File samba.changes of Package samba-4.21-mit-fs
-------------------------------------------------------------------
Tue Jul 8 07:51:10 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.21.7
July 07, 2025
==============================
This is the latest stable release of the Samba 4.21 release series.
Important Change in Upcoming Microsoft Update
---------------------------------------------
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used, see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.
See https://bugzilla.samba.org/show_bug.cgi?id=15876.
Changes since 4.21.6
--------------------
o Günther Deschner <gd@samba.org>
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Stefan Metzmacher <metze@samba.org>
* BUG 15680: Trust domains are not created.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Andreas Schneider <asn@samba.org>
* BUG 15680: Trust domains are not created.
* BUG 15869: Startup messages of rpc deamons fills /var/log/messages.
-------------------------------------------------------------------
Tue Jun 3 07:44:08 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.21.6
June 03, 2025
==============================
This is the latest stable release of the Samba 4.21 release series.
It contains the security-relevant bugfix CVE-2025-0620:
smbd doesn't pick up group membership changes
when re-authenticating an expired SMB session:
https://www.samba.org/samba/security/CVE-2025-0620.html
Description of CVE-2025-0620
-----------------------------
With Kerberos authentication SMB sessions typically have an
associated lifetime, requiring re-authentication by the
client when the session expires. As part of the
re-authentication, Samba receives the current group
membership information and is expected to reflect this
change in further SMB request processing.
For historic reasons, Samba maintains a cache of
associations between a user's impersonation information and
connected shares. A recent change in this cache caused Samba
to not reflect group membership changes from session
re-authentication when processing further SMB requests.
As a result, when an administrator removes a user from a
particular group in Active Directory, this change will not
become effective unless the user disconnects from the server
and establishes a new connection.
Changes since 4.21.5
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
* BUG 15829: samba-tool gpo backup creates entity backups it can't read.
* BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's.
o Ralph Boehme <slow@samba.org>
* BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership
changes when re-authenticating an expired SMB session.
* BUG 15767: Deadlock between two smbd processes.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Andreas Hasenack <andreas.hasenack@canonical.com>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
o Volker Lendecke <vl@samba.org>
* BUG 15841: Wide link issue in samba 4.22.
o Stefan Metzmacher <metze@samba.org>
* BUG 15767: Deadlock between two smbd processes.
* BUG 15851: dcerpcd not able to bind to listening port.
o Anoop C S <anoopcs@samba.org>
* BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15858: CTDB does not put nodes running NFS into grace on graceful
shutdown.
-------------------------------------------------------------------
Mon Mar 31 15:31:32 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.21.5
March 31, 2025
==============================
This is the latest stable release of the Samba 4.21 release series.
Changes since 4.21.4
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15795: ldb index cache is too small on known large transactions
(schemaupgrade, provision).
o Ralph Boehme <slow@samba.org>
* BUG 15822: Enable support for cephfs case insensitive behavior.
* BUG 15823: Subnet based interfaces definition not listening on all covered
IP addresses.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Xavi Hernandez <xhernandez@redhat.com>
* BUG 15822: Enable support for cephfs case insensitive behavior.
o Volker Lendecke <vl@samba.org>
* BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
o Andrýas Leroux <aleroux@tranquil.it>
* BUG 15795: ldb index cache is too small on known large transactions
(schemaupgrade, provision).
o Anoop C S <anoopcs@samba.org>
* BUG 15797: Unable to connect to CephFS subvolume shares with
vfs_shadow_copy2.
* BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
* BUG 15818: vfs_ceph_new module does not work with other modules for
snapshot management.
* BUG 15822: Enable support for cephfs case insensitive behavior.
* BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15820: Incorrect FSF address in ctdb pcp scripts.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
o Andrea Venturoli <ml@netfence.it>
* BUG 15804: "samba-tool domain backup offline" hangs.
-------------------------------------------------------------------
Mon Feb 17 15:55:15 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
2 Release Notes for Samba 4.21.4
3 February 17, 2025
4 ==============================
5
6
7 This is the latest stable release of the Samba 4.21 release series.
8
9
10 Changes since 4.21.3
11 --------------------
12
13 o Vinit Agnihotri <vagnihot@redhat.com>
14 * BUG 15780: Increasing slowness of sharesec performance with high number of
15 registry shares.
16
17 o Jeremy Allison <jra@samba.org>
18 * BUG 15782: winbindd shows memleak in kerberos_decode_pac.
19
20 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
21 * BUG 15738: Creation of GPOs applicable to more than one group is impossible
22 with Samba 4.20.0 and later.
23 * BUG 15756: Replace `crypt` module in
24 python/samba/netcmd/user/readpasswords/common.py.
25
26 o Ralph Boehme <slow@samba.org>
27 * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
28 * BUG 15796: Spotlight search results don't show file size and creation date.
29
30 o Guenther Deschner <gd@samba.org>
31 * BUG 15703: General improvements for vfs_ceph_new module.
32 * BUG 15777: net offlinejoin not working correctly.
33 * BUG 15780: Increasing slowness of sharesec performance with high number of
34 registry shares.
35
36 o Pavel Filipenský <pfilipensky@samba.org>
37 * BUG 15759: net ads create/join/winbind producing unix dysfunctional
38 keytabs.
39
40 o Stefan Metzmacher <metze@samba.org>
41 * BUG 14213: Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
42 security tab.
43 * BUG 15769: The values from hresult_errstr_const and hresult_errstr are
44 reversed in 4.20 and 4.21.
45 * BUG 15778: Kerberos referral tickets are generated for principals in our
46 domain if we have a trust to a top level domain.
47 * BUG 15783: NETLOGON_NTLMV2_ENABLED is missing in the SamLogon* user_flags
48 field.
49
50 o Anoop C S <anoopcs@samba.org>
51 * BUG 15703: General improvements for vfs_ceph_new module.
52
53 o Andreas Schneider <asn@samba.org>
54 * BUG 15784: Regression: stack-use-after-return in crypt_as_best_we_can().
55 * BUG 15788: libreplace:readline: gcc 15 complains about incompatible pointer
56 types.
57
58 o Shachar Sharon <ssharon@redhat.com>
59 * BUG 15703: General improvements for vfs_ceph_new module.
60
61 o Shweta Sodani <ssodani@redhat.com>
62 * BUG 15703: General improvements for vfs_ceph_new module.
-------------------------------------------------------------------
Mon Jan 6 15:59:46 UTC 2025 - macke d <mdbuild@use.startmail.com>
-
==============================
Release Notes for Samba 4.21.3
January 06, 2025
==============================
This is the latest stable release of the Samba 4.21 release series.
Changes since 4.21.2
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15701: More possible replication loops against Azure AD.
o Ralph Boehme <slow@samba.org>
* BUG 15697: Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15724: vfs crossrename seems not work correctly.
* BUG 6750: After 'machine password timeout' /etc/krb5.keytab is not updated.
o Volker Lendecke <vl@samba.org>
* BUG 15771: Memory leak wbcCtxLookupSid.
o Stefan Metzmacher <metze@samba.org>
* BUG 15765: Fix heap-user-after-free with association groups.
o Andreas Schneider <asn@samba.org>
* BUG 15758: Segfault in vfs_btrfs.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15755: Avoid event failure race when disabling an event script.
o Jones Syue <jonessyue@qnap.com>
* BUG 15724: vfs crossrename seems not work correctly.
-------------------------------------------------------------------
Tue Nov 26 07:29:30 UTC 2024 - macke d <mdbuild@use.startmail.com>
==============================
Release Notes for Samba 4.21.2
November 25, 2024
==============================
This is the latest stable release of the Samba 4.21 release series.
Changes since 4.21.1
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15732: smbd fails to correctly check sharemode against OVERWRITE
dispositions.
* BUG 15754: Panic in close_directory.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15752: winexe no longer works with samba 4.21.
o Stefan Metzmacher <metze@samba.org>
* BUG 14356: protocol error - Unclear debug message "pad length mismatch" for
invalid bind packet.
* BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented.
* BUG 15740: gss_accept_sec_context() from Heimdal does not imply
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE.
* BUG 15749: winbindd should call process_set_title() for locator child.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15320: Update CTDB to track all TCP connections to public IP addresses.
-------------------------------------------------------------------
Wed Oct 16 13:27:55 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.21.1
October 14, 2024
==============================
This is the latest stable release of the Samba 4.21 release series.
Changes since 4.21.0
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15624: DH reconnect error handling can lead to stale sharemode entries.
* BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default
when creating a stream.
o Alexander Bokovoy <ab@samba.org>
* BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration.
o Andréas Leroux <aleroux@tranquil.it>
* BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS-
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool
domain auth policy modify".
o Stefan Metzmacher <metze@samba.org>
* BUG 15280: irpc_destructor may crash during shutdown.
* BUG 15624: DH reconnect error handling can lead to stale sharemode entries.
* BUG 15649: Durable handle is not granted when a previous OPEN exists with
NoOplock.
* BUG 15651: Durable handle is granted but reconnect fails.
* BUG 15708: Disconnected durable handles with RH lease should not be purged
by a new non conflicting open.
* BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in
a cluster.
* BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc
8009 etypes are used.
o Christof Schmitt <cs@samba.org>
* BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2.
o Andreas Schneider <asn@samba.org>
* BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup.
* BUG 15721: Cannot build libldb lmdb backend on a build without AD DC.
o Jones Syue <jonessyue@qnap.com>
* BUG 15706: Consistent log level for sighup handler.
-------------------------------------------------------------------
Mon Sep 2 13:46:02 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.21.0
September 02, 2024
==============================
This is the first stable release of the Samba 4.21 release series.
Please read the release notes carefully before upgrading.
Hardening of "valid users", "invalid users", "read list" and "write list"
=========================================================================
In previous versions of Samba, if a user or group name in either of the
mentioned options could not be resolved to a valid SID, the user (or group)
would be skipped without any notification. This could result in unexpected and
insecure behaviour. Starting with this version of Samba, if any user or group
name in any of the options cannot be resolved due to a communication error with
a domain controller, Samba will log an error and the tree connect will fail.
Non existing users (or groups) are ignored.
LDAP TLS/SASL channel binding support
=====================================
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
NEW FEATURES/CHANGES
====================
LDB no longer a standalone tarball
----------------------------------
LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.
If you need ldb as a public library, say to build sssd, then use
./configure --private-libraries='!ldb'
This re-integration allows LDB tests to use the Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.
This approach has been demonstrated already in Debian, which is already
building Samba and LDB is this way.
As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.
LDB Module API Python bindings removed
--------------------------------------
The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development. However that wrapping
never took into account later changes, and so has not worked for a
number of years. Samba 4.21 and LDB 2.10 removes this unused and
broken feature.
Changes in LDB handling of Unicode
----------------------------------
Developers using LDB up to version 2.9 could call ldb_set_utf8_fns()
to determine how LDB handled casefolding. This is used internally by
string comparison functions. In LDB 2.10 this function is deprecated,
and ldb_set_utf8_functions() is preferred. The new function allows a
direct comparison function to be set as well as a casefold function.
This improves performance and allows for more robust handling of
degenerate cases. The function should be called just after ldb_init(),
with the following arguments:
ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */
context_variable /* possibly NULL */
casefold_function,
case_insensitive_comparison_function);
The default behaviour of LDB remains to perform ASCII casefolding
only, as if in the "C" locale. Recent versions have become
increasingly consistent in this.
Some Samba public libraries made private by default
---------------------------------------------------
The following Samba C libraries are currently made public due to their
use by OpenChange or for historical reasons that are no longer clear.
dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
samba-credentials, dcerpc_server, samdb
The libraries used by the OpenChange client now private, but can be
made public (like ldb above) with:
./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
The C libraries without any known user or used only for the OpenChange
server (a dead project) may be made private entirely in a future Samba
version.
If you use a Samba library in this list, please be in touch with the
samba-technical mailing list.
Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------
Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to active directory domain controllers.
Using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order let to 'ldap ssl = start tls' have any effect on those
connections.
'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.
The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.
The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ldaps' (using TLS directly on tcp port 636).
If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on tcp port 389.
As we no longer use the openldap tls layer it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
While 'tls verify peer' and 'tls crlfile' are also relevant,
see 'man smb.conf' for further details.
New DNS hostname config option
------------------------------
To get `net ads dns register` working correctly running manually or during a
domain join a special entry in /etc/hosts was required. This not really
documented and thus the DNS registration mostly didn't work. With the new option
the default is [netbios name].[realm] which should be correct in the majority of
use cases.
We will also use the value to create service principal names during a Kerberos
authentication and DNS functions.
This is not supported in samba-tool yet.
Samba AD will rotate expired passwords on smartcard-required accounts
---------------------------------------------------------------------
Traditionally in AD, accounts set to be "smart card require for logon"
will have a password for NTLM fallback and local profile encryption
(Windows DPAPI). This password previously would not expire.
Matching Windows behaviour, when the DC in a FL 2016 domain and the
msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
root is set to TRUE, Samba will now expire these passwords and rotate
them shortly before they expire.
Note that the password expiry time must be set to twice the TGT lifetime for
smooth operation, e.g. daily expiry given a default 10 hour TGT
lifetime, as the password is only rotated in the second half of its
life. Again, this matches the Windows behaviour.
Provided the default 2016 schema is used, new Samba domains
provisioned with Samba 4.21 will have this enabled once the domain
functional level is set to 2016.
NOTE: Domains upgraded from older Samba versions will not have this
set, even after the functional level preparation, matching the
behaviour of upgraded Windows AD domains.
Per-user and group "veto files" and "hide files"
------------------------------------------------
"veto files" and "hide files" can optionally be restricted to certain users and
groups. To apply a veto or hide directive to a filename for a specific user or
group, a parametric option like this can be used:
hide files : USERNAME = /somefile.txt/
veto files : GROUPNAME = /otherfile.txt/
For details consult the updated smb.conf manpage.
Automatic keytab update after machine password change
-----------------------------------------------------
When machine account password is updated, either by winbind doing regular
updates or manually (e.g. net ads changetrustpw), now winbind will also support
update of keytab entries in case you use newly added option
'sync machine password to keytab'.
The new parameter allows you to describe what keytabs and how should be updated.
From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
The functionaity provided by the removed commands "net ads keytab
add/delete/add_update_ads" can be achieved via the 'sync machine password to
keytab' as in these examples:
"net ads keytab add wurst/brot@REALM"
- this command is not adding <principal> to AD, so the best fit can be specifier
"spns"
- add to smb.conf:
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
- run:
"net ads keytab create"
"net ads keytab delete wurst/brot@REALM"
- remove the principal (or the whole keytab line if there was just one)
- run:
"net ads keytab create"
"net ads keytab add_update_ads wurst/brot@REALM"
- this command was adding the principal to AD, so for this case use a keytab
with specifier sync_spns
- add to smb.conf:
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
- run:
"net ads setspn add wurst/brot@REALM" # this adds the principal to AD
"net ads keytab create" # this sync it from AD to local keytab
A new parameter 'sync machine password script' allows to specify external script
that will be triggered after the automatic keytab update. If keytabs should be
generated in clustered environments it is recommended to update them on all
nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
46.update-keytabs.script in section 'sync machine password script' for details.
For detailed information check the smb.conf(5) and net(8) manpages.
New cephfs VFS module
---------------------
Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
of path-based operations in the existing module). It allows users to pass
explicit user-credentials per call (including supplementary groups), as well as
faster operations using inode and file-handle caching on the Samba side.
Configuration is identical to existing module, but using 'ceph_new' instead of
'ceph' for the relevant smb.conf entries. This new module is expected to
deprecate and replace the old one in next major release.
Group Managed Service Accounts
------------------------------
Samba 4.21 adds support for gMSAs (Group Managed Service Accounts),
completing support for Functional Level 2012.
The purpose of a gMSA is to allow a single host, or a cluster of
hosts, to share access to an automatically rotating password, avoiding
the weak static service passwords that are often the entrypoint of
attackers to AD domains. Each server has a strong and regularly
rotated password, which is used to access the gMSA account of (e.g.)
the database server.
Samba provides management and client tools, allowing services on Unix
hosts to access the current and next gMSA passwords, as well as obtain
a credentials cache.
Samba 4.20 announced the client-side tools for this feature. To avoid
duplication and provide consistency, the existing commands for
password viewing have been extended, so these commands operate both on
a gMSA (with credentials, over LDAP, specify -H) and locally for
accounts that have a compatible password (e.g. plaintext via GPG,
compatible hash)
samba-tool user getpassword
samba-tool user get-kerberos-ticket
samba-tool domain exportkeytab
An example command, which gets the NT hash for use with NTLM, is
samba-tool user getpassword -H ldap://server --machine-pass \
TestUser1 --attributes=unicodePwd
Kerberos is a better choice (gMSA accounts should not use LDAP simple
binds, for reasons of both security and compatibility). Use
samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \
TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache
gMSAs disclose a current and previous password. To access the previous
NT hash, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attrs=unicodePwd;previous=1
To access the previous password as UTF8, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attributes=pwdLastSet,virtualClearTextUTF8;previous=1
However, Windows tools for dealing with gMSAs tend to use Active
Directory Web Services (ADWS) from Powershell for setting up the
accounts, and this separate protocol is not supported by Samba 4.21.
Samba-tool commands for handling gMSA (KDS) root keys
-----------------------------------------------------
Group managed service accounts rotate passwords based on root keys,
which can be managed using samba-tool, with commands such as
samba-tool domain kds root_key create
samba-tool domain kds root_key list
Samba will create a new root key for new domains at provision time,
but users of gMSA accounts on upgraded domains will need to first
create a root key.
RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC
------------------------------------------------------------------
The Heimdal KDC will recognise when a client provides proof that they
hold the hardware token used for smart-card authentication 'now' and
has not used a saved future-dated reply. Samba 4.21 now matches
Windows and will assign an extra SID to the user in this case,
allowing sensitive resources to be additionally protected.
Only Windows clients are known to support the client side of this
feature at this time.
New samba-tool Authentication Policy management command structure
-----------------------------------------------------------------
As foreshadowed in the Samba 4.20 release notes, the "samba-tool
domain auth policy" commands have been reworked to be more intuitive
based on user feedback and reflection.
Support for key features of AD Domain/Forest Functional Level 2012R2
--------------------------------------------------------------------
Combined with other changes in recent versions (such as claims support
in 4.20), Samba can now claim Functional Level 2012R2 support.
Build system
------------
In previous versions of Samba, packagers of Samba would set their
package-specific version strings using a patch to the
SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is
achieved by using --vendor-suffix (at configure time), allowing this
to be more easily scripted. Vendors are encouraged to include their
name and full package version to assist with upstream debugging.
More deterministic builds
-------------------------
Samba builds are now more reproducible, providing better assurance
that the Samba binaries you run are the same as what is expected from
the source code. If locale settings are not changed, the same objects
will be produced from each compilation run. If Samba is built in a
different path, the object code will remain the same, but DWARF
debugging sections will change (while remaining functionally
equivalent).
See https://reproducible-builds.org/ for more information on this
industry-wide effort and
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html
for the status in Debian.
Improved command-line redaction
-------------------------------
There are several options that can be used with Samba tools for
specifying secrets. Although this is best avoided, when these options
are used, Samba will redact the secrets in /proc, so that they won't
be seen in ps or top. This is now carried out more thoroughly,
redacting more options. There is a race inherent in this, and the
passwords will be visible for a short time. The secrets are also not
removed from .bash_history and similar files.
REMOVED FEATURES
================
Following commands are removed:
net ads keytab add <principal>
net ads keytab delete <principal>
net ads keytab add_update_ads
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
client ldap sasl wrapping new values
client use spnego principal removed
ldap server require strong auth new values
tls trust system cas new
tls ca directories new
dns hostname client dns name [netbios name].[realm]
valid users Hardening
invalid users Hardening
read list Hardening
write list Hardening
veto files Added per-user and per-group vetos
hide files Added per-user and per-group hides
sync machine password to keytab keytabs
sync machine password script script
CHANGES SINCE 4.21.0rc4
=======================
o David Disseldorp <ddiss@samba.org>
* BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
o Noel Power <noel.power@suse.com>
* BUG 15702: Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15686: Add new vfs_ceph module (based on low level API).
CHANGES SINCE 4.21.0rc3
=======================
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15698: samba-tool can not load the default configuration file.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15700: Crash when readlinkat fails.
CHANGES SINCE 4.21.0rc2
=======================
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
o Stefan Metzmacher <metze@samba.org>
* BUG 15696: Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients.
o Anoop C S <anoopcs@samba.org>
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
CHANGES SINCE 4.21.0rc1
=======================
o Andreas Schneider <asn@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
o Anoop C S <anoopcs@samba.org>
* BUG 15686: Add new vfs_ceph module (based on low level API)
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
o Jennifer Sutton <jennifersutton@catalyst.net.nz>
* BUG 15690: ldb_version.h is missing from ldb public library
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
o Shachar Sharon <ssharon@redhat.com>
* BUG 15686: Add new vfs_ceph module (based on low level API)
o Stefan Metzmacher <metze@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15687: undefined reference to winbind_lookup_name_ex
* BUG 15688: per user veto and hide file syntax is to complex
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
o Volker Lendecke <vl@samba.org>
* BUG 15688: per user veto and hide file syntax is to complex
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
-------------------------------------------------------------------
Tue Aug 6 12:16:51 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.20.4
August 06, 2024
==============================
This is the latest stable release of the Samba 4.20 release series.
Changes since 4.20.3
--------------------
This only fixes a regression in library version strings in Samba
4.20.3, see: https://bugzilla.samba.org/show_bug.cgi?id=15673
If you compiled Samba from the sources and don't have other
applications relying on Samba's public libraries, there's
no reason to upgrade from 4.20.3 to 4.20.4.
o Andreas Schneider <asn@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
o Stefan Metzmacher <metze@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
-------------------------------------------------------------------
Sun Aug 4 11:54:45 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.20.3
August 02, 2024
==============================
This is the latest stable release of the Samba 4.20 release series.
LDAP TLS/SASL channel binding support
-------------------------------------
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
ldap server require strong auth new values
Changes since 4.20.2
--------------------
o Andreas Schneider <asn@samba.org>
* BUG 15683: Running samba-bgqd a a standalone systemd service does not work.
o Andrew Bartlett <abartlet@samba.org>
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15671: Invalid client warning about command line passwords.
* BUG 15672: Version string is truncated in manpages.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15674: cmdline_burn does not always burn secrets.
* BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
AD_DS_Classes_Windows_Server_v1903.ldf.
o Jo Sutton <josutton@catalyst.net.nz>
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15660: The images don\'t build after the git security release and
CentOS 8 Stream is EOL.
o Ralph Boehme <slow@samba.org>
* BUG 15676: Fix clock skew error message and memory cache clock skew
recovery.
o Stefan Metzmacher <metze@samba.org>
* BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual.
* BUG 15621: s4:ldap_server: does not support tls channel bindings
for sasl binds.
o Xavi Hernandez <xhernandez@redhat.com>
* BUG 15678: CTDB socket output queues may suffer unbounded delays under some
special conditions.
-------------------------------------------------------------------
Thu Jun 20 09:02:35 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.20.2
June 19, 2024
==============================
This is the latest stable release of the Samba 4.20 release series.
Changes since 4.20.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 13213: Samba build is not reproducible.
* BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
function.
* BUG 15625: Many qsort() comparison functions are non-transitive, which can
lead to out-of-bounds access in some circumstances.
o Andrew Bartlett <abartlet@samba.org>
* BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
bill.
* BUG 15654: We have added new options --vendor-name and --vendor-patch-
revision arguments to ./configure to allow distributions and packagers to
put their name in the Samba version string so that when debugging Samba the
source of the binary is obvious.
o Günther Deschner <gd@samba.org>
* BUG 15665: CTDB RADOS mutex helper misses namespace support.
o Stefan Metzmacher <metze@samba.org>
* BUG 13019: Dynamic DNS updates with the internal DNS are not working.
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
* BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
Windows Server 2022).
* BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
* BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
can't use nmb requests instead cldap.
* BUG 15642: winbindd, net ads join and other things don't work on an ipv6
only host.
* BUG 15659: Segmentation fault when deleting files in vfs_recycle.
* BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
* BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
machine account.
o Noel Power <noel.power@suse.com>
* BUG 15435: Regression DFS not working with widelinks = true.
o Andreas Schneider <asn@samba.org>
* BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
* BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
domain lookups.
* BUG 15660: The images don't build after the git security release and CentOS
8 Stream is EOL.
-------------------------------------------------------------------
Wed May 8 09:12:57 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.20.1
May 08, 2024
==============================
This is the latest stable release of the Samba 4.20 release series.
Changes since 4.20.0
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15630: dns update debug message is too noisy.
o Alexander Bokovoy <ab@samba.org>
* BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
o Anna Popova <popova.anna235@gmail.com>
* BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
flag.
o Noel Power <noel.power@suse.com>
* BUG 15611: http library doesn't support 'chunked transfer encoding'.
o Andreas Schneider <asn@samba.org>
* BUG 15600: Provide a systemd service file for the background queue daemon.
-------------------------------------------------------------------
Mon Apr 8 09:35:24 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.6
April 08, 2024
==============================
This is the latest stable release of the Samba 4.19 release series.
Changes since 4.19.5
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close().
o Guenther Deschner <gd@samba.org>
* BUG 15588: samba-gpupdate: Correctly implement site support.
o Noel Power <noel.power@suse.com>
* BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close().
o Andreas Schneider <asn@samba.org>
* BUG 15588: samba-gpupdate: Correctly implement site support.
* BUG 15599: libgpo: Segfault in python bindings.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15580: Packet marshalling push support missing for
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED.
-------------------------------------------------------------------
Tue Feb 20 10:08:23 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.5
February 19, 2024
==============================
This is the latest stable release of the Samba 4.19 release series.
Changes since 4.19.4
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 13688: Windows 2016 fails to restore previous version of a file from a
shadow_copy2 snapshot.
* BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before
that).
o Bjoern Jacke <bj@sernet.de>
* BUG 12421: Fake directory create times has no effect.
o Björn Jacke <bjacke@samba.org>
* BUG 15550: ctime mixed up with mtime by smbd.
o David Mulder <dmulder@samba.org>
* BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
o Gabriel Nagy <gabriel.nagy@canonical.com>
* BUG 15557: gpupdate: The root cert import when NDES is not available is
broken.
o Andreas Schneider <asn@samba.org>
* BUG 15552: samba-gpupdate should print a useful message if cepces-submit
can't be found.
* BUG 15558: samba-gpupdate logging doesn't work.
o Jones Syue <jonessyue@qnap.com>
* BUG 15555: smbpasswd reset permissions only if not 0600.
-------------------------------------------------------------------
Mon Jan 8 14:55:14 UTC 2024 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.4
January 08, 2024
==============================
This is the latest stable release of the Samba 4.19 release series.
Changes since 4.19.3
--------------------
o Samuel Cabrero <scabrero@samba.org>
* BUG 13577: net changesecretpw cannot set the machine account password if
secrets.tdb is empty.
o Björn Jacke <bjacke@samba.org>
* BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
* BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
* BUG 15542: vfs_linux_xfs is incorrectly named.
o Björn Jacke <bj@sernet.de>
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
o Volker Lendecke <vl@samba.org>
* BUG 15505: Following intermediate abolute share-local symlinks is broken.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15544: shadow_copy2 broken when current fileset's directories are
removed.
o Stefan Metzmacher <metze@samba.org>
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
exclusion.
o Andreas Schneider <asn@samba.org>
* BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
domains = no' is set.
* BUG 15525: smbget debug logging doesn't work.
* BUG 15532: smget: username in the smburl and interactive password entry
doesn't work.
* BUG 15538: smbget auth function doesn't set values for password prompt
correctly.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15440: Unable to copy and write files from clients to Ceph cluster via
SMB Linux gateway with Ceph VFS module.
o Jones Syue <jonessyue@qnap.com>
* BUG 15547: Multichannel refresh network information.
-------------------------------------------------------------------
Mon Nov 27 13:37:52 UTC 2023 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.3
November 27, 2023
==============================
This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bugfix CVE-2018-14628:
Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
allow read of object tombstones over LDAP
(Administrator action required!)
https://www.samba.org/samba/security/CVE-2018-14628.html
Description of CVE-2018-14628
-----------------------------
All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.
When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).
This means also non privileged users can use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view,
the names and preserved attributes of deleted objects.
No information that was hidden before the deletion is visible, but in
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.
There is no further vulnerability associated with this error, merely an
information disclosure.
Action required in order to resolve CVE-2018-14628!
---------------------------------------------------
The patched Samba does NOT protect existing domains!
The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:
samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
The above requires manual interaction in order to review the
changes before they are applied. Typicall question look like this:
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
Owner mismatch: SY (in ref) DA(in current)
Group mismatch: SY (in ref) DA(in current)
Part dacl is different between reference and current here is the detail:
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
[y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.
Changes since 4.19.2
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15520: sid_strings test broken by unix epoch > 1700000000.
o Ralph Boehme <slow@samba.org>
* BUG 15487: smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.
* BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor().
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15499: Improve logging for failover scenarios.
o Björn Jacke <bj@sernet.de>
* BUG 15093: Files without "read attributes" NFS4 ACL permission are not
listed in directories.
o Stefan Metzmacher <metze@samba.org>
* BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
AD LDAP to normal users.
* BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
accounts.
o Christof Schmitt <cs@samba.org>
* BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
o Andreas Schneider <asn@samba.org>
* BUG 15513: Samba doesn't build with Python 3.12.
-------------------------------------------------------------------
Mon Oct 16 14:29:13 UTC 2023 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.2
October 16, 2023
==============================
This is the latest stable release of the Samba 4.19 release series.
Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use.
-------------------------------------------------------------------
Tue Oct 10 15:49:11 UTC 2023 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html
Changes since 4.19.0
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15422: CVE-2023-3961.
o Andrew Bartlett <abartlet@samba.org>
* BUG 15424: CVE-2023-4154.
* BUG 15473: CVE-2023-42670.
* BUG 15474: CVE-2023-42669.
o Ralph Boehme <slow@samba.org>
* BUG 15439: CVE-2023-4091.
-------------------------------------------------------------------
Tue Oct 10 15:49:00 UTC 2023 - macke d <mdbuild@use.startmail.com>
==============================
Release Notes for Samba 4.19.0
September 04, 2023
==============================
This is the first stable release of the Samba 4.19 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
Migrated smbget to use common command line parser
-------------------------------------------------
The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command line
parser. This has some advantages as you get all the feature it provides like
Kerberos authentication. The downside is that breaks the options interface.
The support for smbgetrc has been removed. You can use an authentication file
if needed, this is documented in the manpage.
Please check the smbget manpage or --help output.
gpupdate changes
----------------
The libgpo.get_gpo_list function has been deprecated in favor of
an implementation written in python. The new function can be imported via
`import samba.gp`. The python implementation connects to Active Directory
using the SamDB module, instead of ADS (which is what libgpo uses).
Improved winbind logging and a new tool for parsing the winbind logs
--------------------------------------------------------------------
Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the
trace records belonging to the same request. Field 'depth' allows to track the
request nesting level. A new tool samba-log-parser is added for better log
parsing.
AD database prepared to FL 2016 standards for new domains
---------------------------------------------------------
While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision ensure that the blank
database is already prepared for Functional Level 2016, with AD Schema
2019.
This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular. These DB objects must be updated to allow
operation of the new features found in higher functional levels.
Kerberos Claims, Authentication Silos and NTLM authentication policies
----------------------------------------------------------------------
An initial, partial implementation of Active Directory Functional
Level 2012, 2012R2 and 2016 is available in this release.
In particular Samba will issue Active Directory "Claims" in the PAC,
for member servers that support these, and honour in-directory
configuration for Authentication Policies and Authentication Silos.
The primary limitation is that while Samba can read and write claims
in the directory, and populate the PAC, Samba does not yet use them
for access control decisions.
While we continue to develop these features, existing domains can
test the feature by selecting the functional level in provision or
raising the DC functional level by setting
ad dc functional level = 2016
in the smb.conf
The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available. This will also,
at first startup, update the server's own AD entry with the configured
functional level.
For new domains, add these parameters to 'samba-tool provision'
--option="ad dc functional level = 2016" --function-level=2016
The second option, setting the overall domain functional level
indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba run
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
Improved KDC Auditing
---------------------
As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets,
including if they would fail a policy that is not yet enforced.
Additionally most failures are audited, (after the initial
pre-validation of the request).
Kerberos Armoring (FAST) Support for Windows clients
----------------------------------------------------
In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC. This is a significant security
improvement, as weak passwords in an AS-REQ are no longer available
for offline attack.
Claims compression in the AD PAC
--------------------------------
Samba as an AD DC will compress "AD claims" using the same compression
algorithm as Microsoft Windows.
Resource SID compression in the AD PAC
--------------------------------------
Samba as an AD DC will now correctly populate the various PAC group
membership buffers, splitting global and local groups correctly.
Additionally, Samba marshals Resource SIDs, being local groups in the
member server's own domain, to only consume a header and 4 bytes per
group in the PAC, not a full-length SID worth of space each. This is
known as "Resource SID compression".
Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal
-----------------------------------------------------------------------------
Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD
support since Samba 4.17. Samba 4.19 brings this feature to the
default Heimdal KDC.
Samba 4.17 added to samba-tool delegation the 'add-principal' and
'del-principal' subcommands in order to manage RBCD, and the database
changes made by these tools are now honoured by the Heimdal KDC once
Samba is upgraded.
Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the
Asserted Identity [1] SID into the PAC for constrained delegation.
[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
New samba-tool support for silos, claims, sites and subnets.
------------------------------------------------------------
samba-tool can now list, show, add and manipulate Authentication Silos
(silos) and Active Directory Authentication Claims (claims).
samba-tool can now list and show Active Directory sites and subnets.
A new Object Relational Model (ORM) based architecture, similar to
that used with Django, has been built to make adding new samba-tool
subcommands simpler and more consistent, with JSON output available
standard on these new commands.
Updated GnuTLS requirement / in-tree cryptography removal
----------------------------------------------------------
Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
This has allowed Samba to remove all of our in-tree cryptography,
except that found in our Heimdal import. Samba's runtime cryptography
needs are now all provided by GnuTLS.
(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
the Linux getrandom())
We also use Python's cryptography module for our testing.
The use of well known cryptography libraries makes Samba easier for
end-users to validate and deploy, and for distributors to ship. This
is the end of a very long journey for Samba.
Updated Heimdal import
----------------------
Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
this vendored copy, included in our release remains as close as
possible to the current upstream code.
Revocation support in Heimdal KDC for PKINIT certificates
---------------------------------------------------------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
[kdc]
pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKINIT support in the KDC was tested by use of
shell scripts around the client tools of MIT or Heimdal Kerberos.
Samba's independently written python testsuite has been extended to
validate KDC behaviour for PKINIT.
Require encrypted connection to modify unicodePwd on the AD DC
--------------------------------------------------------------
Setting the password on an AD account on should never be attempted
over a plaintext or signed-only LDAP connection. If the unicodePwd
(or userPassword) attribute is modified without encryption (as seen by
Samba), the request will be rejected. This is to encourage the
administrator to use an encrypted connection in the future.
NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
the LDAP request will be regarded as plaintext.
Samba AD TLS Certificates can be reloaded
-----------------------------------------
The TLS certificates used for Samba's AD DC LDAP server were
previously only read on startup, and this meant that when then expired
it was required to restart Samba, disrupting service to other users.
smbcontrol ldap_server reload-certs
This will now allow these certificates to be reloaded 'on the fly'
================
REMOVED FEATURES
================
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
winbind debug traceid Add traceid No
directory name cache size Removed
