1 ==============================
2 Release Notes for Samba 4.13.0
4 ==============================
7 This is the first stable release of the Samba 4.13 release series.
8 Please read the release notes carefully before upgrading.
14 Please avoid to set "server schannel = no" and "server schannel= auto" on all
15 Samba domain controllers due to the wellknown ZeroLogon issue.
17 For details please see
18 https://www.samba.org/samba/security/CVE-2020-1472.html.
24 Python 3.6 or later required
25 ----------------------------
27 Samba's minimum runtime requirement for python was raised to Python
28 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
29 3.6 both to access new features and because this is the oldest version
30 we test with in our CI infrastructure.
32 This is also the last release where it will be possible to build Samba
33 (just the file server) with Python versions 2.6 and 2.7.
35 As Python 2.7 has been End Of Life upstream since April 2020, Samba
36 is dropping ALL Python 2.x support in the NEXT release.
38 Samba 4.14 to be released in March 2021 will require Python 3.6 or
41 wide links functionality
42 ------------------------
44 For this release, the code implementing the insecure "wide links = yes"
45 functionality has been moved out of the core smbd code and into a separate
46 VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
47 by smbd as the last but one module before vfs_default if "wide links = yes"
48 is enabled on the share (note, the existing restrictions on enabling wide
49 links around the SMB1 "unix extensions" and the "allow insecure wide links"
50 parameters are still in force). The implicit loading was done to allow
51 existing users of "wide links = yes" to keep this functionality without
52 having to make a change to existing working smb.conf files.
54 Please note that the Samba developers recommend changing any Samba
55 installations that currently use "wide links = yes" to use bind mounts
56 as soon as possible, as "wide links = yes" is an inherently insecure
57 configuration which we would like to remove from Samba. Moving the
58 feature into a VFS module allows this to be done in a cleaner way
61 A future release to be determined will remove this implicit linkage,
62 causing administrators who need this functionality to have to explicitly
63 add the vfs_widelinks module into the "vfs objects =" parameter lists.
64 The release notes will be updated to note this change when it occurs.
66 NT4-like 'classic' Samba domain controllers
67 -------------------------------------------
69 Samba 4.13 deprecates Samba's original domain controller mode.
71 Sites using Samba as a Domain Controller should upgrade from the
72 NT4-like 'classic' Domain Controller to a Samba Active Directory DC
73 to ensure full operation with modern windows clients.
75 SMBv1 only protocol options deprecated
76 --------------------------------------
78 A number of smb.conf parameters for less-secure authentication methods
79 which are only possible over SMBv1 are deprecated in this release.
85 The deprecated "ldap ssl ads" smb.conf option has been removed.
91 Parameter Name Description Default
92 -------------- ----------- -------
94 smb2 disable lock sequence checking Added No
95 smb2 disable oplock break retry Added No
96 domain logons Deprecated no
97 raw NTLMv2 auth Deprecated no
98 client plaintext auth Deprecated no
99 client NTLMv2 auth Deprecated yes
100 client lanman auth Deprecated no
101 client use spnego Deprecated yes
102 server require schannel:COMPUTER Added
105 CHANGES SINCE 4.13.0rc5
106 =======================
108 o Jeremy Allison <jra@samba.org>
109 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
110 netr_ServerPasswordSet2 against unencrypted passwords.
112 o Günther Deschner <gd@samba.org>
113 * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
114 "server require schannel:WORKSTATION$ = no" about unsecure configurations.
116 o Gary Lockyer <gary@catalyst.net.nz>
117 * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
120 o Stefan Metzmacher <metze@samba.org>
121 * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
122 challenges in netlogon_creds_server_init()
123 "server require schannel:WORKSTATION$ = no".
126 CHANGES SINCE 4.13.0rc4
127 =======================
129 o Andreas Schneider <asn@samba.org>
130 * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
132 * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
133 * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
136 o Stefan Metzmacher <metze@samba.org>
137 * BUG 14482: Fix build problem if libbsd-dev is not installed.
140 CHANGES SINCE 4.13.0rc3
141 =======================
143 o David Disseldorp <ddiss@samba.org>
144 * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
146 o Volker Lendecke <vl@samba.org>
147 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
150 o Stefan Metzmacher <metze@samba.org>
151 * BUG 14428: PANIC: Assert failed in get_lease_type().
152 * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
156 CHANGES SINCE 4.13.0rc2
157 =======================
159 o Andrew Bartlett <abartlet@samba.org>
160 * BUG 14460: Deprecate domain logons, SMBv1 things.
162 o Günther Deschner <gd@samba.org>
163 * BUG 14318: docs: Add missing winexe manpage.
165 o Christof Schmitt <cs@samba.org>
166 * BUG 14166: util: Allow symlinks in directory_create_or_exist.
168 o Martin Schwenke <martin@meltin.net>
169 * BUG 14466: ctdb disable/enable can fail due to race condition.
172 CHANGES SINCE 4.13.0rc1
173 =======================
175 o Andrew Bartlett <abartlet@samba.org>
176 * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
178 o Isaac Boukris <iboukris@gmail.com>
179 * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
181 o Volker Lendecke <vl@samba.org>
182 * BUG 14435: winbind: Fix lookuprids cache problem.
184 o Stefan Metzmacher <metze@samba.org>
185 * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
188 o Andreas Schneider <asn@samba.org>
189 * BUG 14358: docs: Fix documentation for require_membership_of of
192 o Martin Schwenke <martin@meltin.net>
193 * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
200 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
203 #######################################
204 Reporting bugs & Development Discussion
205 #######################################
207 Please discuss this release on the samba-technical mailing list or by
208 joining the #samba-technical IRC channel on irc.freenode.net.
210 If you do report problems then please try to send high quality
211 feedback. If you don't provide vital information to help us track down
212 the problem then you will probably be ignored. All bug reports should
213 be filed under the Samba 4.1 and newer product in the project's Bugzilla
214 database (https://bugzilla.samba.org/).
217 ======================================================================
218 == Our Code, Our Bugs, Our Responsibility.
220 ======================================================================