| blob | 9cb58de2a61ed55006563ec6364cdfba39b4fe3f |
1 ==============================
2 Release Notes for Samba 4.15.4
3 January 19, 2022
4 ==============================
7 This is the latest stable release of the Samba 4.15 release series.
10 Changes since 4.15.3
11 --------------------
13 o Jeremy Allison <jra@samba.org>
14 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
15 poisoning.
16 * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
17 calling the "Reconnecting with SMB1 for workgroup listing" path.
18 * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
20 o Pavel Filipenský <pfilipen@redhat.com>
21 * BUG 14940: Cross device copy of the crossrename module always fails.
22 * BUG 14941: symlinkat function from VFS cap module always fails with an
23 error.
24 * BUG 14942: Fix possible fsp pointer deference.
26 o Volker Lendecke <vl@samba.org>
27 * BUG 14934: kill_tcp_connections does not work.
29 o Stefan Metzmacher <metze@samba.org>
30 * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
31 NT_STATUS_BUFFER_TOO_SMALL.
32 * BUG 14935: Can't connect to Windows shares not requiring authentication
33 using KDE/Gnome.
35 o Andreas Schneider <asn@samba.org>
36 * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
38 o Jones Syue <jonessyue@qnap.com>
39 * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
40 poisoning.
43 #######################################
44 Reporting bugs & Development Discussion
45 #######################################
47 Please discuss this release on the samba-technical mailing list or by
48 joining the #samba-technical IRC channel on irc.libera.chat or the
49 #samba-technical:matrix.org matrix channel.
51 If you do report problems then please try to send high quality
52 feedback. If you don't provide vital information to help us track down
53 the problem then you will probably be ignored. All bug reports should
54 be filed under the Samba 4.1 and newer product in the project's Bugzilla
55 database (https://bugzilla.samba.org/).
58 ======================================================================
59 == Our Code, Our Bugs, Our Responsibility.
60 == The Samba Team
61 ======================================================================
64 Release notes for older releases follow:
65 ----------------------------------------
66 ==============================
67 Release Notes for Samba 4.15.3
68 December 08, 2021
69 ==============================
72 This is the latest stable release of the Samba 4.15 release series.
74 Important Notes
75 ===============
77 There have been a few regressions in the security release 4.15.2:
79 o CVE-2020-25717: A user on the domain can become root on domain members.
80 https://www.samba.org/samba/security/CVE-2020-25717.html
81 PLEASE [RE-]READ!
82 The instructions have been updated and some workarounds
83 initially adviced for 4.15.2 are no longer required and
84 should be reverted in most cases.
86 o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
87 un-deletable. While this release should fix this bug, it is
88 adviced to have a look at the bug report for more detailed
89 information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
91 Changes since 4.15.2
92 --------------------
94 o Jeremy Allison <jra@samba.org>
95 * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
96 * BUG 14879: A directory containing dangling symlinks cannot be deleted by
97 SMB2 alone when they are the only entry in the directory.
98 * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
99 uninitialized in rmdir_internals().
101 o Andrew Bartlett <abartlet@samba.org>
102 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
103 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
104 side effects for the local nt token.
105 * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
106 un-deletable.
108 o Ralph Boehme <slow@samba.org>
109 * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
110 * BUG 14882: smbXsrv_client_global record validation leads to crash if
111 existing record points at non-existing process.
112 * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
113 * BUG 14897: Samba process doesn't log to logfile.
114 * BUG 14907: set_ea_dos_attribute() fallback calling
115 get_file_handle_for_metadata() triggers locking.tdb assert.
116 * BUG 14922: Kerberos authentication on standalone server in MIT realm
117 broken.
118 * BUG 14923: Segmentation fault when joining the domain.
120 o Alexander Bokovoy <ab@samba.org>
121 * BUG 14903: Support for ROLE_IPA_DC is incomplete.
123 o Günther Deschner <gd@samba.org>
124 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
125 * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
127 o Volker Lendecke <vl@samba.org>
128 * BUG 14908: net ads status -P broken in a clustered environment.
130 o Stefan Metzmacher <metze@samba.org>
131 * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
132 smbd_smb2_ioctl_send.
133 * BUG 14882: smbXsrv_client_global record validation leads to crash if
134 existing record points at non-existing process.
135 * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
136 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
137 side effects for the local nt token.
139 o Andreas Schneider <asn@samba.org>
140 * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
141 * BUG 14883: smbclient login without password using '-N' fails with
142 NT_STATUS_INVALID_PARAMETER on Samba AD DC.
143 * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
144 an AES only server.
145 * BUG 14921: Possible null pointer dereference in winbind.
147 o Andreas Schneider <asn@cryptomilk.org>
148 * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
149 net, etc.
151 o Martin Schwenke <martin@meltin.net>
152 * BUG 14872: Add Debian 11 CI bootstrap support.
154 o Joseph Sutton <josephsutton@catalyst.net.nz>
155 * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
156 * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
157 side effects for the local nt token.
159 o Andrew Walker <awalker@ixsystems.com>
160 * BUG 14888: Crash in recycle_unlink_internal().
163 #######################################
164 Reporting bugs & Development Discussion
165 #######################################
167 Please discuss this release on the samba-technical mailing list or by
168 joining the #samba-technical IRC channel on irc.freenode.net.
170 If you do report problems then please try to send high quality
171 feedback. If you don't provide vital information to help us track down
172 the problem then you will probably be ignored. All bug reports should
173 be filed under the Samba 4.1 and newer product in the project's Bugzilla
174 database (https://bugzilla.samba.org/).
177 ======================================================================
178 == Our Code, Our Bugs, Our Responsibility.
179 == The Samba Team
180 ======================================================================
183 ----------------------------------------------------------------------
184 ==============================
185 Release Notes for Samba 4.15.2
186 November 9, 2021
187 ==============================
190 This is a security release in order to address the following defects:
192 o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
193 authentication.
194 https://www.samba.org/samba/security/CVE-2016-2124.html
196 o CVE-2020-25717: A user on the domain can become root on domain members.
197 https://www.samba.org/samba/security/CVE-2020-25717.html
198 (PLEASE READ! There are important behaviour changes described)
200 o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
201 by an RODC.
202 https://www.samba.org/samba/security/CVE-2020-25718.html
204 o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
205 tickets.
206 https://www.samba.org/samba/security/CVE-2020-25719.html
208 o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
209 (eg objectSid).
210 https://www.samba.org/samba/security/CVE-2020-25721.html
212 o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
213 checking of data stored.
214 https://www.samba.org/samba/security/CVE-2020-25722.html
216 o CVE-2021-3738: Use after free in Samba AD DC RPC server.
217 https://www.samba.org/samba/security/CVE-2021-3738.html
219 o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
220 https://www.samba.org/samba/security/CVE-2021-23192.html
223 Changes since 4.15.1
224 --------------------
226 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
227 * CVE-2020-25722
229 o Andrew Bartlett <abartlet@samba.org>
230 * CVE-2020-25718
231 * CVE-2020-25719
232 * CVE-2020-25721
233 * CVE-2020-25722
235 o Ralph Boehme <slow@samba.org>
236 * CVE-2020-25717
238 o Alexander Bokovoy <ab@samba.org>
239 * CVE-2020-25717
241 o Samuel Cabrero <scabrero@samba.org>
242 * CVE-2020-25717
244 o Nadezhda Ivanova <nivanova@symas.com>
245 * CVE-2020-25722
247 o Stefan Metzmacher <metze@samba.org>
248 * CVE-2016-2124
249 * CVE-2020-25717
250 * CVE-2020-25719
251 * CVE-2020-25722
252 * CVE-2021-23192
253 * CVE-2021-3738
255 o Andreas Schneider <asn@samba.org>
256 * CVE-2020-25719
258 o Joseph Sutton <josephsutton@catalyst.net.nz>
259 * CVE-2020-17049
260 * CVE-2020-25718
261 * CVE-2020-25719
262 * CVE-2020-25721
263 * CVE-2020-25722
264 * MS CVE-2020-17049
267 #######################################
268 Reporting bugs & Development Discussion
269 #######################################
271 Please discuss this release on the samba-technical mailing list or by
272 joining the #samba-technical IRC channel on irc.libera.chat or the
273 #samba-technical:matrix.org matrix channel.
275 If you do report problems then please try to send high quality
276 feedback. If you don't provide vital information to help us track down
277 the problem then you will probably be ignored. All bug reports should
278 be filed under the Samba 4.1 and newer product in the project's Bugzilla
279 database (https://bugzilla.samba.org/).
282 ======================================================================
283 == Our Code, Our Bugs, Our Responsibility.
284 == The Samba Team
285 ======================================================================
288 ----------------------------------------------------------------------
291 ==============================
292 Release Notes for Samba 4.15.1
293 October 27, 2021
294 ==============================
297 This is the latest stable release of the Samba 4.15 release series.
300 Changes since 4.15.0
301 --------------------
303 o Jeremy Allison <jra@samba.org>
304 * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
305 * BUG 14685: Log clutter from filename_convert_internal.
306 * BUG 14862: MacOSX compilation fixes.
308 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
309 * BUG 14868: rodc_rwdc test flaps.
311 o Andrew Bartlett <abartlet@samba.org>
312 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
313 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
314 Heimdal.
315 * BUG 14836: Python ldb.msg_diff() memory handling failure.
316 * BUG 14845: "in" operator on ldb.Message is case sensitive.
317 * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
318 * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
319 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
320 * BUG 14874: Allow special chars like "@" in samAccountName when generating
321 the salt.
323 o Ralph Boehme <slow@samba.org>
324 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
326 o Isaac Boukris <iboukris@gmail.com>
327 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
328 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
329 Heimdal.
331 o Viktor Dukhovni <viktor@twosigma.com>
332 * BUG 12998: Fix transit path validation.
334 o Pavel Filipenský <pfilipen@redhat.com>
335 * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
336 log.wb-<DOMAIN>.
338 o Luke Howard <lukeh@padl.com>
339 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
340 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
341 Heimdal.
343 o Stefan Metzmacher <metze@samba.org>
344 * BUG 14855: SMB3 cancel requests should only include the MID together with
345 AsyncID when AES-128-GMAC is used.
347 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
348 * BUG 14862: MacOSX compilation fixes.
350 o Andreas Schneider <asn@samba.org>
351 * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
353 o Martin Schwenke <martin@meltin.net>
354 * BUG 14826: Correctly ignore comments in CTDB public addresses file.
356 o Joseph Sutton <josephsutton@catalyst.net.nz>
357 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
358 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
359 Heimdal.
360 * BUG 14836: Python ldb.msg_diff() memory handling failure.
361 * BUG 14845: "in" operator on ldb.Message is case sensitive.
362 * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
363 * BUG 14868: rodc_rwdc test flaps.
364 * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
365 * BUG 14874: Allow special chars like "@" in samAccountName when generating
366 the salt.
368 o Nicolas Williams <nico@twosigma.com>
369 * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
370 bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
371 Heimdal.
374 #######################################
375 Reporting bugs & Development Discussion
376 #######################################
378 Please discuss this release on the samba-technical mailing list or by
379 joining the #samba-technical IRC channel on irc.freenode.net.
381 If you do report problems then please try to send high quality
382 feedback. If you don't provide vital information to help us track down
383 the problem then you will probably be ignored. All bug reports should
384 be filed under the Samba 4.1 and newer product in the project's Bugzilla
385 database (https://bugzilla.samba.org/).
388 ======================================================================
389 == Our Code, Our Bugs, Our Responsibility.
390 == The Samba Team
391 ======================================================================
394 ----------------------------------------------------------------------
396 ==============================
397 Release Notes for Samba 4.15.0
398 September 20, 2021
399 ==============================
402 This is the first stable release of the Samba 4.15 release series.
403 Please read the release notes carefully before upgrading.
406 Removed SMB (development) dialects
407 ==================================
409 The following SMB (development) dialects are no longer
410 supported: SMB2_22, SMB2_24 and SMB3_10. They are were
411 only supported by Windows technical preview builds.
412 They used to be useful in order to test against the
413 latest Windows versions, but it's no longer useful
414 to have them. If you have them explicitly specified
415 in your smb.conf or an the command line,
416 you need to replace them like this:
417 - SMB2_22 => SMB3_00
418 - SMB2_24 => SMB3_00
419 - SMB3_10 => SMB3_11
420 Note that it's typically not useful to specify
421 "client max protocol" or "server max protocol"
422 explicitly to a specific dialect, just leave
423 them unspecified or specify the value "default".
425 New GPG key
426 ===========
428 The GPG release key for Samba releases changed from:
430 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
431 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
432 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
433 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
435 to the following new key:
437 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
438 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
439 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
440 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
442 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
444 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
446 New minimum version for the experimental MIT KDC
447 ================================================
449 The build of the AD DC using the system MIT Kerberos, an
450 experimental feature, now requires MIT Kerberos 1.19. An up-to-date
451 Fedora 34 has this version and has backported fixes for the KDC crash
452 bugs CVE-2021-37750 and CVE-2021-36222
455 NEW FEATURES/CHANGES
456 ====================
458 VFS
459 ---
461 The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
462 with a modernized VFS designed for the post SMB1 world.
464 For details please refer to the documentation at source3/modules/The_New_VFS.txt
465 or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
468 Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
469 ---------------------------------------------------------------------------
471 Up to now, any client could use a DNS zone transfer request to the
472 bind server, and get an answer from Samba. Now the default behaviour
473 will be to deny those request. Two new options have been added to
474 manage the list of authorized/denied clients for zone transfer
475 requests. In order to be accepted, the request must be issued by a
476 client that is in the allow list and NOT in the deny list.
479 "server multi channel support" no longer experimental
480 -----------------------------------------------------
482 This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
483 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
484 to use this feature on Linux and FreeBSD for now.
487 samba-tool available without the ad-dc
488 --------------------------------------
490 The 'samba-tool' command is now available when samba is configured
491 "--without-ad-dc". Not all features will work, and some ad-dc specific options
492 have been disabled. The 'samba-tool domain' options, for example, are limited
493 when no ad-dc is present. Samba must still be built with ads in order to enable
494 'samba-tool'.
497 Improved command line user experience
498 -------------------------------------
500 Samba utilities did not consistently implement their command line interface. A
501 number of options were requiring to specify values in one tool and not in the
502 other, some options meant different in different tools.
504 These should be stories of the past now. A new command line parser has been
505 implemented with sanity checking. Also the command line interface has been
506 simplified and provides better control for encryption, signing and kerberos.
508 Previously many tools silently ignored unknown options. To prevent unexpected
509 behaviour all tools will now consistently reject unknown options.
511 Also several command line options have a smb.conf variable to control the
512 default now.
514 All tools are now logging to stderr by default. You can use "--debug-stdout" to
515 change the behavior. All servers will log to stderr at early startup until logging
516 is setup to go to a file by default.
518 ### Common parser:
520 Options added:
521 --client-protection=off|sign|encrypt
523 Options renamed:
524 --kerberos -> --use-kerberos=required|desired|off
525 --krb5-ccache -> --use-krb5-ccache=CCACHE
526 --scope -> --netbios-scope=SCOPE
527 --use-ccache -> --use-winbind-ccache
529 Options removed:
530 -e|--encrypt
531 -C removed from --use-winbind-ccache
532 -i removed from --netbios-scope
533 -S|--signing
536 ### Duplicates in command line utils
538 ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
539 -e is still available as an alias for --editor,
540 as it used to be.
541 -s is no longer reported as an alias for --configfile,
542 it never worked that way as it was shadowed by '-s' for '--scope'.
544 ndrdump:
545 -l is not available for --load-dso anymore
547 net:
548 -l is not available for --long anymore
550 sharesec:
551 -V is not available for --viewsddl anymore
553 smbcquotas:
554 --user -> --quota-user
556 nmbd:
557 --log-stdout -> --debug-stdout
559 smbd:
560 --log-stdout -> --debug-stdout
562 winbindd:
563 --log-stdout -> --debug-stdout
566 Scanning of trusted domains and enterprise principals
567 -----------------------------------------------------
569 As an artifact from the NT4 times, we still scanned the list of trusted domains
570 on winbindd startup. This is wrong as we never can get a full picture in Active
571 Directory. It is time to change the default value to "No". Also with this change
572 we always use enterprise principals for Kerberos so that the DC will be able
573 to redirect ticket requests to the right DC. This is e.g. needed for one way
574 trusts. The options `winbind use krb5 enterprise principals` and
575 `winbind scan trusted domains` will be deprecated in one of the next releases.
578 Support for Offline Domain Join (ODJ)
579 -------------------------------------
581 The net utility is now able to support the offline domain join feature
582 as known from the Windows djoin.exe command for many years. Samba's
583 implementation is accessible via the 'net offlinejoin' subcommand. It
584 can provision computers and request offline joining for both Windows
585 and Unix machines. It is also possible to provision computers from
586 Windows (using djoin.exe) and use the generated data in Samba's 'net'
587 utility. The existing options for the provisioning and joining steps
588 are documented in the net(8) manpage.
591 'samba-tool dns zoneoptions' for aging control
592 ----------------------------------------------
594 The 'samba-tool dns zoneoptions' command can be used to turn aging on
595 and off, alter the refresh and no-refresh periods, and manipulate the
596 timestamps of existing records.
598 To turn aging on for a zone, you can use something like this:
600 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
602 which turns on aging and ensures no records less than five years old
603 are aged out and scavenged. After aging has been on for sufficient
604 time for records to be renewed, the command
606 samba-tool dns zoneoptions --refreshinterval=168
608 will set the refresh period to the standard seven days. Using this two
609 step process will help prevent the temporary loss of dynamic records
610 if scavenging happens before their first renewal.
613 Marking old records as static or dynamic with 'samba-tool'
614 ----------------------------------------------------------
616 A bug in Samba versions prior to 4.9 meant records that were meant to
617 be static were marked as dynamic and vice versa. To fix the timestamps
618 in these domains, it is possible to use the following options,
619 preferably before turning aging on.
621 --mark-old-records-static
622 --mark-records-dynamic-regex
623 --mark-records-static-regex
625 The "--mark-old-records-static" option will make records older than the
626 specified date static (that is, with a zero timestamp). For example,
627 if you upgraded to Samba 4.9 in November 2018, you could use ensure no
628 old records will be mistakenly interpreted as dynamic using the
629 following option:
631 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
633 Then, if you know that that will have marked some records as static
634 that should be dynamic, and you know which those are due to your
635 naming scheme, you can use commands like:
637 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
639 where '\w+-desktop' is a perl-compatible regular expression that will
640 match 'bob-desktop', 'alice-desktop', and so on.
642 These options are deliberately long and cumbersome to type, so people
643 have a chance to think before they get to the end. You can make a
644 mess if you get it wrong.
646 All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
647 argument that allows you to inspect the likely results before going
648 ahead.
650 NOTE: for aging to work, you need to have "dns zone scavenging = yes"
651 set in the smb.conf of at least one server.
654 DNS tombstones are now deleted as appropriate
655 ---------------------------------------------
657 When all the records for a DNS name have been deleted, the node is put
658 in a tombstoned state (separate from general AD object tombstoning,
659 which deleted nodes also go through). These tombstones should be
660 cleaned up periodically. Due to a conflation of scavenging and
661 tombstoning, we have only been deleting tombstones when aging is
662 enabled.
664 If you have a lot of tombstoned DNS nodes (that is, DNS names for
665 which you have removed all the records), cleaning up these DNS
666 tombstones may take a noticeable time.
669 DNS tombstones use a consistent timestamp format
670 ------------------------------------------------
672 DNS records use an hours-since-1601 timestamp format except for in the
673 case of tombstone records where a 100-nanosecond-intervals-since-1601
674 format is used (this latter format being the most common in Windows).
675 We had mixed that up, which might have had strange effects in zones
676 where aging was enabled (and hence tombstone timestamps were used).
679 samba-tool dns update and RPC changes
680 -------------------------------------
682 The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
683 to manipulate dns records on the remote server. A bug in Samba meant
684 it was not possible to update an existing DNS record to change the
685 TTL. The general behaviour of RPC updates is now closer to that of
686 Windows.
688 'samba-tool dns update' is now a bit more careful in rejecting and
689 warning you about malformed IPv4 and IPv6 addresses.
691 CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
692 -----------------------------------------------------------------------
694 An unuthenticated user can crash the AD DC KDC by omitting the server
695 name in a TGS-REQ. Per Samba's updated security process a specific
696 security release was not made for this issue as it is a recoverable
697 Denial Of Service.
699 See https://wiki.samba.org/index.php/Samba_Security_Proces
701 samba-tool domain backup offline with the LMDB backend
702 ------------------------------------------------------
704 samba-tool domain backup offline, when operating with the LMDB backend
705 now correctly takes out locks against concurrent modification of the
706 database during the backup. If you use this tool on a Samba AD DC
707 using LMDB, you should upgrade to this release for safer backups.
709 REMOVED FEATURES
710 ================
712 Tru64 ACL support has been removed from this release. The last
713 supported release of Tru64 UNIX was in 2012.
715 NIS support has been removed from this release. This is not
716 available in Linux distributions anymore.
718 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
719 which have been out of support since 2018.
722 smb.conf changes
723 ================
725 Parameter Name Description Default
726 -------------- ----------- -------
727 client use kerberos New desired
728 client max protocol Values Removed
729 client min protocol Values Removed
730 client protection New default
731 client smb3 signing algorithms New see man smb.conf
732 client smb3 encryption algorithms New see man smb.conf
733 preopen:posix-basic-regex New No
734 preopen:nomatch_log_level New 5
735 preopen:match_log_level New 5
736 preopen:nodigits_log_level New 1
737 preopen:founddigits_log_level New 3
738 preopen:reset_log_level New 5
739 preopen:push_log_level New 3
740 preopen:queue_log_level New 10
741 server max protocol Values Removed
742 server min protocol Values Removed
743 server multi channel support Changed Yes (on Linux and FreeBSD)
744 server smb3 signing algorithms New see man smb.conf
745 server smb3 encryption algorithms New see man smb.conf
746 winbind use krb5 enterprise principals Changed Yes
747 winbind scan trusted domains Changed No
750 CHANGES SINCE 4.15.0rc6
751 =======================
753 o Andrew Bartlett <abartlet@samba.org>
754 * BUG 14791: All the ways to specify a password are not documented.
756 o Ralph Boehme <slow@samba.org>
757 * BUG 14790: vfs_btrfs compression support broken.
758 * BUG 14828: Problems with commandline parsing.
759 * BUG 14829: smbd crashes when "ea support" is set to no.
761 o Stefan Metzmacher <metze@samba.org>
762 * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
763 use the same strings as smbstatus output.
764 * BUG 14828: Problems with commandline parsing.
766 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
767 * BUG 8773: smbd fails to run as root because it belongs to more than 16
768 groups on MacOS X.
770 o Martin Schwenke <martin@meltin.net>
771 * BUG 14784: Fix CTDB flag/status update race conditions.
774 CHANGES SINCE 4.15.0rc5
775 =======================
777 o Andrew Bartlett <abartlet@samba.org>
778 * BUG 14806: Address a signifcant performance regression in database access
779 in the AD DC since Samba 4.12.
780 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
781 Samba 4.9 by using an explicit database handle cache.
782 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
783 server name in a TGS-REQ.
784 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
785 * BUG 14819: Address flapping dsdb_schema_attributes test.
787 o Luke Howard <lukeh@padl.com>
788 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
789 server name in a TGS-REQ.
791 o Gary Lockyer <gary@catalyst.net.nz>
792 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
793 server name in a TGS-REQ.
795 o Andreas Schneider <asn@samba.org>
796 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
797 server name in a TGS-REQ.
799 o Joseph Sutton <josephsutton@catalyst.net.nz>
800 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
801 server name in a TGS-REQ.
804 CHANGES SINCE 4.15.0rc4
805 =======================
807 o Jeremy Allison <jra@samba.org>
808 * BUG 14809: Shares with variable substitutions cause core dump upon
809 connection from MacOS Big Sur 11.5.2.
810 * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
811 build.
813 o Andrew Bartlett <abartlet@samba.org>
814 * BUG 14815: A subset of tests from Samba's selftest system were not being
815 run, while others were run twice.
817 o Ralph Boehme <slow@samba.org>
818 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
819 * BUG 14787: net conf list crashes when run as normal user,
820 * BUG 14803: smbd/winbindd started in daemon mode generate output on
821 stderr/stdout.
822 * BUG 14804: winbindd can crash because idmap child state is not fully
823 initialized.
825 o Stefan Metzmacher <metze@samba.org>
826 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
829 CHANGES SINCE 4.15.0rc3
830 =======================
832 o Bjoern Jacke <bj@sernet.de>
833 * BUG 14800: util_sock: fix assignment of sa_socklen.
836 CHANGES SINCE 4.15.0rc2
837 =======================
839 o Jeremy Allison <jra@samba.org>
840 * BUG 14760: vfs_streams_depot directory creation permissions and store
841 location problems.
842 * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
843 * BUG 14769: smbd panic on force-close share during offload write.
844 * BUG 14805: OpenDir() loses the correct errno return.
846 o Ralph Boehme <slow@samba.org>
847 * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
849 o Stefan Metzmacher <metze@samba.org>
850 * BUG 14793: Start the SMB encryption as soon as possible.
852 o Andreas Schneider <asn@samba.org>
853 * BUG 14779: Winbind should not start if the socket path is too long.
855 o Noel Power <noel.power@suse.com>
856 * BUG 14760: vfs_streams_depot directory creation permissions and store
857 location problems.
860 CHANGES SINCE 4.15.0rc1
861 =======================
863 o Andreas Schneider <asn@samba.org>
864 * BUG 14768: smbd/winbind should load the registry if configured
865 * BUG 14777: do not quote passed argument of configure script
866 * BUG 14779: Winbind should not start if the socket path is too long
868 o Stefan Metzmacher <metze@samba.org>
869 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
870 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
872 o Ralph Boehme <slow@samba.org>
873 * BUG 14700: file owner not available when file unredable
875 o Jeremy Allison <jra@samba.org>
876 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
877 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
878 share path
881 KNOWN ISSUES
882 ============
884 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
887 #######################################
888 Reporting bugs & Development Discussion
889 #######################################
891 Please discuss this release on the samba-technical mailing list or by
892 joining the #samba-technical IRC channel on irc.libera.chat or the
893 #samba-technical:matrix.org matrix channel.
895 If you do report problems then please try to send high quality
896 feedback. If you don't provide vital information to help us track down
897 the problem then you will probably be ignored. All bug reports should
898 be filed under the Samba 4.1 and newer product in the project's Bugzilla
899 database (https://bugzilla.samba.org/).
902 ======================================================================
903 == Our Code, Our Bugs, Our Responsibility.
904 == The Samba Team
905 ======================================================================