1 ===============================
2 Release Notes for Samba 4.17.11
4 ===============================
7 This is the latest stable release of the Samba 4.17 release series.
13 o Jeremy Allison <jra@samba.org>
14 * BUG 15419: Weird filename can cause assert to fail in
15 openat_pathref_fsp_nosymlink().
16 * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
18 * BUG 15430: Missing return in reply_exit_done().
19 * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
22 o Andrew Bartlett <abartlet@samba.org>
23 * BUG 15401: Improve GetNChanges to address some (but not all "Azure AD
24 Connect") syncronisation tool looping during the initial user sync phase.
25 * BUG 15407: Samba replication logs show (null) DN.
26 * BUG 9959: Windows client join fails if a second container CN=System exists
29 o Ralph Boehme <slow@samba.org>
30 * BUG 15342: Spotlight sometimes returns no results on latest macOS.
31 * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
32 attempted to remove the destination.
33 * BUG 15427: Spotlight results return wrong date in result list.
34 * BUG 15463: macOS mdfind returns only 50 results.
36 o Volker Lendecke <vl@samba.org>
37 * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
40 o Stefan Metzmacher <metze@samba.org>
41 * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
43 * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
44 * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
46 o MikeLiu <mikeliu@qnap.com>
47 * BUG 15453: File doesn't show when user doesn't have permission if
48 aio_pthread is loaded.
50 o Noel Power <noel.power@suse.com>
51 * BUG 15384: net ads lookup (with unspecified realm) fails
52 * BUG 15435: Regression DFS not working with widelinks = true.
54 o Arvid Requate <requate@univention.de>
55 * BUG 9959: Windows client join fails if a second container CN=System exists
58 o Martin Schwenke <mschwenke@ddn.com>
59 * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
62 o Jones Syue <jonessyue@qnap.com>
63 * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
64 * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
67 #######################################
68 Reporting bugs & Development Discussion
69 #######################################
71 Please discuss this release on the samba-technical mailing list or by
72 joining the #samba-technical:matrix.org matrix room, or
73 #samba-technical IRC channel on irc.libera.chat.
75 If you do report problems then please try to send high quality
76 feedback. If you don't provide vital information to help us track down
77 the problem then you will probably be ignored. All bug reports should
78 be filed under the Samba 4.1 and newer product in the project's Bugzilla
79 database (https://bugzilla.samba.org/).
82 ======================================================================
83 == Our Code, Our Bugs, Our Responsibility.
85 ======================================================================
88 Release notes for older releases follow:
89 ----------------------------------------
90 ===============================
91 Release Notes for Samba 4.17.10
93 ===============================
96 This is a security release in order to address the following defects:
98 o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
99 crafted request can trigger an out-of-bounds read in winbind
100 and possibly crash it.
101 https://www.samba.org/samba/security/CVE-2022-2127.html
103 o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
104 "server signing = required" or for SMB2 connections to Domain
105 Controllers where SMB2 packet signing is mandatory.
106 https://www.samba.org/samba/security/CVE-2023-3347.html
108 o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
109 Spotlight can be triggered by an unauthenticated attacker by
110 issuing a malformed RPC request.
111 https://www.samba.org/samba/security/CVE-2023-34966.html
113 o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
114 Spotlight can be used by an unauthenticated attacker to
115 trigger a process crash in a shared RPC mdssvc worker process.
116 https://www.samba.org/samba/security/CVE-2023-34967.html
118 o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
119 side absolute path of shares and files and directories in
121 https://www.samba.org/samba/security/CVE-2023-34968.html
127 o Ralph Boehme <slow@samba.org>
128 * BUG 15072: CVE-2022-2127.
129 * BUG 15340: CVE-2023-34966.
130 * BUG 15341: CVE-2023-34967.
131 * BUG 15388: CVE-2023-34968.
132 * BUG 15397: CVE-2023-3347.
134 o Volker Lendecke <vl@samba.org>
135 * BUG 15072: CVE-2022-2127.
137 o Stefan Metzmacher <metze@samba.org>
138 * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
141 #######################################
142 Reporting bugs & Development Discussion
143 #######################################
145 Please discuss this release on the samba-technical mailing list or by
146 joining the #samba-technical:matrix.org matrix room, or
147 #samba-technical IRC channel on irc.libera.chat.
149 If you do report problems then please try to send high quality
150 feedback. If you don't provide vital information to help us track down
151 the problem then you will probably be ignored. All bug reports should
152 be filed under the Samba 4.1 and newer product in the project's Bugzilla
153 database (https://bugzilla.samba.org/).
156 ======================================================================
157 == Our Code, Our Bugs, Our Responsibility.
159 ======================================================================
162 ----------------------------------------------------------------------
163 ==============================
164 Release Notes for Samba 4.17.9
166 ==============================
169 This is the latest stable release of the Samba 4.17 release series.
175 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
176 * BUG 15404: Backport --pidl-developer fixes.
178 o Ralph Boehme <slow@samba.org>
179 * BUG 15275: smbd_scavenger crashes when service smbd is stopped.
180 * BUG 15378: vfs_fruit might cause a failing open for delete.
182 o Samuel Cabrero <scabrero@samba.org>
183 * BUG 14030: named crashes on DLZ zone update.
185 o Volker Lendecke <vl@samba.org>
186 * BUG 15361: winbind recurses into itself via rpcd_lsad.
187 * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
188 * BUG 15391: smbclient leaks fds with showacls.
190 o Stefan Metzmacher <metze@samba.org>
191 * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
193 * BUG 15413: winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR.
195 o Jones Syue <jonessyue@qnap.com>
196 * BUG 15403: smbget memory leak if failed to download files recursively.
199 #######################################
200 Reporting bugs & Development Discussion
201 #######################################
203 Please discuss this release on the samba-technical mailing list or by
204 joining the #samba-technical:matrix.org matrix room, or
205 #samba-technical IRC channel on irc.libera.chat.
207 If you do report problems then please try to send high quality
208 feedback. If you don't provide vital information to help us track down
209 the problem then you will probably be ignored. All bug reports should
210 be filed under the Samba 4.1 and newer product in the project's Bugzilla
211 database (https://bugzilla.samba.org/).
214 ======================================================================
215 == Our Code, Our Bugs, Our Responsibility.
217 ======================================================================
220 ----------------------------------------------------------------------
221 ==============================
222 Release Notes for Samba 4.17.8
224 ==============================
227 This is the latest stable release of the Samba 4.17 release series.
233 o Jeremy Allison <jra@samba.org>
234 * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied:
235 message level should be lower.
236 * BUG 15306: Floating point exception (FPE) via cli_pull_send at
237 source3/libsmb/clireadwrite.c.
239 o Andrew Bartlett <abartlet@samba.org>
240 * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
241 Rackspace GitLab runners.
242 * BUG 15329: Reduce flapping of ridalloc test.
243 * BUG 15351: large_ldap test is unreliable.
245 o Ralph Boehme <slow@samba.org>
246 * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
247 * BUG 15354: mdssvc may crash when initializing.
249 o Volker Lendecke <vl@samba.org>
250 * BUG 15313: Large directory optimization broken for non-lcomp path elements.
251 * BUG 15357: streams_depot fails to create streams.
252 * BUG 15358: shadow_copy2 and streams_depot don't play well together.
253 * BUG 15366: wbinfo -u fails on ad dc with >1000 users.
255 o Stefan Metzmacher <metze@samba.org>
256 * BUG 15317: winbindd idmap child contacts the domain controller without a
258 * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
260 * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
261 * BUG 15323: net ads search -P doesn't work against servers in other domains.
262 * BUG 15338: DS ACEs might be inherited to unrelated object classes.
263 * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
265 o Andreas Schneider <asn@samba.org>
266 * BUG 15360: Setting veto files = /.*/ break listing directories.
268 o Joseph Sutton <josephsutton@catalyst.net.nz>
269 * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
270 allow full write to all attributes (additional changes).
271 * BUG 15329: Reduce flapping of ridalloc test.
273 o Nathaniel W. Turner <nturner@exagrid.com>
274 * BUG 15325: dsgetdcname: assumes local system uses IPv4.
277 #######################################
278 Reporting bugs & Development Discussion
279 #######################################
281 Please discuss this release on the samba-technical mailing list or by
282 joining the #samba-technical:matrix.org matrix room, or
283 #samba-technical IRC channel on irc.libera.chat.
285 If you do report problems then please try to send high quality
286 feedback. If you don't provide vital information to help us track down
287 the problem then you will probably be ignored. All bug reports should
288 be filed under the Samba 4.1 and newer product in the project's Bugzilla
289 database (https://bugzilla.samba.org/).
292 ======================================================================
293 == Our Code, Our Bugs, Our Responsibility.
295 ======================================================================
298 ----------------------------------------------------------------------
299 ==============================
300 Release Notes for Samba 4.17.7
302 ==============================
305 This is a security release in order to address the following defects:
307 o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
308 but otherwise unprivileged users to delete this attribute from
309 any object in the directory.
310 https://www.samba.org/samba/security/CVE-2023-0225.html
312 o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
313 remote LDAP server, will by default send new or reset
314 passwords over a signed-only connection.
315 https://www.samba.org/samba/security/CVE-2023-0922.html
317 o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
318 Confidential attribute disclosure via LDAP filters was
319 insufficient and an attacker may be able to obtain
320 confidential BitLocker recovery keys from a Samba AD DC.
321 Installations with such secrets in their Samba AD should
322 assume they have been obtained and need replacing.
323 https://www.samba.org/samba/security/CVE-2023-0614.html
329 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
330 * BUG 15276: CVE-2023-0225.
332 o Andrew Bartlett <abartlet@samba.org>
333 * BUG 15270: CVE-2023-0614.
334 * BUG 15331: ldb wildcard matching makes excessive allocations.
335 * BUG 15332: large_ldap test is inefficient.
337 o Rob van der Linde <rob@catalyst.net.nz>
338 * BUG 15315: CVE-2023-0922.
340 o Joseph Sutton <josephsutton@catalyst.net.nz>
341 * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
342 allow full write to all attributes (additional changes).
343 * BUG 15270: CVE-2023-0614.
344 * BUG 15276: CVE-2023-0225.
347 #######################################
348 Reporting bugs & Development Discussion
349 #######################################
351 Please discuss this release on the samba-technical mailing list or by
352 joining the #samba-technical:matrix.org matrix room, or
353 #samba-technical IRC channel on irc.libera.chat.
355 If you do report problems then please try to send high quality
356 feedback. If you don't provide vital information to help us track down
357 the problem then you will probably be ignored. All bug reports should
358 be filed under the Samba 4.1 and newer product in the project's Bugzilla
359 database (https://bugzilla.samba.org/).
362 ======================================================================
363 == Our Code, Our Bugs, Our Responsibility.
365 ======================================================================
368 ----------------------------------------------------------------------
369 ==============================
370 Release Notes for Samba 4.17.6
372 ==============================
375 This is the latest stable release of the Samba 4.17 release series.
381 o Jeremy Allison <jra@samba.org>
382 * BUG 15314: streams_xattr is creating unexpected locks on folders.
384 o Andrew Bartlett <abartlet@samba.org>
385 * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
386 password hash synchronisation, allowing Samba AD Domains to synchronise
387 passwords with this popular cloud environment.
389 o Ralph Boehme <slow@samba.org>
390 * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
392 o Volker Lendecke <vl@samba.org>
393 * BUG 15310: New samba-dcerpc architecture does not scale gracefully.
395 o John Mulligan <jmulligan@redhat.com>
396 * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
397 fsp_get_pathref_fd() in close and fstat.
399 o Noel Power <noel.power@suse.com>
400 * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
403 o baixiangcpp <baixiangcpp@gmail.com>
404 * BUG 15311: fd_load() function implicitly closes the fd where it should not.
407 #######################################
408 Reporting bugs & Development Discussion
409 #######################################
411 Please discuss this release on the samba-technical mailing list or by
412 joining the #samba-technical:matrix.org matrix room, or
413 #samba-technical IRC channel on irc.libera.chat.
416 If you do report problems then please try to send high quality
417 feedback. If you don't provide vital information to help us track down
418 the problem then you will probably be ignored. All bug reports should
419 be filed under the Samba 4.1 and newer product in the project's Bugzilla
420 database (https://bugzilla.samba.org/).
423 ======================================================================
424 == Our Code, Our Bugs, Our Responsibility.
426 ======================================================================
429 ----------------------------------------------------------------------
430 ==============================
431 Release Notes for Samba 4.17.5
433 ==============================
436 This is the latest stable release of the Samba 4.17 release series.
442 o Jeremy Allison <jra@samba.org>
443 * BUG 14808: smbc_getxattr() return value is incorrect.
444 * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
446 * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
447 * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
448 DC when there is only an AAAA record for the DC in DNS.
449 * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
450 * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
451 * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
452 (accessing NULL value).
454 o Samuel Cabrero <scabrero@samba.org>
455 * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
456 based SChannel on NETLOGON (additional changes).
458 o Volker Lendecke <vl@samba.org>
459 * BUG 15243: %U for include directive doesn't work for share listing
461 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
462 * BUG 15269: ctdb: use-after-free in run_proc.
464 o Stefan Metzmacher <metze@samba.org>
465 * BUG 15243: %U for include directive doesn't work for share listing
467 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
468 * BUG 15280: irpc_destructor may crash during shutdown.
469 * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
471 o Andreas Schneider <asn@samba.org>
472 * BUG 15268: smbclient segfaults with use after free on an optimized build.
474 o Jones Syue <jonessyue@qnap.com>
475 * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
477 o Andrew Walker <awalker@ixsystems.com>
478 * BUG 15164: Leak in wbcCtxPingDc2.
479 * BUG 15265: Access based share enum does not work in Samba 4.16+.
480 * BUG 15267: Crash during share enumeration.
481 * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
482 end of returned buffer.
484 o Florian Weimer <fweimer@redhat.com>
485 * BUG 15281: Avoid relying on C89 features in a few places.
488 #######################################
489 Reporting bugs & Development Discussion
490 #######################################
492 Please discuss this release on the samba-technical mailing list or by
493 joining the #samba-technical:matrix.org matrix room, or
494 #samba-technical IRC channel on irc.libera.chat.
497 If you do report problems then please try to send high quality
498 feedback. If you don't provide vital information to help us track down
499 the problem then you will probably be ignored. All bug reports should
500 be filed under the Samba 4.1 and newer product in the project's Bugzilla
501 database (https://bugzilla.samba.org/).
504 ======================================================================
505 == Our Code, Our Bugs, Our Responsibility.
507 ======================================================================
510 ----------------------------------------------------------------------
511 ==============================
512 Release Notes for Samba 4.17.4
514 ==============================
517 This is the latest stable release of the Samba 4.17 release series.
518 It also contains security changes in order to address the following defects:
521 o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
522 RC4-HMAC Elevation of Privilege Vulnerability
523 disclosed by Microsoft on Nov 8 2022.
525 A Samba Active Directory DC will issue weak rc4-hmac
526 session keys for use between modern clients and servers
527 despite all modern Kerberos implementations supporting
528 the aes256-cts-hmac-sha1-96 cipher.
530 On Samba Active Directory DCs and members
531 'kerberos encryption types = legacy' would force
532 rc4-hmac as a client even if the server supports
533 aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
535 https://www.samba.org/samba/security/CVE-2022-37966.html
537 o CVE-2022-37967: This is the Samba CVE for the Windows
538 Kerberos Elevation of Privilege Vulnerability
539 disclosed by Microsoft on Nov 8 2022.
541 A service account with the special constrained
542 delegation permission could forge a more powerful
543 ticket than the one it was presented with.
545 https://www.samba.org/samba/security/CVE-2022-37967.html
547 o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
548 same algorithms as rc4-hmac cryptography in Kerberos,
549 and so must also be assumed to be weak.
551 https://www.samba.org/samba/security/CVE-2022-38023.html
553 Note that there are several important behavior changes
554 included in this release, which may cause compatibility problems
555 interacting with system still expecting the former behavior.
556 Please read the advisories of CVE-2022-37966,
557 CVE-2022-37967 and CVE-2022-38023 carefully!
559 samba-tool got a new 'domain trust modify' subcommand
560 -----------------------------------------------------
562 This allows "msDS-SupportedEncryptionTypes" to be changed
563 on trustedDomain objects. Even against remote DCs (including Windows)
564 using the --local-dc-ipaddress= (and other --local-dc-* options).
565 See 'samba-tool domain trust modify --help' for further details.
570 Parameter Name Description Default
571 -------------- ----------- -------
572 allow nt4 crypto Deprecated no
573 allow nt4 crypto:COMPUTERACCOUNT New
574 kdc default domain supported enctypes New (see manpage)
575 kdc supported enctypes New (see manpage)
576 kdc force enable rc4 weak session keys New No
577 reject md5 clients New Default, Deprecated Yes
578 reject md5 servers New Default, Deprecated Yes
579 server schannel Deprecated Yes
580 server schannel require seal New, Deprecated Yes
581 server schannel require seal:COMPUTERACCOUNT New
582 winbind sealed pipes Deprecated Yes
587 o Jeremy Allison <jra@samba.org>
588 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
591 o Andrew Bartlett <abartlet@samba.org>
592 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
593 user-controlled pointer in FAST.
594 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
595 * BUG 15237: CVE-2022-37966.
596 * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
598 o Ralph Boehme <slow@samba.org>
599 * BUG 15240: CVE-2022-38023.
600 * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
602 o Stefan Metzmacher <metze@samba.org>
603 * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
605 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
607 * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
609 * BUG 15206: libnet: change_password() doesn't work with
610 dcerpc_samr_ChangePasswordUser4().
611 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
612 * BUG 15230: Memory leak in snprintf replacement functions.
613 * BUG 15237: CVE-2022-37966.
614 * BUG 15240: CVE-2022-38023.
615 * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
616 (CVE-2021-20251 regression).
618 o Noel Power <noel.power@suse.com>
619 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
622 o Anoop C S <anoopcs@samba.org>
623 * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
625 o Andreas Schneider <asn@samba.org>
626 * BUG 15237: CVE-2022-37966.
627 * BUG 15243: %U for include directive doesn't work for share listing
629 * BUG 15257: Stack smashing in net offlinejoin requestodj.
631 o Joseph Sutton <josephsutton@catalyst.net.nz>
632 * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
633 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
634 * BUG 15231: CVE-2022-37967.
635 * BUG 15237: CVE-2022-37966.
637 o Nicolas Williams <nico@twosigma.com>
638 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
639 user-controlled pointer in FAST.
643 #######################################
644 Reporting bugs & Development Discussion
645 #######################################
647 Please discuss this release on the samba-technical mailing list or by
648 joining the #samba-technical:matrix.org matrix room, or
649 #samba-technical IRC channel on irc.libera.chat.
652 If you do report problems then please try to send high quality
653 feedback. If you don't provide vital information to help us track down
654 the problem then you will probably be ignored. All bug reports should
655 be filed under the Samba 4.1 and newer product in the project's Bugzilla
656 database (https://bugzilla.samba.org/).
659 ======================================================================
660 == Our Code, Our Bugs, Our Responsibility.
662 ======================================================================
665 ----------------------------------------------------------------------
666 ==============================
667 Release Notes for Samba 4.17.3
669 ==============================
672 This is a security release in order to address the following defects:
675 o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
676 integer overflows when parsing a PAC on a 32-bit system, which
677 allowed an attacker with a forged PAC to corrupt the heap.
678 https://www.samba.org/samba/security/CVE-2022-42898.html
682 o Joseph Sutton <josephsutton@catalyst.net.nz>
683 * BUG 15203: CVE-2022-42898
685 o Nicolas Williams <nico@twosigma.com>
686 * BUG 15203: CVE-2022-42898
689 #######################################
690 Reporting bugs & Development Discussion
691 #######################################
693 Please discuss this release on the samba-technical mailing list or by
694 joining the #samba-technical:matrix.org matrix room, or
695 #samba-technical IRC channel on irc.libera.chat.
698 If you do report problems then please try to send high quality
699 feedback. If you don't provide vital information to help us track down
700 the problem then you will probably be ignored. All bug reports should
701 be filed under the Samba 4.1 and newer product in the project's Bugzilla
702 database (https://bugzilla.samba.org/).
705 ======================================================================
706 == Our Code, Our Bugs, Our Responsibility.
708 ======================================================================
711 ----------------------------------------------------------------------
712 ==============================
713 Release Notes for Samba 4.17.2
715 ==============================
718 This is a security release in order to address the following defects:
720 o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
721 unwrap_des() and unwrap_des3() routines of Heimdal (included
723 https://www.samba.org/samba/security/CVE-2022-3437.html
725 o CVE-2022-3592: A malicious client can use a symlink to escape the exported
727 https://www.samba.org/samba/security/CVE-2022-3592.html
732 o Volker Lendecke <vl@samba.org>
733 * BUG 15207: CVE-2022-3592.
735 o Joseph Sutton <josephsutton@catalyst.net.nz>
736 * BUG 15134: CVE-2022-3437.
739 #######################################
740 Reporting bugs & Development Discussion
741 #######################################
743 Please discuss this release on the samba-technical mailing list or by
744 joining the #samba-technical:matrix.org matrix room, or
745 #samba-technical IRC channel on irc.libera.chat.
747 If you do report problems then please try to send high quality
748 feedback. If you don't provide vital information to help us track down
749 the problem then you will probably be ignored. All bug reports should
750 be filed under the Samba 4.1 and newer product in the project's Bugzilla
751 database (https://bugzilla.samba.org/).
754 ======================================================================
755 == Our Code, Our Bugs, Our Responsibility.
757 ======================================================================
760 ----------------------------------------------------------------------
761 ==============================
762 Release Notes for Samba 4.17.1
764 ==============================
767 This is the latest stable release of the Samba 4.17 release series.
773 o Jeremy Allison <jra@samba.org>
774 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
776 * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
777 * BUG 15182: Flush on a named stream never completes.
778 * BUG 15195: Permission denied calling SMBC_getatr when file not exists.
780 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
781 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
782 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
783 * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
785 o Andrew Bartlett <abartlet@samba.org>
786 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
788 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
789 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
791 o Ralph Boehme <slow@samba.org>
792 * BUG 15182: Flush on a named stream never completes.
794 o Volker Lendecke <vl@samba.org>
795 * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
797 o Gary Lockyer <gary@catalyst.net.nz>
798 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
801 o Stefan Metzmacher <metze@samba.org>
802 * BUG 15200: multi-channel socket passing may hit a race if one of the
803 involved processes already existed.
804 * BUG 15201: memory leak on temporary of struct imessaging_post_state and
805 struct tevent_immediate on struct imessaging_context (in
806 rpcd_spoolss and maybe others).
808 o Noel Power <noel.power@suse.com>
809 * BUG 15205: Since popt1.19 various use after free errors using result of
810 poptGetArg are now exposed.
812 o Anoop C S <anoopcs@samba.org>
813 * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
816 o Andreas Schneider <asn@samba.org>
817 * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
819 o Joseph Sutton <josephsutton@catalyst.net.nz>
820 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
824 #######################################
825 Reporting bugs & Development Discussion
826 #######################################
828 Please discuss this release on the samba-technical mailing list or by
829 joining the #samba-technical:matrix.org matrix room, or
830 #samba-technical IRC channel on irc.libera.chat.
833 If you do report problems then please try to send high quality
834 feedback. If you don't provide vital information to help us track down
835 the problem then you will probably be ignored. All bug reports should
836 be filed under the Samba 4.1 and newer product in the project's Bugzilla
837 database (https://bugzilla.samba.org/).
840 ======================================================================
841 == Our Code, Our Bugs, Our Responsibility.
843 ======================================================================
846 ----------------------------------------------------------------------
847 ==============================
848 Release Notes for Samba 4.17.0
850 ==============================
853 This is the first stable release of the Samba 4.17 release series.
854 Please read the release notes carefully before upgrading.
860 SMB Server performance improvements
861 -----------------------------------
863 The security improvements in recent releases
864 (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
865 caused performance regressions for meta data heavy workloads.
867 With 4.17 the situation improved a lot again:
869 - Pathnames given by a client are devided into dirname and basename.
870 The amount of syscalls to validate dirnames is reduced to 2 syscalls
871 (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
872 makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
873 in order to just use 2 syscalls (openat2, close) for the whole dirname.
875 - Contended path based operations used to generate a lot of unsolicited
876 wakeup events causing thundering herd problems, which lead to masive
877 latencies for some clients. These events are now avoided in order
878 to provide stable latencies and much higher throughput of open/close
881 Configure without the SMB1 Server
882 ---------------------------------
884 It is now possible to configure Samba without support for
885 the SMB1 protocol in smbd. This can be selected at configure
886 time with either of the options:
889 --without-smb1-server
891 By default (without either of these options set) Samba
892 is configured to include SMB1 support (i.e. --with-smb1-server
893 is the default). When Samba is configured without SMB1 support,
894 none of the SMB1 code is included inside smbd except the minimal
895 stub code needed to allow a client to connect as SMB1 and immediately
896 negotiate the selected protocol into SMB2 (as a Windows server also
899 None of the SMB1-only smb.conf parameters are removed when
900 configured without SMB1, but these parameters are ignored by
901 the smbd server. This allows deployment without having to change
902 an existing smb.conf file.
904 This option allows sites, OEMs and integrators to configure Samba
905 to remove the old and insecure SMB1 protocol from their products.
907 Note that the Samba client libraries still support SMB1 connections
908 even when Samba is configured as --without-smb1-server. This is
909 to ensure maximum compatibility with environments containing old
912 Bronze bit and S4U support now also with MIT Kerberos 1.20
913 ----------------------------------------------------------
915 In 2020 Microsoft Security Response Team received another Kerberos-related
916 report. Eventually, that led to a security update of the CVE-2020-17049,
917 Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
918 Bit’. With this vulnerability, a compromised service that is configured to use
919 Kerberos constrained delegation feature could tamper with a service ticket that
920 is not valid for delegation to force the KDC to accept it.
922 With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
923 ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
924 changed to allow passing more details between KDC and KDB components. When built
925 against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
926 but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
928 In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
929 S4U2Self and S4U2Proxy Kerberos extensions.
931 Note the default (Heimdal-based) KDC was already fixed in 2021,
932 see https://bugzilla.samba.org/show_bug.cgi?id=14642
934 Resource Based Constrained Delegation (RBCD) support
935 ----------------------------------------------------
937 Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
938 Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
940 samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
941 in order to manage RBCD.
943 To complete RBCD support and make it useful to Administrators we added the
944 Asserted Identity [1] SID into the PAC for constrained delegation. This is
945 available for Samba AD compiled with MIT Kerberos 1.20.
947 Note the default (Heimdal-based) KDC does not support RBCD yet.
949 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
951 Customizable DNS listening port
952 -------------------------------
954 It is now possible to set a custom listening port for the builtin DNS service,
955 making easy to host another DNS on the same system that would bind to the
956 default port and forward the domain-specific queries to Samba using the custom
957 port. This is the opposite configuration of setting a forwarder in Samba.
959 It makes possible to use another DNS server as a front and forward to Samba.
961 Dynamic DNS updates may not be proxied by the front DNS server when forwarding
962 to Samba. Dynamic DNS update proxying depends on the features of the other DNS
963 server used as a front.
968 * When Samba is configured with both --with-cluster-support and
969 --systemd-install-services then a systemd service file for CTDB will
972 * ctdbd_wrapper has been removed. ctdbd is now started directly from
973 a systemd service file or init script.
975 * The syntax for the ctdb.tunables configuration file has been
976 relaxed. However, trailing garbage after the value, including
977 comments, is no longer permitted. Please see ctdb-tunables(7) for
980 Operation without the (unsalted) NT password hash
981 -------------------------------------------------
983 When Samba is configured with 'nt hash store = never' then Samba will
984 no longer store the (unsalted) NT password hash for users in Active
985 Directory. (Trust accounts, like computers, domain controllers and
986 inter-domain trusts are not impacted).
988 In the next version of Samba the default for 'nt hash store' will
989 change from 'always' to 'auto', where it will follow (behave as 'nt
990 hash store = never' when 'ntlm auth = disabled' is set.
992 Security-focused deployments of Samba that have eliminated NTLM from
993 their networks will find setting 'ntlm auth = disabled' with 'nt hash
994 store = always' as a useful way to improve compliance with
995 best-practice guidance on password storage (which is to always use an
998 Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
999 Kerberos keys will not be available for users who subsequently change
1000 their password, as these keys derive their values from NT hashes. AES
1001 keys are stored by default for all deployments of Samba with Domain
1002 Functional Level 2008 or later, are supported by all modern clients,
1003 and are much more secure.
1005 Finally, also note that password history in Active Directory is stored
1006 in nTPwdHistory using a series of NT hash values. Therefore the full
1007 password history feature is not available in this mode.
1009 To provide some protection against password re-use previous Kerberos
1010 hash values (the current, old and older values are already stored) are
1011 used, providing a history length of 3.
1013 There is one small limitation of this workaround: Changing the
1014 sAMAccountName, userAccountControl or userPrincipalName of an account
1015 can cause the Kerberos password salt to change. This means that after
1016 *both* an account rename and a password change, only the current
1017 password will be recognised for password history purposes.
1019 Python API for smbconf
1020 ----------------------
1022 Samba's smbconf library provides a generic frontend to various
1023 configuration backends (plain text file, registry) as a C library. A
1024 new Python wrapper, importable as 'samba.smbconf' is available. An
1025 additional module, 'samba.samba3.smbconf', is also available to enable
1026 registry backend support. These libraries allow Python programs to
1027 read, and optionally write, Samba configuration natively.
1029 JSON support for smbstatus
1030 --------------------------
1032 It is now possible to print detailed information in JSON format in
1033 the smbstatus program using the new option --json. The JSON output
1034 covers all the existing text output including sessions, connections,
1035 open files, byte-range locks, notifies and profile data with all
1036 low-level information maintained by Samba in the respective databases.
1038 Protected Users security group
1039 ------------------------------
1041 Samba AD DC now includes support for the Protected Users security
1042 group introduced in Windows Server 2012 R2. The feature reduces the
1043 attack surface of user accounts by preventing the use of weak
1044 encryption types. It also mitigates the effects of credential theft by
1045 limiting credential lifetime and scope.
1047 The protections are intended for user accounts only, and service or
1048 computer accounts should not be added to the Protected Users
1049 group. User accounts added to the group are granted the following
1050 security protections:
1052 * NTLM authentication is disabled.
1053 * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
1054 not issued to or accepted from affected principals. Tickets
1055 encrypted with AES, and service tickets encrypted with RC4, are
1056 not affected by this restriction.
1057 * The lifetime of Kerberos TGTs is restricted to a maximum of four
1059 * Kerberos constrained and unconstrained delegation is disabled.
1061 If the Protected Users group is not already present in the domain, it
1062 can be created with 'samba-tool group add'. The new '--special'
1063 parameter must be specified, with 'Protected Users' as the name of the
1064 group. An example command invocation is:
1066 samba-tool group add 'Protected Users' --special
1068 or against a remote server:
1070 samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
1072 The Protected Users group is identified in the domain by its having a
1073 RID of 525. Thus, it should only be created with samba-tool and the
1074 '--special' parameter, as above, so that it has the required RID
1075 to function correctly.
1081 LanMan Authentication and password storage removed from the AD DC
1082 -----------------------------------------------------------------
1084 The storage and authentication with LanMan passwords has been entirely
1085 removed from the Samba AD DC, even when "lanman auth = yes" is set.
1091 Parameter Name Description Default
1092 -------------- ----------- -------
1093 dns port New default 53
1094 fruit:zero_file_id New default yes
1095 nt hash store New parameter always
1096 smb1 unix extensions Replaces "unix extensions"
1097 volume serial number New parameter -1
1098 winbind debug traceid New parameter no
1101 CHANGES SINCE 4.17.0rc4
1102 =======================
1104 o Ralph Boehme <slow@samba.org>
1105 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
1106 permissions instead of ACL from xattr.
1107 * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
1108 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
1109 ../../lib/util/fault.c:197.
1111 o Volker Lendecke <vl@samba.org>
1112 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
1113 permissions instead of ACL from xattr.
1114 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
1115 ../../lib/util/fault.c:197.
1117 o Stefan Metzmacher <metze@samba.org>
1118 * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate
1119 returning NT_STATUS_NOT_SUPPORTED.
1121 o Noel Power <noel.power@suse.com>
1122 * BUG 15160: winbind at info level debug can coredump when processing
1123 wb_lookupusergroups.
1126 CHANGES SINCE 4.17.0rc3
1127 =======================
1129 o Anoop C S <anoopcs@samba.org>
1130 * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
1133 CHANGES SINCE 4.17.0rc2
1134 =======================
1136 o Jeremy Allison <jra@samba.org>
1137 * BUG 15128: Possible use after free of connection_struct when iterating
1138 smbd_server_connection->connections.
1140 o Christian Ambach <ambi@samba.org>
1141 * BUG 15145: `net usershare add` fails with flag works with --long but fails
1144 o Ralph Boehme <slow@samba.org>
1145 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
1146 permissions instead of ACL from xattr.
1148 o Stefan Metzmacher <metze@samba.org>
1149 * BUG 15125: Performance regression on contended path based operations.
1150 * BUG 15148: Missing READ_LEASE break could cause data corruption.
1152 o Andreas Schneider <asn@samba.org>
1153 * BUG 15141: libsamba-errors uses a wrong version number.
1155 o Joseph Sutton <josephsutton@catalyst.net.nz>
1156 * BUG 15152: SMB1 negotiation can fail to handle connection errors.
1159 CHANGES SINCE 4.17.0rc1
1160 =======================
1162 o Jeremy Allison <jra@samba.org>
1163 * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
1164 * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
1165 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
1167 o Jule Anger <janger@samba.org>
1168 * BUG 15147: Manpage for smbstatus json is missing
1170 o Volker Lendecke <vl@samba.org>
1171 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
1173 o Stefan Metzmacher <metze@samba.org>
1174 * BUG 15125: Performance regression on contended path based operations
1175 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
1177 o Andreas Schneider <asn@samba.org>
1178 * BUG 15140: Fix issues found by coverity in smbstatus json code
1179 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
1185 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
1188 #######################################
1189 Reporting bugs & Development Discussion
1190 #######################################
1192 Please discuss this release on the samba-technical mailing list or by
1193 joining the #samba-technical:matrix.org matrix room, or
1194 #samba-technical IRC channel on irc.libera.chat
1196 If you do report problems then please try to send high quality
1197 feedback. If you don't provide vital information to help us track down
1198 the problem then you will probably be ignored. All bug reports should
1199 be filed under the Samba 4.1 and newer product in the project's Bugzilla
1200 database (https://bugzilla.samba.org/).
1203 ======================================================================
1204 == Our Code, Our Bugs, Our Responsibility.
1206 ======================================================================