1 =============================
2 Release Notes for Samba 4.4.8
4 =============================
7 This is a security release in order to address the following defects:
9 o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
10 Overflow Remote Code Execution Vulnerability).
11 o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
13 o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
21 The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
22 leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
23 parses data from the Samba Active Directory ldb database. Any user
24 who can write to the dnsRecord attribute over LDAP can trigger this
27 By default, all authenticated LDAP users can write to the dnsRecord
28 attribute on new DNS objects. This makes the defect a remote privilege
32 Samba client code always requests a forwardable ticket
33 when using Kerberos authentication. This means the
34 target server, which must be in the current or trusted
35 domain/realm, is given a valid general purpose Kerberos
36 "Ticket Granting Ticket" (TGT), which can be used to
37 fully impersonate the authenticated user or service.
40 A remote, authenticated, attacker can cause the winbindd process
41 to crash using a legitimate Kerberos ticket due to incorrect
42 handling of the arcfour-hmac-md5 PAC checksum.
44 A local service with access to the winbindd privileged pipe can
45 cause winbindd to cache elevated access permissions.
51 o Volker Lendecke <vl@samba.org>
52 * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
54 o Stefan Metzmacher <metze@samba.org>
55 * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
56 * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
60 #######################################
61 Reporting bugs & Development Discussion
62 #######################################
64 Please discuss this release on the samba-technical mailing list or by
65 joining the #samba-technical IRC channel on irc.freenode.net.
67 If you do report problems then please try to send high quality
68 feedback. If you don't provide vital information to help us track down
69 the problem then you will probably be ignored. All bug reports should
70 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
71 database (https://bugzilla.samba.org/).
74 ======================================================================
75 == Our Code, Our Bugs, Our Responsibility.
77 ======================================================================
80 Release notes for older releases follow:
81 ----------------------------------------
83 =============================
84 Release Notes for Samba 4.4.7
86 =============================
89 This is the latest stable release of Samba 4.4.
91 Major enhancements in Samba 4.4.7 include:
93 o Let winbindd discard expired kerberos tickets when built against
94 (internal) heimdal (BUG #12369).
95 o REGRESSION: smbd segfaults on startup, tevent context being freed
102 o Jeremy Allison <jra@samba.org>
103 * BUG 11259: smbd contacts a domain controller for each session.
104 * BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being
106 * BUG 12291: source3/lib/msghdr: Fix syntax error before or at: ;.
107 * BUG 12381: s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6
110 o Christian Ambach <ambi@samba.org>
111 * BUG 9945: Setting specific logger levels in smb.conf makes 'samba-tool drs
114 o Björn Baumbach <bb@sernet.de>
115 * BUG 8618: s3-printing: Fix migrate printer code.
117 o Ralph Boehme <slow@samba.org>
118 * BUG 12261: s3/smbd: Set FILE_ATTRIBUTE_DIRECTORY as necessary.
120 o Günther Deschner <gd@samba.org>
121 * BUG 12285: "DriverVersion" registry backend parsing incorrect in spoolss.
123 o David Disseldorp <ddiss@samba.org>
124 * BUG 12144: smbd/ioctl: Match WS2016 ReFS get compression behaviour.
126 o Amitay Isaacs <amitay@gmail.com>
127 * BUG 12287: CTDB PID file handling is too weak.
129 o Volker Lendecke <vl@samba.org>
130 * BUG 12045: gencache: Bail out of stabilize if we can not get the allrecord
132 * BUG 12283: glusterfs: Avoid tevent_internal.h.
133 * BUG 12374: spoolss: Fix caching of printername->sharename.
135 o Stefan Metzmacher <metze@samba.org>
136 * BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being
138 * BUG 12369: Let winbindd discard expired kerberos tickets when built against
141 o Noel Power <noel.power@suse.com>
142 * BUG 12298: s3/winbindd: Using default domain with user@domain.com format
145 o Jose A. Rivera <jarrpa@samba.org>
146 * BUG 12362: ctdb-scripts: Avoid dividing by zero in memory calculation.
148 o Anoop C S <anoopcs@redhat.com>
149 * BUG 12377: vfs_glusterfs: Fix a memory leak in connect path.
151 o Andreas Schneider <asn@samba.org>
152 * BUG 12269: nss_wins has incorrect function definitions for gethostbyname*.
153 * BUG 12276: s3-lib: Fix %G substitution in AD member environment.
154 * BUG 12364: s3-utils: Fix loading smb.conf in smbcquotas.
156 o Martin Schwenke <martin@meltin.net>
157 * BUG 12287: CTDB PID file handling is too weak.
158 * BUG 12362: ctdb-scripts: Fix incorrect variable reference.
161 #######################################
162 Reporting bugs & Development Discussion
163 #######################################
165 Please discuss this release on the samba-technical mailing list or by
166 joining the #samba-technical IRC channel on irc.freenode.net.
168 If you do report problems then please try to send high quality
169 feedback. If you don't provide vital information to help us track down
170 the problem then you will probably be ignored. All bug reports should
171 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
172 database (https://bugzilla.samba.org/).
175 ======================================================================
176 == Our Code, Our Bugs, Our Responsibility.
178 ======================================================================
181 ----------------------------------------------------------------------
184 =============================
185 Release Notes for Samba 4.4.6
187 =============================
190 This is the latest stable release of Samba 4.4.
196 o Michael Adam <obnox@samba.org>
197 * BUG 11977: libnet: Ignore realm setting for domain security joins to AD
198 domains if 'winbind rpc only = true'.
199 * BUG 12155: idmap: Centrally check that unix IDs returned by the idmap
200 backends are in range.
202 o Jeremy Allison <jra@samba.org>
203 * BUG 11838: s4: ldb: Ignore case of "range" in sscanf as we've already
204 checked for its presence.
205 * BUG 11845: Incorrect bytecount in ReadAndX smb1 response.
206 * BUG 11955: lib: Fix uninitialized read in msghdr_copy.
207 * BUG 11959: s3: krb5: keytab - The done label can be jumped to with context
209 * BUG 11986: s3: libsmb: Correctly trim a trailing \\ character in
210 cli_smb2_create_fnum_send() when passing a pathname to SMB2 create.
211 * BUG 12021: Fix smbd crash (Signal 4) on File Delete.
212 * BUG 12135: libgpo: Correctly use the 'server' parameter after parsing it
214 * BUG 12139: s3: oplock: Fix race condition when closing an oplocked file.
215 * BUG 12272: Fix messaging subsystem crash.
217 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
218 * BUG 11750: gcc6 fails to build internal heimdal.
220 o Andrew Bartlett <abartlet@samba.org>
221 * BUG 11991: build: Build less of Samba when building
222 '--without-ntvfs-fileserver'.
223 * BUG 12026: build: Always build eventlog6. This is not a duplicate of
225 * BUG 12154: ldb-samba: Add "secret" as a value to hide in LDIF files.
226 * BUG 12178: dbcheck: Abandon dbcheck if we get an error during a
229 o Ralph Boehme <slow@samba.org>
230 * BUG 10008: dbwrap_ctdb: Treat empty records in ltdb as non-existing.
231 * BUG 11520: Fix DNS secure updates.
232 * BUG 11961: idmap_autorid allocates ids for unknown SIDs from other
234 * BUG 11992: s3/smbd: Only use stored dos attributes for
235 open_match_attributes() check.
236 * BUG 12005: smbd: Ignore ctdb tombstone records in
237 fetch_share_mode_unlocked_parser().
238 * BUG 12016: cleanupd terminates main smbd on exit.
239 * BUG 12028: vfs_acl_xattr: Objects without NT ACL xattr.
240 * BUG 12105: async_req: Make async_connect_send() "reentrant".
241 * BUG 12177: vfs_acl_common: Fix unexpected synthesized default ACL from
243 * BUG 12181: vfs_acl_xattr|tdb: Enforced settings when
244 "ignore system acls = yes".
246 o Alexander Bokovoy <ab@samba.org>
247 * BUG 11975: libnet_join: use sitename if it was set by pre-join detection.
249 o Günther Deschner <gd@samba.org>
250 * BUG 11977: s3-libnet: Print error string even on successful completion of
253 o Amitay Isaacs <amitay@gmail.com>
254 * BUG 11940: CTDB fails to recover large database.
255 * BUG 11941: CTDB does not ban misbehaving nodes during recovery.
256 * BUG 11946: Samba and CTDB packages both have tevent-unix-util dependency.
257 * BUG 11956: ctdb-recoverd: Avoid duplicate recoverd event in parallel
259 * BUG 12158: CTDB release IP fixes.
260 * BUG 12259: ctdb-protocol: Fix marshalling for GET_DB_SEQNUM control
262 * BUG 12271: CTDB recovery does not terminate if no node is banned due to
264 * BUG 12275: ctdb-recovery-helper: Add missing initialisation of ban_credits.
266 o Volker Lendecke <vl@samba.org>
267 * BUG 12268: smbd: Reset O_NONBLOCK on open files.
269 o Stefan Metzmacher <metze@samba.org>
270 * BUG 11948: dcerpc.idl: Remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE.
271 * BUG 11982: Invalid auth_pad_length is not ignored for BIND_* and ALTER_*
273 * BUG 11994: gensec/spnego: Work around missing server mechListMIC in SMB
275 * BUG 12007: libads: Ensure the right ccache is used during spnego bind.
276 * BUG 12018: python/remove_dc: Handle dnsNode objects without dnsRecord
278 * BUG 12129: samba-tool/ldapcmp: Ignore differences of whenChanged.
280 o Marc Muehlfeld <mmuehlfeld@samba.org>
281 * BUG 12023: man: Wrong option for parameter ldap ssl in smb.conf man page.
283 o Andreas Schneider <asn@samba.org>
284 * BUG 11936: libutil: Support systemd 230.
285 * BUG 11999: s3-winbind: Fix memory leak with each cached credential login.
286 * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory.
287 * BUG 12175: s3-util: Fix asking for username and password in smbget.
289 o Martin Schwenke <martin@meltin.net>
290 * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory.
291 * BUG 12110: ctdb-daemon: Fix several Coverity IDs.
292 * BUG 12158: CTDB release IP fixes.
293 * BUG 12161: Fix CTDB cumulative takeover timeout.
294 * BUG 12180: Fix CTDB crashes running eventscripts.
296 o Uri Simchoni <uri@samba.org>
297 * BUG 12006: auth: Fix a memory leak in gssapi_get_session_key().
298 * BUG 12145: smbd: If inherit owner is enabled, the free disk on a folder
299 should take the owner's quota into account.
300 * BUG 12149: smbd: Allow reading files based on FILE_EXECUTE access right.
301 * BUG 12172: Fix access of snapshot folders via SMB1.
303 o Lorinczy Zsigmond <lzsiga@freemail.c3.hu>
304 * BUG 11947: lib: replace: snprintf: Fix length calculation for hex/octal
308 #######################################
309 Reporting bugs & Development Discussion
310 #######################################
312 Please discuss this release on the samba-technical mailing list or by
313 joining the #samba-technical IRC channel on irc.freenode.net.
315 If you do report problems then please try to send high quality
316 feedback. If you don't provide vital information to help us track down
317 the problem then you will probably be ignored. All bug reports should
318 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
319 database (https://bugzilla.samba.org/).
322 ======================================================================
323 == Our Code, Our Bugs, Our Responsibility.
325 ======================================================================
328 ----------------------------------------------------------------------
331 =============================
332 Release Notes for Samba 4.4.5
334 =============================
337 This is a security release in order to address the following defect:
339 o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
346 It's possible for an attacker to downgrade the required signing for
347 an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
348 or SMB2_SESSION_FLAG_IS_NULL flags.
350 This means that the attacker can impersonate a server being connected to by
351 Samba, and return malicious results.
353 The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
354 to domain controllers as a member server, and trusted domains as a domain
355 controller. These DCE/RPC connections were intended to protected by the
356 combination of "client ipc signing" and
357 "client ipc max protocol" in their effective default settings
358 ("mandatory" and "SMB3_11").
360 Additionally, management tools like net, samba-tool and rpcclient use DCERPC
361 over SMB2/3 connections.
363 By default, other tools in Samba are unprotected, but rarely they are
364 configured to use smb signing, via the "client signing" parameter (the default
365 is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
366 rather than the NT1 default.
368 If both these conditions are met, then this issue would also apply to these
369 other tools, including command line tools like smbcacls, smbcquota, smbclient,
370 smbget and applications using libsmbclient.
376 o Stefan Metzmacher <metze@samba.org>
377 * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
378 * BUG 11948: Total dcerpc response payload more than 0x400000.
381 #######################################
382 Reporting bugs & Development Discussion
383 #######################################
385 Please discuss this release on the samba-technical mailing list or by
386 joining the #samba-technical IRC channel on irc.freenode.net.
388 If you do report problems then please try to send high quality
389 feedback. If you don't provide vital information to help us track down
390 the problem then you will probably be ignored. All bug reports should
391 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
392 database (https://bugzilla.samba.org/).
395 ======================================================================
396 == Our Code, Our Bugs, Our Responsibility.
398 ======================================================================
401 ----------------------------------------------------------------------
404 =============================
405 Release Notes for Samba 4.4.4
407 =============================
410 This is the latest stable release of Samba 4.4.
416 o Michael Adam <obnox@samba.org>
417 * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence
419 * BUG 11919: smbd:close: Only remove kernel share modes if they had been
421 * BUG 11930: notifyd: Prevent NULL deref segfault in notifyd_peer_destructor.
423 o Jeremy Allison <jra@samba.org>
424 * BUG 10618: s3: auth: Move the declaration of struct dom_sid tmp_sid to
425 function level scope.
427 o Christian Ambach <ambi@samba.org>
428 * BUG 10796: s3:rpcclient: Make '--pw-nt-hash' option work.
429 * BUG 11354: s3:libsmb/clifile: Use correct value for MaxParameterCount for
431 * BUG 11438: Fix case sensitivity issues over SMB2 or above.
433 o Ralph Boehme <slow@samba.org>
434 * BUG 1703: s3:libnet:libnet_join: Add netbios aliases as SPNs.
435 * BUG 11721: vfs_fruit: Add an option that allows disabling POSIX rename
438 o Alexander Bokovoy <ab@samba.org>
439 * BUG 11936: s3-smbd: Support systemd 230.
441 o Ira Cooper <ira@samba.org>
442 * BUG 11907: source3: Honor the core soft limit of the OS.
444 o Günther Deschner <gd@samba.org>
445 * BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence
447 * BUG 11864: s3:client:smbspool_krb5_wrapper: Fix the non clearenv build.
448 * BUG 11906: s3-kerberos: Avoid entering a password change dialogue also when
451 o Robin Hack <hack.robin@gmail.com>
452 * BUG 11890: ldb-samba/ldb_matching_rules: Fix CID 1349424 - Uninitialized
455 o Volker Lendecke <vl@samba.org>
456 * BUG 11844: dbwrap_ctdb: Fix ENOENT->NT_STATUS_NOT_FOUND.
458 o Robin McCorkell <robin@mccorkell.me.uk>
459 * BUG 11276: Correctly set cli->raw_status for libsmbclient in SMB2 code.
461 o Stefan Metzmacher <metze@samba.org>
462 * BUG 11910: s3:smbd: Fix anonymous authentication if signing is mandatory.
463 * BUG 11912: libcli/auth: Let msrpc_parse() return talloc'ed empty strings.
464 * BUG 11914: Fix NTLM Authentication issue with squid.
465 * BUG 11927: s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT.
467 o Luca Olivetti <luca@wetron.es>
468 * BUG 11530: pdb: Fix segfault in pdb_ldap for missing gecos.
470 o Rowland Penny <rpenny@samba.org>
471 * BUG 11613: Allow 'samba-tool fsmo' to cope with empty or missing fsmo
474 o Anoop C S <anoopcs@redhat.com>
475 * BUG 11907: packaging: Set default limit for core file size in service
478 o Andreas Schneider <asn@samba.org>
479 * BUG 11922: s3-net: Convert the key_name to UTF8 during migration.
480 * BUG 11935: s3-smbspool: Log to stderr.
482 o Uri Simchoni <uri@samba.org>
483 * BUG 11900: heimdal: Encode/decode kvno as signed integer.
484 * BUG 11931: s3-quotas: Fix sysquotas_4B quota fetching for BSD.
485 * BUG 11937: smbd: dfree: Ignore quota if not enforced.
487 o Raghavendra Talur <rtalur@redhat.com>
488 * BUG 11907: init: Set core file size to unlimited by default.
490 o Hemanth Thummala <hemanth.thummala@nutanix.com>
491 * BUG 11934: Fix memory leak in share mode locking.
494 #######################################
495 Reporting bugs & Development Discussion
496 #######################################
498 Please discuss this release on the samba-technical mailing list or by
499 joining the #samba-technical IRC channel on irc.freenode.net.
501 If you do report problems then please try to send high quality
502 feedback. If you don't provide vital information to help us track down
503 the problem then you will probably be ignored. All bug reports should
504 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
505 database (https://bugzilla.samba.org/).
508 ======================================================================
509 == Our Code, Our Bugs, Our Responsibility.
511 ======================================================================
514 ----------------------------------------------------------------------
517 =============================
518 Release Notes for Samba 4.4.3
520 =============================
523 This is the latest stable release of Samba 4.4.
525 This release fixes some regressions introduced by the last security fixes.
526 Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
527 bugs addressing these regressions and more information.
533 o Michael Adam <obnox@samba.org>
534 * BUG 11786: idmap_hash: Only allow the hash module for default idmap config.
536 o Jeremy Allison <jra@samba.org>
537 * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
540 o Andrew Bartlett <abartlet@samba.org>
541 * BUG 11789: Fix returning of ldb.MessageElement.
543 o Ralph Boehme <slow@samba.org>
544 * BUG 11855: cleanupd: Restart as needed.
546 o Günther Deschner <gd@samba.org>
547 * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config()
549 * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
551 o Volker Lendecke <vl@samba.org>
552 * BUG 11786: winbind: Fix CID 1357100: Unchecked return value.
553 * BUG 11816: nwrap: Fix the build on Solaris.
554 * BUG 11827: vfs_catia: Fix memleak.
555 * BUG 11878: smbd: Avoid large reads beyond EOF.
557 o Stefan Metzmacher <metze@samba.org>
558 * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
559 * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
560 * BUG 11847: Only validate MIC if "map to guest" is not being used.
561 * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
563 * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
564 * BUG 11858: Allow anonymous smb connections.
565 * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
566 * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
568 o Tom Mortensen <tomm@lime-technology.com>
569 * BUG 11875: nss_wins: Fix the hostent setup.
571 o Garming Sam <garming@catalyst.net.nz>
572 * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
574 o Partha Sarathi <partha@exablox.com>
575 * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
578 o Jorge Schrauwen <sjorge@blackdot.be>
579 * BUG 11816: configure: Don't check for inotify on illumos.
581 o Uri Simchoni <uri@samba.org>
582 * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
584 * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0.
585 * BUG 11852: libads: Record session expiry for spnego sasl binds.
587 o Hemanth Thummala <hemanth.thummala@nutanix.com>
588 * BUG 11840: Mask general purpose signals for notifyd.
591 #######################################
592 Reporting bugs & Development Discussion
593 #######################################
595 Please discuss this release on the samba-technical mailing list or by
596 joining the #samba-technical IRC channel on irc.freenode.net.
598 If you do report problems then please try to send high quality
599 feedback. If you don't provide vital information to help us track down
600 the problem then you will probably be ignored. All bug reports should
601 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
602 database (https://bugzilla.samba.org/).
605 ======================================================================
606 == Our Code, Our Bugs, Our Responsibility.
608 ======================================================================
611 ----------------------------------------------------------------------
614 =============================
615 Release Notes for Samba 4.4.2
617 =============================
619 This is a security release containing one additional
620 regression fix for the security release 4.4.1.
622 This fixes a regression that prevents things like 'net ads join'
623 from working against a Windows 2003 domain.
628 o Stefan Metzmacher <metze@samba.org>
629 * Bug 11804 - prerequisite backports for the security release on
633 -----------------------------------------------------------------------
636 =============================
637 Release Notes for Samba 4.4.1
639 =============================
642 This is a security release in order to address the following CVEs:
644 o CVE-2015-5370 (Multiple errors in DCE-RPC code)
646 o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
648 o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
650 o CVE-2016-2112 (LDAP client and server don't enforce integrity)
652 o CVE-2016-2113 (Missing TLS certificate validation)
654 o CVE-2016-2114 ("server signing = mandatory" not enforced)
656 o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
658 o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
660 The number of changes are rather huge for a security release,
661 compared to typical security releases.
663 Given the number of problems and the fact that they are all related
664 to man in the middle attacks we decided to fix them all at once
665 instead of splitting them.
667 In order to prevent the man in the middle attacks it was required
668 to change the (default) behavior for some protocols. Please see the
669 "New smb.conf options" and "Behavior changes" sections below.
677 Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
678 denial of service attacks (crashes and high cpu consumption)
679 in the DCE-RPC client and server implementations. In addition,
680 errors in validation of the DCE-RPC packets can lead to a downgrade
681 of a secure connection to an insecure one.
683 While we think it is unlikely, there's a nonzero chance for
684 a remote code execution attack against the client components,
685 which are used by smbd, winbindd and tools like net, rpcclient and
686 others. This may gain root access to the attacker.
688 The above applies all possible server roles Samba can operate in.
690 Note that versions before 3.6.0 had completely different marshalling
691 functions for the generic DCE-RPC layer. It's quite possible that
692 that code has similar problems!
694 The downgrade of a secure connection to an insecure one may
695 allow an attacker to take control of Active Directory object
696 handles created on a connection created from an Administrator
697 account and re-use them on the now non-privileged connection,
698 compromising the security of the Samba AD-DC.
702 There are several man in the middle attacks possible with
703 NTLMSSP authentication.
705 E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
706 can be cleared by a man in the middle.
708 This was by protocol design in earlier Windows versions.
710 Windows Server 2003 RTM and Vista RTM introduced a way
711 to protect against the trivial downgrade.
713 See MsvAvFlags and flag 0x00000002 in
714 https://msdn.microsoft.com/en-us/library/cc236646.aspx
716 This new feature also implies support for a mechlistMIC
717 when used within SPNEGO, which may prevent downgrades
718 from other SPNEGO mechs, e.g. Kerberos, if sign or
719 seal is finally negotiated.
721 The Samba implementation doesn't enforce the existence of
722 required flags, which were requested by the application layer,
723 e.g. LDAP or SMB1 encryption (via the unix extensions).
724 As a result a man in the middle can take over the connection.
725 It is also possible to misguide client and/or
726 server to send unencrypted traffic even if encryption
727 was explicitly requested.
729 LDAP (with NTLMSSP authentication) is used as a client
730 by various admin tools of the Samba project,
731 e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
733 As an active directory member server LDAP is also used
734 by the winbindd service when connecting to domain controllers.
736 Samba also offers an LDAP server when running as
737 active directory domain controller.
739 The NTLMSSP authentication used by the SMB1 encryption
740 is protected by smb signing, see CVE-2015-5296.
744 It's basically the same as CVE-2015-0005 for Windows:
746 The NETLOGON service in Microsoft Windows Server 2003 SP2,
747 Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
748 and R2, when a Domain Controller is configured, allows remote
749 attackers to spoof the computer name of a secure channel's
750 endpoint, and obtain sensitive session information, by running a
751 crafted application and leveraging the ability to sniff network
752 traffic, aka "NETLOGON Spoofing Vulnerability".
754 The vulnerability in Samba is worse as it doesn't require
755 credentials of a computer account in the domain.
757 This only applies to Samba running as classic primary domain controller,
758 classic backup domain controller or active directory domain controller.
760 The security patches introduce a new option called "raw NTLMv2 auth"
761 ("yes" or "no") for the [global] section in smb.conf.
762 Samba (the smbd process) will reject client using raw NTLMv2
763 without using NTLMSSP.
765 Note that this option also applies to Samba running as
766 standalone server and member server.
768 You should also consider using "lanman auth = no" (which is already the default)
769 and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
770 as they might impact compatibility with older clients. These also
771 apply for all server roles.
775 Samba uses various LDAP client libraries, a builtin one and/or the system
776 ldap libraries (typically openldap).
778 As active directory domain controller Samba also provides an LDAP server.
780 Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
781 for LDAP connections, including possible integrity (sign) and privacy (seal)
784 Samba has support for an option called "client ldap sasl wrapping" since version
785 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
787 Tools using the builtin LDAP client library do not obey the
788 "client ldap sasl wrapping" option. This applies to tools like:
789 "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
790 options like "--sign" and "--encrypt". With the security update they will
791 also obey the "client ldap sasl wrapping" option as default.
793 In all cases, even if explicitly request via "client ldap sasl wrapping",
794 "--sign" or "--encrypt", the protection can be downgraded by a man in the
797 The LDAP server doesn't have an option to enforce strong authentication
798 yet. The security patches will introduce a new option called
799 "ldap server require strong auth", possible values are "no",
800 "allow_sasl_over_tls" and "yes".
802 As the default behavior was as "no" before, you may
803 have to explicitly change this option until all clients have
804 been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
805 Windows clients and Samba member servers already use
806 integrity protection.
810 Samba has support for TLS/SSL for some protocols:
811 ldap and http, but currently certificates are not
812 validated at all. While we have a "tls cafile" option,
813 the configured certificate is not used to validate
814 the server certificate.
816 This applies to ldaps:// connections triggered by tools like:
817 "ldbsearch", "ldbedit" and more. Note that it only applies
818 to the ldb tools when they are built as part of Samba or with Samba
819 extensions installed, which means the Samba builtin LDAP client library is
822 It also applies to dcerpc client connections using ncacn_http (with https://),
823 which are only used by the openchange project. Support for ncacn_http
824 was introduced in version 4.2.0.
826 The security patches will introduce a new option called
827 "tls verify peer". Possible values are "no_check", "ca_only",
828 "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
830 If you use the self-signed certificates which are auto-generated
831 by Samba, you won't have a crl file and need to explicitly
832 set "tls verify peer = ca_and_name".
836 Due to a regression introduced in Samba 4.0.0,
837 an explicit "server signing = mandatory" in the [global] section
838 of the smb.conf was not enforced for clients using the SMB1 protocol.
840 As a result it does not enforce smb signing and allows man in the middle attacks.
842 This problem applies to all possible server roles:
843 standalone server, member server, classic primary domain controller,
844 classic backup domain controller and active directory domain controller.
846 In addition, when Samba is configured with "server role = active directory domain controller"
847 the effective default for the "server signing" option should be "mandatory".
849 During the early development of Samba 4 we had a new experimental
850 file server located under source4/smb_server. But before
851 the final 4.0.0 release we switched back to the file server
854 But the logic for the correct default of "server signing" was not
855 ported correctly ported.
857 Note that the default for server roles other than active directory domain
858 controller, is "off" because of performance reasons.
862 Samba has an option called "client signing", this is turned off by default
863 for performance reasons on file transfers.
865 This option is also used when using DCERPC with ncacn_np.
867 In order to get integrity protection for ipc related communication
868 by default the "client ipc signing" option is introduced.
869 The effective default for this new option is "mandatory".
871 In order to be compatible with more SMB server implementations,
872 the following additional options are introduced:
873 "client ipc min protocol" ("NT1" by default) and
874 "client ipc max protocol" (the highest support SMB2/3 dialect by default).
875 These options overwrite the "client min protocol" and "client max protocol"
876 options, because the default for "client max protocol" is still "NT1".
877 The reason for this is the fact that all SMB2/3 support SMB signing,
878 while there are still SMB1 implementations which don't offer SMB signing
879 by default (this includes Samba versions before 4.0.0).
881 Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
882 against active directory domain controllers despite of the
883 "client signing" and "client ipc signing" options.
885 o CVE-2016-2118 (a.k.a. BADLOCK):
887 The Security Account Manager Remote Protocol [MS-SAMR] and the
888 Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
889 are both vulnerable to man in the middle attacks. Both are application level
890 protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
892 These protocols are typically available on all Windows installations
893 as well as every Samba server. They are used to maintain
894 the Security Account Manager Database. This applies to all
895 roles, e.g. standalone, domain member, domain controller.
897 Any authenticated DCERPC connection a client initiates against a server
898 can be used by a man in the middle to impersonate the authenticated user
899 against the SAMR or LSAD service on the server.
901 The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
902 and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
903 in this case. A man in the middle can change auth level to CONNECT
904 (which means authentication without message protection) and take over
907 As a result, a man in the middle is able to get read/write access to the
908 Security Account Manager Database, which reveals all passwords
909 and any other potential sensitive information.
911 Samba running as an active directory domain controller is additionally
912 missing checks to enforce PKT_PRIVACY for the
913 Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
914 and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
915 The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
916 is not enforcing at least PKT_INTEGRITY.
922 allow dcerpc auth level connect (G)
924 This option controls whether DCERPC services are allowed to be used with
925 DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
926 message integrity nor privacy protection.
928 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
929 of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
931 The behavior can be overwritten per interface name (e.g. lsarpc,
932 netlogon, samr, srvsvc, winreg, wkssvc ...) by using
933 'allow dcerpc auth level connect:interface = yes' as option.
935 This option yields precedence to the implementation specific restrictions.
936 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
937 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
939 Default: allow dcerpc auth level connect = no
941 Example: allow dcerpc auth level connect = yes
943 client ipc signing (G)
945 This controls whether the client is allowed or required to use
946 SMB signing for IPC$ connections as DCERPC transport. Possible
947 values are auto, mandatory and disabled.
949 When set to mandatory or default, SMB signing is required.
951 When set to auto, SMB signing is offered, but not enforced and
952 if set to disabled, SMB signing is not offered either.
954 Connections from winbindd to Active Directory Domain Controllers
955 always enforce signing.
957 Default: client ipc signing = default
959 client ipc max protocol (G)
961 The value of the parameter (a string) is the highest protocol level that will
962 be supported for IPC$ connections as DCERPC transport.
964 Normally this option should not be set as the automatic negotiation phase
965 in the SMB protocol takes care of choosing the appropriate protocol.
967 The value default refers to the latest supported protocol, currently SMB3_11.
969 See client max protocol for a full list of available protocols.
970 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
972 Default: client ipc max protocol = default
974 Example: client ipc max protocol = SMB2_10
976 client ipc min protocol (G)
978 This setting controls the minimum protocol version that the will be
979 attempted to use for IPC$ connections as DCERPC transport.
981 Normally this option should not be set as the automatic negotiation phase
982 in the SMB protocol takes care of choosing the appropriate protocol.
984 The value default refers to the higher value of NT1 and the
985 effective value of "client min protocol".
987 See client max protocol for a full list of available protocols.
988 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
990 Default: client ipc min protocol = default
992 Example: client ipc min protocol = SMB3_11
994 ldap server require strong auth (G)
996 The ldap server require strong auth defines whether the
997 ldap server requires ldap traffic to be signed or
998 signed and encrypted (sealed). Possible values are no,
999 allow_sasl_over_tls and yes.
1001 A value of no allows simple and sasl binds over all transports.
1003 A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
1004 over TLS encrypted connections. Unencrypted connections only
1005 allow sasl binds with sign or seal.
1007 A value of yes allows only simple binds over TLS encrypted connections.
1008 Unencrypted connections only allow sasl binds with sign or seal.
1010 Default: ldap server require strong auth = yes
1014 This parameter determines whether or not smbd(8) will allow SMB1 clients
1015 without extended security (without SPNEGO) to use NTLMv2 authentication.
1017 If this option, lanman auth and ntlm auth are all disabled, then only
1018 clients with SPNEGO support will be permitted. That means NTLMv2 is only
1019 supported within NTLMSSP.
1021 Default: raw NTLMv2 auth = no
1025 This controls if and how strict the client will verify the peer's
1026 certificate and name. Possible values are (in increasing order): no_check,
1027 ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
1029 When set to no_check the certificate is not verified at all,
1030 which allows trivial man in the middle attacks.
1032 When set to ca_only the certificate is verified to be signed from a ca
1033 specified in the "tls ca file" option. Setting "tls ca file" to a valid file
1034 is required. The certificate lifetime is also verified. If the "tls crl file"
1035 option is configured, the certificate is also verified against
1038 When set to ca_and_name_if_available all checks from ca_only are performed.
1039 In addition, the peer hostname is verified against the certificate's
1040 name, if it is provided by the application layer and not given as
1041 an ip address string.
1043 When set to ca_and_name all checks from ca_and_name_if_available are performed.
1044 In addition the peer hostname needs to be provided and even an ip
1045 address is checked against the certificate's name.
1047 When set to as_strict_as_possible all checks from ca_and_name are performed.
1048 In addition the "tls crl file" needs to be configured. Future versions
1049 of Samba may implement additional checks.
1051 Default: tls verify peer = as_strict_as_possible
1053 tls priority (G) (backported from Samba 4.3 to Samba 4.2)
1055 This option can be set to a string describing the TLS protocols to be
1056 supported in the parts of Samba that use GnuTLS, specifically the AD DC.
1058 The default turns off SSLv3, as this protocol is no longer considered
1059 secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
1060 in HTTPS applications.
1062 The valid options are described in the GNUTLS Priority-Strings
1063 documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
1065 Default: tls priority = NORMAL:-VERS-SSL3.0
1071 o The default auth level for authenticated binds has changed from
1072 DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
1073 That means ncacn_ip_tcp:server is now implicitly the same
1074 as ncacn_ip_tcp:server[sign] and offers a similar protection
1075 as ncacn_np:server, which relies on smb signing.
1077 o The following constraints are applied to SMB1 connections:
1079 - "client lanman auth = yes" is now consistently
1080 required for authenticated connections using the
1081 SMB1 LANMAN2 dialect.
1082 - "client ntlmv2 auth = yes" and "client use spnego = yes"
1083 (both the default values), require extended security (SPNEGO)
1084 support from the server. That means NTLMv2 is only used within
1087 o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
1088 default of "client ldap sasl wrapping = sign". Even with
1089 "client ldap sasl wrapping = plain" they will automatically upgrade
1090 to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
1093 Changes since 4.4.0:
1094 ====================
1096 o Jeremy Allison <jra@samba.org>
1097 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
1099 o Christian Ambach <ambi@samba.org>
1100 * Bug 11804 - prerequisite backports for the security release on
1103 o Ralph Boehme <slow@samba.org>
1104 * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
1105 integrity protection.
1107 o Günther Deschner <gd@samba.org>
1108 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
1110 * Bug 11804 - prerequisite backports for the security release on
1113 o Volker Lendecke <vl@samba.org>
1114 * Bug 11804 - prerequisite backports for the security release on
1117 o Stefan Metzmacher <metze@samba.org>
1118 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
1120 * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
1122 * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
1123 integrity protection.
1125 * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
1127 * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
1129 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
1131 * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
1134 * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
1135 integrity protected.
1137 * Bug 11804 - prerequisite backports for the security release on
1141 #######################################
1142 Reporting bugs & Development Discussion
1143 #######################################
1145 Please discuss this release on the samba-technical mailing list or by
1146 joining the #samba-technical IRC channel on irc.freenode.net.
1148 If you do report problems then please try to send high quality
1149 feedback. If you don't provide vital information to help us track down
1150 the problem then you will probably be ignored. All bug reports should
1151 be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
1152 database (https://bugzilla.samba.org/).
1155 ======================================================================
1156 == Our Code, Our Bugs, Our Responsibility.
1158 ======================================================================
1161 ----------------------------------------------------------------------
1164 =============================
1165 Release Notes for Samba 4.4.0
1167 =============================
1170 This is the first stable release of the Samba 4.4 release series.
1179 NEW FEATURES/CHANGES
1180 ====================
1182 Asynchronous flush requests
1183 ---------------------------
1185 Flush requests from SMB2/3 clients are handled asynchronously and do
1186 not block the processing of other requests. Note that 'strict sync'
1187 has to be set to 'yes' for Samba to honor flush requests from SMB
1193 Remove '--with-aio-support' configure option. We no longer would ever prefer
1194 POSIX-RT aio, use pthread_aio instead.
1199 The 'samba-tool sites' subcommand can now be run against another server by
1200 specifying an LDB URL using the '-H' option and not against the local database
1201 only (which is still the default when no URL is given).
1203 samba-tool domain demote
1204 ------------------------
1206 Add '--remove-other-dead-server' option to 'samba-tool domain demote'
1207 subcommand. The new version of this tool now can remove another DC that is
1208 itself offline. The '--remove-other-dead-server' removes as many references
1209 to the DC as possible.
1211 samba-tool drs clone-dc-database
1212 --------------------------------
1214 Replicate an initial clone of domain, but do not join it.
1215 This is developed for debugging purposes, but not for setting up another DC.
1220 Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
1221 hexstring. 'pdbedit -vw' shows also password hashes.
1226 'smbstatus' was enhanced to show the state of signing and encryption for
1227 sessions and shares.
1231 The -u and -p options for user and password were replaced by the -U option that
1232 accepts username[%password] as in many other tools of the Samba suite.
1233 Similary, smbgetrc files do not accept username and password options any more,
1234 only a single "user" option which also accepts user%password combinations.
1235 The -P option was removed.
1240 Add a GnuTLS based backupkey implementation.
1245 Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
1248 Allow '--password' force a local password check for ntlm-server-1 mode.
1253 A new VFS module called vfs_offline has been added to mark all files in the
1254 share as offline. It can be useful for shares mounted on top of a remote file
1255 system (either through a samba VFS module or via FUSE).
1260 The Samba KCC has been improved, but is still disabled by default.
1265 There were several improvements concerning the Samba DNS server.
1270 There were some improvements in the Active Directory area.
1272 WINS nsswitch module
1273 --------------------
1275 The WINS nsswitch module has been rewritten to address memory issues and to
1276 simplify the code. The module now uses libwbclient to do WINS queries. This
1277 means that winbind needs to be running in order to resolve WINS names using
1278 the nss_wins module. This does not affect smbd.
1283 * CTDB now uses a newly implemented parallel database recovery scheme
1284 that avoids deadlocks with smbd.
1286 In certain circumstances CTDB and smbd could deadlock. The new
1287 recovery implementation avoid this. It also provides improved
1288 recovery performance.
1290 * All files are now installed into and referred to by the paths
1291 configured at build time. Therefore, CTDB will now work properly
1292 when installed into the default location at /usr/local.
1294 * Public CTDB header files are no longer installed, since Samba and
1295 CTDB are built from within the same source tree.
1297 * CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
1299 This will cause volatile TDBs to be located in a tmpfs. This can
1300 help to avoid performance problems associated with contention on the
1301 disk where volatile TDBs are usually stored. See ctdbd.conf(5) for
1304 * Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
1305 Instead, nodes should be annotated with the "slave-only" option in
1306 the CTDB NAT gateway nodes file. This file must be consistent
1307 across nodes in a NAT gateway group. See ctdbd.conf(5) for more
1310 * New event script 05.system allows various system resources to be
1313 This can be helpful for explaining poor performance or unexpected
1314 behaviour. New configuration variables are
1315 CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
1316 CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be
1317 logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in
1318 ctdbd.conf(5) for more information.
1320 The memory, swap and filesystem usage monitoring previously found in
1321 00.ctdb and 40.fs_use is no longer available. Therefore,
1322 configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
1323 CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
1326 * The 62.cnfs eventscript has been removed. To get a similar effect
1327 just do something like this:
1329 mmaddcallback ctdb-disable-on-quorumLoss \
1330 --command /usr/bin/ctdb \
1331 --event quorumLoss --parms "disable"
1333 mmaddcallback ctdb-enable-on-quorumReached \
1334 --command /usr/bin/ctdb \
1335 --event quorumReached --parms "enable"
1337 * The CTDB tunable parameter EventScriptTimeoutCount has been renamed
1338 to MonitorTimeoutCount
1340 It has only ever been used to limit timed-out monitor events.
1342 Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
1343 cause CTDB to fail at startup. Useful messages will be logged.
1345 * The commandline option "-n all" to CTDB tool has been removed.
1347 The option was not uniformly implemented for all the commands.
1348 Instead of command "ctdb ip -n all", use "ctdb ip all".
1350 * All CTDB current manual pages are now correctly installed
1353 EXPERIMENTAL FEATURES
1354 =====================
1359 Samba 4.4.0 adds *experimental* support for SMB3 Multi-Channel.
1360 Multi-Channel is an SMB3 protocol feature that allows the client
1361 to bind multiple transport connections into one authenticated
1362 SMB session. This allows for increased fault tolerance and
1363 throughput. The client chooses transport connections as reported
1364 by the server and also chooses over which of the bound transport
1365 connections to send traffic. I/O operations for a given file
1366 handle can span multiple network connections this way.
1367 An SMB multi-channel session will be valid as long as at least
1368 one of its channels are up.
1370 In Samba, multi-channel can be enabled by setting the new
1371 smb.conf option "server multi channel support" to "yes".
1372 It is disabled by default.
1374 Samba has to report interface speeds and some capabilities to
1375 the client. On Linux, Samba can auto-detect the speed of an
1376 interface. But to support other platforms, and in order to be
1377 able to manually override the detected values, the "interfaces"
1378 smb.conf option has been given an extended syntax, by which an
1379 interface specification can additionally carry speed and
1380 capability information. The extended syntax looks like this
1381 for setting the speed to 1 gigabit per second:
1383 interfaces = 192.168.1.42;speed=1000000000
1385 This extension should be used with care and are mainly intended
1386 for testing. See the smb.conf manual page for details.
1388 CAVEAT: While this should be working without problems mostly,
1389 there are still corner cases in the treatment of channel failures
1390 that may result in DATA CORRUPTION when these race conditions hit.
1393 NOT RECOMMENDED TO USE MULTI-CHANNEL IN PRODUCTION
1395 at this stage. This situation can be expected to improve during
1396 the life-time of the 4.4 release. Feed-back from test-setups is
1406 Several public headers are not installed any longer. They are made for internal
1407 use only. More public headers will very likely be removed in future releases.
1409 The following headers are not installed any longer:
1410 dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
1411 gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
1412 gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
1413 ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
1414 smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
1415 smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
1416 smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
1417 smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
1418 torture.h, tstream_smbXcli_np.h.
1420 vfs_smb_traffic_analyzer
1421 ------------------------
1423 The SMB traffic analyzer VFS module has been removed, because it is not
1424 maintained any longer and not widely used.
1429 The scannedonly VFS module has been removed, because it is not maintained
1435 Parameter Name Description Default
1436 -------------- ----------- -------
1437 aio max threads New 100
1438 ldap page size Changed default 1000
1439 server multi channel support New No
1440 interfaces Extended syntax
1449 CHANGES SINCE 4.4.0rc5
1450 ======================
1452 o Michael Adam <obnox@samba.org>
1453 * BUG 11796: smbd: Enable multi-channel if 'server multi channel support =
1456 o Günther Deschner <gd@samba.org>
1457 * BUG 11802: lib/socket/interfaces: Fix some uninitialied bytes.
1459 o Uri Simchoni <uri@samba.org>
1460 * BUG 11798: build: Fix build when '--without-quota' specified.
1463 CHANGES SINCE 4.4.0rc4
1464 ======================
1466 o Andrew Bartlett <abartlet@samba.org>
1467 * BUG 11780: mkdir can return ACCESS_DENIED incorrectly on create race.
1468 * BUG 11783: Mismatch between local and remote attribute ids lets
1469 replication fail with custom schema.
1470 * BUG 11789: Talloc: Version 2.1.6.
1472 o Ira Cooper <ira@samba.org>
1473 * BUG 11774: vfs_glusterfs: Fix use after free in AIO callback.
1475 o Günther Deschner <gd@samba.org>
1476 * BUG 11755: Fix net join.
1478 o Amitay Isaacs <amitay@gmail.com>
1479 * BUG 11770: Reset TCP Connections during IP failover.
1481 o Justin Maggard <jmaggard10@gmail.com>
1482 * BUG 11773: s3:smbd: Add negprot remote arch detection for OSX.
1484 o Stefan Metzmacher <metze@samba.org>
1485 * BUG 11772: ldb: Version 1.1.26.
1486 * BUG 11782: "trustdom_list_done: Got invalid trustdom response" message
1489 o Uri Simchoni <uri@samba.org>
1490 * BUG 11769: libnet: Make Kerberos domain join site-aware.
1491 * BUG 11788: Quota is not supported on Solaris 10.
1494 CHANGES SINCE 4.4.0rc3
1495 ======================
1497 o Jeremy Allison <jra@samba.org>
1498 * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
1499 change permissions on link target.
1501 o Christian Ambach <ambi@samba.org>
1502 * BUG 11767: s3:utils/smbget: Fix option parsing.
1504 o Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>
1505 * BUG 8093: Access based share enum: handle permission set in configuration
1508 o Stefan Metzmacher <metze@samba.org>
1509 * BUG 11702: s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap().
1510 * BUG 11742: tevent: version 0.9.28: Fix memory leak when old signal action
1512 * BUG 11755: s3:libads: setup the msDS-SupportedEncryptionTypes attribute on
1514 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
1517 o Garming Sam <garming@catalyst.net.nz>
1518 * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
1521 o Uri Simchoni <uri@samba.org>
1522 * BUG 11691: winbindd: Return trust parameters when listing trusts.
1523 * BUG 11753: smbd: Ignore SVHDX create context.
1524 * BUG 11763: passdb: Add linefeed to debug message.
1527 CHANGES SINCE 4.4.0rc2
1528 ======================
1530 o Michael Adam <obnox@samba.org>
1531 * BUG 11723: lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN.
1532 * BUG 11735: lib:socket: Fix CID 1350009: Fix illegal memory accesses
1533 (BUFFER_SIZE_WARNING).
1535 o Jeremy Allison <jra@samba.org>
1536 * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
1537 filesystem with no ACL support.
1539 o Christian Ambach <ambi@samba.org>
1540 * BUG 11700: s3:utils/smbget: Set default blocksize.
1542 o Anoop C S <anoopcs@redhat.com>
1543 * BUG 11734: lib/socket: Fix improper use of default interface speed.
1545 o Ralph Boehme <slow@samba.org>
1546 * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.
1548 o Volker Lendecke <vl@samba.org>
1549 * BUG 11724: smbd: Fix CID 1351215 Improper use of negative value.
1550 * BUG 11725: smbd: Fix CID 1351216 Dereference null return value.
1551 * BUG 11732: param: Fix str_list_v3 to accept ; again.
1553 o Noel Power <noel.power@suse.com>
1554 * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.
1556 o Jose A. Rivera <jarrpa@samba.org>
1557 * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
1558 creating a new file.
1560 o Andreas Schneider <asn@samba.org>
1561 * BUG 11730: docs: Add manpage for cifsdd.
1562 * BUG 11739: Fix installation path of Samba helper binaries.
1564 o Berend De Schouwer <berend.de.schouwer@gmail.com>
1565 * BUG 11643: docs: Add example for domain logins to smbspool man page.
1567 o Martin Schwenke <martin@meltin.net>
1568 * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."
1570 o Hemanth Thummala <hemanth.thummala@nutanix.com>
1571 * BUG 11708: loadparm: Fix memory leak issue.
1572 * BUG 11740: Fix memory leak in loadparm.
1575 CHANGES SINCE 4.4.0rc1
1576 ======================
1578 o Michael Adam <obnox@samba.org>
1579 * BUG 11715: s3:vfs:glusterfs: Fix build after quota changes.
1581 o Jeremy Allison <jra@samba.org>
1582 * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
1584 o Christian Ambach <ambi@samba.org>
1585 * BUG 11700: Streamline 'smbget' options with the rest of the Samba utils.
1587 o Günther Deschner <gd@samba.org>
1588 * BUG 11696: ctdb: Do not provide a useless pkgconfig file for ctdb.
1590 o Stefan Metzmacher <metze@samba.org>
1591 * BUG 11699: Crypto.Cipher.ARC4 is not available on some platforms, fallback
1592 to M2Crypto.RC4.RC4 then.
1594 o Amitay Isaacs <amitay@gmail.com>
1595 * BUG 11705: Sockets with htons(IPPROTO_RAW) and CVE-2015-8543.
1597 o Andreas Schneider <asn@samba.org>
1598 * BUG 11690: docs: Add smbspool_krb5_wrapper manpage.
1600 o Uri Simchoni <uri@samba.org>
1601 * BUG 11681: smbd: Show correct disk size for different quota and dfree block
1605 #######################################
1606 Reporting bugs & Development Discussion
1607 #######################################
1609 Please discuss this release on the samba-technical mailing list or by
1610 joining the #samba-technical IRC channel on irc.freenode.net.
1612 If you do report problems then please try to send high quality
1613 feedback. If you don't provide vital information to help us track down
1614 the problem then you will probably be ignored. All bug reports should
1615 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1616 database (https://bugzilla.samba.org/).
1619 ======================================================================
1620 == Our Code, Our Bugs, Our Responsibility.
1622 ======================================================================