-Release Announcements
-=====================
+ ==============================
+ Release Notes for Samba 4.13.7
+ March 24, 2021
+ ==============================
-This is the first preview release of Samba 4.9. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.9 will be the next version of the Samba suite.
+This is a follow-up release to depend on the correct ldb version. This is only
+needed when building against a system ldb library.
+This is a security release in order to address the following defects:
-UPGRADING
-=========
+o CVE-2020-27840: Heap corruption via crafted DN strings.
+o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
-NEW FEATURES/CHANGES
-====================
+=======
+Details
+=======
+
+o CVE-2020-27840:
+ An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
+ crafted DNs as part of a bind request. More serious heap corruption is likely
+ also possible.
+
+o CVE-2021-20277:
+ User-controlled LDAP filter strings against the AD DC LDAP server may crash
+ the LDAP server.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.13.6
+--------------------
+
+o Release with dependency on ldb version 2.2.1.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.6
+ March 24, 2021
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-27840: Heap corruption via crafted DN strings.
+o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
+
+
+=======
+Details
+=======
+
+o CVE-2020-27840:
+ An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
+ crafted DNs as part of a bind request. More serious heap corruption is likely
+ also possible.
+
+o CVE-2021-20277:
+ User-controlled LDAP filter strings against the AD DC LDAP server may crash
+ the LDAP server.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.13.5
+--------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
+ bad DNs.
+ * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.5
+ March 09, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.4
+--------------------
+o Trever L. Adams <trever.adams@gmail.com>
+ * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
+ start-up failure.
-net ads setspn
----------------
+o Jeremy Allison <jra@samba.org>
+ * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
+ setup failed on temp proxy connection.
+ * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
+ force a full reload of services.
-There is a new 'net ads setspn' sub command for managing Windows SPN(s)
-on the AD. This command aims to give the basic functionality that is
-provided on windows by 'setspn.exe' e.g. ability to add, delete and list
-Windows SPN(s) stored in a Windows AD Computer object.
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
+ expired tombstones.
-The format of the command is:
+o Ralph Boehme <slow@samba.org
+ * BUG 14503: s3: Fix fcntl waf configure check.
+ * BUG 14602: s3/auth: Implement "winbind:ignore domains".
+ * BUG 14617: smbd: Use fsp->conn->session_info for the initial
+ delete-on-close token.
-net ads setspn list [machine]
-net ads setspn [add | delete ] SPN [machine]
+o Peter Eriksson <pen@lysator.liu.se>
+ * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
+ path.
-'machine' is the name of the computer account on the AD that is to be managed.
-If 'machine' is not specified the name of the 'client' running the command
-is used instead.
+o Björn Jacke <bj@sernet.de>
+ * BUG 14624: classicupgrade: Treat old never expires value right.
-The format of a Windows SPN is
- 'serviceclass/host:port/servicename' (servicename and port are optional)
+o Volker Lendecke <vl@samba.org>
+ * BUG 14636: g_lock: Fix uninitalized variable reads.
-serviceclass/host is generally sufficient to specify a host based service.
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
-net ads keytab changes
-----------------------
-net ads keytab add no longer attempts to convert the passed serviceclass
-(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
-computer object. By default just the keytab file is modified.
+o Andreas Schneider <asn@samba.org>
+ * BUG 14625: lib:util: Avoid free'ing our own pointer.
-A new keytab subcommand 'add_update_ads' has been added to preserve the
-legacy behaviour. However the new 'net ads setspn add' subcommand should
-really be used instead.
+o Paul Wise <pabs3@bonedaddy.net>
+ * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
-net ads keytab create no longer tries to generate SPN(s) from existing
-entries in a keytab file. If it is required to add Windows SPN(s) then
-'net ads setspn add' should be used instead.
-Local authorization plugin for MIT Kerberos
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.4
+ January 26, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.3
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
+ 7.3.7.
+ * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
+ same way as a regular share definition does.
+
+o Dimitry Andric <dimitry@andric.com>
+ * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
+ functions.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14596: vfs_fruit may close wrong backend fd.
+ * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
+ same way as a regular share definition does.
+
+o Arne Kreddig <arne@kreddig.net>
+ * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14596: vfs_fruit may close wrong backend fd.
+ * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
+ 7.3.7.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14601: The cache directory for the user gencache should be created
+ recursively.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14594: Be more flexible with repository names in CentOS 8 test
+ environments.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.3
+ December 15, 2020
+ ==============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.2
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
+ fails for crypto blob.
+ * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
+ leaks from a function.
+ * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
+ NULL via TALLOC_FREE().
+ * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
+ all other uses.
+ * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
+ share.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14248: samba process does not honor max log size.
+ * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
+ everyone@ ACE.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14517: smbclient: Fix recursive mget.
+ * BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
+ translator.
+ * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 14514: interface: Fix if_index is not parsed correctly.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+---------------------------------------------------------------------- ==============================
+ Release Notes for Samba 4.13.2
+ November 03, 2020
+ ==============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+Major enhancements include:
+ o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
+ o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
+ translator.
+
+
+=======
+Details
+=======
+
+The GlusterFS write-behind performance translator, when used with Samba, could
+be a source of data corruption. The translator, while processing a write call,
+immediately returns success but continues writing the data to the server in the
+background. This can cause data corruption when two clients relying on Samba to
+provide data consistency are operating on the same file.
+
+The write-behind translator is enabled by default on GlusterFS.
+The vfs_glusterfs plugin will check for the presence of the translator and
+refuse to connect if detected. Please disable the write-behind translator for
+the GlusterFS volume to allow the plugin to connect to the volume.
+
+
+Changes since 4.13.1
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
+ **lines onto mem_ctx on return.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 14538: smb.conf.5: Add clarification how configuration changes
+ reflected by Samba.
+ * BUG 14552: daemons: Report status to systemd even when running in
+ foreground.
+ * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
+ present.
+
+o Amitay Isaacs <amitay@gmail.com>
+ * BUG 14487: provision: Add support for BIND 9.16.x.
+ * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
+ * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
+
+o Björn Jacke <bjacke@samba.org>
+ * BUG 14522: docs: Fix default value of spoolss:architecture.
+
+o Laurent Menase <laurent.menase@hpe.com>
+ * BUG 14388: winbind: Fix a memleak.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
+
+o Sachin Prabhu <sprabhu@redhat.com>
+ * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
+ vfs_glusterfs.
+
+o Khem Raj <raj.khem@gmail.com>
+ * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
+ * BUG 14550: examples:auth: Do not install example plugin.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
+
+o Andrew Walker <awalker@ixsystems.com>
+ * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.1
+ October 29, 2020
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
+o CVE-2020-14323: Unprivileged user can crash winbind.
+o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
+ crafted records.
+
+
+=======
+Details
+=======
+
+o CVE-2020-14318:
+ The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
+ request file name notification on a directory handle when a condition such as
+ "new file creation" or "file size change" or "file timestamp update" occurs.
+
+ A missing permissions check on a directory handle requesting ChangeNotify
+ meant that a client with a directory handle open only for
+ FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
+ notify replies from the server. These replies contain information that should
+ not be available to directory handles open for FILE_READ_ATTRIBUTE only.
+
+o CVE-2020-14323:
+ winbind in version 3.6 and later implements a request to translate multiple
+ Windows SIDs into names in one request. This was done for performance
+ reasons: The Microsoft RPC call domain controllers offer to do this
+ translation, so it was an obvious extension to also offer this batch
+ operation on the winbind unix domain stream socket that is available to local
+ processes on the Samba server.
+
+ Due to improper input validation a hand-crafted packet can make winbind
+ perform a NULL pointer dereference and thus crash.
+
+o CVE-2020-14383:
+ Some DNS records (such as MX and NS records) usually contain data in the
+ additional section. Samba's dnsserver RPC pipe (which is an administrative
+ interface not used in the DNS server itself) made an error in handling the
+ case where there are no records present: instead of noticing the lack of
+ records, it dereferenced uninitialised memory, causing the RPC server to
+ crash. This RPC server, which also serves protocols other than dnsserver,
+ will be restarted after a short delay, but it is easy for an authenticated
+ non-admin attacker to crash it again as soon as it returns. The Samba DNS
+ server itself will continue to operate, but many RPC services will not.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.13.0
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
+ unless the directory handle is open for SEC_DIR_LIST.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
+ 'samba-tool'.
+ * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.13.0
+ September 22, 2020
+ ==============================
+
+
+This is the first stable release of the Samba 4.13 release series.
+Please read the release notes carefully before upgrading.
+
+
+ZeroLogon
+=========
+
+Please avoid to set "server schannel = no" and "server schannel= auto" on all
+Samba domain controllers due to the wellknown ZeroLogon issue.
+
+For details please see
+https://www.samba.org/samba/security/CVE-2020-1472.html.
+
+
+NEW FEATURES/CHANGES
+====================
+
+Python 3.6 or later required
+----------------------------
+
+Samba's minimum runtime requirement for python was raised to Python
+3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
+3.6 both to access new features and because this is the oldest version
+we test with in our CI infrastructure.
+
+This is also the last release where it will be possible to build Samba
+(just the file server) with Python versions 2.6 and 2.7.
+
+As Python 2.7 has been End Of Life upstream since April 2020, Samba
+is dropping ALL Python 2.x support in the NEXT release.
+
+Samba 4.14 to be released in March 2021 will require Python 3.6 or
+later to build.
+
+wide links functionality
+------------------------
+
+For this release, the code implementing the insecure "wide links = yes"
+functionality has been moved out of the core smbd code and into a separate
+VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
+by smbd as the last but one module before vfs_default if "wide links = yes"
+is enabled on the share (note, the existing restrictions on enabling wide
+links around the SMB1 "unix extensions" and the "allow insecure wide links"
+parameters are still in force). The implicit loading was done to allow
+existing users of "wide links = yes" to keep this functionality without
+having to make a change to existing working smb.conf files.
+
+Please note that the Samba developers recommend changing any Samba
+installations that currently use "wide links = yes" to use bind mounts
+as soon as possible, as "wide links = yes" is an inherently insecure
+configuration which we would like to remove from Samba. Moving the
+feature into a VFS module allows this to be done in a cleaner way
+in future.
+
+A future release to be determined will remove this implicit linkage,
+causing administrators who need this functionality to have to explicitly
+add the vfs_widelinks module into the "vfs objects =" parameter lists.
+The release notes will be updated to note this change when it occurs.
+
+NT4-like 'classic' Samba domain controllers
-------------------------------------------
-This plugin controls the relationship between Kerberos principals and AD
-accounts through winbind. The module receives the Kerberos principal and the
-local account name as inputs and can then check if they match. This can resolve
-issues with canonicalized names returned by Kerberos within AD. If the user
-tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
-Kerberos would return ALICE as the username. Kerberos would not be able to map
-'alice' to 'ALICE' in this case and auth would fail. With this plugin account
-names can be correctly mapped. This only applies to GSSAPI authentication,
-not for the getting the initial ticket granting ticket.
-
-VFS audit modules
------------------
-
-The vfs_full_audit module has changed it's default set of monitored successful
-and failed operations from "all" to "none". That helps to prevent potential
-denial of service caused by simple addition of the module to the VFS objects.
-
-Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
-syslog(3) facility, in accordance with the manual page.
-
-Database audit support
-----------------------
-
-Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
-under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
-entries.
-
-Transaction commits and roll backs are now logged to Samba's debug logs under
-the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
-JSON formatted log entries.
-
-Password change audit support
------------------------------
-
-Password changes in the AD DC are now logged to Samba's debug logs under the
-"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
-formatted log entries.
-
-Group membership change audit support
--------------------------------------
-
-Group membership changes on the AD DC are now logged to
-Samba's debug log under the "dsdb_group_audit" debug class and
-"dsdb_group_json_audit" for JSON formatted log entries.
-
-Log Authentication duration
----------------------------
-
-For NTLM and Kerberos KDC authentication, the authentication duration is now
-logged. Note that the duration is only included in the JSON formatted log
-entries.
-
-New Experimental LMDB LDB backend
----------------------------------
-
-A new experimental LDB backend using LMDB is now available. This allows
-databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
-increased in a future release). To enable lmdb, provision or join a domain using
-the --backend-store=mdb option.
-
-This requires that a version of lmdb greater than 0.9.16 is installed and that
-samba has not been built with the --without-ldb-lmdb option.
-
-Please note this is an experimental feature and is not recommended for
-production deployments.
-
-Password Settings Objects
--------------------------
-Support has been added for Password Settings Objects (PSOs). This AD feature is
-also known as Fine-Grained Password Policies (FGPP).
-
-PSOs allow AD administrators to override the domain password policy settings
-for specific users, or groups of users. For example, PSOs can force certain
-users to have longer password lengths, or relax the complexity constraints for
-other users, and so on. PSOs can be applied to groups or to individual users.
-When multiple PSOs apply to the same user, essentially the PSO with the best
-precedence takes effect.
-
-PSOs can be configured and applied to users/groups using the 'samba-tool domain
-passwordsettings pso' set of commands.
-
-Domain backup and restore
--------------------------
-A new samba-tool command has been added that allows administrators to create a
-backup-file of their domain DB. In the event of a catastrophic failure of the
-domain, this backup-file can be used to restore Samba services.
-
-The new 'samba-tool domain backup online' command takes a snapshot of the
-domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
-in the domain should be taken offline, and the backup-file can then be used to
-recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
-Once the backed-up domain DB has been restored on the new DC, other DCs can
-then subsequently be joined to the new DC, in order to repopulate the Samba
-network.
-
-Domain rename tool
-------------------
-Basic support has been added for renaming a Samba domain. The rename feature is
-designed for the following cases:
-1). Running a temporary alternate domain, in the event of a catastrophic
-failure of the regular domain. Using a completely different domain name and
-realm means that the original domain and the renamed domain can both run at the
-same time, without interfering with each other. This is an advantage over
-creating a regular 'online' backup - it means the renamed/alternate domain can
-provide core Samba network services, while trouble-shooting the fault on the
-original domain can be done in parallel.
-2). Creating a realistic lab domain or pre-production domain for testing.
-
-Note that the renamed tool is currently not intended to support a long-term
-rename of the production domain. Currently renaming the GPOs is not supported
-and would need to be done manually.
-
-The domain rename is done in two steps: first, the 'samba-tool domain backup
-rename' command will clone the domain DB, renaming it in the process, and
-producing a backup-file. Then, the 'samba-tool domain backup restore' command
-takes the backup-file and restores the renamed DB to disk on a fresh DC.
+Samba 4.13 deprecates Samba's original domain controller mode.
-New samba-tool options for diagnosing DRS replication issues
-------------------------------------------------------------
-
-The 'samba-tool drs showrepl' command has two new options controlling
-the output. With --summary, the command says very little when DRS
-replication is working well. With --json, JSON is produced. These
-options are intended for human and machine audiences, respectively.
-
-The 'samba-tool visualize uptodateness' visualizes replication lag as
-a heat-map matrix based on the DRS uptodateness vectors. This will
-show you if (but not why) changes are failing to replicate to some DCs.
-
-Automatic site coverage and GetDCName improvements
---------------------------------------------------
-
-Samba's AD DC now automatically claims otherwise empty sites based on
-which DC is the nearest in the replication topology.
-
-This, combined with efforts to correctly identify the client side in
-the GetDCName Netlogon call will improve service to sites without a
-local DC.
-
-Improved samba-tool computer command
-------------------------------------
-
-The 'samba-tool computer' command allow manipulation of computer
-accounts including creating a new computer and resetting the password.
-This allows an 'offline join' of a member server or workstation to the
-Samba AD domain.
-
-Samba performance tool now operates against Microsoft Windows AD
-----------------------------------------------------------------
-
-The Samba AD performance testing tool traffic_reply can now operate
-against a Windows based AD domain. Previously it only operated
-correctly against Samba.
-
-DNS entries are now cleaned up during DC demote
------------------------------------------------
-
-DNS records are now cleaned up as part of the 'samba-tool domain
-demote' including both the default and --remove-other-dead-server
-modes.
-
-Additionally DNS records can be automatically cleaned up for a given
-name with the 'samba-tool dns cleanup' command, which aids in cleaning
-up partially removed DCs.
-
-Samba now tested with CI GitLab
--------------------------------
-
-Samba developers now have pre-commit testing available in GitLab,
-giving reviewers confidence that the submitted patches pass a full CI
-before being submitted to the Samba Team's own autobuild system.
-
-Dynamic DNS record scavenging support
--------------------------------------
-
-It is now possible to enable scavenging of DNS Zones to remove DNS
-records that were dynamically created and have not been touched in
-some time.
-
-This support should however only be enabled on new zones or new
-installations. Sadly old Samba versions suffer from BUG 12451 and
-mark dynamic DNS records as static and static records as dynamic.
-While a dbcheck rule may be able to find these in the future,
-currently a reliable test has not been devised.
-
-Finally, there is not currently a command-line tool to enable this
-feature, currently it should be enabled from the DNS Manager tool from
-Windows. Also the feature needs to have been enabled by setting the smb.conf
-parameter "dns zone scavenging = yes".
+Sites using Samba as a Domain Controller should upgrade from the
+NT4-like 'classic' Domain Controller to a Samba Active Directory DC
+to ensure full operation with modern windows clients.
+
+SMBv1 only protocol options deprecated
+--------------------------------------
+
+A number of smb.conf parameters for less-secure authentication methods
+which are only possible over SMBv1 are deprecated in this release.
REMOVED FEATURES
================
+The deprecated "ldap ssl ads" smb.conf option has been removed.
smb.conf changes
================
-As the most popular Samba install platforms (Linux and FreeBSD) both
-support extended attributes by default, the parameters "map readonly",
-"store dos attributes" and "ea support" have had their defaults changed
-to allow better Windows fileserver compatibility in a default install.
+ Parameter Name Description Default
+ -------------- ----------- -------
+ ldap ssl ads Removed
+ smb2 disable lock sequence checking Added No
+ smb2 disable oplock break retry Added No
+ domain logons Deprecated no
+ raw NTLMv2 auth Deprecated no
+ client plaintext auth Deprecated no
+ client NTLMv2 auth Deprecated yes
+ client lanman auth Deprecated no
+ client use spnego Deprecated yes
+ server require schannel:COMPUTER Added
+
+
+CHANGES SINCE 4.13.0rc5
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
+ netr_ServerPasswordSet2 against unencrypted passwords.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
+ "server require schannel:WORKSTATION$ = no" about unsecure configurations.
+
+o Gary Lockyer <gary@catalyst.net.nz>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
+ client challenge.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
+ challenges in netlogon_creds_server_init()
+ "server require schannel:WORKSTATION$ = no".
+
+
+CHANGES SINCE 4.13.0rc4
+=======================
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
+ 3.6.14.
+ * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
+ * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain
+ entry.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14482: Fix build problem if libbsd-dev is not installed.
+
+
+CHANGES SINCE 4.13.0rc3
+=======================
+
+o David Disseldorp <ddiss@samba.org>
+ * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
+ response.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14428: PANIC: Assert failed in get_lease_type().
+ * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
+ response.
+
+
+CHANGES SINCE 4.13.0rc2
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14460: Deprecate domain logons, SMBv1 things.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14318: docs: Add missing winexe manpage.
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 14166: util: Allow symlinks in directory_create_or_exist.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14466: ctdb disable/enable can fail due to race condition.
+
+
+CHANGES SINCE 4.13.0rc1
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
- Parameter Name Description Default
- -------------- ----------- -------
- map readonly Default changed no
- store dos attributes Default changed yes
- ea support Default changed yes
- full_audit:success Default changed none
- full_audit:failure Default changed none
+o Volker Lendecke <vl@samba.org>
+ * BUG 14435: winbind: Fix lookuprids cache problem.
-VFS interface changes
-=====================
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
+ Primary:Kerberos.
-The VFS ABI interface version has changed to 39. Function changes
-are:
+o Andreas Schneider <asn@samba.org>
+ * BUG 14358: docs: Fix documentation for require_membership_of of
+ pam_winbind.conf.
-SMB_VFS_FSYNC: Removed: Only async versions are used.
-SMB_VFS_READ: Removed: Only PREAD or async versions are used.
-SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
-SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
-SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
+ count.
-Any external VFS modules will need to be updated to match these
-changes in order to work with 4.9.x.
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
#######################################