File samba.changes of Package samba-4.22-heimdal-dc
-------------------------------------------------------------------
Fri Aug 22 07:09:48 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.4
August 21, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Changes since 4.22.3
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15881: Unresponsive second DC can cause idmapping failure when using
idmap_ad.
o Günther Deschner <gd@samba.org>
* BUG 15840: kinit command is failing with Missing cache Error.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15891: Figuring out the DC name from IP address fails and breaks
fork_domain_child().
o Volker Lendecke <vl@samba.org>
* BUG 15816: vfs_streams_depot fstatat broken.
* BUG 15892: Delayed leader broadcast can block ctdb forever.
o Stefan Metzmacher <metze@samba.org>
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
o Rabinarayan Panigrahi <rapanigr@redhat.com>
* BUG 15663: Apparently there is a conflict between shadow_copy2 module and
virusfilter (action quarantine).
o Aleksandr Sharov <asharov@redhat.com>
* BUG 15877: Fix handling of empty GPO link.
o Srinivas Rao V <Srinivas.Rao.V@ibm.com>
* BUG 15880: SMB ACL inheritance doesn't work for files created.
-------------------------------------------------------------------
Tue Jul 8 07:52:55 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.3
July 07, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Important Change in Upcoming Microsoft Update
---------------------------------------------
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used; see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.
See https://bugzilla.samba.org/show_bug.cgi?id=15876.
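One way to check a member server for the affected configuration described above, as an added example that is not part of the Samba release notes: it lists the domains whose idmap backend in [global] is 'ad'. The sample smb.conf and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf for a domain member (not taken from the release notes).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    Idmap Config SAMDOM:Backend = AD
    idmap config SAMDOM : range = 10000-999999
    idmap config TRUSTED : backend = rid
    # idmap config OLD : backend = ad
[share]
    path = /srv/share
"""

# Parametric option name "idmap config <DOMAIN> : backend"; names are case-insensitive.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*backend$", re.IGNORECASE)

def logical_lines(text):
    """Yield lines with comment lines dropped and trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending

def domains_using_ad_backend(text):
    """Return the sorted domain names whose idmap backend in [global] is 'ad'."""
    section, backends = None, {}
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_RE.match(name)
        if match:
            backends[match.group(1).upper()] = value.lower()  # a later setting overrides
    return sorted(dom for dom, backend in backends.items() if backend == "ad")

if __name__ == "__main__":
    print(domains_using_ad_backend(SAMPLE_SMB_CONF))
```

The code does not follow `include` directives; running it over the output of `testparm -s` is one way to cover them.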
Changes since 4.22.2
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15854: samba-tool cannot add user to group whose name is exactly 16
characters long.
o Günther Deschner <gd@samba.org>
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Stefan Metzmacher <metze@samba.org>
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Andreas Schneider <asn@samba.org>
* BUG 15869: Startup messages of rpc daemons fills /var/log/messages.
-------------------------------------------------------------------
Thu Jun 5 15:57:32 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.2
June 05, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
It contains the security-relevant bugfix CVE-2025-0620:
smbd doesn't pick up group membership changes
when re-authenticating an expired SMB session
https://www.samba.org/samba/security/CVE-2025-0620.html
Description of CVE-2025-0620
-----------------------------
With Kerberos authentication SMB sessions typically have an
associated lifetime, requiring re-authentication by the
client when the session expires. As part of the
re-authentication, Samba receives the current group
membership information and is expected to reflect this
change in further SMB request processing.
For historic reasons, Samba maintains a cache of
associations between a user's impersonation information and
connected shares. A recent change in this cache caused Samba
to not reflect group membership changes from session
re-authentication when processing further SMB requests.
As a result, when an administrator removes a user from a
particular group in Active Directory, this change will not
become effective unless the user disconnects from the server
and establishes a new connection.
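A simplified model of the failure mode described above, added here as an illustration and not Samba's code: a per-(session, share) cache of group membership that is or is not refreshed on re-authentication. The class, field, share and group names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    groups: frozenset  # group membership from the most recent authentication

@dataclass
class ShareServer:
    """Toy file server: access to a share requires membership of one group."""
    required_group: dict       # share name -> group allowed to use it
    refresh_on_reauth: bool    # False models the stale-cache behaviour
    _cache: dict = field(default_factory=dict)  # (session id, share) -> groups

    def _impersonation(self, session, share):
        # Impersonation data is cached the first time a session touches a share.
        key = (id(session), share)
        if key not in self._cache:
            self._cache[key] = session.groups
        return self._cache[key]

    def access(self, session, share):
        return self.required_group[share] in self._impersonation(session, share)

    def reauthenticate(self, session, current_groups):
        # Re-authentication delivers the current group membership.
        session.groups = frozenset(current_groups)
        if self.refresh_on_reauth:
            # Drop this session's cached entries so the next request rebuilds them.
            for key in [k for k in self._cache if k[0] == id(session)]:
                del self._cache[key]

def access_after_group_removal(refresh_on_reauth):
    """Return (access before removal, access after removal and re-authentication)."""
    server = ShareServer({"finance": "finance-staff"}, refresh_on_reauth)
    session = Session("alice", frozenset({"domain users", "finance-staff"}))
    before = server.access(session, "finance")
    # An administrator removes alice from finance-staff; the session then re-authenticates.
    server.reauthenticate(session, {"domain users"})
    after = server.access(session, "finance")
    return before, after

if __name__ == "__main__":
    print("stale cache:    ", access_after_group_removal(False))
    print("refreshed cache:", access_after_group_removal(True))
```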
Changes since 4.22.1
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick up
group membership changes when re-authenticating an expired SMB
session.
* BUG 15861: Profile sync fails due to Directory Leases.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Stefan Metzmacher <metze@samba.org>
* BUG 15851: dcerpcd not able to bind to listening port.
o Anoop C S <anoopcs@samba.org>
* BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15858: CTDB does not put nodes running NFS into grace on graceful
shutdown.
-------------------------------------------------------------------
Thu Apr 17 20:16:37 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.1
April 17, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Changes since 4.22.0
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
* BUG 15829: samba-tool gpo backup creates entity backups it can't read.
* BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's.
o Ralph Boehme <slow@samba.org>
* BUG 15767: Deadlock between two smbd processes.
* BUG 15823: Subnet based interfaces definition not listening on all covered
IP addresses.
* BUG 15836: PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Andreas Hasenack <andreas.hasenack@canonical.com>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
o Xavi Hernandez <xhernandez@redhat.com>
* BUG 15822: Enable support for cephfs case insensitive behavior.
o Volker Lendecke <vl@samba.org>
* BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
* BUG 15841: Wide link issue in samba 4.22.
o Stefan Metzmacher <metze@samba.org>
* BUG 15767: Deadlock between two smbd processes.
* BUG 15845: NT_STATUS_INVALID_PARAMETER: Can't create folders on share of an
exfat file system.
* BUG 15849: Lease code is not endian-safe.
o Anoop C S <anoopcs@samba.org>
* BUG 15818: vfs_ceph_new module does not work with other modules for
snapshot management.
* BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
-------------------------------------------------------------------
Thu Mar 6 15:56:32 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.0
March 06, 2025
==============================
This is the first stable release of the Samba 4.22 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
SMB3 Directory Leases
---------------------
Starting with Samba 4.22 SMB3 Directory Leases are supported. The new global
option "smb3 directory leases" controls whether the feature is enabled or
not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and
disabled on clustered Samba, based on the "clustering" option. See man smb.conf
for more details.
SMB3 Directory Leases allow clients to cache directory listings and, depending
on the workload, result in a decent reduction in SMB requests from clients.
Netlogon Ping over LDAP and LDAPS
---------------------------------
Samba must query domain controller information via simple queries on
the AD rootdse's netlogon attribute. Typically this is done via
connectionless LDAP, using UDP on port 389. The same information is
also available via classic LDAP rootdse queries over TCP. Samba can
now be configured to use TCP via the new "client netlogon ping
protocol" parameter to enable running in environments where firewalls
completely block port 389 or UDP traffic to domain controllers.
Experimental Himmelblaud Authentication in Samba
------------------------------------------------
Samba now includes experimental support for Azure Entra ID authentication via
`himmelblaud`, located in the `rust/` directory. This implementation provides
basic authentication and is configured through `smb.conf`, utilizing options
such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global
parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and
`himmelblaud_hsm_pin_path`.
To enable, configure Samba with `--enable-rust --with-himmelblau`.
AD DC schema upgrade and provision performance improvements
-----------------------------------------------------------
By increasing the LDB index cache size for certain offline operations
that are likely to require large transactions, these are now several
times faster.
REMOVED FEATURES
================
The "nmbd proxy logon" feature was removed. This was used before
Samba4 acquired a NBT server.
The parameter "cldap port" has been removed. CLDAP runs over UDP port
389, and we don't see a reason why this should ever be changed to a
different port. Moreover, we had several places in the code where
Samba did not respect this parameter, so the behaviour was at least
inconsistent.
fruit:posix_rename
------------------
This option of the vfs_fruit VFS module that could be used to enable POSIX
directory rename behaviour for OS X clients has been removed as it could result
in severe problems for Windows clients.
As a workaround, creation of .DS_Store files (a Finder thingy to store
directory view settings) on network mounts can be prevented by running
  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
on the Mac.
smb.conf changes
================
Parameter Name                   Description     Default
--------------                   -----------     -------
smb3 directory leases            New             Auto
vfs mkdir use tmp name           New             Auto
client netlogon ping protocol    New             cldap
himmelblaud hello enabled        New             no
himmelblaud hsm pin path         New             default hsm pin path
himmelblaud sfa fallback         New             no
client use krb5 netlogon         Experimental    no
reject aes netlogon servers      Experimental    no
server reject aes schannel       Experimental    no
server support krb5 netlogon     Experimental    no
fruit:posix_rename               Removed
cldap port                       Removed
CHANGES SINCE 4.22.0rc4
=======================
o Ralph Boehme <slow@samba.org>
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
o Anoop C S <anoopcs@samba.org>
* BUG 15797: Unable to connect to CephFS subvolume shares with
vfs_shadow_copy2.
o Stefan Metzmacher <metze@samba.org>
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15820: Incorrect FSF address in ctdb pcp scripts.
o Andrea Venturoli <ml@netfence.it>
* BUG 15804: "samba-tool domain backup offline" hangs.
CHANGES SINCE 4.22.0rc3
=======================
o Stefan Metzmacher <metze@samba.org>
* BUG 15815: client use krb5 netlogon is experimental and should not be used
in production.
CHANGES SINCE 4.22.0rc2
=======================
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15738: Creation of GPOs applicable to more than one group is impossible
with Samba 4.20.0 and later.
o Björn Baumbach <bb@sernet.de>
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
o Ralph Boehme <slow@samba.org>
* BUG 15796: Spotlight search results don't show file size and creation date.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15759: net ads create/join/winbind producing unix dysfunctional
keytabs.
o Volker Lendecke <vl@samba.org>
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
o Stefan Metzmacher <metze@samba.org>
* BUG 15680: Trust domains are not created.
o Andreas Schneider <asn@samba.org>
* BUG 15680: Trust domains are not created.
o Shweta Sodani <ssodani@redhat.com>
* BUG 15703: General improvements for vfs_ceph_new module.
CHANGES SINCE 4.22.0rc1
=======================
o Björn Baumbach <bb@sernet.de>
* BUG 15798: libnet4: seg fault after dc lookup failure.
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.22#Release_blocking_bugs