File samba.changes of Package samba-4.23-mit-fs
-------------------------------------------------------------------
Fri Nov 7 14:56:20 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.23.3
November 07, 2025
==============================
This is the latest stable release of the Samba 4.23 release series.
Changes since 4.23.2
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15926: Samba 4.22 breaks Time Machine.
* BUG 15927: Spotlight search restriction for shares incomplete and default
search searches in too many attributes.
* BUG 15930: Searching for numbers doesn't work with Spotlight.
* BUG 15931: rpcd_mdssvc may crash because name mangling is not initialized.
* BUG 15933: Only increment lease epoch if a lease was granted.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15940: vfs_recycle does not update mtime.
* BUG 15943: samba-log-parser fails with UnicodeDecodeError: 'utf-8' codec
can't decode byte.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15935: Crash in ctdbd on failed updateip.
-------------------------------------------------------------------
Mon Oct 20 09:02:13 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.23.2
October 15, 2025
==============================
This is a security release in order to address the following defects:
o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
https://www.samba.org/samba/security/CVE-2025-9640.html
o CVE-2025-10230: Command injection via WINS server hook script.
https://www.samba.org/samba/security/CVE-2025-10230.html
Changes since 4.23.1
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15903: CVE-2025-10230.
o Andrew Walker <andrew.walker@truenas.com>
* BUG 15885: CVE-2025-9640.
-------------------------------------------------------------------
Mon Sep 29 07:33:11 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.23.1
September 26, 2025
==============================
This is the latest stable release of the Samba 4.23 release series.
Changes since 4.23.0
--------------------
o Alexander Bokovoy <ab@samba.org>
* BUG 15920: Incomplete bind configuration causes DLZ plugin to crash.
o Volker Lendecke <vl@samba.org>
* BUG 15914: winbind can crash at startup.
o Anoop C S <anoopcs@samba.org>
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
o Andreas Schneider <asn@samba.org>
* BUG 15904: CTDB does not support PCP 7.0.0.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15921: CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
-------------------------------------------------------------------
Wed Sep 24 15:53:11 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.23.0
September 12, 2025
==============================
This is the first stable release of the Samba 4.23 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
Enable SMB3 Unix Extensions by default
--------------------------------------
Starting with Samba 4.23, the SMB3 UNIX Extensions are enabled by
default. These extensions provide first-class support for POSIX semantics
over SMB3, allowing UNIX and Linux clients to access file services with
features such as proper POSIX permissions, symlink handling, hardlinks,
and special file types.
Enabling this feature by default improves interoperability for UNIX/Linux
clients without requiring additional configuration. Windows clients that
do not support the extensions will continue to function normally, by
using standard SMB3 behavior.
Add support for SMB3 over QUIC
------------------------------
The new "client smb transports" and "server smb transports" options
allow a more flexible configuration of the TCP sockets that are used.
They also make it possible to specify "quic" as a transport.
If QUIC should be used in addition to the defaults, something
like "server smb transports = +quic" can be used.
On the client, QUIC only works with name-based UNCs;
IP-address-based UNCs are not supported.
Note that on the server, 'quic' requires the quic.ko kernel module
for Linux from https://github.com/lxin/quic (tested with Linux 6.14).
Future Linux versions may support it natively; here is the
branch that will hopefully be accepted upstream soon:
https://github.com/lxin/net-next/commits/quic/
On the client side there is a fallback to the userspace ngtcp2
library if the quic kernel module is not available.
Check the smb.conf manpage for additional hints
about the "client smb transports" and "server smb transports"
options and their interactions with TLS-related options.
Modern write time update logic
------------------------------
Samba 4.23 changes file timestamp handling to match modern Windows servers.
Earlier releases used delayed write time updates, where last_write_time was
only refreshed after a short idle period. Now Samba applies immediate
timestamp updates consistent with modern Windows 10/Server 2016 or newer.
Initial version of smb_prometheus_endpoint
------------------------------------------
Samba 4.23 introduces the smb_prometheus_endpoint utility, which exports
Samba server metrics in Prometheus-compatible format. This enables seamless
integration of Samba performance and status monitoring into existing
Prometheus and Grafana environments. For usage and configuration details,
refer to the new smb_prometheus_endpoint man page.
samba-tool domain backup --no-secrets avoids confidential attributes
--------------------------------------------------------------------
The --no-secrets option creates a backup without secret attributes
(e.g. passwords), suitable for use in a lab domain. Until now it could
still contain confidential attributes, including BitLocker recovery
data and KDS root keys. Objects in the classes msKds-ProvRootKey,
msFVE-RecoveryInformation, and msTPM-InformationObject will now be
entirely removed from the backup, as these objects are required by
schema to have confidential attributes and are of no use without them.
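One way to check a lab copy for leftovers of these three object classes, as an added example that is not part of the Samba release notes or the Samba code base. It assumes the restored lab domain has been exported to LDIF text; the function names and the sample entries are constructed for illustration.

```python
import base64

# Object classes the release note says --no-secrets now removes entirely.
CONFIDENTIAL = {c.lower(): c for c in (
    "msKds-ProvRootKey", "msFVE-RecoveryInformation", "msTPM-InformationObject")}

def _unfold(text):
    """Join LDIF continuation lines (a line starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _attr_value(line):
    """Split 'attr: value' or base64-encoded 'attr:: value' into (attr, text)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return attr.strip().lower(), value

def find_confidential_objects(ldif_text):
    """Return [(dn, [matching object classes])] for entries that should be gone."""
    hits, dn, classes = [], None, set()
    for line in _unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():  # a blank line ends the current entry
            matched = sorted(CONFIDENTIAL[c] for c in classes if c in CONFIDENTIAL)
            if dn and matched:
                hits.append((dn, matched))
            dn, classes = None, set()
        elif ":" in line:
            attr, value = _attr_value(line)
            if attr == "dn":
                dn = value
            elif attr == "objectclass":  # names compare case-insensitively
                classes.add(value.lower())
    return hits

# Constructed sample: one harmless entry, one with a folded DN, one with a
# base64-encoded objectClass value. None of this is real directory data.
_B64 = base64.b64encode(b"msKds-ProvRootKey").decode()
SAMPLE_LDIF = f"""\
# constructed sample
dn: CN=alice,CN=Users,DC=lab,DC=example
objectClass: top
objectClass: user

dn: CN=recovery-1,CN=PC1,
 CN=Computers,DC=lab,DC=example
objectClass: top
objectClass: msfve-recoveryinformation

dn: CN=rootkey,CN=Master Root Keys,DC=lab,DC=example
objectClass:: {_B64}
"""

if __name__ == "__main__":
    for dn, found in find_confidential_objects(SAMPLE_LDIF):
        print(f"{dn}: {', '.join(found)}")
```

An empty result on an export of a --no-secrets restore is the expected outcome; any hit means the copy still carries objects of a class that only exists to hold confidential attributes.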
CTDB changes
------------
CTDB now supports loading tunables from
/etc/ctdb/tunables.d/*.tunables, in addition to the standard
/etc/ctdb/tunables.conf. See the ctdb-tunables(7) manual page for
more details. Note that the above locations are examples - the
actual location of these files will depend on compile time
configuration.
It isn't expected that many users will require a directory of tunables
files, since most users do not need to change tunables from their
default values. However, this allows vendors to ship their required
tunables settings (for example, in one or more files marked "do not
edit") while still allowing local administrators to add their own
tunables settings (in one or more separate files).
Per-share profiling stats
-------------------------
Starting with Samba 4.23, users can collect profile counters at a
per-share level. This feature requires building Samba with profiling
data enabled and adding an appropriate `smb.conf` parameter for
specific shares. It's particularly useful for deployments with a large
number of active shares, allowing administrators to monitor individual
share activity and identify potential bottlenecks or hot-spots. When
enabled, users can inspect current per-share profile information
("Extended Profile") using the standard `smbstatus` utility.
Currently, this functionality is supported only by the default and
`ceph_new` VFS modules.
REMOVED FEATURES
================
smb.conf changes
================
  Parameter Name                          Description     Default
  --------------                          -----------     -------
  smbd profiling share                    New             no
  client smb transports                   New             tcp, nbt
  server smb transports                   New             tcp, nbt
  winbind varlink service                 New             no
CHANGES SINCE 4.23.0rc4
=======================
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15911: samba.tests.safe_tarfile fails on Python 3.13 with additional
security fixes for tarfile support.
o Alexander Bokovoy <ab@samba.org>
* BUG 15904: CTDB does not support PCP 7.0.0.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
o Volker Lendecke <vl@samba.org>
* BUG 15908: Uninitialized read leads to hanging rpcd_spoolss.
o Andreas Schneider <asn@samba.org>
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15907: Stack buffer overflow in samba3.smb2.dirlease.fileserver.
CHANGES SINCE 4.23.0rc3
=======================
o Alexander Bokovoy <ab@samba.org>
* BUG 15902: Regression in gssproxy support in 4.23.rc1+.
o MikeLiu <mikeliu@qnap.com>
* BUG 15900: 'net ads group' failed to list domain groups.
CHANGES SINCE 4.23.0rc2
=======================
o Ralph Boehme <slow@samba.org>
* BUG 15843: macOS Finder client DFS broken on 4.22.0.
o Stefan Metzmacher <metze@samba.org>
* BUG 15899: Self-signed certificates don't have X509v3 Subject Alternative
Name for DNS.
o Andreas Schneider <asn@samba.org>
* BUG 15893: Improve handling of principals and realms in client tools.
CHANGES SINCE 4.23.0rc1
=======================
o Björn Baumbach <bb@sernet.de>
* BUG 15896: libquic build fixes.
o Ralph Boehme <slow@samba.org>
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 15896: libquic build fixes.
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.23#Release_blocking_bugs
-------------------------------------------------------------------
Fri Aug 22 07:10:32 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.4
August 21, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Changes since 4.22.3
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15881: Unresponsive second DC can cause idmapping failure when using
idmap_ad.
o Günther Deschner <gd@samba.org>
* BUG 15840: kinit command is failing with Missing cache Error.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15891: Figuring out the DC name from IP address fails and breaks
fork_domain_child().
o Volker Lendecke <vl@samba.org>
* BUG 15816: vfs_streams_depot fstatat broken.
* BUG 15892: Delayed leader broadcast can block ctdb forever.
o Stefan Metzmacher <metze@samba.org>
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
o Rabinarayan Panigrahi <rapanigr@redhat.com>
* BUG 15663: Apparently there is a conflict between shadow_copy2 module and
virusfilter (action quarantine).
o Aleksandr Sharov <asharov@redhat.com>
* BUG 15877: Fix handling of empty GPO link.
o Srinivas Rao V <Srinivas.Rao.V@ibm.com>
* BUG 15880: SMB ACL inheritance doesn't work for files created.
-------------------------------------------------------------------
Tue Jul 8 07:54:08 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.3
July 07, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Important Change in Upcoming Microsoft Update
---------------------------------------------
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used; see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.
See https://bugzilla.samba.org/show_bug.cgi?id=15876.
Changes since 4.22.2
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15854: samba-tool cannot add user to group whose name is exactly 16
characters long.
o Günther Deschner <gd@samba.org>
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Stefan Metzmacher <metze@samba.org>
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
o Andreas Schneider <asn@samba.org>
* BUG 15869: Startup messages of rpc daemons fills /var/log/messages.
-------------------------------------------------------------------
Thu Jun 5 15:56:13 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.2
June 05, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
It contains the security-relevant bugfix CVE-2025-0620:
smbd doesn't pick up group membership changes
when re-authenticating an expired SMB session
https://www.samba.org/samba/security/CVE-2025-0620.html
Description of CVE-2025-0620
-----------------------------
With Kerberos authentication SMB sessions typically have an
associated lifetime, requiring re-authentication by the
client when the session expires. As part of the
re-authentication, Samba receives the current group
membership information and is expected to reflect this
change in further SMB request processing.
For historic reasons, Samba maintains a cache of
associations between a user's impersonation information and
connected shares. A recent change in this cache caused Samba
to not reflect group membership changes from session
re-authentication when processing further SMB requests.
As a result, when an administrator removes a user from a
particular group in Active Directory, this change will not
become effective unless the user disconnects from the server
and establishes a new connection.
Changes since 4.22.1
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick up
group membership changes when re-authenticating an expired SMB
session.
* BUG 15861: Profile sync fails due to Directory Leases.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Stefan Metzmacher <metze@samba.org>
* BUG 15851: dcerpcd not able to bind to listening port.
o Anoop C S <anoopcs@samba.org>
* BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15858: CTDB does not put nodes running NFS into grace on graceful
shutdown.
-------------------------------------------------------------------
Thu Apr 17 20:15:38 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.1
April 17, 2025
==============================
This is the latest stable release of the Samba 4.22 release series.
Changes since 4.22.0
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
* BUG 15829: samba-tool gpo backup creates entity backups it can't read.
* BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's.
o Ralph Boehme <slow@samba.org>
* BUG 15767: Deadlock between two smbd processes.
* BUG 15823: Subnet based interfaces definition not listening on all covered
IP addresses.
* BUG 15836: PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
o Andreas Hasenack <andreas.hasenack@canonical.com>
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
o Xavi Hernandez <xhernandez@redhat.com>
* BUG 15822: Enable support for cephfs case insensitive behavior.
o Volker Lendecke <vl@samba.org>
* BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
* BUG 15841: Wide link issue in samba 4.22.
o Stefan Metzmacher <metze@samba.org>
* BUG 15767: Deadlock between two smbd processes.
* BUG 15845: NT_STATUS_INVALID_PARAMETER: Can't create folders on share of an
exfat file system.
* BUG 15849: Lease code is not endian-safe.
o Anoop C S <anoopcs@samba.org>
* BUG 15818: vfs_ceph_new module does not work with other modules for
snapshot management.
* BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.
o Shachar Sharon <ssharon@redhat.com>
* BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
-------------------------------------------------------------------
Thu Mar 6 15:54:23 UTC 2025 - macke d <mdbuild@use.startmail.com>
- ==============================
Release Notes for Samba 4.22.0
March 06, 2025
==============================
This is the first stable release of the Samba 4.22 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
SMB3 Directory Leases
---------------------
Starting with Samba 4.22, SMB3 Directory Leases are supported. The new global
option "smb3 directory leases" controls whether the feature is enabled or
not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and
disabled on clustered Samba, based on the "clustering" option. See man smb.conf
for more details.
SMB3 Directory Leases allow clients to cache directory listings and, depending
on the workload, result in a decent reduction in SMB requests from clients.
Netlogon Ping over LDAP and LDAPS
---------------------------------
Samba must query domain controller information via simple queries on
the AD rootdse's netlogon attribute. Typically this is done via
connectionless LDAP, using UDP on port 389. The same information is
also available via classic LDAP rootdse queries over TCP. Samba can
now be configured to use TCP via the new "client netlogon ping
protocol" parameter to enable running in environments where firewalls
completely block port 389 or UDP traffic to domain controllers.
Experimental Himmelblaud Authentication in Samba
------------------------------------------------
Samba now includes experimental support for Azure Entra ID authentication via
`himmelblaud`, located in the `rust/` directory. This implementation provides
basic authentication and is configured through `smb.conf`, utilizing options
such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global
parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and
`himmelblaud_hsm_pin_path`.
To enable, configure Samba with `--enable-rust --with-himmelblau`.
AD DC schema upgrade and provision performance improvements
-----------------------------------------------------------
By increasing the LDB index cache size for certain offline operations
that are likely to require large transactions, these are now several
times faster.
REMOVED FEATURES
================
The "nmbd proxy logon" feature was removed. This was used before
Samba4 acquired an NBT server.
The parameter "cldap port" has been removed. CLDAP runs over UDP port
389, and we don't see a reason why this should ever be changed to a
different port. Moreover, we had several places in the code where
Samba did not respect this parameter, so the behaviour was at least
inconsistent.
fruit:posix_rename
------------------
This option of the vfs_fruit VFS module that could be used to enable POSIX
directory rename behaviour for OS X clients has been removed as it could result
in severe problems for Windows clients.
As a possible workaround, creation of .DS_Store files (a Finder thingy to
store directory view settings) on network mounts can be prevented by running
  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
on the Mac.
smb.conf changes
================
  Parameter Name                          Description     Default
  --------------                          -----------     -------
  smb3 directory leases                   New             Auto
  vfs mkdir use tmp name                  New             Auto
  client netlogon ping protocol           New             cldap
  himmelblaud hello enabled               New             no
  himmelblaud hsm pin path                New             default hsm pin path
  himmelblaud sfa fallback                New             no
  client use krb5 netlogon                Experimental    no
  reject aes netlogon servers             Experimental    no
  server reject aes schannel              Experimental    no
  server support krb5 netlogon            Experimental    no
  fruit:posix_rename                      Removed
  cldap port                              Removed
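A pre-upgrade check built from the table above, as an added example that is not part of the Samba release notes or of Samba itself: it flags smb.conf lines that still set a parameter marked Removed, or that switch on one marked Experimental. The function name and the sample configuration are constructed for illustration.

```python
import re

def _norm(name):
    # smb.conf parameter names are matched ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

# Taken from the "smb.conf changes" table for Samba 4.22.
REMOVED = {_norm(n): n for n in ("fruit:posix_rename", "cldap port")}
EXPERIMENTAL = {_norm(n): n for n in (
    "client use krb5 netlogon", "reject aes netlogon servers",
    "server reject aes schannel", "server support krb5 netlogon")}
BOOL_OFF = {"no", "false", "0", "off"}  # spellings of the default "no"

def audit_smb_conf(text):
    """Return [(line number, section, parameter, 'removed' | 'experimental')]."""
    findings, section, pending = [], None, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # backslash continues onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        key = _norm(name)
        if key in REMOVED:
            findings.append((lineno, section, REMOVED[key], "removed"))
        elif key in EXPERIMENTAL and value.strip().lower() not in BOOL_OFF:
            findings.append((lineno, section, EXPERIMENTAL[key], "experimental"))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
# constructed sample
[global]
    workgroup = LAB
    CLDAP Port = 3389
    client use krb5 netlogon = yes
    server support krb5 netlogon = no
    ; cldap port = 389
[mac]
    vfs objects = fruit
    fruit:posix_rename = yes
"""

if __name__ == "__main__":
    for lineno, section, param, kind in audit_smb_conf(SAMPLE_CONF):
        print(f"line {lineno} [{section}]: '{param}' is {kind}")
```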
CHANGES SINCE 4.22.0rc4
=======================
o Ralph Boehme <slow@samba.org>
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
o Anoop C S <anoopcs@samba.org>
* BUG 15797: Unable to connect to CephFS subvolume shares with
vfs_shadow_copy2.
o Stefan Metzmacher <metze@samba.org>
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15820: Incorrect FSF address in ctdb pcp scripts.
o Andrea Venturoli <ml@netfence.it>
* BUG 15804: "samba-tool domain backup offline" hangs.
CHANGES SINCE 4.22.0rc3
=======================
o Stefan Metzmacher <metze@samba.org>
* BUG 15815: client use krb5 netlogon is experimental and should not be used
in production.
CHANGES SINCE 4.22.0rc2
=======================
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15738: Creation of GPOs applicable to more than one group is impossible
with Samba 4.20.0 and later.
o Björn Baumbach <bb@sernet.de>
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
o Ralph Boehme <slow@samba.org>
* BUG 15796: Spotlight search results don't show file size and creation date.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15759: net ads create/join/winbind producing unix dysfunctional
keytabs.
o Volker Lendecke <vl@samba.org>
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
o Stefan Metzmacher <metze@samba.org>
* BUG 15680: Trust domains are not created.
o Andreas Schneider <asn@samba.org>
* BUG 15680: Trust domains are not created.
o Shweta Sodani <ssodani@redhat.com>
* BUG 15703: General improvements for vfs_ceph_new module.
CHANGES SINCE 4.22.0rc1
=======================
o Björn Baumbach <bb@sernet.de>
* BUG 15798: libnet4: seg fault after dc lookup failure.
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.22#Release_blocking_bugs