changes to
487 continue to talk to domain controllers (see "file servers and domain
490 The netlogon protocol contains a flaw that allows an authentication
491 bypass. This was reported and patched by Microsoft as CVE-2020-1472.
492 Since the bug is a protocol level flaw, and Samba implements the
493 protocol, Samba is also vulnerable.
495 However, since version 4.8 (released in March 2018), the default
496 behaviour of Samba has been to insist on a secure netlogon channel,
497 which is a sufficient fix against the known exploits. This default is
498 equivalent to having 'server schannel = yes' in the smb.conf.
500 Therefore versions 4.8 and above are not vulnerable unless they have
501 the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
503 Samba versions 4.7 and below are vulnerable unless they have 'server
504 schannel = yes' in the smb.conf.
506 Note each domain controller needs the correct settings in its smb.conf.
508 Vendors supporting Samba 4.7 and below are advised to patch their
509 installations and packages to add this line to the [global] section if
512 The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
513 'FullSecureChannelProtection=1' registry key, the introduction of
514 which we understand forms the core of Microsoft's fix.
516 Some domains employ third-party software that will not work with a
517 'server schannel = yes'. For these cases patches are available that
518 allow specific machines to use insecure netlogon. For example, the
521 server schannel = yes
522 server require schannel:triceratops$ = no
523 server require schannel:greywacke$ = no
525 will allow only "triceratops$" and "greywacke$" to avoid schannel.
527 More details can be found here:
528 https://www.samba.org/samba/security/CVE-2020-1472.html
534 o Jeremy Allison <jra@samba.org>
535 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
536 netr_ServerPasswordSet2 against unencrypted passwords.
538 o Günther Deschner <gd@samba.org>
539 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
540 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
542 o Gary Lockyer <gary@catalyst.net.nz>
543 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
546 o Stefan Metzmacher <metze@samba.org>
547 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
548 challenges in netlogon_creds_server_init()
549 "server require schannel:WORKSTATION$ = no".
552 #######################################
553 Reporting bugs & Development Discussion
554 #######################################
556 Please discuss this release on the samba-technical mailing list or by
557 joining the #samba-technical IRC channel on irc.freenode.net.
559 If you do report problems then please try to send high quality
560 feedback. If you don't provide vital information to help us track down
561 the problem then you will probably be ignored. All bug reports should
562 be filed under the Samba 4.1 and newer product in the project's Bugzilla
563 database (https://bugzilla.samba.org/).
566 ======================================================================
567 == Our Code, Our Bugs, Our Responsibility.
569 ======================================================================
572 ----------------------------------------------------------------------
575 ==============================
576 Release Notes for Samba 4.12.6
578 ==============================
581 This is the latest stable release of the Samba 4.12 release series.
587 o Jeremy Allison <jra@samba.org>
588 * BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server.
590 o Andrew Bartlett <abartlet@samba.org>
591 * BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256"
593 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
595 o Ralph Boehme <slow@samba.org>
596 * BUG 14426: lib/debug: Set the correct default backend loglevel to
598 * BUG 14428: PANIC: Assert failed in get_lease_type().
600 o Bjoern Jacke <bjacke@samba.org>
601 * BUG 14422: util: Fix build on AIX by fixing the order of replace.h include.
603 o Volker Lendecke <vl@samba.org>
604 * BUG 14355: srvsvc_NetFileEnum asserts with open files.
606 o Stefan Metzmacher <metze@samba.org>
607 * BUG 14354: KDC breaks with DES keys still in the database and
608 msDS-SupportedEncryptionTypes 31 indicating support for it.
609 * BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets
610 conn->cwd_fsp->fh->fd = AT_FDCWD.
611 * BUG 14428: PANIC: Assert failed in get_lease_type().
613 o Andreas Schneider <asn@samba.org>
614 * BUG 14358: docs: Fix documentation for require_membership_of of
617 o Martin Schwenke <martin@meltin.net>
618 * BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB
621 o Andrew Walker <awalker@ixsystems.com>
622 * BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema
626 #######################################
627 Reporting bugs & Development Discussion
628 #######################################
630 Please discuss this release on the samba-technical mailing list or by
631 joining the #samba-technical IRC channel on irc.freenode.net.
633 If you do report problems then please try to send high quality
634 feedback. If you don't provide vital information to help us track down
635 the problem then you will probably be ignored. All bug reports should
636 be filed under the Samba 4.1 and newer product in the project's Bugzilla
637 database (https://bugzilla.samba.org/).
640 ======================================================================
641 == Our Code, Our Bugs, Our Responsibility.
643 ======================================================================
646 ----------------------------------------------------------------------
649 ==============================
650 Release Notes for Samba 4.12.5
652 ==============================
655 This is the latest stable release of the Samba 4.12 release series.
661 o Jeremy Allison <jra@samba.org>
662 * BUG 14301: Fix smbd panic on force-close share during async io.
663 * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share
664 folder that contains incorrect symbols in any file name.
665 * BUG 14391: Fix DFS links.
667 o Andrew Bartlett <abartlet@samba.org>
668 * BUG 14310: Can't use DNS functionality after a Windows DC has been in
671 o Alexander Bokovoy <ab@samba.org>
672 * BUG 14413: ldapi search to FreeIPA crashes.
674 o Isaac Boukris <iboukris@gmail.com>
675 * BUG 14396: Add net-ads-join dnshostname=fqdn option.
676 * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC.
678 o Björn Jacke <bj@sernet.de>
679 * BUG 14386: docs-xml: Update list of posible VFS operations for
682 o Volker Lendecke <vl@samba.org>
683 * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit.
685 o Andreas Schneider <asn@samba.org>
686 * BUG 14370: Client tools are not able to read gencache anymore.
689 #######################################
690 Reporting bugs & Development Discussion
691 #######################################
693 Please discuss this release on the samba-technical mailing list or by
694 joining the #samba-technical IRC channel on irc.freenode.net.
696 If you do report problems then please try to send high quality
697 feedback. If you don't provide vital information to help us track down
698 the problem then you will probably be ignored. All bug reports should
699 be filed under the Samba 4.1 and newer product in the project's Bugzilla
700 database (https://bugzilla.samba.org/).
703 ======================================================================
704 == Our Code, Our Bugs, Our Responsibility.
706 ======================================================================
709 ----------------------------------------------------------------------
712 ==============================
713 Release Notes for Samba 4.12.4
715 ==============================
718 This is a security release in order to address the following defects:
720 o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
721 LDAP Server with ASQ, VLV and paged_results.
722 o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
724 o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
725 paged_results and VLV.
726 o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
734 A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
735 de-reference and further combinations with the LDAP paged_results feature can
736 give a use-after-free in Samba's AD DC LDAP server.
738 o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
742 The use of the paged_results or VLV controls against the Global Catalog LDAP
743 server on the AD DC will cause a use-after-free.
746 The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
747 further requests once it receives an empty (zero-length) UDP packet to
750 For more details, please refer to the security advisories.
756 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
757 * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
758 several seconds of CPU each.
760 o Andrew Bartlett <abartlet@samba.org>
761 * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
763 * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
764 server with paged_result or VLV.
765 * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
768 o Gary Lockyer <gary@catalyst.net.nz>
769 * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
770 and VLV combined, ldb: Bump version to 2.1.4.
773 #######################################
774 Reporting bugs & Development Discussion
775 #######################################
777 Please discuss this release on the samba-technical mailing list or by
778 joining the #samba-technical IRC channel on irc.freenode.net.
780 If you do report problems then please try to send high quality
781 feedback. If you don't provide vital information to help us track down
782 the problem then you will probably be ignored. All bug reports should
783 be filed under the Samba 4.1 and newer product in the project's Bugzilla
784 database (https://bugzilla.samba.org/).
787 ======================================================================
788 == Our Code, Our Bugs, Our Responsibility.
790 ======================================================================
793 ----------------------------------------------------------------------
796 ==============================
797 Release Notes for Samba 4.12.3
799 ==============================
802 This is the latest stable release of the Samba 4.12 release series.
808 o Jeremy Allison <jra@samba.org>
809 * BUG 14301: Fix smbd panic on force-close share during async io.
810 * BUG 14343: s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[]
812 * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.
813 * BUG 14372: Fix smbd crashes when MacOS Catalina connects if iconv
814 initialization fails.
816 o Ralph Boehme <slow@samba.org>
817 * BUG 14150: Exporting from macOS Adobe Illustrator creates multiple copies.
818 * BUG 14256: smbd does a chdir() twice per request.
819 * BUG 14320: smbd mistakenly updates a file's write-time on close.
820 * BUG 14350: vfs_shadow_copy2: implement case canonicalisation in
821 shadow_copy2_get_real_filename().
822 * BUG 14375: Fix Windows 7 clients problem after upgrading samba file server.
824 o Alexander Bokovoy <ab@samba.org>
825 * BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd.
827 o Isaac Boukris <iboukris@gmail.com>
828 * BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18.
829 * BUG 14342: mit-kdc: Explicitly reject S4U requests.
831 o Anoop C S <anoopcs@redhat.com>
832 * BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested
833 share_mode_do_locked().
835 o Amit Kumar <amitkuma@redhat.com>
836 * BUG 14345: lib:util: Fix smbclient -l basename dir.
838 o Volker Lendecke <vl@samba.org>
839 * BUG 14336: s3:libads: Fix ads_get_upn().
840 * BUG 14348: ctdb: Fix a memleak.
841 * BUG 14366: Malicous SMB1 server can crash libsmbclient.
843 o Gary Lockyer <gary@catalyst.net.nz>
844 * BUG 14330: ldb: Bump version to 2.1.3, LMDB databases can grow without
847 o Stefan Metzmacher <metze@samba.org>
848 * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.
850 o Noel Power <noel.power@suse.com>
851 * BUG 14344: s3/librpc/crypto: Fix double free with unresolved credential
854 o Andreas Schneider <asn@samba.org>
855 * BUG 14358: docs-xml: Fix usernames in pam_winbind manpages.
858 #######################################
859 Reporting bugs & Development Discussion
860 #######################################
862 Please discuss this release on the samba-technical mailing list or by
863 joining the #samba-technical IRC channel on irc.freenode.net.
865 If you do report problems then please try to send high quality
866 feedback. If you don't provide vital information to help us track down
867 the problem then you will probably be ignored. All bug reports should
868 be filed under the Samba 4.1 and newer product in the project's Bugzilla
869 database (https://bugzilla.samba.org/).
872 ======================================================================
873 == Our Code, Our Bugs, Our Responsibility.
875 ======================================================================
878 ----------------------------------------------------------------------
881 ==============================
882 Release Notes for Samba 4.12.2
884 ==============================
887 This is a security release in order to address the following defects:
889 o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
890 o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
898 A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
899 use-after-free in Samba's AD DC LDAP server.
901 A deeply nested filter in an un-authenticated LDAP search can exhaust the
902 LDAP server's stack memory causing a SIGSEGV.
904 For more details, please refer to the security advisories.
910 o Andrew Bartlett <abartlet@samba.org>
911 * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
912 ASQ and paged_results combined.
914 o Gary Lockyer <gary@catalyst.net.nz>
915 * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
919 #######################################
920 Reporting bugs & Development Discussion
921 #######################################
923 Please discuss this release on the samba-technical mailing list or by
924 joining the #samba-technical IRC channel on irc.freenode.net.
926 If you do report problems then please try to send high quality
927 feedback. If you don't provide vital information to help us track down
928 the problem then you will probably be ignored. All bug reports should
929 be filed under the Samba 4.1 and newer product in the project's Bugzilla
930 database (https://bugzilla.samba.org/).
933 ======================================================================
934 == Our Code, Our Bugs, Our Responsibility.
936 ======================================================================
939 ----------------------------------------------------------------------
942 ==============================
943 Release Notes for Samba 4.12.1
945 ==============================
948 This is the latest stable release of the Samba 4.12 release series.
954 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
955 * BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().
957 o Björn Baumbach <bb@sernet.de>
958 * BUG 14296: samba-tool group: Handle group names with special chars
961 o Ralph Boehme <slow@samba.org>
962 * BUG 14293: Add missing check for DMAPI offline status in async DOS
964 * BUG 14295: Starting ctdb node that was powered off hard before results in
966 * BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
967 * BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
970 o Günther Deschner <gd@samba.org>
971 * BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
972 * BUG 14327: nsswitch: Fix use-after-free causing segfault in
975 o Art M. Gallagher <repos@artmg.net>
976 * BUG 13622: fruit:time machine max size is broken on arm.
978 o Amitay Isaacs <amitay@gmail.com>
979 * BUG 14294: CTDB recovery corner cases can cause record resurrection and
982 o Noel Power <noel.power@suse.com>
983 * BUG 14332: s3/utils: Fix double free error with smbtree.
985 o Martin Schwenke <martin@meltin.net>
986 * BUG 14294: CTDB recovery corner cases can cause record resurrection and
988 * BUG 14295: Starting ctdb node that was powered off hard before results in
990 * BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
994 #######################################
995 Reporting bugs & Development Discussion
996 #######################################
998 Please discuss this release on the samba-technical mailing list or by
999 joining the #samba-technical IRC channel on irc.freenode.net.
1001 If you do report problems then please try to send high quality
1002 feedback. If you don't provide vital information to help us track down
1003 the problem then you will probably be ignored. All bug reports should
1004 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1005 database (https://bugzilla.samba.org/).
1008 ======================================================================
1009 == Our Code, Our Bugs, Our Responsibility.
1011 ======================================================================
1014 ----------------------------------------------------------------------
1017 ==============================
1018 Release Notes for Samba 4.12.0
1020 ==============================
1023 This is the first stable release of the Samba 4.12 release series.
1024 Please read the release notes carefully before upgrading.
1027 NEW FEATURES/CHANGES
1028 ====================
1033 Samba's minimum runtime requirement for python was raised to Python
1034 3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
1035 3.5 both to access new features and because this is the oldest version
1036 we test with in our CI infrastructure.
1038 (Build time support for the file server with Python 2.6 has not
1041 Removing in-tree cryptography: GnuTLS 3.4.7 required
1042 ----------------------------------------------------
1044 Samba is making efforts to remove in-tree cryptographic functionality,
1045 and to instead rely on externally maintained libraries. To this end,
1046 Samba has chosen GnuTLS as our standard cryptographic provider.
1048 Samba now requires GnuTLS 3.4.7 to be installed (including development
1049 headers at build time) for all configurations, not just the Samba AD
1052 Thanks to this work Samba no longer ships an in-tree DES
1053 implementation and on GnuTLS 3.6.5 or later Samba will include no
1054 in-tree cryptography other than the MD4 hash and that
1055 implemented in our copy of Heimdal.
1057 Using GnuTLS for SMB3 encryption you will notice huge performance and copy
1058 speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
1059 show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
1061 NOTE WELL: The use of GnuTLS means that Samba will honour the
1062 system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
1063 standard) and so will not operate in many still common situations if
1064 this system-wide parameter is in effect, as many of our protocols rely
1065 on outdated cryptography.
1067 A future Samba version will mitigate this to some extent where good
1068 cryptography effectively wraps bad cryptography, but for now that above
1071 zlib library is now required to build Samba
1072 -------------------------------------------
1074 Samba no longer includes a local copy of zlib in our source tarball.
1075 By removing this we do not need to ship (even where we did not
1076 build) the old, broken zip encryption code found there.
1078 New Spotlight backend for Elasticsearch
1079 ---------------------------------------
1081 Support for the macOS specific Spotlight search protocol has been enhanced
1082 significantly. Starting with 4.12 Samba supports using Elasticsearch as search
1083 backend. Various new parameters have been added to configure this:
1085 spotlight backend = noindex | elasticsearch | tracker
1086 elasticsearch:address = ADDRESS
1087 elasticsearch:port = PORT
1088 elasticsearch:use tls = BOOLEAN
1089 elasticsearch:index = INDEXNAME
1090 elasticsearch:mappings = PATH
1091 elasticsearch:max results = NUMBER
1093 Samba also ships a Spotlight client command "mdfind" which can be used to search
1094 any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
1097 Note that when upgrading existing installations that are using the previous
1098 default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
1099 tracker" as the new default is "noindex".
1101 'net ads kerberos pac save' and 'net eventlog export'
1102 -----------------------------------------------------
1104 The 'net ads kerberos pac save' and 'net eventlog export' tools will
1105 no longer silently overwrite an existing file during data export. If
1106 the filename given exits, an error will be shown.
1111 A large number of fuzz targets have been added to Samba, and Samba has
1112 been registered in Google's oss-fuzz cloud fuzzing service. In
1113 particular, we now have good fuzzing coverage of our generated NDR
1116 A large number of issues have been found and fixed thanks to this
1119 'samba-tool' improvements add contacts as member to groups
1120 ----------------------------------------------------------
1122 Previously 'samba-tool group addmemers' can just add users, groups and
1123 computers as members to groups. But also contacts can be members of
1124 groups. Samba 4.12 adds the functionality to add contacts to
1125 groups. Since contacts have no sAMAccountName, it's possible that
1126 there are more than one contact with the same name in different
1127 organizational units. Therefore it's necessary to have an option to
1128 handle group members by their DN.
1130 To get the DN of an object there is now the "--full-dn" option available
1131 for all necessary commands.
1133 The MS Windows UI allows to search for specific types of group members
1134 when searching for new members for a group. This feature is included
1135 here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
1136 option. The different types are selected accordingly to the Windows
1137 UI. The default samba-toole behaviour shouldn't be changed.
1139 Allow filtering by OU or subtree in samba-tool
1140 ----------------------------------------------
1142 A new "--base-dn" and "--member-base-dn" option is added to relevant
1143 samba-tool user, group and ou management commands to allow operation
1144 on just one part of the AD tree, such as a single OU.
1152 Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
1153 to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
1155 VFS modules can check whether any of the time values inside a struct
1156 smb_file_time is to be ignored by calling is_omit_timespec() on the value.
1158 'io_uring' vfs module
1159 ---------------------
1161 The module makes use of the new io_uring infrastructure
1162 (intruduced in Linux 5.1), see https://lwn.net/Articles/776703/
1164 Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
1165 and avoids the overhead of the userspace threadpool in the default
1166 vfs backend. See also vfs_io_uring(8).
1168 In order to build the module you need the liburing userspace library
1169 and its developement headers installed, see
1170 https://git.kernel.dk/cgit/liburing/
1172 At runtime you'll need a Linux kernel with version 5.1 or higher.
1173 Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
1174 module! The regression was fixed in Linux 5.4.16 again.
1176 MS-DFS changes in the VFS
1177 -------------------------
1179 This release changes set getting and setting of MS-DFS redirects
1180 on the filesystem to go through two new VFS functions:
1182 SMB_VFS_CREATE_DFS_PATHAT()
1183 SMB_VFS_READ_DFS_PATHAT()
1185 instead of smbd explicitly storing MS-DFS redirects inside
1186 symbolic links on the filesystem. The underlying default
1187 implementations of this has not changed, the redirects are
1188 still stored inside symbolic links on the filesystem, but
1189 moving the creation and reading of these links into the VFS
1190 as first-class functions now allows alternate methods of
1191 storing them (maybe in extended attributes) for OEMs who
1192 don't want to mis-use filesystem symbolic links in this
1199 * The ctdb_mutex_fcntl_helper periodically re-checks the lock file
1201 The re-check period is specified using a 2nd argument to this
1202 helper. The default re-check period is 5s.
1204 If the file no longer exists or the inode number changes then the
1205 helper exits. This triggers an election.
1211 The smb.conf parameter "write cache size" has been removed.
1213 Since the in-memory write caching code was written, our write path has
1214 changed significantly. In particular we have gained very flexible
1215 support for async I/O, with the new linux io_uring interface in
1216 development. The old write cache concept which cached data in main
1217 memory followed by a blocking pwrite no longer gives any improvement
1218 on modern systems, and may make performance worse on memory-contrained
1219 systems, so this functionality should not be enabled in core smbd
1222 In addition, it complicated the write code, which is a performance
1225 If required for specialist purposes, it can be recreated as a VFS
1228 Retiring DES encryption types in Kerberos.
1229 ------------------------------------------
1230 With this release, support for DES encryption types has been removed from
1231 Samba, and setting DES_ONLY flag for an account will cause Kerberos
1232 authentication to fail for that account (see RFC-6649).
1234 Samba-DC: DES keys no longer saved in DB.
1235 -----------------------------------------
1236 When a new password is set for an account, Samba DC will store random keys
1237 in DB instead of DES keys derived from the password. If the account is being
1238 migrated to Windbows or to an older version of Samba in order to use DES keys,
1239 the password must be reset to make it work.
1241 Heimdal-DC: removal of weak-crypto.
1242 -----------------------------------
1243 Following removal of DES encryption types from Samba, the embedded Heimdal
1244 build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
1246 vfs_netatalk: The netatalk VFS module has been removed.
1247 -------------------------------------------------------
1249 The netatalk VFS module has been removed. It was unmaintained and is not needed
1252 BIND9_FLATFILE deprecated
1253 -------------------------
1255 The BIND9_FLATFILE DNS backend is deprecated in this release and will
1256 be removed in the future. This was only practically useful on a single
1257 domain controller or under expert care and supervision.
1259 This release removes the 'rndc command' smb.conf parameter, which
1260 supported this configuration by writing out a list of DCs permitted to
1261 make changes to the DNS Zone and nudging the 'named' server if a new
1262 DC was added to the domain. Administrators using BIND9_FLATFILE will
1263 need to maintain this manually from now on.
1269 Parameter Name Description Default
1270 -------------- ----------- -------
1272 elasticsearch:address New localhost
1273 elasticsearch:port New 9200
1274 elasticsearch:use tls New No
1275 elasticsearch:index New _all
1276 elasticsearch:mappings New DATADIR/elasticsearch_mappings.json
1277 elasticsearch:max results New 100
1278 nfs4:acedup Changed default merge
1279 rndc command Removed
1280 write cache size Removed
1281 spotlight backend New noindex
1284 CHANGES SINCE 4.12.0rc4
1285 =======================
1287 o Andrew Bartlett <abartlet@samba.org>
1288 * BUG 14258: dsdb: Correctly handle memory in objectclass_attrs.
1291 CHANGES SINCE 4.12.0rc3
1292 =======================
1294 o Jeremy Allison <jra@samba.org>
1295 * BUG 14269: s3: DFS: Don't allow link deletion on a read-only share.
1297 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
1298 * BUG 14284: pidl/wscript: configure should insist on Parse::Yapp::Driver.
1300 o Andrew Bartlett <abartlet@samba.org>
1301 * BUG 14270: ldb: Fix search with scope ONE and small result sets.
1302 * BUG 14284: build: Do not check if system perl modules should be bundled.
1304 o Volker Lendecke <vl@samba.org>
1305 * BUG 14285: smbd fails to handle EINTR from open(2) properly.
1307 o Stefan Metzmacher <metze@samba.org>
1308 * BUG 14270: ldb: version 2.1.1.
1311 CHANGES SINCE 4.12.0rc2
1312 =======================
1314 o Jeremy Allison <jra@samba.org>
1315 * BUG 14282: Set getting and setting of MS-DFS redirects on the filesystem
1316 to go through two new VFS functions SMB_VFS_CREATE_DFS_PATHAT() and
1317 SMB_VFS_READ_DFS_PATHAT().
1319 o Andrew Bartlett <abartlet@samba.org>
1320 * BUG 14255: bootstrap: Remove un-used dependency python3-crypto.
1322 o Volker Lendecke <vl@samba.org>
1323 * BUG 14247: Fix CID 1458418 and 1458420.
1324 * BUG 14281: lib: Fix a shutdown crash with "clustering = yes".
1326 o Stefan Metzmacher <metze@samba.org>
1327 * BUG 14247: Winbind member (source3) fails local SAM auth with empty domain
1329 * BUG 14265: winbindd: Handle missing idmap in getgrgid().
1330 * BUG 14271: Don't use forward declaration for GnuTLS typedefs.
1331 * BUG 14280: Add io_uring vfs module.
1333 o Andreas Schneider <asn@samba.org>
1334 * BUG 14250: libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2.
1337 CHANGES SINCE 4.12.0rc1
1338 =======================
1340 o Jeremy Allison <jra@samba.org>
1341 * BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet processing.
1343 o Andreas Schneider <asn@samba.org>
1344 * BUG 14253: lib:util: Log mkdir error on correct debug levels.
1350 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
1353 #######################################
1354 Reporting bugs & Development Discussion
1355 #######################################
1357 Please discuss this release on the samba-technical mailing list or by
1358 joining the #samba-technical IRC channel on irc.freenode.net.
1360 If you do report problems then please try to send high quality
1361 feedback. If you don't provide vital information to help us track down
1362 the problem then you will probably be ignored. All bug reports should
1363 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1364 database (https://bugzilla.samba.org/).
1367 ======================================================================
1368 == Our Code, Our Bugs, Our Responsibility.
1370 ======================================================================