1 ==============================
2 Release Notes for Samba 4.15.0
4 ==============================
7 This is the first stable release of the Samba 4.15 release series.
8 Please read the release notes carefully before upgrading.
11 Removed SMB (development) dialects
12 ==================================
14 The following SMB (development) dialects are no longer
15 supported: SMB2_22, SMB2_24 and SMB3_10. They are were
16 only supported by Windows technical preview builds.
17 They used to be useful in order to test against the
18 latest Windows versions, but it's no longer useful
19 to have them. If you have them explicitly specified
20 in your smb.conf or an the command line,
21 you need to replace them like this:
25 Note that it's typically not useful to specify
26 "client max protocol" or "server max protocol"
27 explicitly to a specific dialect, just leave
28 them unspecified or specify the value "default".
33 The GPG release key for Samba releases changed from:
35 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
36 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
37 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
38 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
40 to the following new key:
42 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
43 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
44 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
45 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
47 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
49 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
51 New minimum version for the experimental MIT KDC
52 ================================================
54 The build of the AD DC using the system MIT Kerberos, an
55 experimental feature, now requires MIT Kerberos 1.19. An up-to-date
56 Fedora 34 has this version and has backported fixes for the KDC crash
57 bugs CVE-2021-37750 and CVE-2021-36222
66 The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
67 with a modernized VFS designed for the post SMB1 world.
69 For details please refer to the documentation at source3/modules/The_New_VFS.txt
70 or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
73 Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
74 ---------------------------------------------------------------------------
76 Up to now, any client could use a DNS zone transfer request to the
77 bind server, and get an answer from Samba. Now the default behaviour
78 will be to deny those request. Two new options have been added to
79 manage the list of authorized/denied clients for zone transfer
80 requests. In order to be accepted, the request must be issued by a
81 client that is in the allow list and NOT in the deny list.
84 "server multi channel support" no longer experimental
85 -----------------------------------------------------
87 This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
88 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
89 to use this feature on Linux and FreeBSD for now.
92 samba-tool available without the ad-dc
93 --------------------------------------
95 The 'samba-tool' command is now available when samba is configured
96 "--without-ad-dc". Not all features will work, and some ad-dc specific options
97 have been disabled. The 'samba-tool domain' options, for example, are limited
98 when no ad-dc is present. Samba must still be built with ads in order to enable
102 Improved command line user experience
103 -------------------------------------
105 Samba utilities did not consistently implement their command line interface. A
106 number of options were requiring to specify values in one tool and not in the
107 other, some options meant different in different tools.
109 These should be stories of the past now. A new command line parser has been
110 implemented with sanity checking. Also the command line interface has been
111 simplified and provides better control for encryption, signing and kerberos.
113 Previously many tools silently ignored unknown options. To prevent unexpected
114 behaviour all tools will now consistently reject unknown options.
116 Also several command line options have a smb.conf variable to control the
119 All tools are now logging to stderr by default. You can use "--debug-stdout" to
120 change the behavior. All servers will log to stderr at early startup until logging
121 is setup to go to a file by default.
126 --client-protection=off|sign|encrypt
129 --kerberos -> --use-kerberos=required|desired|off
130 --krb5-ccache -> --use-krb5-ccache=CCACHE
131 --scope -> --netbios-scope=SCOPE
132 --use-ccache -> --use-winbind-ccache
136 -C removed from --use-winbind-ccache
137 -i removed from --netbios-scope
141 ### Duplicates in command line utils
143 ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
144 -e is still available as an alias for --editor,
146 -s is no longer reported as an alias for --configfile,
147 it never worked that way as it was shadowed by '-s' for '--scope'.
150 -l is not available for --load-dso anymore
153 -l is not available for --long anymore
156 -V is not available for --viewsddl anymore
159 --user -> --quota-user
162 --log-stdout -> --debug-stdout
165 --log-stdout -> --debug-stdout
168 --log-stdout -> --debug-stdout
171 Scanning of trusted domains and enterprise principals
172 -----------------------------------------------------
174 As an artifact from the NT4 times, we still scanned the list of trusted domains
175 on winbindd startup. This is wrong as we never can get a full picture in Active
176 Directory. It is time to change the default value to "No". Also with this change
177 we always use enterprise principals for Kerberos so that the DC will be able
178 to redirect ticket requests to the right DC. This is e.g. needed for one way
179 trusts. The options `winbind use krb5 enterprise principals` and
180 `winbind scan trusted domains` will be deprecated in one of the next releases.
183 Support for Offline Domain Join (ODJ)
184 -------------------------------------
186 The net utility is now able to support the offline domain join feature
187 as known from the Windows djoin.exe command for many years. Samba's
188 implementation is accessible via the 'net offlinejoin' subcommand. It
189 can provision computers and request offline joining for both Windows
190 and Unix machines. It is also possible to provision computers from
191 Windows (using djoin.exe) and use the generated data in Samba's 'net'
192 utility. The existing options for the provisioning and joining steps
193 are documented in the net(8) manpage.
196 'samba-tool dns zoneoptions' for aging control
197 ----------------------------------------------
199 The 'samba-tool dns zoneoptions' command can be used to turn aging on
200 and off, alter the refresh and no-refresh periods, and manipulate the
201 timestamps of existing records.
203 To turn aging on for a zone, you can use something like this:
205 samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
207 which turns on aging and ensures no records less than five years old
208 are aged out and scavenged. After aging has been on for sufficient
209 time for records to be renewed, the command
211 samba-tool dns zoneoptions --refreshinterval=168
213 will set the refresh period to the standard seven days. Using this two
214 step process will help prevent the temporary loss of dynamic records
215 if scavenging happens before their first renewal.
218 Marking old records as static or dynamic with 'samba-tool'
219 ----------------------------------------------------------
221 A bug in Samba versions prior to 4.9 meant records that were meant to
222 be static were marked as dynamic and vice versa. To fix the timestamps
223 in these domains, it is possible to use the following options,
224 preferably before turning aging on.
226 --mark-old-records-static
227 --mark-records-dynamic-regex
228 --mark-records-static-regex
230 The "--mark-old-records-static" option will make records older than the
231 specified date static (that is, with a zero timestamp). For example,
232 if you upgraded to Samba 4.9 in November 2018, you could use ensure no
233 old records will be mistakenly interpreted as dynamic using the
236 samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
238 Then, if you know that that will have marked some records as static
239 that should be dynamic, and you know which those are due to your
240 naming scheme, you can use commands like:
242 samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
244 where '\w+-desktop' is a perl-compatible regular expression that will
245 match 'bob-desktop', 'alice-desktop', and so on.
247 These options are deliberately long and cumbersome to type, so people
248 have a chance to think before they get to the end. You can make a
249 mess if you get it wrong.
251 All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
252 argument that allows you to inspect the likely results before going
255 NOTE: for aging to work, you need to have "dns zone scavenging = yes"
256 set in the smb.conf of at least one server.
259 DNS tombstones are now deleted as appropriate
260 ---------------------------------------------
262 When all the records for a DNS name have been deleted, the node is put
263 in a tombstoned state (separate from general AD object tombstoning,
264 which deleted nodes also go through). These tombstones should be
265 cleaned up periodically. Due to a conflation of scavenging and
266 tombstoning, we have only been deleting tombstones when aging is
269 If you have a lot of tombstoned DNS nodes (that is, DNS names for
270 which you have removed all the records), cleaning up these DNS
271 tombstones may take a noticeable time.
274 DNS tombstones use a consistent timestamp format
275 ------------------------------------------------
277 DNS records use an hours-since-1601 timestamp format except for in the
278 case of tombstone records where a 100-nanosecond-intervals-since-1601
279 format is used (this latter format being the most common in Windows).
280 We had mixed that up, which might have had strange effects in zones
281 where aging was enabled (and hence tombstone timestamps were used).
284 samba-tool dns update and RPC changes
285 -------------------------------------
287 The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
288 to manipulate dns records on the remote server. A bug in Samba meant
289 it was not possible to update an existing DNS record to change the
290 TTL. The general behaviour of RPC updates is now closer to that of
293 'samba-tool dns update' is now a bit more careful in rejecting and
294 warning you about malformed IPv4 and IPv6 addresses.
296 CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
297 -----------------------------------------------------------------------
299 An unuthenticated user can crash the AD DC KDC by omitting the server
300 name in a TGS-REQ. Per Samba's updated security process a specific
301 security release was not made for this issue as it is a recoverable
304 See https://wiki.samba.org/index.php/Samba_Security_Proces
306 samba-tool domain backup offline with the LMDB backend
307 ------------------------------------------------------
309 samba-tool domain backup offline, when operating with the LMDB backend
310 now correctly takes out locks against concurrent modification of the
311 database during the backup. If you use this tool on a Samba AD DC
312 using LMDB, you should upgrade to this release for safer backups.
317 Tru64 ACL support has been removed from this release. The last
318 supported release of Tru64 UNIX was in 2012.
320 NIS support has been removed from this release. This is not
321 available in Linux distributions anymore.
323 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
324 which have been out of support since 2018.
330 Parameter Name Description Default
331 -------------- ----------- -------
332 client use kerberos New desired
333 client max protocol Values Removed
334 client min protocol Values Removed
335 client protection New default
336 client smb3 signing algorithms New see man smb.conf
337 client smb3 encryption algorithms New see man smb.conf
338 preopen:posix-basic-regex New No
339 preopen:nomatch_log_level New 5
340 preopen:match_log_level New 5
341 preopen:nodigits_log_level New 1
342 preopen:founddigits_log_level New 3
343 preopen:reset_log_level New 5
344 preopen:push_log_level New 3
345 preopen:queue_log_level New 10
346 server max protocol Values Removed
347 server min protocol Values Removed
348 server multi channel support Changed Yes (on Linux and FreeBSD)
349 server smb3 signing algorithms New see man smb.conf
350 server smb3 encryption algorithms New see man smb.conf
351 winbind use krb5 enterprise principals Changed Yes
352 winbind scan trusted domains Changed No
355 CHANGES SINCE 4.15.0rc6
356 =======================
358 o Andrew Bartlett <abartlet@samba.org>
359 * BUG 14791: All the ways to specify a password are not documented.
361 o Ralph Boehme <slow@samba.org>
362 * BUG 14790: vfs_btrfs compression support broken.
363 * BUG 14828: Problems with commandline parsing.
364 * BUG 14829: smbd crashes when "ea support" is set to no.
366 o Stefan Metzmacher <metze@samba.org>
367 * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
368 use the same strings as smbstatus output.
369 * BUG 14828: Problems with commandline parsing.
371 o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
372 * BUG 8773: smbd fails to run as root because it belongs to more than 16
375 o Martin Schwenke <martin@meltin.net>
376 * BUG 14784: Fix CTDB flag/status update race conditions.
379 CHANGES SINCE 4.15.0rc5
380 =======================
382 o Andrew Bartlett <abartlet@samba.org>
383 * BUG 14806: Address a signifcant performance regression in database access
384 in the AD DC since Samba 4.12.
385 * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
386 Samba 4.9 by using an explicit database handle cache.
387 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
388 server name in a TGS-REQ.
389 * BUG 14818: Address flapping samba_tool_drs_showrepl test.
390 * BUG 14819: Address flapping dsdb_schema_attributes test.
392 o Luke Howard <lukeh@padl.com>
393 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
394 server name in a TGS-REQ.
396 o Gary Lockyer <gary@catalyst.net.nz>
397 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
398 server name in a TGS-REQ.
400 o Andreas Schneider <asn@samba.org>
401 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
402 server name in a TGS-REQ.
404 o Joseph Sutton <josephsutton@catalyst.net.nz>
405 * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
406 server name in a TGS-REQ.
409 CHANGES SINCE 4.15.0rc4
410 =======================
412 o Jeremy Allison <jra@samba.org>
413 * BUG 14809: Shares with variable substitutions cause core dump upon
414 connection from MacOS Big Sur 11.5.2.
415 * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
418 o Andrew Bartlett <abartlet@samba.org>
419 * BUG 14815: A subset of tests from Samba's selftest system were not being
420 run, while others were run twice.
422 o Ralph Boehme <slow@samba.org>
423 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
424 * BUG 14787: net conf list crashes when run as normal user,
425 * BUG 14803: smbd/winbindd started in daemon mode generate output on
427 * BUG 14804: winbindd can crash because idmap child state is not fully
430 o Stefan Metzmacher <metze@samba.org>
431 * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
434 CHANGES SINCE 4.15.0rc3
435 =======================
437 o Bjoern Jacke <bj@sernet.de>
438 * BUG 14800: util_sock: fix assignment of sa_socklen.
441 CHANGES SINCE 4.15.0rc2
442 =======================
444 o Jeremy Allison <jra@samba.org>
445 * BUG 14760: vfs_streams_depot directory creation permissions and store
447 * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
448 * BUG 14769: smbd panic on force-close share during offload write.
449 * BUG 14805: OpenDir() loses the correct errno return.
451 o Ralph Boehme <slow@samba.org>
452 * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
454 o Stefan Metzmacher <metze@samba.org>
455 * BUG 14793: Start the SMB encryption as soon as possible.
457 o Andreas Schneider <asn@samba.org>
458 * BUG 14779: Winbind should not start if the socket path is too long.
460 o Noel Power <noel.power@suse.com>
461 * BUG 14760: vfs_streams_depot directory creation permissions and store
465 CHANGES SINCE 4.15.0rc1
466 =======================
468 o Andreas Schneider <asn@samba.org>
469 * BUG 14768: smbd/winbind should load the registry if configured
470 * BUG 14777: do not quote passed argument of configure script
471 * BUG 14779: Winbind should not start if the socket path is too long
473 o Stefan Metzmacher <metze@samba.org>
474 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
475 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
477 o Ralph Boehme <slow@samba.org>
478 * BUG 14700: file owner not available when file unredable
480 o Jeremy Allison <jra@samba.org>
481 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
482 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
489 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
492 #######################################
493 Reporting bugs & Development Discussion
494 #######################################
496 Please discuss this release on the samba-technical mailing list or by
497 joining the #samba-technical IRC channel on irc.libera.chat or the
498 #samba-technical:matrix.org matrix channel.
500 If you do report problems then please try to send high quality
501 feedback. If you don't provide vital information to help us track down
502 the problem then you will probably be ignored. All bug reports should
503 be filed under the Samba 4.1 and newer product in the project's Bugzilla
504 database (https://bugzilla.samba.org/).
507 ======================================================================
508 == Our Code, Our Bugs, Our Responsibility.
510 ======================================================================