1 ==============================
2 Release Notes for Samba 4.18.7
4 ==============================
7 This is the latest stable release of the Samba 4.18 release series.
13 o Jeremy Allison <jra@samba.org>
14 * BUG 15419: Weird filename can cause assert to fail in
15 openat_pathref_fsp_nosymlink().
16 * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown
17 after failed IPC FSCTL_PIPE_TRANSCEIVE.
18 * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
21 o Andrew Bartlett <abartlet@samba.org>
22 * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect.
23 * BUG 15407: Samba replication logs show (null) DN.
25 o Ralph Boehme <slow@samba.org>
26 * BUG 15463: macOS mdfind returns only 50 results.
28 o Remi Collet <rcollet@redhat.com>
29 * BUG 14808: smbc_getxattr() return value is incorrect.
31 o Volker Lendecke <vl@samba.org>
32 * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
33 previous cache entry value.
35 o Stefan Metzmacher <metze@samba.org>
36 * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
37 impacts sendmail, zabbix, potentially more.
39 o MikeLiu <mikeliu@qnap.com>
40 * BUG 15453: File doesn't show when user doesn't have permission if
41 aio_pthread is loaded.
43 o Martin Schwenke <mschwenke@ddn.com>
44 * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
47 o Joseph Sutton <josephsutton@catalyst.net.nz>
48 * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with
49 empty claims pac blobs (from Samba 4.19 or Windows).
50 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
54 #######################################
55 Reporting bugs & Development Discussion
56 #######################################
58 Please discuss this release on the samba-technical mailing list or by
59 joining the #samba-technical:matrix.org matrix room, or
60 #samba-technical IRC channel on irc.libera.chat.
62 If you do report problems then please try to send high quality
63 feedback. If you don't provide vital information to help us track down
64 the problem then you will probably be ignored. All bug reports should
65 be filed under the Samba 4.1 and newer product in the project's Bugzilla
66 database (https://bugzilla.samba.org/).
69 ======================================================================
70 == Our Code, Our Bugs, Our Responsibility.
72 ======================================================================
75 Release notes for older releases follow:
76 ----------------------------------------
77 ==============================
78 Release Notes for Samba 4.18.6
80 ==============================
83 This is the latest stable release of the Samba 4.18 release series.
89 o Jeremy Allison <jra@samba.org>
90 * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
92 * BUG 15430: Missing return in reply_exit_done().
94 o Andrew Bartlett <abartlet@samba.org>
95 * BUG 15289: post-exec password redaction for samba-tool is more reliable for
96 fully random passwords as it no longer uses regular expressions
97 containing the password value itself.
98 * BUG 9959: Windows client join fails if a second container CN=System exists
101 o Ralph Boehme <slow@samba.org>
102 * BUG 15342: Spotlight sometimes returns no results on latest macOS.
103 * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
104 attempted to remove the destination.
105 * BUG 15427: Spotlight results return wrong date in result list.
107 o Günther Deschner <gd@samba.org>
108 * BUG 15414: "net offlinejoin provision" does not work as non-root user.
110 o Pavel Filipenský <pfilipensky@samba.org>
111 * BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
112 * BUG 15433: cm_prepare_connection() calls close(fd) for the second time.
114 o Stefan Metzmacher <metze@samba.org>
115 * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
117 * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
118 * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
120 o Noel Power <noel.power@suse.com>
121 * BUG 15390: Python tarfile extraction needs change to avoid a warning
122 (CVE-2007-4559 mitigation).
123 * BUG 15435: Regression DFS not working with widelinks = true.
125 o Arvid Requate <requate@univention.de>
126 * BUG 9959: Windows client join fails if a second container CN=System exists
129 o Jones Syue <jonessyue@qnap.com>
130 * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
131 * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
134 #######################################
135 Reporting bugs & Development Discussion
136 #######################################
138 Please discuss this release on the samba-technical mailing list or by
139 joining the #samba-technical:matrix.org matrix room, or
140 #samba-technical IRC channel on irc.libera.chat.
142 If you do report problems then please try to send high quality
143 feedback. If you don't provide vital information to help us track down
144 the problem then you will probably be ignored. All bug reports should
145 be filed under the Samba 4.1 and newer product in the project's Bugzilla
146 database (https://bugzilla.samba.org/).
149 ======================================================================
150 == Our Code, Our Bugs, Our Responsibility.
152 ======================================================================
155 ----------------------------------------------------------------------
156 ==============================
157 Release Notes for Samba 4.18.5
159 ==============================
162 This is a security release in order to address the following defects:
164 o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
165 crafted request can trigger an out-of-bounds read in winbind
166 and possibly crash it.
167 https://www.samba.org/samba/security/CVE-2022-2127.html
169 o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
170 "server signing = required" or for SMB2 connections to Domain
171 Controllers where SMB2 packet signing is mandatory.
172 https://www.samba.org/samba/security/CVE-2023-3347.html
174 o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
175 Spotlight can be triggered by an unauthenticated attacker by
176 issuing a malformed RPC request.
177 https://www.samba.org/samba/security/CVE-2023-34966.html
179 o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
180 Spotlight can be used by an unauthenticated attacker to
181 trigger a process crash in a shared RPC mdssvc worker process.
182 https://www.samba.org/samba/security/CVE-2023-34967.html
184 o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
185 side absolute path of shares and files and directories in
187 https://www.samba.org/samba/security/CVE-2023-34968.html
193 o Ralph Boehme <slow@samba.org>
194 * BUG 15072: CVE-2022-2127.
195 * BUG 15340: CVE-2023-34966.
196 * BUG 15341: CVE-2023-34967.
197 * BUG 15388: CVE-2023-34968.
198 * BUG 15397: CVE-2023-3347.
200 o Volker Lendecke <vl@samba.org>
201 * BUG 15072: CVE-2022-2127.
203 o Stefan Metzmacher <metze@samba.org>
204 * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
207 #######################################
208 Reporting bugs & Development Discussion
209 #######################################
211 Please discuss this release on the samba-technical mailing list or by
212 joining the #samba-technical:matrix.org matrix room, or
213 #samba-technical IRC channel on irc.libera.chat.
215 If you do report problems then please try to send high quality
216 feedback. If you don't provide vital information to help us track down
217 the problem then you will probably be ignored. All bug reports should
218 be filed under the Samba 4.1 and newer product in the project's Bugzilla
219 database (https://bugzilla.samba.org/).
222 ======================================================================
223 == Our Code, Our Bugs, Our Responsibility.
225 ======================================================================
228 ----------------------------------------------------------------------
229 ==============================
230 Release Notes for Samba 4.18.4
232 ==============================
235 This is the latest stable release of the Samba 4.18 release series.
241 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
242 * BUG 15404: Backport --pidl-developer fixes.
244 o Samuel Cabrero <scabrero@samba.org>
245 * BUG 14030: Named crashes on DLZ zone update.
247 o Björn Jacke <bj@sernet.de>
248 * BUG 2312: smbcacls and smbcquotas do not check // before the server.
250 o Volker Lendecke <vl@samba.org>
251 * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
252 * BUG 15391: smbclient leaks fds with showacls.
253 * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem.
255 o Stefan Metzmacher <metze@samba.org>
256 * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
257 causes test timeouts.
259 o Noel Power <noel.power@suse.com>
260 * BUG 15384: net ads lookup (with unspecified realm) fails.
262 o Christof Schmitt <cs@samba.org>
263 * BUG 15381: Register Samba processes with GPFS.
265 o Andreas Schneider <asn@samba.org>
266 * BUG 15390: Python tarfile extraction needs change to avoid a warning
267 (CVE-2007-4559 mitigation).
268 * BUG 15398: The winbind child segfaults when listing users with `winbind
269 scan trusted domains = yes`.
271 o Jones Syue <jonessyue@qnap.com>
272 * BUG 15383: Remove comments about deprecated 'write cache size'.
273 * BUG 15403: smbget memory leak if failed to download files recursively.
276 #######################################
277 Reporting bugs & Development Discussion
278 #######################################
280 Please discuss this release on the samba-technical mailing list or by
281 joining the #samba-technical:matrix.org matrix room, or
282 #samba-technical IRC channel on irc.libera.chat.
284 If you do report problems then please try to send high quality
285 feedback. If you don't provide vital information to help us track down
286 the problem then you will probably be ignored. All bug reports should
287 be filed under the Samba 4.1 and newer product in the project's Bugzilla
288 database (https://bugzilla.samba.org/).
291 ======================================================================
292 == Our Code, Our Bugs, Our Responsibility.
294 ======================================================================
297 ----------------------------------------------------------------------
298 ==============================
299 Release Notes for Samba 4.18.3
301 ==============================
304 This is the latest stable release of the Samba 4.18 release series.
310 o Ralph Boehme <slow@samba.org>
311 * BUG 15375: Symlinks to files can have random DOS mode information in a
313 * BUG 15378: vfs_fruit might cause a failing open for delete.
315 o Volker Lendecke <vl@samba.org>
316 * BUG 15361: winbind recurses into itself via rpcd_lsad.
317 * BUG 15366: wbinfo -u fails on ad dc with >1000 users.
319 o Stefan Metzmacher <metze@samba.org>
320 * BUG 15338: DS ACEs might be inherited to unrelated object classes.
321 * BUG 15362: a lot of messages: get_static_share_mode_data:
322 get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND.
323 * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
326 o Andreas Schneider <asn@samba.org>
327 * BUG 15360: Setting veto files = /.*/ break listing directories.
329 o Joseph Sutton <josephsutton@catalyst.net.nz>
330 * BUG 15363: "samba-tool domain provision" does not run interactive mode if
331 no arguments are given.
333 o Nathaniel W. Turner <nturner@exagrid.com>
334 * BUG 15325: dsgetdcname: assumes local system uses IPv4.
337 #######################################
338 Reporting bugs & Development Discussion
339 #######################################
341 Please discuss this release on the samba-technical mailing list or by
342 joining the #samba-technical:matrix.org matrix room, or
343 #samba-technical IRC channel on irc.libera.chat.
345 If you do report problems then please try to send high quality
346 feedback. If you don't provide vital information to help us track down
347 the problem then you will probably be ignored. All bug reports should
348 be filed under the Samba 4.1 and newer product in the project's Bugzilla
349 database (https://bugzilla.samba.org/).
352 ======================================================================
353 == Our Code, Our Bugs, Our Responsibility.
355 ======================================================================
358 ----------------------------------------------------------------------
359 ==============================
360 Release Notes for Samba 4.18.2
362 ==============================
365 This is the latest stable release of the Samba 4.18 release series.
371 o Jeremy Allison <jra@samba.org>
372 * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied:
373 message level should be lower.
374 * BUG 15306: Floating point exception (FPE) via cli_pull_send at
375 source3/libsmb/clireadwrite.c.
377 o Andrew Bartlett <abartlet@samba.org>
378 * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
379 Rackspace GitLab runners.
380 * BUG 15329: Reduce flapping of ridalloc test.
381 * BUG 15351: large_ldap test is unreliable.
383 o Ralph Boehme <slow@samba.org>
384 * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
385 * BUG 15354: mdssvc may crash when initializing.
387 o Volker Lendecke <vl@samba.org>
388 * BUG 15313: large directory optimization broken for non-lcomp path elements.
389 * BUG 15357: streams_depot fails to create streams.
390 * BUG 15358: shadow_copy2 and streams_depot don't play well together.
392 o Rob van der Linde <rob@catalyst.net.nz>
393 * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
395 o Stefan Metzmacher <metze@samba.org>
396 * BUG 15317: winbindd idmap child contacts the domain controller without a
398 * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
400 * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
401 * BUG 15323: net ads search -P doesn't work against servers in other domains.
402 * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
404 o Joseph Sutton <josephsutton@catalyst.net.nz>
405 * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
406 * BUG 15343: Tests use depricated and removed methods like
410 #######################################
411 Reporting bugs & Development Discussion
412 #######################################
414 Please discuss this release on the samba-technical mailing list or by
415 joining the #samba-technical:matrix.org matrix room, or
416 #samba-technical IRC channel on irc.libera.chat.
418 If you do report problems then please try to send high quality
419 feedback. If you don't provide vital information to help us track down
420 the problem then you will probably be ignored. All bug reports should
421 be filed under the Samba 4.1 and newer product in the project's Bugzilla
422 database (https://bugzilla.samba.org/).
425 ======================================================================
426 == Our Code, Our Bugs, Our Responsibility.
428 ======================================================================
431 ----------------------------------------------------------------------
432 ==============================
433 Release Notes for Samba 4.18.1
435 ==============================
438 This is a security release in order to address the following defects:
440 o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
441 but otherwise unprivileged users to delete this attribute from
442 any object in the directory.
443 https://www.samba.org/samba/security/CVE-2023-0225.html
445 o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
446 remote LDAP server, will by default send new or reset
447 passwords over a signed-only connection.
448 https://www.samba.org/samba/security/CVE-2023-0922.html
450 o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
451 Confidential attribute disclosure via LDAP filters was
452 insufficient and an attacker may be able to obtain
453 confidential BitLocker recovery keys from a Samba AD DC.
454 Installations with such secrets in their Samba AD should
455 assume they have been obtained and need replacing.
456 https://www.samba.org/samba/security/CVE-2023-0614.html
462 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
463 * BUG 15276: CVE-2023-0225.
465 o Andrew Bartlett <abartlet@samba.org>
466 * BUG 15270: CVE-2023-0614.
467 * BUG 15331: ldb wildcard matching makes excessive allocations.
468 * BUG 15332: large_ldap test is inefficient.
470 o Rob van der Linde <rob@catalyst.net.nz>
471 * BUG 15315: CVE-2023-0922.
473 o Joseph Sutton <josephsutton@catalyst.net.nz>
474 * BUG 15270: CVE-2023-0614.
475 * BUG 15276: CVE-2023-0225.
478 #######################################
479 Reporting bugs & Development Discussion
480 #######################################
482 Please discuss this release on the samba-technical mailing list or by
483 joining the #samba-technical:matrix.org matrix room, or
484 #samba-technical IRC channel on irc.libera.chat.
486 If you do report problems then please try to send high quality
487 feedback. If you don't provide vital information to help us track down
488 the problem then you will probably be ignored. All bug reports should
489 be filed under the Samba 4.1 and newer product in the project's Bugzilla
490 database (https://bugzilla.samba.org/).
493 ======================================================================
494 == Our Code, Our Bugs, Our Responsibility.
496 ======================================================================
499 ----------------------------------------------------------------------
500 ==============================
501 Release Notes for Samba 4.18.0
503 ==============================
505 This is the first stable release of the Samba 4.18 release series.
506 Please read the release notes carefully before upgrading.
511 SMB Server performance improvements
512 -----------------------------------
514 The security improvements in recent releases
515 (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
516 caused performance regressions for metadata heavy workloads.
518 While 4.17 already improved the situation quite a lot,
519 with 4.18 the locking overhead for contended path based operations
520 is reduced by an additional factor of ~ 3 compared to 4.17.
521 It means the throughput of open/close
522 operations reached the level of 4.12 again.
524 More succinct samba-tool error messages
525 ---------------------------------------
527 Historically samba-tool has reported user error or misconfiguration by
528 means of a Python traceback, showing you where in its code it noticed
529 something was wrong, but not always exactly what is amiss. Now it
530 tries harder to identify the true cause and restrict its output to
531 describing that. Particular cases include:
533 * a username or password is incorrect
534 * an ldb database filename is wrong (including in smb.conf)
535 * samba-tool dns: various zones or records do not exist
536 * samba-tool ntacl: certain files are missing
537 * the network seems to be down
538 * bad --realm or --debug arguments
540 Accessing the old samba-tool messages
541 -------------------------------------
543 This is not new, but users are reminded they can get the full Python
544 stack trace, along with other noise, by using the argument '-d3'.
545 This may be useful when searching the web.
547 The intention is that when samba-tool encounters an unrecognised
548 problem (especially a bug), it will still output a Python traceback.
549 If you encounter a problem that has been incorrectly identified by
550 samba-tool, please report it on https://bugzilla.samba.org.
552 Colour output with samba-tool --color
553 -------------------------------------
555 For some time a few samba-tool commands have had a --color=yes|no|auto
556 option, which determines whether the command outputs ANSI colour
557 codes. Now all samba-tool commands support this option, which now also
558 accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
559 and 'tty' and 'if-tty' for 'auto' (this more closely matches
560 convention). With --color=auto, or when --color is omitted, colour
561 codes are only used when output is directed to a terminal.
563 Most commands have very little colour in any case. For those that
564 already used it, the defaults have changed slightly.
566 * samba-tool drs showrepl: default is now 'auto', not 'no'
568 * samba-tool visualize: the interactions between --color-scheme,
569 --color, and --output have changed slightly. When --color-scheme is
570 set it overrides --color for the purpose of the output diagram, but
571 not for other output like error messages.
573 New samba-tool dsacl subcommand for deleting ACES
574 -------------------------------------------------
576 The samba-tool dsacl tool can now delete entries in directory access
577 control lists. The interface for 'samba-tool dsacl delete' is similar
578 to that of 'samba-tool dsacl set', with the difference being that the
579 ACEs described by the --sddl argument are deleted rather than added.
581 No colour with NO_COLOR environment variable
582 --------------------------------------------
584 With both samba-tool --color=auto (see above) and some other places
585 where we use ANSI colour codes, the NO_COLOR environment variable will
586 disable colour output. See https://no-color.org/ for a description of
587 this variable. `samba-tool --color=always` will use colour regardless
590 New wbinfo option --change-secret-at
591 ------------------------------------
593 The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
594 which forces the trust account password to be changed at a specified domain
595 controller. If the specified domain controller cannot be contacted the
596 password change fails rather than trying other DCs.
598 New option to change the NT ACL default location
599 ------------------------------------------------
601 Usually the NT ACLs are stored in the security.NTACL extended
602 attribute (xattr) of files and directories. The new
603 "acl_xattr:security_acl_name" option allows to redefine the default
604 location. The default "security.NTACL" is a protected location, which
605 means the content of the security.NTACL attribute is not accessible
606 from normal users outside of Samba. When this option is set to use a
607 user-defined value, e.g. user.NTACL then any user can potentially
608 access and overwrite this information. The module prevents access to
609 this xattr over SMB, but the xattr may still be accessed by other
610 means (eg local access, SSH, NFS). This option must only be used when
611 this consequence is clearly understood and when specific precautions
612 are taken to avoid compromising the ACL content.
614 Azure Active Directory / Office365 synchronisation improvements
615 --------------------------------------------------------------
617 Use of the Azure AD Connect cloud sync tool is now supported for
618 password hash synchronisation, allowing Samba AD Domains to synchronise
619 passwords with this popular cloud environment.
628 Parameter Name Description Default
629 -------------- ----------- -------
630 acl_xattr:security_acl_name New security.NTACL
634 CHANGES SINCE 4.18.0rc4
635 =======================
637 o Jeremy Allison <jra@samba.org>
638 * BUG 15314: streams_xattr is creating unexpected locks on folders.
640 o Volker Lendecke <vl@samba.org>
641 * BUG 15310: New samba-dcerpc architecture does not scale gracefully.
644 CHANGES SINCE 4.18.0rc3
645 =======================
647 o Andreas Schneider <asn@samba.org>
648 * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
651 o baixiangcpp <baixiangcpp@gmail.com>
652 * BUG 15311: fd_load() function implicitly closes the fd where it should not.
655 CHANGES SINCE 4.18.0rc2
656 =======================
658 o Jeremy Allison <jra@samba.org>
659 * BUG 15301: Improve file_modtime() and issues around smb3 unix test.
661 o Ralph Boehme <slow@samba.org>
662 * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
664 o Stefan Metzmacher <metze@samba.org>
665 * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
666 (tevent 0.14.1 and ldb 2.7.1 are already released...)
668 o John Mulligan <jmulligan@redhat.com>
669 * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
670 fsp_get_pathref_fd() in close and fstat.
672 o Andreas Schneider <asn@samba.org>
673 * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
674 * BUG 15301: Improve file_modtime() and issues around smb3 unix test.
677 CHANGES SINCE 4.18.0rc1
678 =======================
680 o Andrew Bartlett <abartlet@samba.org>
681 * BUG 10635: Office365 azure Password Sync not working.
683 o Stefan Metzmacher <metze@samba.org>
684 * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
686 o Noel Power <noel.power@suse.com>
687 * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
694 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs
697 #######################################
698 Reporting bugs & Development Discussion
699 #######################################
701 Please discuss this release on the samba-technical mailing list or by
702 joining the #samba-technical:matrix.org matrix room, or
703 #samba-technical IRC channel on irc.libera.chat
705 If you do report problems then please try to send high quality
706 feedback. If you don't provide vital information to help us track down
707 the problem then you will probably be ignored. All bug reports should
708 be filed under the Samba 4.1 and newer product in the project's Bugzilla
709 database (https://bugzilla.samba.org/).
712 ======================================================================
713 == Our Code, Our Bugs, Our Responsibility.
715 ======================================================================