=============================
Release Notes for Samba 4.3.8
=============================

This is a security release containing one additional
regression fix for the security release 4.3.7.

This fixes a regression that prevents things like 'net ads join'
from working against a Windows 2003 domain.

o Stefan Metzmacher <metze@samba.org>
  * Bug 11804 - prerequisite backports for the security release on

Release notes for the original 4.3.7 release follow:
-----------------------------------------------------

=============================
Release Notes for Samba 4.3.7
=============================

This is a security release in order to address the following CVEs:

o CVE-2015-5370 (Multiple errors in DCE-RPC code)

o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)

o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)

o CVE-2016-2112 (LDAP client and server don't enforce integrity)

o CVE-2016-2113 (Missing TLS certificate validation)

o CVE-2016-2114 ("server signing = mandatory" not enforced)

o CVE-2016-2115 (SMB IPC traffic is not integrity protected)

o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

The number of changes is rather huge for a security release,
compared to typical security releases.

Given the number of problems and the fact that they are all related
to man in the middle attacks we decided to fix them all at once
instead of splitting them.

In order to prevent the man in the middle attacks it was required
to change the (default) behavior for some protocols. Please see the
"New smb.conf options" and "Behavior changes" sections below.

o CVE-2015-5370:

Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high CPU consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.

While we think it is unlikely, there's a nonzero chance for
a remote code execution attack against the client components,
which are used by smbd, winbindd and tools like net, rpcclient and
others. This may give the attacker root access.

The above applies to all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!

The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.

o CVE-2016-2110:

There are several man in the middle attacks possible with
NTLMSSP authentication.

E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
can be cleared by a man in the middle.

This was by protocol design in earlier Windows versions.

Windows Server 2003 RTM and Vista RTM introduced a way
to protect against the trivial downgrade.

See MsvAvFlags and flag 0x00000002 in
https://msdn.microsoft.com/en-us/library/cc236646.aspx

This new feature also implies support for a mechlistMIC
when used within SPNEGO, which may prevent downgrades
from other SPNEGO mechs, e.g. Kerberos, if sign or
seal is finally negotiated.

The Samba implementation doesn't enforce the existence of
required flags, which were requested by the application layer,
e.g. LDAP or SMB1 encryption (via the unix extensions).
As a result a man in the middle can take over the connection.
It is also possible to mislead the client and/or
server into sending unencrypted traffic even if encryption
was explicitly requested.

LDAP (with NTLMSSP authentication) is used as a client
by various admin tools of the Samba project,
e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...

On an active directory member server, LDAP is also used
by the winbindd service when connecting to domain controllers.

Samba also offers an LDAP server when running as
active directory domain controller.

The NTLMSSP authentication used by the SMB1 encryption
is protected by smb signing, see CVE-2015-5296.

o CVE-2016-2111:

It's basically the same as CVE-2015-0005 for Windows:

The NETLOGON service in Microsoft Windows Server 2003 SP2,
Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
and R2, when a Domain Controller is configured, allows remote
attackers to spoof the computer name of a secure channel's
endpoint, and obtain sensitive session information, by running a
crafted application and leveraging the ability to sniff network
traffic, aka "NETLOGON Spoofing Vulnerability".

The vulnerability in Samba is worse as it doesn't require
credentials of a computer account in the domain.

This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.

The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf.
Samba (the smbd process) will reject clients using raw NTLMv2
without using NTLMSSP.

Note that this option also applies to Samba running as
standalone server and member server.

You should also consider using "lanman auth = no" (which is already the default)
and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
as they might impact compatibility with older clients. These also
apply to all server roles.

o CVE-2016-2112:

Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)

Samba has support for an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.

Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option as default.

In all cases, even if explicitly requested via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the

The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".

As the default behavior was "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.

o CVE-2016-2113:

Samba has support for TLS/SSL for some protocols:
ldap and http, but currently certificates are not
validated at all. While we have a "tls cafile" option,
the configured certificate is not used to validate
the server certificate.

This applies to ldaps:// connections triggered by tools like:
"ldbsearch", "ldbedit" and more. Note that it only applies
to the ldb tools when they are built as part of Samba or with Samba
extensions installed, which means the Samba builtin LDAP client library is

It also applies to dcerpc client connections using ncacn_http (with https://),
which are only used by the openchange project. Support for ncacn_http
was introduced in version 4.2.0.

The security patches will introduce a new option called
"tls verify peer". Possible values are "no_check", "ca_only",
"ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".

If you use the self-signed certificates which are auto-generated
by Samba, you won't have a crl file and need to explicitly
set "tls verify peer = ca_and_name".

o CVE-2016-2114:

Due to a regression introduced in Samba 4.0.0,
an explicit "server signing = mandatory" in the [global] section
of the smb.conf was not enforced for clients using the SMB1 protocol.

As a result it does not enforce smb signing and allows man in the middle attacks.

This problem applies to all possible server roles:
standalone server, member server, classic primary domain controller,
classic backup domain controller and active directory domain controller.

In addition, when Samba is configured with "server role = active directory domain controller"
the effective default for the "server signing" option should be "mandatory".

During the early development of Samba 4 we had a new experimental
file server located under source4/smb_server. But before
the final 4.0.0 release we switched back to the file server

But the logic for the correct default of "server signing" was not
ported correctly.

Note that the default for server roles other than active directory domain
controller is "off" because of performance reasons.

o CVE-2016-2115:

Samba has an option called "client signing"; this is turned off by default
for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

In order to get integrity protection for ipc related communication
by default the "client ipc signing" option is introduced.
The effective default for this new option is "mandatory".

In order to be compatible with more SMB server implementations,
the following additional options are introduced:
"client ipc min protocol" ("NT1" by default) and
"client ipc max protocol" (the highest supported SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol"
options, because the default for "client max protocol" is still "NT1".
The reason for this is the fact that all SMB2/3 implementations support SMB signing,
while there are still SMB1 implementations which don't offer SMB signing
by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against active directory domain controllers regardless of the
"client signing" and "client ipc signing" options.

o CVE-2016-2118 (a.k.a. BADLOCK):

The Security Account Manager Remote Protocol [MS-SAMR] and the
Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
are both vulnerable to man in the middle attacks. Both are application level
protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.

These protocols are typically available on all Windows installations
as well as every Samba server. They are used to maintain
the Security Account Manager Database. This applies to all
roles, e.g. standalone, domain member, domain controller.

Any authenticated DCERPC connection a client initiates against a server
can be used by a man in the middle to impersonate the authenticated user
against the SAMR or LSAD service on the server.

The client-chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
in this case. A man in the middle can change auth level to CONNECT
(which means authentication without message protection) and take over

As a result, a man in the middle is able to get read/write access to the
Security Account Manager Database, which reveals all passwords
and any other potentially sensitive information.

Samba running as an active directory domain controller is additionally
missing checks to enforce PKT_PRIVACY for the
Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
is not enforcing at least PKT_INTEGRITY.

====================
New smb.conf options
====================

allow dcerpc auth level connect (G)

This option controls whether DCERPC services are allowed to be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
message integrity nor privacy protection.

Some interfaces like samr, lsarpc and netlogon have a hard-coded default
of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.

The behavior can be overwritten per interface name (e.g. lsarpc,
netlogon, samr, srvsvc, winreg, wkssvc ...) by using
'allow dcerpc auth level connect:interface = yes' as option.

This option yields precedence to the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.

Default: allow dcerpc auth level connect = no

Example: allow dcerpc auth level connect = yes

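The acceptance rules described for this option can be modelled in a few lines. This is an added example, not Samba's own code: the function names are hypothetical, the numeric auth-level values are the standard DCE RPC ones, and the precedence order (per-interface override, then hard-coded interface default, then the global option) is an assumption drawn from the description above.

```python
from enum import IntEnum


class AuthLevel(IntEnum):
    """Authenticated DCERPC auth levels named in the release notes."""
    CONNECT = 2    # authentication only, no per-message protection
    INTEGRITY = 5  # every message is signed
    PRIVACY = 6    # every message is signed and encrypted


# Hard-coded per-interface defaults for accepting CONNECT, as listed above.
HARD_CODED_CONNECT = {
    "samr": False, "lsarpc": False, "netlogon": False,
    "epmapper": True, "mgmt": True, "rpcecho": True,
}

# Implementation-specific minimums that no smb.conf option can lower.
REQUIRED_MINIMUM = {
    "drsuapi": AuthLevel.PRIVACY,
    "backupkey": AuthLevel.PRIVACY,
    "dnsserver": AuthLevel.INTEGRITY,
}


def connect_allowed(iface, global_allow=False, overrides=None):
    """Is DCERPC_AUTH_LEVEL_CONNECT acceptable on this interface?

    overrides models 'allow dcerpc auth level connect:<iface> = yes|no'.
    Assumed precedence: override > hard-coded default > global option.
    """
    overrides = overrides or {}
    if iface in overrides:
        return overrides[iface]
    if iface in HARD_CODED_CONNECT:
        return HARD_CODED_CONNECT[iface]
    return global_allow


def accept_request(iface, level, global_allow=False, overrides=None):
    """Decide whether a request at the given auth level is accepted."""
    minimum = REQUIRED_MINIMUM.get(iface)
    if minimum is not None:
        # Implementation restrictions take precedence over the option.
        return level >= minimum
    if level == AuthLevel.CONNECT:
        return connect_allowed(iface, global_allow, overrides)
    return True  # INTEGRITY and PRIVACY are always acceptable here


if __name__ == "__main__":
    # Constructed cases: a bind downgraded to CONNECT by a man in the middle.
    for iface in ("samr", "lsarpc", "srvsvc", "epmapper", "drsuapi"):
        verdict = accept_request(iface, AuthLevel.CONNECT)
        print(f"{iface:9s} CONNECT -> {'accepted' if verdict else 'rejected'}")
```

With the defaults, a connection whose auth level was changed to CONNECT in transit is refused on samr and lsarpc, which is the downgrade CVE-2016-2118 relies on.
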
client ipc signing (G)

This controls whether the client is allowed or required to use
SMB signing for IPC$ connections as DCERPC transport. Possible
values are auto, mandatory and disabled.

When set to mandatory or default, SMB signing is required.

When set to auto, SMB signing is offered, but not enforced and
if set to disabled, SMB signing is not offered either.

Connections from winbindd to Active Directory Domain Controllers
always enforce signing.

Default: client ipc signing = default

client ipc max protocol (G)

The value of the parameter (a string) is the highest protocol level that will
be supported for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the latest supported protocol, currently SMB3_11.

See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

Default: client ipc max protocol = default

Example: client ipc max protocol = SMB2_10

client ipc min protocol (G)

This setting controls the minimum protocol version that will be
attempted for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the higher value of NT1 and the
effective value of "client min protocol".

See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

Default: client ipc min protocol = default

Example: client ipc min protocol = SMB3_11

ldap server require strong auth (G)

The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.

A value of no allows simple and sasl binds over all transports.

A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.

A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.

Default: ldap server require strong auth = yes

raw NTLMv2 auth (G)

This parameter determines whether or not smbd(8) will allow SMB1 clients
without extended security (without SPNEGO) to use NTLMv2 authentication.

If this option, lanman auth and ntlm auth are all disabled, then only
clients with SPNEGO support will be permitted. That means NTLMv2 is only
supported within NTLMSSP.

Default: raw NTLMv2 auth = no

tls verify peer (G)

This controls if and how strictly the client will verify the peer's
certificate and name. Possible values are (in increasing order): no_check,
ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.

When set to no_check the certificate is not verified at all,
which allows trivial man in the middle attacks.

When set to ca_only the certificate is verified to be signed by a CA
specified in the "tls ca file" option. Setting "tls ca file" to a valid file
is required. The certificate lifetime is also verified. If the "tls crl file"
option is configured, the certificate is also verified against

When set to ca_and_name_if_available all checks from ca_only are performed.
In addition, the peer hostname is verified against the certificate's
name, if it is provided by the application layer and not given as
an ip address string.

When set to ca_and_name all checks from ca_and_name_if_available are performed.
In addition the peer hostname needs to be provided and even an ip
address is checked against the certificate's name.

When set to as_strict_as_possible all checks from ca_and_name are performed.
In addition the "tls crl file" needs to be configured. Future versions
of Samba may implement additional checks.

Default: tls verify peer = as_strict_as_possible

tls priority (G) (backported from Samba 4.3 to Samba 4.2)

This option can be set to a string describing the TLS protocols to be
supported in the parts of Samba that use GnuTLS, specifically the AD DC.

The default turns off SSLv3, as this protocol is no longer considered
secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
in HTTPS applications.

The valid options are described in the GNUTLS Priority-Strings
documentation at http://gnutls.org/manual/html_node/Priority-Strings.html

Default: tls priority = NORMAL:-VERS-SSL3.0

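An added example (not part of the Samba release notes or code base): a small Python check that reads the [global] section of an smb.conf and reports explicit settings that switch off the protections described in this section. The weak values are taken from the option descriptions above, the function names are hypothetical, and the sample configuration is constructed.

```python
import re

TRUE = {"yes", "true", "1"}

# normalised option name -> (weakening values, consequence per the notes)
WEAK_GLOBALS = {
    "tlsverifypeer": ({"no_check"}, "peer certificate is not verified at all"),
    "ldapserverrequirestrongauth": (
        {"no"}, "simple and SASL binds are allowed over all transports"),
    "clientipcsigning": (
        {"auto", "disabled"}, "SMB signing on IPC$ is not required"),
    "allowdcerpcauthlevelconnect": (
        TRUE, "DCERPC without per-message protection is allowed"),
    "rawntlmv2auth": (TRUE, "SMB1 clients may use NTLMv2 outside NTLMSSP"),
}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
[global]
    server role = active directory domain controller
    TLS Verify Peer = no_check
    ; ldap server require strong auth = no
    ldap server require strong auth = allow_sasl_over_tls
    client ipc signing = auto
    allow dcerpc auth level connect:samr = yes
    raw NTLMv2 auth = no

[share]
    path = /srv/share
    tls verify peer = no_check
"""


def normalise(name):
    """smb.conf names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalised name: (line number, name as written, value)}."""
    settings, section, pending = {}, None, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue  # blank line or comment
        line = pending + stripped
        pending = ""
        if line.endswith("\\"):  # continuation: join with the next line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = normalise(header.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' counts
            settings[normalise(name)] = (lineno, name.strip(), value.strip())
    return settings


def audit(text):
    """List (line, option, value, reason) for weakening [global] settings."""
    findings = []
    entries = sorted(parse_global(text).items(), key=lambda kv: kv[1][0])
    for key, (lineno, name, value) in entries:
        base, _, iface = key.partition(":")
        val = value.lower()
        if iface:
            # Parametric per-interface override of the DCERPC option.
            if base == "allowdcerpcauthlevelconnect" and val in TRUE:
                findings.append((lineno, name, value,
                                 f"CONNECT-level DCERPC allowed on {iface}"))
        elif key in WEAK_GLOBALS and val in WEAK_GLOBALS[key][0]:
            findings.append((lineno, name, value, WEAK_GLOBALS[key][1]))
    return findings


if __name__ == "__main__":
    for lineno, name, value, reason in audit(SAMPLE):
        print(f"line {lineno}: {name} = {value}: {reason}")
```

Only explicit settings are reported; options left at the defaults listed above produce no finding, and lines outside [global] are ignored because all of these options are global (G).
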
================
Behavior changes
================

o The default auth level for authenticated binds has changed from
  DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
  That means ncacn_ip_tcp:server is now implicitly the same
  as ncacn_ip_tcp:server[sign] and offers a similar protection
  as ncacn_np:server, which relies on smb signing.

o The following constraints are applied to SMB1 connections:

  - "client lanman auth = yes" is now consistently
    required for authenticated connections using the
    SMB1 LANMAN2 dialect.
  - "client ntlmv2 auth = yes" and "client use spnego = yes"
    (both the default values), require extended security (SPNEGO)
    support from the server. That means NTLMv2 is only used within

o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
  default of "client ldap sasl wrapping = sign". Even with
  "client ldap sasl wrapping = plain" they will automatically upgrade
  to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP

o Jeremy Allison <jra@samba.org>
  * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.

  * Bug 11804 - prerequisite backports for the security release on

o Christian Ambach <ambi@samba.org>
  * Bug 11804 - prerequisite backports for the security release on

o Ralph Boehme <slow@samba.org>
  * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
    integrity protection.

o Günther Deschner <gd@samba.org>
  * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.

  * Bug 11804 - prerequisite backports for the security release on

o Björn Jacke <bj@sernet.de>
  * Bug 11804 - prerequisite backports for the security release on

o Volker Lendecke <vl@samba.org>
  * Bug 11804 - prerequisite backports for the security release on

o Stefan Metzmacher <metze@samba.org>
  * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.

  * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.

  * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
    integrity protection.

  * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.

  * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.

  * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.

  * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in

  * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not

  * Bug 11804 - prerequisite backports for the security release on

o Richard Sharpe <rsharpe@samba.org>
  * Bug 11804 - prerequisite backports for the security release on

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================

Release notes for older releases follow:
----------------------------------------

=============================
Release Notes for Samba 4.3.6
=============================

This is a security release in order to address the following CVEs:

o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)

o CVE-2015-7560:

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory

o CVE-2016-0771:

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and configured to run the internal DNS server, are vulnerable to an
out-of-bounds read issue during DNS TXT record handling caused by users
with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records,
as "allow dns updates = secure only" is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.

o Jeremy Allison <jra@samba.org>
  * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
    change permissions on link target.

o Garming Sam <garming@catalyst.net.nz>
  * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT

o Stefan Metzmacher <metze@samba.org>
  * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT

Older release notes to follow:
------------------------------

=============================
Release Notes for Samba 4.3.5
=============================

This is the latest stable release of Samba 4.3.

o Jeremy Allison <jra@samba.org>
  * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
    filesystem with no ACL support.
  * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.

o Christian Ambach <ambi@samba.org>
  * BUG 6482: s3:utils/smbget: Fix recursive download.
  * BUG 11400: s3:smbd/oplock: Obey kernel oplock setting when releasing

o Alexander Bokovoy <ab@samba.org>
  * BUG 11693: s3-parm: Clean up defaults when removing global parameters.

o Ralph Boehme <slow@samba.org>
  * BUG 11684: s3:smbd: Ignore initial allocation size for directory creation.
  * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.

o Amitay Isaacs <amitay@gmail.com>
  * BUG 11705: ctdb: Remove error messages after kernel security update

o Volker Lendecke <vl@samba.org>
  * BUG 11732: param: Fix str_list_v3 to accept ";" again.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11699: Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4.

o Jose A. Rivera <jarrpa@samba.org>
  * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when

o Christof Schmitt <cs@samba.org>
  * BUG 11670: winbindd: Handle expired sessions correctly.

o Andreas Schneider <asn@samba.org>
  * BUG 11690: s3-client: Add a KRB5 wrapper for smbspool.

o Uri Simchoni <uri@samba.org>
  * BUG 11580: vfs_shadow_copy2: Fix case where snapshots are outside the
  * BUG 11662: smbclient: Query disk usage relative to current directory.
  * BUG 11681: smbd: Show correct disk size for different quota and dfree block
  * BUG 11682: smbcacls: Fix uninitialized variable.

o Martin Schwenke <martin@meltin.net>
  * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...".

o Hemanth Thummala <hemanth.thummala@nutanix.com>
  * BUG 11708: loadparm: Fix memory leak issue.

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.4
=============================

This is the latest stable release of Samba 4.3.

o Michael Adam <obnox@samba.org>
  * BUG 11619: doc: Fix a typo in the smb.conf manpage, explanation of idmap
  * BUG 11647: s3:smbd: Fix a corner case of the symlink verification.

o Jeremy Allison <jra@samba.org>
  * BUG 11624: s3: libsmb: Correctly initialize the list head when keeping a
    list of primary followed by DFS connections.
  * BUG 11625: Reduce the memory footprint of empty string options.

o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * BUG 11659: Update lastLogon and lastLogonTimestamp.

o Ralph Boehme <slow@samba.org>
  * BUG 11065: vfs_fruit: Enable POSIX directory rename semantics.
  * BUG 11466: Copying files with vfs_fruit fails when using vfs_streams_xattr
    without stream prefix and type suffix.
  * BUG 11645: smbd: Make "hide dot files" option work with "store dos

o Günther Deschner <gd@samba.org>
  * BUG 11639: lib/async_req: Do not install async_connect_send_test.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11394: Crash: Bad talloc magic value - access after free.

o Rowland Penny <repenny241155@gmail.com>
  * BUG 11613: samba-tool: Fix uncaught exception if no fSMORoleOwner

o Karolin Seeger <kseeger@samba.org>
  * BUG 11619: docs: Fix some typos in the idmap backend section.
  * BUG 11641: docs: Fix typos in man vfs_gpfs.

o Uri Simchoni <uri@samba.org>
  * BUG 11649: smbd: Do not disable "store dos attributes" on-the-fly.

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.3
=============================

This is a security release in order to address the following CVEs:

o CVE-2015-3223 (Denial of service in Samba Active Directory
o CVE-2015-5252 (Insufficient symlink verification in smbd)
o CVE-2015-5299 (Missing access control check in shadow copy
o CVE-2015-5296 (Samba client requesting encryption vulnerable
o CVE-2015-8467 (Denial of service attack against Windows
  Active Directory server)
o CVE-2015-5330 (Remote memory read in Samba LDAP server)

Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24. This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.

o CVE-2015-3223:

All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a denial of service attack in the samba daemon LDAP server.

A malicious client can send packets that cause the LDAP server in the
samba daemon process to become unresponsive, preventing the server
from servicing any other requests.

This flaw is not exploitable beyond causing the code to loop expending

o CVE-2015-5252:

All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.

If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).

o CVE-2015-5299:

All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.

This was not being checked in the affected versions of Samba.

o CVE-2015-5296:

Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to

Without this a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted

o CVE-2015-8467:

Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.

All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security

Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.

o CVE-2015-5330:

All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.

A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the

This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.

The memory may either be returned to the client in an error string, or
stored in the database by a suitably privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable.


o Andrew Bartlett <abartlet@samba.org>
  * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for

o Jeremy Allison <jra@samba.org>
  * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
  * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
    access outside the share).
  * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on

o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
    smb encryption on the client side.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.2
=============================

This is the latest stable release of Samba 4.3.

o Michael Adam <obnox@samba.org>
  * BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.

o Jeremy Allison <jra@samba.org>
  * BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an
    attribute type of zero.
  * BUG 11565: auth: gensec: Fix a memory leak.
  * BUG 11566: lib: util: Make non-critical message a warning.
  * BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2
    create containing them.
  * BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files
    below an open directory handle.

o Ralph Boehme <slow@samba.org>
  * BUG 11562: s4:lib/messaging: Use correct path for names.tdb.
  * BUG 11564: async_req: Fix non-blocking connect().

o Volker Lendecke <vl@samba.org>
  * BUG 11243: vfs_gpfs: Re-enable share modes.
  * BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
  * BUG 11612: winbind: Fix crash on invalid idmap configs.

o YvanM <yvan.masson@openmailbox.org>
  * BUG 11584: manpage: Correct small typo error.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus.
  * BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE()

o Marc Muehlfeld <mmuehlfeld@samba.org>
  * BUG 9912: Changing log level of two entries to DBG_NOTICE.
  * BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch().

o Noel Power <noel.power@suse.com>
  * BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
  * BUG 11597: Backport some valgrind fixes from upstream master.

o Andreas Schneider <asn@samba.org>
  * BUG 11563: Fix segfault of 'net ads (join|leave) -S INVALID' with

o Tom Schulz <schulz@adi.com>
  * BUG 11511: Add libreplace dependency to texpect, fixes a linking error on
  * BUG 11512: s4: Fix linking of 'smbtorture' on Solaris.

o Uri Simchoni <uri@samba.org>
  * BUG 11608: auth: Consistent handling of well-known alias as primary gid.

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.1
=============================

This is the latest stable release of Samba 4.3.

Changes since 4.3.0:
--------------------

o Jeremy Allison <jra@samba.org>
  * BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable"
  * BUG 10634: smbd: Fix file name buflen and padding in notify response.
  * BUG 11486: s3: smbd: Fix mkdir race condition.
  * BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share
  * BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw'
    stream fix (bug #11522).
  * BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
    component) names is incorrect.

o Ralph Boehme <slow@samba.org>
  * BUG 11535: s3: smbd: Fix a crash in unix_convert().
  * BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
  * BUG 11549: s3:locking: Initialize lease pointer in
    share_mode_traverse_fn().
  * BUG 11550: s3:smbstatus: Add stream name to share_entry_forall().
  * BUG 11555: s3:lib: Validate domain name in lookup_wellknown_name().

o Günther Deschner <gd@samba.org>
  * BUG 11038: kerberos: Make sure we only use prompter type when available.

o Volker Lendecke <vl@samba.org>
  * BUG 11038: winbind: Fix 100% loop.
  * BUG 11053: source3/lib/msghdr.c: Fix compiling error on Solaris.

o Stefan Metzmacher <metze@samba.org>
  * BUG 11316: s3:ctdbd_conn: make sure we destroy tevent_fd before closing
  * BUG 11515: s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging
  * BUG 11526: lib/param: Fix hiding of FLAG_SYNONYM values.

o Björn Jacke <bj@sernet.de>
  * BUG 10365: nss_winbind: Fix hang on Solaris on big groups.
  * BUG 11355: build: Use as-needed linker flag also on OpenBSD.

o Har Gagan Sahai <SHarGagan@novell.com>
  * BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled.

o Andreas Schneider <asn@samba.org>
  * BUG 11502: pam_winbind: Fix a segfault if initialization fails.

o Uri Simchoni <uri@samba.org>
  * BUG 11528: net: Fix a crash with 'net ads keytab create'.
  * BUG 11547: vfs_commit: set the fd on open before calling SMB_VFS_FSTAT.

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.0
=============================

This is the first stable release of Samba 4.3.

Read the "New FileChangeNotify subsystem" and "smb.conf changes" sections

The logging code now supports logging to multiple backends. In
addition to the previously available syslog and file backends, the
backends for logging to the systemd-journal, lttng and gpfs have been
added. Please consult the section for the 'logging' parameter in the
smb.conf manpage for details.

Support for Apple's Spotlight has been added by integrating with Gnome

For detailed instructions on how to build and set up Samba for Spotlight,
please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>

New FileChangeNotify subsystem
------------------------------

Samba now contains a new subsystem to do FileChangeNotify. The
previous system used a central database, notify_index.tdb, to store
all notification requests. In particular in a cluster this turned out
to be a major bottleneck, because some hot records need to be bounced
back and forth between nodes on every change event like a newly created

The new FileChangeNotify subsystem works with a central daemon per
node. Every FileChangeNotify request and every event are handled by an
asynchronous message from smbd to the notify daemon. The notify daemon
maintains a database of all FileChangeNotify requests in memory and
will distribute the notify events accordingly. This database is
asynchronously distributed in the cluster by the notify daemons.

The notify daemon is supposed to scale a lot better than the previous
implementation. The functional advantage is cross-node kernel change
notify: Files created via NFS will be seen by SMB clients on other
nodes per FileChangeNotify, despite the fact that popular cluster file
systems do not offer cross-node inotify.

Two changes to the configuration were required for this new subsystem:
The parameters "change notify" and "kernel change notify" are not
per-share anymore but must be set globally. So it is no longer
possible to enable or disable notify per share: the notify daemon has
no notion of a share, it only works on absolute paths.

New SMB profiling code
----------------------

The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
of sysv IPC shared memory. This avoids performance problems and NUMA
effects. The profile stats are a bit more detailed than before.

Improved DCERPC man in the middle detection for kerberos
--------------------------------------------------------

The gssapi based kerberos backends for gensec have support for
DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.

SMB signing required in winbindd by default
-------------------------------------------

The effective value for "client signing" is required
by default for winbindd, if the primary domain uses active directory.

Experimental NTDB was removed
-----------------------------

The experimental NTDB library introduced in Samba 4.0 has been

Improved support for trusted domains (as AD DC)
-----------------------------------------------

The support for trusted domains/forests has improved a lot.

samba-tool got "domain trust" subcommands to manage trusts:

  create      - Create a domain or forest trust.
  delete      - Delete a domain trust.
  list        - List domain trusts.
  namespaces  - Manage forest trust namespaces.
  show        - Show trusted domain details.
  validate    - Validate a domain trust.

External trusts between individual domains work in both ways
(inbound and outbound). The same applies to root domains of
a forest trust. The transitive routing into the other forest
is fully functional for kerberos, but not yet supported for NTLMSSP.

While a lot of things are working fine, there are currently a few limitations:

- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights
- It's not possible to add users/groups of a trusted domain

Both client and server have support for SMB 3.1.1 now.

This is the dialect introduced with Windows 10; it improves the secure
negotiation of SMB dialects and features.

There's also a new optional encryption algorithm aes-gcm-128,
but for now this is only selected as fallback and aes-ccm-128
is preferred because of the better performance. This might change
in future versions when hardware encryption is supported.
See https://bugzilla.samba.org/show_bug.cgi?id=11451.

New smbclient subcommands
-------------------------

- Query a directory for change notifications: notify <dir name>
- Server side copy: scopy <source filename> <destination filename>

New rpcclient subcommands
-------------------------

  netshareenumall      - Enumerate all shares
  netsharegetinfo      - Get Share Info
  netsharesetinfo      - Set Share Info
  netsharesetdfsflags  - Set DFS flags
  netfileenum          - Enumerate open files
  netnamevalidate      - Validate sharename
  netfilegetsec        - Get File security
  netsessdel           - Delete Session
  netsessenum          - Enumerate Sessions
  netdiskenum          - Enumerate Disks
  netconnenum          - Enumerate Connections
  netshareadd          - Add share
  netsharedel          - Delete share

  idmap_script       - see 'man 8 idmap_script'
  vfs_unityed_media  - see 'man 8 vfs_unityed_media'
  vfs_shell_snap     - see 'man 8 vfs_shell_snap'

New sparsely connected replica graph (Improved KCC)
---------------------------------------------------

The Knowledge Consistency Checker (KCC) maintains a replication graph
for DCs across an AD network. The existing Samba KCC uses a fully
connected graph, so that each DC replicates from all the others, which
does not scale well with large networks. In 4.3 there is an
experimental new KCC that creates a sparsely connected replication
graph and closely follows Microsoft's specification. It is turned off
by default. To use the new KCC, set "kccsrv:samba_kcc=true" in
smb.conf and let us know how it goes. You should consider doing this
if you are making a large new network. For small networks there is
little benefit and you can always switch over at a later date.

Configurable TLS protocol support, with better defaults
-------------------------------------------------------

The "tls priority" option can be used to change the supported TLS
protocols. The default is to disable SSLv3, which is no longer

Samba-tool now supports all 7 FSMO roles
----------------------------------------

Previously "samba-tool fsmo" could only show, transfer or seize the
five well-known FSMO roles:

    Domain Naming Master
    Infrastructure Master

It can now also show, transfer or seize the DNS infrastructure roles:

    DomainDnsZones Infrastructure Master
    ForestDnsZones Infrastructure Master

CTDB logging changes
--------------------

The destination for CTDB logging is now set via a single new
configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and
CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for
details of CTDB_LOGGING.

CTDB no longer runs a separate logging daemon.

CTDB NFS support changes
------------------------

CTDB's NFS service management has been combined into a single 60.nfs
event script. This updated 60.nfs script now uses a call-out to
interact with different NFS implementations. See the CTDB_NFS_CALLOUT
option in the ctdbd.conf(5) manual page for details. A default
call-out is provided to interact with the Linux kernel NFS
implementation. The 60.ganesha event script has been removed - a
sample call-out is provided for NFS Ganesha, based on this script.

The method of configuring NFS RPC checks has been improved. See
ctdb/config/nfs-checks.d/README for details.

Improved Cross-Compiling Support
--------------------------------

A new "hybrid" build configuration mode is added to improve
cross-compilation support.

A common challenge in cross-compilation is that of obtaining the results
of tests that have to run on the target, during the configuration
phase of the build. The Samba build system already supports the following

- Executing configure tests using the --cross-execute parameter
- Obtaining the results from an answers file using the --cross-answers

The first method has the drawback of inaccurate results if the tests are
run using an emulator, or a need to be connected to a running target
while building, if the tests are to be run on an actual target. The
second method presents a challenge of figuring out the test results.

The new hybrid mode runs the tests and records the result in an answer file.
To activate this mode, use both --cross-execute and --cross-answers in the
same configure invocation. This mode can be activated once against a
running target, and then the generated answers file can be used in

Also supplied is an example script that can be used as the
cross-execute program. This script copies the test to a running target
and runs the test on the target, obtaining the result. The obtained
results are more accurate than running the test with an emulator, because
they reflect the exact kernel and system libraries that exist on the

Improved Sparse File Support
----------------------------
Support for the FSCTL_SET_ZERO_DATA and FSCTL_QUERY_ALLOCATED_RANGES
SMB2 requests has been added to the smbd file server.
This allows for clients to deallocate (hole punch) regions within a
sparse file, and check which portions of a file are allocated.

######################################################################

  Parameter Name            Description           Default
  --------------            -----------           -------

  msdfs shuffle referrals   New                   no
  smbd profiling level      New                   off
  tls priority              New                   NORMAL:-VERS-SSL3.0
  change notify             Changed to [global]
  kernel change notify      Changed to [global]
  client max protocol       Changed default       SMB3_11
  server max protocol       Changed default       SMB3_11

  vfs_notify_fam - see section 'New FileChangeNotify subsystem'.

CHANGES SINCE 4.2.0rc4
======================

o Andrew Bartlett <abartlet@samba.org>
  * Bug 10973: No objectClass found in replPropertyMetaData on ordinary
    objects (non-deleted)
  * Bug 11429: Python bindings don't check integer types
  * Bug 11430: Python bindings don't check array sizes

o Ralph Boehme <slow@samba.org>
  * Bug 11467: Handling of 0 byte resource fork stream

o Volker Lendecke <vl@samba.org>
  * Bug 11488: AD samr GetGroupsForUser fails for users with "()" in

o Stefan Metzmacher <metze@samba.org>
  * Bug 11429: Python bindings don't check integer types

o Matthieu Patou <mat@matws.net>
  * Bug 10973: No objectClass found in replPropertyMetaData on ordinary
    objects (non-deleted)

CHANGES SINCE 4.2.0rc3
======================

o Ralph Boehme <slow@samba.org>
  * Bug 11444: Crash in notify_remove caused by change notify = no

o Günther Deschner <gd@samba.org>
  * Bug 11411: smbtorture does not build when configured --with-system-mitkrb5

o Volker Lendecke <vl@samba.org>
  * Bug 11455: fix recursion problem in rep_strtoll in lib/replace/replace.c
  * Bug 11464: xid2sid gives inconsistent results
  * Bug 11465: ctdb: Fix the build on FreeBSD 10.1

o Roel van Meer <roel@1afa.com>
  * Bug 11427: nmbd incorrectly matches netbios names as own name

o Stefan Metzmacher <metze@samba.org>
  * Bug 11451: Poor SMB3 encryption performance with AES-GCM
  * Bug 11458: --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't
    disable ldb build and install

o Andreas Schneider <asn@samba.org>
  * Bug 9862: Samba "map to guest = Bad uid" doesn't work

CHANGES SINCE 4.3.0rc2
======================

o Andrew Bartlett <abartlet@samba.org>
  * Bug 11436: samba-tool uncaught exception error
  * Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941
    LDAP_MATCHING_RULE_IN_CHAIN changes

o Ralph Boehme <slow@samba.org>
  * Bug 11278: Stream names with colon don't work with
    fruit:encoding = native
  * Bug 11426: net share allowedusers crashes

o Amitay Isaacs <amitay@gmail.com>
  * Bug 11432: Fix crash in nested ctdb banning
  * Bug 11434: Cannot build ctdbpmda
  * Bug 11431: CTDB's eventscript error handling is broken

o Stefan Metzmacher <metze@samba.org>
  * Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1)
  * Bug 11316: tevent_fd needs to be destroyed before closing the fd

o Arvid Requate <requate@univention.de>
  * Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs

o Martin Schwenke <martin@meltin.net>
  * Bug 11432: Fix crash in nested ctdb banning

CHANGES SINCE 4.3.0rc1
======================

o Jeremy Allison <jra@samba.org>
  * BUG 11359: strsep is not available on Solaris

o Björn Baumbach <bb@sernet.de>
  * BUG 11421: Build with GPFS support is broken

o Justin Maggard <jmaggard@netgear.com>
  * BUG 11320: "force group" with local group not working

o Martin Schwenke <martin@meltin.net>
  * BUG 11424: Build broken with --disable-python