1 ==============================
2 Release Notes for Samba 4.13.2
4 ==============================
7 This is the latest stable release of the Samba 4.13 release series.
9 Major enhancements include:
10 o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
11 o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
19 The GlusterFS write-behind performance translator, when used with Samba, could
20 be a source of data corruption. The translator, while processing a write call,
21 immediately returns success but continues writing the data to the server in the
22 background. This can cause data corruption when two clients relying on Samba to
23 provide data consistency are operating on the same file.
25 The write-behind translator is enabled by default on GlusterFS.
26 The vfs_glusterfs plugin will check for the presence of the translator and
27 refuse to connect if detected. Please disable the write-behind translator for
28 the GlusterFS volume to allow the plugin to connect to the volume.
34 o Jeremy Allison <jra@samba.org>
35 * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
36 **lines onto mem_ctx on return.
38 o Ralph Boehme <slow@samba.org>
39 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
41 o Alexander Bokovoy <ab@samba.org>
42 * BUG 14538: smb.conf.5: Add clarification how configuration changes
44 * BUG 14552: daemons: Report status to systemd even when running in
46 * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
48 o Günther Deschner <gd@samba.org>
49 * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
52 o Amitay Isaacs <amitay@gmail.com>
53 * BUG 14487: provision: Add support for BIND 9.16.x.
54 * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
55 * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
57 o Björn Jacke <bjacke@samba.org>
58 * BUG 14522: docs: Fix default value of spoolss:architecture.
60 o Laurent Menase <laurent.menase@hpe.com>
61 * BUG 14388: winbind: Fix a memleak.
63 o Stefan Metzmacher <metze@samba.org>
64 * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
66 o Sachin Prabhu <sprabhu@redhat.com>
67 * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
70 o Khem Raj <raj.khem@gmail.com>
71 * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
73 o Anoop C S <anoopcs@samba.org>
74 * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
76 o Andreas Schneider <asn@samba.org>
77 * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
78 * BUG 14550: examples:auth: Do not install example plugin.
80 o Martin Schwenke <martin@meltin.net>
81 * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
83 o Andrew Walker <awalker@ixsystems.com>
84 * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
87 #######################################
88 Reporting bugs & Development Discussion
89 #######################################
91 Please discuss this release on the samba-technical mailing list or by
92 joining the #samba-technical IRC channel on irc.freenode.net.
94 If you do report problems then please try to send high quality
95 feedback. If you don't provide vital information to help us track down
96 the problem then you will probably be ignored. All bug reports should
97 be filed under the Samba 4.1 and newer product in the project's Bugzilla
98 database (https://bugzilla.samba.org/).
101 ======================================================================
102 == Our Code, Our Bugs, Our Responsibility.
104 ======================================================================
107 Release notes for older releases follow:
108 ----------------------------------------
110 ==============================
111 Release Notes for Samba 4.13.1
113 ==============================
116 This is a security release in order to address the following defects:
118 o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
119 o CVE-2020-14323: Unprivileged user can crash winbind.
120 o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
129 The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
130 request file name notification on a directory handle when a condition such as
131 "new file creation" or "file size change" or "file timestamp update" occurs.
133 A missing permissions check on a directory handle requesting ChangeNotify
134 meant that a client with a directory handle open only for
135 FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
136 notify replies from the server. These replies contain information that should
137 not be available to directory handles open for FILE_READ_ATTRIBUTE only.
140 winbind in version 3.6 and later implements a request to translate multiple
141 Windows SIDs into names in one request. This was done for performance
142 reasons: The Microsoft RPC call domain controllers offer to do this
143 translation, so it was an obvious extension to also offer this batch
144 operation on the winbind unix domain stream socket that is available to local
145 processes on the Samba server.
147 Due to improper input validation a hand-crafted packet can make winbind
148 perform a NULL pointer dereference and thus crash.
151 Some DNS records (such as MX and NS records) usually contain data in the
152 additional section. Samba's dnsserver RPC pipe (which is an administrative
153 interface not used in the DNS server itself) made an error in handling the
154 case where there are no records present: instead of noticing the lack of
155 records, it dereferenced uninitialised memory, causing the RPC server to
156 crash. This RPC server, which also serves protocols other than dnsserver,
157 will be restarted after a short delay, but it is easy for an authenticated
158 non-admin attacker to crash it again as soon as it returns. The Samba DNS
159 server itself will continue to operate, but many RPC services will not.
161 For more details, please refer to the security advisories.
167 o Jeremy Allison <jra@samba.org>
168 * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
169 unless the directory handle is open for SEC_DIR_LIST.
171 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
172 * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
174 * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
176 o Volker Lendecke <vl@samba.org>
177 * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
180 #######################################
181 Reporting bugs & Development Discussion
182 #######################################
184 Please discuss this release on the samba-technical mailing list or by
185 joining the #samba-technical IRC channel on irc.freenode.net.
187 If you do report problems then please try to send high quality
188 feedback. If you don't provide vital information to help us track down
189 the problem then you will probably be ignored. All bug reports should
190 be filed under the Samba 4.1 and newer product in the project's Bugzilla
191 database (https://bugzilla.samba.org/).
194 ======================================================================
195 == Our Code, Our Bugs, Our Responsibility.
197 ======================================================================
200 ----------------------------------------------------------------------
203 ==============================
204 Release Notes for Samba 4.13.0
206 ==============================
209 This is the first stable release of the Samba 4.13 release series.
210 Please read the release notes carefully before upgrading.
216 Please avoid to set "server schannel = no" and "server schannel= auto" on all
217 Samba domain controllers due to the wellknown ZeroLogon issue.
219 For details please see
220 https://www.samba.org/samba/security/CVE-2020-1472.html.
226 Python 3.6 or later required
227 ----------------------------
229 Samba's minimum runtime requirement for python was raised to Python
230 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
231 3.6 both to access new features and because this is the oldest version
232 we test with in our CI infrastructure.
234 This is also the last release where it will be possible to build Samba
235 (just the file server) with Python versions 2.6 and 2.7.
237 As Python 2.7 has been End Of Life upstream since April 2020, Samba
238 is dropping ALL Python 2.x support in the NEXT release.
240 Samba 4.14 to be released in March 2021 will require Python 3.6 or
243 wide links functionality
244 ------------------------
246 For this release, the code implementing the insecure "wide links = yes"
247 functionality has been moved out of the core smbd code and into a separate
248 VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
249 by smbd as the last but one module before vfs_default if "wide links = yes"
250 is enabled on the share (note, the existing restrictions on enabling wide
251 links around the SMB1 "unix extensions" and the "allow insecure wide links"
252 parameters are still in force). The implicit loading was done to allow
253 existing users of "wide links = yes" to keep this functionality without
254 having to make a change to existing working smb.conf files.
256 Please note that the Samba developers recommend changing any Samba
257 installations that currently use "wide links = yes" to use bind mounts
258 as soon as possible, as "wide links = yes" is an inherently insecure
259 configuration which we would like to remove from Samba. Moving the
260 feature into a VFS module allows this to be done in a cleaner way
263 A future release to be determined will remove this implicit linkage,
264 causing administrators who need this functionality to have to explicitly
265 add the vfs_widelinks module into the "vfs objects =" parameter lists.
266 The release notes will be updated to note this change when it occurs.
268 NT4-like 'classic' Samba domain controllers
269 -------------------------------------------
271 Samba 4.13 deprecates Samba's original domain controller mode.
273 Sites using Samba as a Domain Controller should upgrade from the
274 NT4-like 'classic' Domain Controller to a Samba Active Directory DC
275 to ensure full operation with modern windows clients.
277 SMBv1 only protocol options deprecated
278 --------------------------------------
280 A number of smb.conf parameters for less-secure authentication methods
281 which are only possible over SMBv1 are deprecated in this release.
287 The deprecated "ldap ssl ads" smb.conf option has been removed.
293 Parameter Name Description Default
294 -------------- ----------- -------
296 smb2 disable lock sequence checking Added No
297 smb2 disable oplock break retry Added No
298 domain logons Deprecated no
299 raw NTLMv2 auth Deprecated no
300 client plaintext auth Deprecated no
301 client NTLMv2 auth Deprecated yes
302 client lanman auth Deprecated no
303 client use spnego Deprecated yes
304 server require schannel:COMPUTER Added
307 CHANGES SINCE 4.13.0rc5
308 =======================
310 o Jeremy Allison <jra@samba.org>
311 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
312 netr_ServerPasswordSet2 against unencrypted passwords.
314 o Günther Deschner <gd@samba.org>
315 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
316 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
318 o Gary Lockyer <gary@catalyst.net.nz>
319 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
322 o Stefan Metzmacher <metze@samba.org>
323 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
324 challenges in netlogon_creds_server_init()
325 "server require schannel:WORKSTATION$ = no".
328 CHANGES SINCE 4.13.0rc4
329 =======================
331 o Andreas Schneider <asn@samba.org>
332 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
334 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
335 * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
338 o Stefan Metzmacher <metze@samba.org>
339 * BUG 14482: Fix build problem if libbsd-dev is not installed.
342 CHANGES SINCE 4.13.0rc3
343 =======================
345 o David Disseldorp <ddiss@samba.org>
346 * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
348 o Volker Lendecke <vl@samba.org>
349 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
352 o Stefan Metzmacher <metze@samba.org>
353 * BUG 14428: PANIC: Assert failed in get_lease_type().
354 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
358 CHANGES SINCE 4.13.0rc2
359 =======================
361 o Andrew Bartlett <abartlet@samba.org>
362 * BUG 14460: Deprecate domain logons, SMBv1 things.
364 o Günther Deschner <gd@samba.org>
365 * BUG 14318: docs: Add missing winexe manpage.
367 o Christof Schmitt <cs@samba.org>
368 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
370 o Martin Schwenke <martin@meltin.net>
371 * BUG 14466: ctdb disable/enable can fail due to race condition.
374 CHANGES SINCE 4.13.0rc1
375 =======================
377 o Andrew Bartlett <abartlet@samba.org>
378 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
380 o Isaac Boukris <iboukris@gmail.com>
381 * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
383 o Volker Lendecke <vl@samba.org>
384 * BUG 14435: winbind: Fix lookuprids cache problem.
386 o Stefan Metzmacher <metze@samba.org>
387 * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
390 o Andreas Schneider <asn@samba.org>
391 * BUG 14358: docs: Fix documentation for require_membership_of of
394 o Martin Schwenke <martin@meltin.net>
395 * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
402 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
405 #######################################
406 Reporting bugs & Development Discussion
407 #######################################
409 Please discuss this release on the samba-technical mailing list or by
410 joining the #samba-technical IRC channel on irc.freenode.net.
412 If you do report problems then please try to send high quality
413 feedback. If you don't provide vital information to help us track down
414 the problem then you will probably be ignored. All bug reports should
415 be filed under the Samba 4.1 and newer product in the project's Bugzilla
416 database (https://bugzilla.samba.org/).
419 ======================================================================
420 == Our Code, Our Bugs, Our Responsibility.
422 ======================================================================