1 ==============================
2 Release Notes for Samba 4.17.7
4 ==============================
7 This is a security release in order to address the following defects:
9 o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
10 but otherwise unprivileged users to delete this attribute from
11 any object in the directory.
12 https://www.samba.org/samba/security/CVE-2023-0225.html
14 o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
15 remote LDAP server, will by default send new or reset
16 passwords over a signed-only connection.
17 https://www.samba.org/samba/security/CVE-2023-0922.html
19 o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
20 Confidential attribute disclosure via LDAP filters was
21 insufficient and an attacker may be able to obtain
22 confidential BitLocker recovery keys from a Samba AD DC.
23 Installations with such secrets in their Samba AD should
24 assume they have been obtained and need replacing.
25 https://www.samba.org/samba/security/CVE-2023-0614.html
31 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
32 * BUG 15276: CVE-2023-0225.
34 o Andrew Bartlett <abartlet@samba.org>
35 * BUG 15270: CVE-2023-0614.
36 * BUG 15331: ldb wildcard matching makes excessive allocations.
37 * BUG 15332: large_ldap test is inefficient.
39 o Rob van der Linde <rob@catalyst.net.nz>
40 * BUG 15315: CVE-2023-0922.
42 o Joseph Sutton <josephsutton@catalyst.net.nz>
43 * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
44 allow full write to all attributes (additional changes).
45 * BUG 15270: CVE-2023-0614.
46 * BUG 15276: CVE-2023-0225.
49 #######################################
50 Reporting bugs & Development Discussion
51 #######################################
53 Please discuss this release on the samba-technical mailing list or by
54 joining the #samba-technical:matrix.org matrix room, or
55 #samba-technical IRC channel on irc.libera.chat.
57 If you do report problems then please try to send high quality
58 feedback. If you don't provide vital information to help us track down
59 the problem then you will probably be ignored. All bug reports should
60 be filed under the Samba 4.1 and newer product in the project's Bugzilla
61 database (https://bugzilla.samba.org/).
64 ======================================================================
65 == Our Code, Our Bugs, Our Responsibility.
67 ======================================================================
70 Release notes for older releases follow:
71 ----------------------------------------
72 ==============================
73 Release Notes for Samba 4.17.6
75 ==============================
78 This is the latest stable release of the Samba 4.17 release series.
84 o Jeremy Allison <jra@samba.org>
85 * BUG 15314: streams_xattr is creating unexpected locks on folders.
87 o Andrew Bartlett <abartlet@samba.org>
88 * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
89 password hash synchronisation, allowing Samba AD Domains to synchronise
90 passwords with this popular cloud environment.
92 o Ralph Boehme <slow@samba.org>
93 * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
95 o Volker Lendecke <vl@samba.org>
96 * BUG 15310: New samba-dcerpc architecture does not scale gracefully.
98 o John Mulligan <jmulligan@redhat.com>
99 * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
100 fsp_get_pathref_fd() in close and fstat.
102 o Noel Power <noel.power@suse.com>
103 * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
106 o baixiangcpp <baixiangcpp@gmail.com>
107 * BUG 15311: fd_load() function implicitly closes the fd where it should not.
110 #######################################
111 Reporting bugs & Development Discussion
112 #######################################
114 Please discuss this release on the samba-technical mailing list or by
115 joining the #samba-technical:matrix.org matrix room, or
116 #samba-technical IRC channel on irc.libera.chat.
119 If you do report problems then please try to send high quality
120 feedback. If you don't provide vital information to help us track down
121 the problem then you will probably be ignored. All bug reports should
122 be filed under the Samba 4.1 and newer product in the project's Bugzilla
123 database (https://bugzilla.samba.org/).
126 ======================================================================
127 == Our Code, Our Bugs, Our Responsibility.
129 ======================================================================
132 ----------------------------------------------------------------------
133 ==============================
134 Release Notes for Samba 4.17.5
136 ==============================
139 This is the latest stable release of the Samba 4.17 release series.
145 o Jeremy Allison <jra@samba.org>
146 * BUG 14808: smbc_getxattr() return value is incorrect.
147 * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
149 * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
150 * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
151 DC when there is only an AAAA record for the DC in DNS.
152 * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
153 * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
154 * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
155 (accessing NULL value).
157 o Samuel Cabrero <scabrero@samba.org>
158 * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
159 based SChannel on NETLOGON (additional changes).
161 o Volker Lendecke <vl@samba.org>
162 * BUG 15243: %U for include directive doesn't work for share listing
164 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
165 * BUG 15269: ctdb: use-after-free in run_proc.
167 o Stefan Metzmacher <metze@samba.org>
168 * BUG 15243: %U for include directive doesn't work for share listing
170 * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
171 * BUG 15280: irpc_destructor may crash during shutdown.
172 * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
174 o Andreas Schneider <asn@samba.org>
175 * BUG 15268: smbclient segfaults with use after free on an optimized build.
177 o Jones Syue <jonessyue@qnap.com>
178 * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
180 o Andrew Walker <awalker@ixsystems.com>
181 * BUG 15164: Leak in wbcCtxPingDc2.
182 * BUG 15265: Access based share enum does not work in Samba 4.16+.
183 * BUG 15267: Crash during share enumeration.
184 * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
185 end of returned buffer.
187 o Florian Weimer <fweimer@redhat.com>
188 * BUG 15281: Avoid relying on C89 features in a few places.
191 #######################################
192 Reporting bugs & Development Discussion
193 #######################################
195 Please discuss this release on the samba-technical mailing list or by
196 joining the #samba-technical:matrix.org matrix room, or
197 #samba-technical IRC channel on irc.libera.chat.
200 If you do report problems then please try to send high quality
201 feedback. If you don't provide vital information to help us track down
202 the problem then you will probably be ignored. All bug reports should
203 be filed under the Samba 4.1 and newer product in the project's Bugzilla
204 database (https://bugzilla.samba.org/).
207 ======================================================================
208 == Our Code, Our Bugs, Our Responsibility.
210 ======================================================================
213 ----------------------------------------------------------------------
214 ==============================
215 Release Notes for Samba 4.17.4
217 ==============================
220 This is the latest stable release of the Samba 4.17 release series.
221 It also contains security changes in order to address the following defects:
224 o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
225 RC4-HMAC Elevation of Privilege Vulnerability
226 disclosed by Microsoft on Nov 8 2022.
228 A Samba Active Directory DC will issue weak rc4-hmac
229 session keys for use between modern clients and servers
230 despite all modern Kerberos implementations supporting
231 the aes256-cts-hmac-sha1-96 cipher.
233 On Samba Active Directory DCs and members
234 'kerberos encryption types = legacy' would force
235 rc4-hmac as a client even if the server supports
236 aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
238 https://www.samba.org/samba/security/CVE-2022-37966.html
240 o CVE-2022-37967: This is the Samba CVE for the Windows
241 Kerberos Elevation of Privilege Vulnerability
242 disclosed by Microsoft on Nov 8 2022.
244 A service account with the special constrained
245 delegation permission could forge a more powerful
246 ticket than the one it was presented with.
248 https://www.samba.org/samba/security/CVE-2022-37967.html
250 o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
251 same algorithms as rc4-hmac cryptography in Kerberos,
252 and so must also be assumed to be weak.
254 https://www.samba.org/samba/security/CVE-2022-38023.html
256 Note that there are several important behavior changes
257 included in this release, which may cause compatibility problems
258 interacting with system still expecting the former behavior.
259 Please read the advisories of CVE-2022-37966,
260 CVE-2022-37967 and CVE-2022-38023 carefully!
262 samba-tool got a new 'domain trust modify' subcommand
263 -----------------------------------------------------
265 This allows "msDS-SupportedEncryptionTypes" to be changed
266 on trustedDomain objects. Even against remote DCs (including Windows)
267 using the --local-dc-ipaddress= (and other --local-dc-* options).
268 See 'samba-tool domain trust modify --help' for further details.
273 Parameter Name Description Default
274 -------------- ----------- -------
275 allow nt4 crypto Deprecated no
276 allow nt4 crypto:COMPUTERACCOUNT New
277 kdc default domain supported enctypes New (see manpage)
278 kdc supported enctypes New (see manpage)
279 kdc force enable rc4 weak session keys New No
280 reject md5 clients New Default, Deprecated Yes
281 reject md5 servers New Default, Deprecated Yes
282 server schannel Deprecated Yes
283 server schannel require seal New, Deprecated Yes
284 server schannel require seal:COMPUTERACCOUNT New
285 winbind sealed pipes Deprecated Yes
290 o Jeremy Allison <jra@samba.org>
291 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
294 o Andrew Bartlett <abartlet@samba.org>
295 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
296 user-controlled pointer in FAST.
297 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
298 * BUG 15237: CVE-2022-37966.
299 * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
301 o Ralph Boehme <slow@samba.org>
302 * BUG 15240: CVE-2022-38023.
303 * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
305 o Stefan Metzmacher <metze@samba.org>
306 * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
308 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
310 * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
312 * BUG 15206: libnet: change_password() doesn't work with
313 dcerpc_samr_ChangePasswordUser4().
314 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
315 * BUG 15230: Memory leak in snprintf replacement functions.
316 * BUG 15237: CVE-2022-37966.
317 * BUG 15240: CVE-2022-38023.
318 * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
319 (CVE-2021-20251 regression).
321 o Noel Power <noel.power@suse.com>
322 * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
325 o Anoop C S <anoopcs@samba.org>
326 * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
328 o Andreas Schneider <asn@samba.org>
329 * BUG 15237: CVE-2022-37966.
330 * BUG 15243: %U for include directive doesn't work for share listing
332 * BUG 15257: Stack smashing in net offlinejoin requestodj.
334 o Joseph Sutton <josephsutton@catalyst.net.nz>
335 * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
336 * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
337 * BUG 15231: CVE-2022-37967.
338 * BUG 15237: CVE-2022-37966.
340 o Nicolas Williams <nico@twosigma.com>
341 * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
342 user-controlled pointer in FAST.
346 #######################################
347 Reporting bugs & Development Discussion
348 #######################################
350 Please discuss this release on the samba-technical mailing list or by
351 joining the #samba-technical:matrix.org matrix room, or
352 #samba-technical IRC channel on irc.libera.chat.
355 If you do report problems then please try to send high quality
356 feedback. If you don't provide vital information to help us track down
357 the problem then you will probably be ignored. All bug reports should
358 be filed under the Samba 4.1 and newer product in the project's Bugzilla
359 database (https://bugzilla.samba.org/).
362 ======================================================================
363 == Our Code, Our Bugs, Our Responsibility.
365 ======================================================================
368 ----------------------------------------------------------------------
369 ==============================
370 Release Notes for Samba 4.17.3
372 ==============================
375 This is a security release in order to address the following defects:
378 o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
379 integer overflows when parsing a PAC on a 32-bit system, which
380 allowed an attacker with a forged PAC to corrupt the heap.
381 https://www.samba.org/samba/security/CVE-2022-42898.html
385 o Joseph Sutton <josephsutton@catalyst.net.nz>
386 * BUG 15203: CVE-2022-42898
388 o Nicolas Williams <nico@twosigma.com>
389 * BUG 15203: CVE-2022-42898
392 #######################################
393 Reporting bugs & Development Discussion
394 #######################################
396 Please discuss this release on the samba-technical mailing list or by
397 joining the #samba-technical:matrix.org matrix room, or
398 #samba-technical IRC channel on irc.libera.chat.
401 If you do report problems then please try to send high quality
402 feedback. If you don't provide vital information to help us track down
403 the problem then you will probably be ignored. All bug reports should
404 be filed under the Samba 4.1 and newer product in the project's Bugzilla
405 database (https://bugzilla.samba.org/).
408 ======================================================================
409 == Our Code, Our Bugs, Our Responsibility.
411 ======================================================================
414 ----------------------------------------------------------------------
415 ==============================
416 Release Notes for Samba 4.17.2
418 ==============================
421 This is a security release in order to address the following defects:
423 o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
424 unwrap_des() and unwrap_des3() routines of Heimdal (included
426 https://www.samba.org/samba/security/CVE-2022-3437.html
428 o CVE-2022-3592: A malicious client can use a symlink to escape the exported
430 https://www.samba.org/samba/security/CVE-2022-3592.html
435 o Volker Lendecke <vl@samba.org>
436 * BUG 15207: CVE-2022-3592.
438 o Joseph Sutton <josephsutton@catalyst.net.nz>
439 * BUG 15134: CVE-2022-3437.
442 #######################################
443 Reporting bugs & Development Discussion
444 #######################################
446 Please discuss this release on the samba-technical mailing list or by
447 joining the #samba-technical:matrix.org matrix room, or
448 #samba-technical IRC channel on irc.libera.chat.
450 If you do report problems then please try to send high quality
451 feedback. If you don't provide vital information to help us track down
452 the problem then you will probably be ignored. All bug reports should
453 be filed under the Samba 4.1 and newer product in the project's Bugzilla
454 database (https://bugzilla.samba.org/).
457 ======================================================================
458 == Our Code, Our Bugs, Our Responsibility.
460 ======================================================================
463 ----------------------------------------------------------------------
464 ==============================
465 Release Notes for Samba 4.17.1
467 ==============================
470 This is the latest stable release of the Samba 4.17 release series.
476 o Jeremy Allison <jra@samba.org>
477 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
479 * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
480 * BUG 15182: Flush on a named stream never completes.
481 * BUG 15195: Permission denied calling SMBC_getatr when file not exists.
483 o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
484 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
485 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
486 * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
488 o Andrew Bartlett <abartlet@samba.org>
489 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
491 * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
492 over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
494 o Ralph Boehme <slow@samba.org>
495 * BUG 15182: Flush on a named stream never completes.
497 o Volker Lendecke <vl@samba.org>
498 * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
500 o Gary Lockyer <gary@catalyst.net.nz>
501 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
504 o Stefan Metzmacher <metze@samba.org>
505 * BUG 15200: multi-channel socket passing may hit a race if one of the
506 involved processes already existed.
507 * BUG 15201: memory leak on temporary of struct imessaging_post_state and
508 struct tevent_immediate on struct imessaging_context (in
509 rpcd_spoolss and maybe others).
511 o Noel Power <noel.power@suse.com>
512 * BUG 15205: Since popt1.19 various use after free errors using result of
513 poptGetArg are now exposed.
515 o Anoop C S <anoopcs@samba.org>
516 * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
519 o Andreas Schneider <asn@samba.org>
520 * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
522 o Joseph Sutton <josephsutton@catalyst.net.nz>
523 * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
527 #######################################
528 Reporting bugs & Development Discussion
529 #######################################
531 Please discuss this release on the samba-technical mailing list or by
532 joining the #samba-technical:matrix.org matrix room, or
533 #samba-technical IRC channel on irc.libera.chat.
536 If you do report problems then please try to send high quality
537 feedback. If you don't provide vital information to help us track down
538 the problem then you will probably be ignored. All bug reports should
539 be filed under the Samba 4.1 and newer product in the project's Bugzilla
540 database (https://bugzilla.samba.org/).
543 ======================================================================
544 == Our Code, Our Bugs, Our Responsibility.
546 ======================================================================
549 ----------------------------------------------------------------------
550 ==============================
551 Release Notes for Samba 4.17.0
553 ==============================
556 This is the first stable release of the Samba 4.17 release series.
557 Please read the release notes carefully before upgrading.
563 SMB Server performance improvements
564 -----------------------------------
566 The security improvements in recent releases
567 (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
568 caused performance regressions for meta data heavy workloads.
570 With 4.17 the situation improved a lot again:
572 - Pathnames given by a client are devided into dirname and basename.
573 The amount of syscalls to validate dirnames is reduced to 2 syscalls
574 (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
575 makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
576 in order to just use 2 syscalls (openat2, close) for the whole dirname.
578 - Contended path based operations used to generate a lot of unsolicited
579 wakeup events causing thundering herd problems, which lead to masive
580 latencies for some clients. These events are now avoided in order
581 to provide stable latencies and much higher throughput of open/close
584 Configure without the SMB1 Server
585 ---------------------------------
587 It is now possible to configure Samba without support for
588 the SMB1 protocol in smbd. This can be selected at configure
589 time with either of the options:
592 --without-smb1-server
594 By default (without either of these options set) Samba
595 is configured to include SMB1 support (i.e. --with-smb1-server
596 is the default). When Samba is configured without SMB1 support,
597 none of the SMB1 code is included inside smbd except the minimal
598 stub code needed to allow a client to connect as SMB1 and immediately
599 negotiate the selected protocol into SMB2 (as a Windows server also
602 None of the SMB1-only smb.conf parameters are removed when
603 configured without SMB1, but these parameters are ignored by
604 the smbd server. This allows deployment without having to change
605 an existing smb.conf file.
607 This option allows sites, OEMs and integrators to configure Samba
608 to remove the old and insecure SMB1 protocol from their products.
610 Note that the Samba client libraries still support SMB1 connections
611 even when Samba is configured as --without-smb1-server. This is
612 to ensure maximum compatibility with environments containing old
615 Bronze bit and S4U support now also with MIT Kerberos 1.20
616 ----------------------------------------------------------
618 In 2020 Microsoft Security Response Team received another Kerberos-related
619 report. Eventually, that led to a security update of the CVE-2020-17049,
620 Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
621 Bit’. With this vulnerability, a compromised service that is configured to use
622 Kerberos constrained delegation feature could tamper with a service ticket that
623 is not valid for delegation to force the KDC to accept it.
625 With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
626 ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
627 changed to allow passing more details between KDC and KDB components. When built
628 against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
629 but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
631 In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
632 S4U2Self and S4U2Proxy Kerberos extensions.
634 Note the default (Heimdal-based) KDC was already fixed in 2021,
635 see https://bugzilla.samba.org/show_bug.cgi?id=14642
637 Resource Based Constrained Delegation (RBCD) support
638 ----------------------------------------------------
640 Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
641 Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
643 samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
644 in order to manage RBCD.
646 To complete RBCD support and make it useful to Administrators we added the
647 Asserted Identity [1] SID into the PAC for constrained delegation. This is
648 available for Samba AD compiled with MIT Kerberos 1.20.
650 Note the default (Heimdal-based) KDC does not support RBCD yet.
652 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
654 Customizable DNS listening port
655 -------------------------------
657 It is now possible to set a custom listening port for the builtin DNS service,
658 making easy to host another DNS on the same system that would bind to the
659 default port and forward the domain-specific queries to Samba using the custom
660 port. This is the opposite configuration of setting a forwarder in Samba.
662 It makes possible to use another DNS server as a front and forward to Samba.
664 Dynamic DNS updates may not be proxied by the front DNS server when forwarding
665 to Samba. Dynamic DNS update proxying depends on the features of the other DNS
666 server used as a front.
671 * When Samba is configured with both --with-cluster-support and
672 --systemd-install-services then a systemd service file for CTDB will
675 * ctdbd_wrapper has been removed. ctdbd is now started directly from
676 a systemd service file or init script.
678 * The syntax for the ctdb.tunables configuration file has been
679 relaxed. However, trailing garbage after the value, including
680 comments, is no longer permitted. Please see ctdb-tunables(7) for
683 Operation without the (unsalted) NT password hash
684 -------------------------------------------------
686 When Samba is configured with 'nt hash store = never' then Samba will
687 no longer store the (unsalted) NT password hash for users in Active
688 Directory. (Trust accounts, like computers, domain controllers and
689 inter-domain trusts are not impacted).
691 In the next version of Samba the default for 'nt hash store' will
692 change from 'always' to 'auto', where it will follow (behave as 'nt
693 hash store = never' when 'ntlm auth = disabled' is set.
695 Security-focused deployments of Samba that have eliminated NTLM from
696 their networks will find setting 'ntlm auth = disabled' with 'nt hash
697 store = always' as a useful way to improve compliance with
698 best-practice guidance on password storage (which is to always use an
701 Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
702 Kerberos keys will not be available for users who subsequently change
703 their password, as these keys derive their values from NT hashes. AES
704 keys are stored by default for all deployments of Samba with Domain
705 Functional Level 2008 or later, are supported by all modern clients,
706 and are much more secure.
708 Finally, also note that password history in Active Directory is stored
709 in nTPwdHistory using a series of NT hash values. Therefore the full
710 password history feature is not available in this mode.
712 To provide some protection against password re-use previous Kerberos
713 hash values (the current, old and older values are already stored) are
714 used, providing a history length of 3.
716 There is one small limitation of this workaround: Changing the
717 sAMAccountName, userAccountControl or userPrincipalName of an account
718 can cause the Kerberos password salt to change. This means that after
719 *both* an account rename and a password change, only the current
720 password will be recognised for password history purposes.
722 Python API for smbconf
723 ----------------------
725 Samba's smbconf library provides a generic frontend to various
726 configuration backends (plain text file, registry) as a C library. A
727 new Python wrapper, importable as 'samba.smbconf' is available. An
728 additional module, 'samba.samba3.smbconf', is also available to enable
729 registry backend support. These libraries allow Python programs to
730 read, and optionally write, Samba configuration natively.
732 JSON support for smbstatus
733 --------------------------
735 It is now possible to print detailed information in JSON format in
736 the smbstatus program using the new option --json. The JSON output
737 covers all the existing text output including sessions, connections,
738 open files, byte-range locks, notifies and profile data with all
739 low-level information maintained by Samba in the respective databases.
741 Protected Users security group
742 ------------------------------
744 Samba AD DC now includes support for the Protected Users security
745 group introduced in Windows Server 2012 R2. The feature reduces the
746 attack surface of user accounts by preventing the use of weak
747 encryption types. It also mitigates the effects of credential theft by
748 limiting credential lifetime and scope.
750 The protections are intended for user accounts only, and service or
751 computer accounts should not be added to the Protected Users
752 group. User accounts added to the group are granted the following
753 security protections:
755 * NTLM authentication is disabled.
756 * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
757 not issued to or accepted from affected principals. Tickets
758 encrypted with AES, and service tickets encrypted with RC4, are
759 not affected by this restriction.
760 * The lifetime of Kerberos TGTs is restricted to a maximum of four
762 * Kerberos constrained and unconstrained delegation is disabled.
764 If the Protected Users group is not already present in the domain, it
765 can be created with 'samba-tool group add'. The new '--special'
766 parameter must be specified, with 'Protected Users' as the name of the
767 group. An example command invocation is:
769 samba-tool group add 'Protected Users' --special
771 or against a remote server:
773 samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
775 The Protected Users group is identified in the domain by its having a
776 RID of 525. Thus, it should only be created with samba-tool and the
777 '--special' parameter, as above, so that it has the required RID
778 to function correctly.
784 LanMan Authentication and password storage removed from the AD DC
785 -----------------------------------------------------------------
787 The storage and authentication with LanMan passwords has been entirely
788 removed from the Samba AD DC, even when "lanman auth = yes" is set.
794 Parameter Name Description Default
795 -------------- ----------- -------
796 dns port New default 53
797 fruit:zero_file_id New default yes
798 nt hash store New parameter always
799 smb1 unix extensions Replaces "unix extensions"
800 volume serial number New parameter -1
801 winbind debug traceid New parameter no
804 CHANGES SINCE 4.17.0rc4
805 =======================
807 o Ralph Boehme <slow@samba.org>
808 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
809 permissions instead of ACL from xattr.
810 * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
811 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
812 ../../lib/util/fault.c:197.
814 o Volker Lendecke <vl@samba.org>
815 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
816 permissions instead of ACL from xattr.
817 * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
818 ../../lib/util/fault.c:197.
820 o Stefan Metzmacher <metze@samba.org>
821 * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate
822 returning NT_STATUS_NOT_SUPPORTED.
824 o Noel Power <noel.power@suse.com>
825 * BUG 15160: winbind at info level debug can coredump when processing
829 CHANGES SINCE 4.17.0rc3
830 =======================
832 o Anoop C S <anoopcs@samba.org>
833 * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
836 CHANGES SINCE 4.17.0rc2
837 =======================
839 o Jeremy Allison <jra@samba.org>
840 * BUG 15128: Possible use after free of connection_struct when iterating
841 smbd_server_connection->connections.
843 o Christian Ambach <ambi@samba.org>
844 * BUG 15145: `net usershare add` fails with flag works with --long but fails
847 o Ralph Boehme <slow@samba.org>
848 * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
849 permissions instead of ACL from xattr.
851 o Stefan Metzmacher <metze@samba.org>
852 * BUG 15125: Performance regression on contended path based operations.
853 * BUG 15148: Missing READ_LEASE break could cause data corruption.
855 o Andreas Schneider <asn@samba.org>
856 * BUG 15141: libsamba-errors uses a wrong version number.
858 o Joseph Sutton <josephsutton@catalyst.net.nz>
859 * BUG 15152: SMB1 negotiation can fail to handle connection errors.
862 CHANGES SINCE 4.17.0rc1
863 =======================
865 o Jeremy Allison <jra@samba.org>
866 * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
867 * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
868 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
870 o Jule Anger <janger@samba.org>
871 * BUG 15147: Manpage for smbstatus json is missing
873 o Volker Lendecke <vl@samba.org>
874 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
876 o Stefan Metzmacher <metze@samba.org>
877 * BUG 15125: Performance regression on contended path based operations
878 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
880 o Andreas Schneider <asn@samba.org>
881 * BUG 15140: Fix issues found by coverity in smbstatus json code
882 * BUG 15146: Backport fileserver related changed to 4.17.0rc2
888 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
891 #######################################
892 Reporting bugs & Development Discussion
893 #######################################
895 Please discuss this release on the samba-technical mailing list or by
896 joining the #samba-technical:matrix.org matrix room, or
897 #samba-technical IRC channel on irc.libera.chat
899 If you do report problems then please try to send high quality
900 feedback. If you don't provide vital information to help us track down
901 the problem then you will probably be ignored. All bug reports should
902 be filed under the Samba 4.1 and newer product in the project's Bugzilla
903 database (https://bugzilla.samba.org/).
906 ======================================================================
907 == Our Code, Our Bugs, Our Responsibility.
909 ======================================================================