-Release Announcements
-=====================
+ ===============================
+ Release Notes for Samba 4.17.12
+ October 10, 2023
+ ===============================
-This is the first pre release of Samba 4.14. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.14 will be the next version of the Samba suite.
+This is a security release in order to address the following defects:
-UPGRADING
-=========
+o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
+ existing unix domain sockets on the file system.
+ https://www.samba.org/samba/security/CVE-2023-3961.html
+
+o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
+ OVERWRITE disposition when using the acl_xattr Samba VFS
+ module with the smb.conf setting
+ "acl_xattr:ignore system acls = yes"
+ https://www.samba.org/samba/security/CVE-2023-4091.html
+
+o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
+ attributes, including secrets and passwords. Additionally,
+ the access check fails open on error conditions.
+ https://www.samba.org/samba/security/CVE-2023-4154.html
+
+o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
+ server block for a user-defined amount of time, denying
+ service.
+ https://www.samba.org/samba/security/CVE-2023-42669.html
+
+o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
+ listeners, disrupting service on the AD DC.
+ https://www.samba.org/samba/security/CVE-2023-42670.html
+
+
+Changes since 4.17.11
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15422: CVE-2023-3961.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15424: CVE-2023-4154.
+ * BUG 15473: CVE-2023-42670.
+ * BUG 15474: CVE-2023-42669.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15439: CVE-2023-4091.
+
+o Christian Merten <christian@merten.dev>
+ * BUG 15424: CVE-2023-4154.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15424: CVE-2023-4154.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15424: CVE-2023-4154.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15424: CVE-2023-4154.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+ ===============================
+ Release Notes for Samba 4.17.11
+ September 07, 2023
+ ===============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.10
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15419: Weird filename can cause assert to fail in
+ openat_pathref_fsp_nosymlink().
+ * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
+ pointer.
+ * BUG 15430: Missing return in reply_exit_done().
+ * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
+ pointer.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15401: Improve GetNChanges to address some (but not all "Azure AD
+ Connect") syncronisation tool looping during the initial user sync phase.
+ * BUG 15407: Samba replication logs show (null) DN.
+ * BUG 9959: Windows client join fails if a second container CN=System exists
+ somewhere.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15342: Spotlight sometimes returns no results on latest macOS.
+ * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
+ attempted to remove the destination.
+ * BUG 15427: Spotlight results return wrong date in result list.
+ * BUG 15463: macOS mdfind returns only 50 results.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
+ bad message_id 2.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
+ bad message_id 2.
+ * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
+ * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
+
+o MikeLiu <mikeliu@qnap.com>
+ * BUG 15453: File doesn't show when user doesn't have permission if
+ aio_pthread is loaded.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15384: net ads lookup (with unspecified realm) fails
+ * BUG 15435: Regression DFS not working with widelinks = true.
+
+o Arvid Requate <requate@univention.de>
+ * BUG 9959: Windows client join fails if a second container CN=System exists
+ somewhere.
+
+o Martin Schwenke <mschwenke@ddn.com>
+ * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
+ 1.9.1.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
+ * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ===============================
+ Release Notes for Samba 4.17.10
+ July 19, 2023
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
+ crafted request can trigger an out-of-bounds read in winbind
+ and possibly crash it.
+ https://www.samba.org/samba/security/CVE-2022-2127.html
+
+o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
+ "server signing = required" or for SMB2 connections to Domain
+ Controllers where SMB2 packet signing is mandatory.
+ https://www.samba.org/samba/security/CVE-2023-3347.html
+
+o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
+ Spotlight can be triggered by an unauthenticated attacker by
+ issuing a malformed RPC request.
+ https://www.samba.org/samba/security/CVE-2023-34966.html
+
+o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
+ Spotlight can be used by an unauthenticated attacker to
+ trigger a process crash in a shared RPC mdssvc worker process.
+ https://www.samba.org/samba/security/CVE-2023-34967.html
+
+o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
+ side absolute path of shares and files and directories in
+ search results.
+ https://www.samba.org/samba/security/CVE-2023-34968.html
+
+
+Changes since 4.17.9
+--------------------
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15072: CVE-2022-2127.
+ * BUG 15340: CVE-2023-34966.
+ * BUG 15341: CVE-2023-34967.
+ * BUG 15388: CVE-2023-34968.
+ * BUG 15397: CVE-2023-3347.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15072: CVE-2022-2127.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.9
+ July 06, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.8
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15404: Backport --pidl-developer fixes.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15275: smbd_scavenger crashes when service smbd is stopped.
+ * BUG 15378: vfs_fruit might cause a failing open for delete.
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 14030: named crashes on DLZ zone update.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15361: winbind recurses into itself via rpcd_lsad.
+ * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
+ * BUG 15391: smbclient leaks fds with showacls.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
+ smb3_sid_parse().
+ * BUG 15413: winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 15403: smbget memory leak if failed to download files recursively.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.8
+ May 11, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.7
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied:
+ message level should be lower.
+ * BUG 15306: Floating point exception (FPE) via cli_pull_send at
+ source3/libsmb/clireadwrite.c.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
+ Rackspace GitLab runners.
+ * BUG 15329: Reduce flapping of ridalloc test.
+ * BUG 15351: large_ldap test is unreliable.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
+ * BUG 15354: mdssvc may crash when initializing.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15313: Large directory optimization broken for non-lcomp path elements.
+ * BUG 15357: streams_depot fails to create streams.
+ * BUG 15358: shadow_copy2 and streams_depot don't play well together.
+ * BUG 15366: wbinfo -u fails on ad dc with >1000 users.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15317: winbindd idmap child contacts the domain controller without a
+ need.
+ * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
+ first time.
+ * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
+ * BUG 15323: net ads search -P doesn't work against servers in other domains.
+ * BUG 15338: DS ACEs might be inherited to unrelated object classes.
+ * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15360: Setting veto files = /.*/ break listing directories.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+ allow full write to all attributes (additional changes).
+ * BUG 15329: Reduce flapping of ridalloc test.
+
+o Nathaniel W. Turner <nturner@exagrid.com>
+ * BUG 15325: dsgetdcname: assumes local system uses IPv4.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.7
+ March 29, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+ but otherwise unprivileged users to delete this attribute from
+ any object in the directory.
+ https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.17.6
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15276: CVE-2023-0225.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <rob@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+ allow full write to all attributes (additional changes).
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15276: CVE-2023-0225.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.6
+ March 09, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.5
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15314: streams_xattr is creating unexpected locks on folders.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
+ password hash synchronisation, allowing Samba AD Domains to synchronise
+ passwords with this popular cloud environment.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15299: Spotlight doesn't work with latest macOS Ventura.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15310: New samba-dcerpc architecture does not scale gracefully.
+
+o John Mulligan <jmulligan@redhat.com>
+ * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
+ fsp_get_pathref_fd() in close and fstat.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
+ after free.
+
+o baixiangcpp <baixiangcpp@gmail.com>
+ * BUG 15311: fd_load() function implicitly closes the fd where it should not.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.5
+ January 26, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.4
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14808: smbc_getxattr() return value is incorrect.
+ * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
+ correctly.
+ * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
+ * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
+ DC when there is only an AAAA record for the DC in DNS.
+ * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
+ * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
+ * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
+ (accessing NULL value).
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
+ based SChannel on NETLOGON (additional changes).
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+ * BUG 15269: ctdb: use-after-free in run_proc.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
+ * BUG 15280: irpc_destructor may crash during shutdown.
+ * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15268: smbclient segfaults with use after free on an optimized build.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
+
+o Andrew Walker <awalker@ixsystems.com>
+ * BUG 15164: Leak in wbcCtxPingDc2.
+ * BUG 15265: Access based share enum does not work in Samba 4.16+.
+ * BUG 15267: Crash during share enumeration.
+ * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
+ end of returned buffer.
+
+o Florian Weimer <fweimer@redhat.com>
+ * BUG 15281: Avoid relying on C89 features in a few places.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.4
+ December 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+It also contains security changes in order to address the following defects:
+
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.17.3
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15206: libnet: change_password() doesn't work with
+ dcerpc_samr_ChangePasswordUser4().
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15230: Memory leak in snprintf replacement functions.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
+ (CVE-2021-20251 regression).
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 15198: Prevent EBADF errors with vfs_glusterfs.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15257: Stack smashing in net offlinejoin requestodj.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.3
+ November 15, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+
+o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
+ integer overflows when parsing a PAC on a 32-bit system, which
+ allowed an attacker with a forged PAC to corrupt the heap.
+ https://www.samba.org/samba/security/CVE-2022-42898.html
+
+Changes since 4.17.2
+--------------------
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15203: CVE-2022-42898
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 15203: CVE-2022-42898
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.2
+ October 25, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
+ unwrap_des() and unwrap_des3() routines of Heimdal (included
+ in Samba).
+ https://www.samba.org/samba/security/CVE-2022-3437.html
+
+o CVE-2022-3592: A malicious client can use a symlink to escape the exported
+ directory.
+ https://www.samba.org/samba/security/CVE-2022-3592.html
+
+Changes since 4.17.1
+--------------------
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15207: CVE-2022-3592.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.1
+ October 19, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.17 release series.
+
+
+Changes since 4.17.0
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
+ * BUG 15182: Flush on a named stream never completes.
+ * BUG 15195: Permission denied calling SMBC_getatr when file not exists.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
+ over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
+ * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
+ over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15182: Flush on a named stream never completes.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
+
+o Gary Lockyer <gary@catalyst.net.nz>
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15200: multi-channel socket passing may hit a race if one of the
+ involved processes already existed.
+ * BUG 15201: memory leak on temporary of struct imessaging_post_state and
+ struct tevent_immediate on struct imessaging_context (in
+ rpcd_spoolss and maybe others).
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15205: Since popt1.19 various use after free errors using result of
+ poptGetArg are now exposed.
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
+ vfs_glusterfs.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.17.0
+ September 13, 2022
+ ==============================
+
+
+This is the first stable release of the Samba 4.17 release series.
+Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
-Here is a copy of a clarification note added to the Samba code
-in the file: VFS-License-clarification.txt.
---------------------------------------------------------------
+SMB Server performance improvements
+-----------------------------------
-A clarification of our GNU GPL License enforcement boundary within the Samba
-Virtual File System (VFS) layer.
+The security improvements in recent releases
+(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
+caused performance regressions for meta data heavy workloads.
-Samba is licensed under the GNU GPL. All code committed to the Samba
-project or that creates a "modified version" or software "based on" Samba must
-be either licensed under the GNU GPL or a compatible license.
+With 4.17 the situation improved a lot again:
-Samba has several plug-in interfaces where external code may be called
-from Samba GNU GPL licensed code. The most important of these is the
-Samba VFS layer.
+- Pathnames given by a client are devided into dirname and basename.
+ The amount of syscalls to validate dirnames is reduced to 2 syscalls
+ (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
+ makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
+ in order to just use 2 syscalls (openat2, close) for the whole dirname.
-Samba VFS modules are intimately connected by header files and API
-definitions to the part of the Samba code that provides file services,
-and as such, code that implements a plug-in Samba VFS module must be
-licensed under the GNU GPL or a compatible license.
+- Contended path based operations used to generate a lot of unsolicited
+ wakeup events causing thundering herd problems, which lead to masive
+ latencies for some clients. These events are now avoided in order
+ to provide stable latencies and much higher throughput of open/close
+ operations.
-However, Samba VFS modules may themselves call third-party external
-libraries that are not part of the Samba project and are externally
-developed and maintained.
+Configure without the SMB1 Server
+---------------------------------
-As long as these third-party external libraries do not use any of the
-Samba internal structure, APIs or interface definitions created by the
-Samba project (to the extent that they would be considered subject to the GNU
-GPL), then the Samba Team will not consider such third-party external
-libraries called from Samba VFS modules as "based on" and/or creating a
-"modified version" of the Samba code for the purposes of GNU GPL.
-Accordingly, we do not require such libraries be licensed under the GNU GPL
-or a GNU GPL compatible license.
+It is now possible to configure Samba without support for
+the SMB1 protocol in smbd. This can be selected at configure
+time with either of the options:
-VFS
----
+--with-smb1-server
+--without-smb1-server
-The effort to modernize Samba's VFS interface has reached a major milestone with
-the next release Samba 4.14.
+By default (without either of these options set) Samba
+is configured to include SMB1 support (i.e. --with-smb1-server
+is the default). When Samba is configured without SMB1 support,
+none of the SMB1 code is included inside smbd except the minimal
+stub code needed to allow a client to connect as SMB1 and immediately
+negotiate the selected protocol into SMB2 (as a Windows server also
+allows).
-For details please refer to the documentation at source3/modules/The_New_VFS.txt or
-visit the <https://wiki.samba.org/index.php/The_New_VFS>.
+None of the SMB1-only smb.conf parameters are removed when
+configured without SMB1, but these parameters are ignored by
+the smbd server. This allows deployment without having to change
+an existing smb.conf file.
-Printing
---------
+This option allows sites, OEMs and integrators to configure Samba
+to remove the old and insecure SMB1 protocol from their products.
-Publishing printers in AD is more reliable and more printer features are
-added to the published information in AD. Samba now also supports Windows
-drivers for the ARM64 architecture.
+Note that the Samba client libraries still support SMB1 connections
+even when Samba is configured as --without-smb1-server. This is
+to ensure maximum compatibility with environments containing old
+SMB1 servers.
+Bronze bit and S4U support now also with MIT Kerberos 1.20
+----------------------------------------------------------
-Client Group Policy
--------------------
-This release extends Samba to support Group Policy functionality for Winbind
-clients. Active Directory Administrators can set policies that apply Sudoers
-configuration, and cron jobs to run hourly, daily, weekly or monthly.
+In 2020 Microsoft Security Response Team received another Kerberos-related
+report. Eventually, that led to a security update of the CVE-2020-17049,
+Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
+Bit’. With this vulnerability, a compromised service that is configured to use
+Kerberos constrained delegation feature could tamper with a service ticket that
+is not valid for delegation to force the KDC to accept it.
-To enable the application of Group Policies on a client, set the global
-smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
-interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
+With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
+‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
+changed to allow passing more details between KDC and KDB components. When built
+against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
+but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
-Policies applied by Samba are 'non-tattooing', meaning that changes can be
-reverted by executing the `samba-gpupdate --unapply` command. Policies can be
-re-applied using the `samba-gpupdate --force` command.
-To view what policies have been or will be applied to a system, use the
-`samba-gpupdate --rsop` command.
+In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
+S4U2Self and S4U2Proxy Kerberos extensions.
-Administration of Samba policy requires that a Samba ADMX template be uploaded
-to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
-provided as a convenient method for adding this policy. Once uploaded, policies
-can be modified in the Group Policy Management Editor under Computer
-Configuration/Policies/Administrative Templates. Alternatively, Samba policy
-may be managed using the `samba-tool gpo manage` command. This tool does not
-require the admx templates to be installed.
+Note the default (Heimdal-based) KDC was already fixed in 2021,
+see https://bugzilla.samba.org/show_bug.cgi?id=14642
+Resource Based Constrained Delegation (RBCD) support
+----------------------------------------------------
-Python 3.6 or later required
-----------------------------
+Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
+Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
-Samba's minimum runtime requirement for python was raised to Python
-3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python
-3.6 also to build Samba. It is no longer possible to build Samba
-(even just the file server) with Python versions 2.6 and 2.7.
+samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
+in order to manage RBCD.
-As Python 2.7 has been End Of Life upstream since April 2020, Samba
-is dropping ALL Python 2.x support in this release.
+To complete RBCD support and make it useful to Administrators we added the
+Asserted Identity [1] SID into the PAC for constrained delegation. This is
+available for Samba AD compiled with MIT Kerberos 1.20.
+Note the default (Heimdal-based) KDC does not support RBCD yet.
-NT4-like 'classic' Samba domain controllers
--------------------------------------------
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
-Samba 4.13 deprecates Samba's original domain controller mode.
+Customizable DNS listening port
+-------------------------------
-Sites using Samba as a Domain Controller should upgrade from the
-NT4-like 'classic' Domain Controller to a Samba Active Directory DC
-to ensure full operation with modern windows clients.
+It is now possible to set a custom listening port for the builtin DNS service,
+making easy to host another DNS on the same system that would bind to the
+default port and forward the domain-specific queries to Samba using the custom
+port. This is the opposite configuration of setting a forwarder in Samba.
+It makes possible to use another DNS server as a front and forward to Samba.
-SMBv1 only protocol options deprecated
---------------------------------------
+Dynamic DNS updates may not be proxied by the front DNS server when forwarding
+to Samba. Dynamic DNS update proxying depends on the features of the other DNS
+server used as a front.
-A number of smb.conf parameters for less-secure authentication methods
-which are only possible over SMBv1 are deprecated in this release.
+CTDB changes
+------------
+* When Samba is configured with both --with-cluster-support and
+ --systemd-install-services then a systemd service file for CTDB will
+ be installed.
-Miscellaneous samba-tool changes
---------------------------------
+* ctdbd_wrapper has been removed. ctdbd is now started directly from
+ a systemd service file or init script.
-The samba-tool commands to manage AD objects (e.g. users, computers and
-groups) now consistently use the "add" command when adding a new object to
-the AD. The previous deprecation warnings when using the "add" commands
-have been removed. For compatibility reasons, both the "add" and "create"
-commands can be used now.
+* The syntax for the ctdb.tunables configuration file has been
+ relaxed. However, trailing garbage after the value, including
+ comments, is no longer permitted. Please see ctdb-tunables(7) for
+ more details.
-Users, groups and contacts can now be renamed with the respective rename
-commands.
+Operation without the (unsalted) NT password hash
+-------------------------------------------------
-Locked users can be unlocked with the new "samba-tool user unlock" command.
+When Samba is configured with 'nt hash store = never' then Samba will
+no longer store the (unsalted) NT password hash for users in Active
+Directory. (Trust accounts, like computers, domain controllers and
+inter-domain trusts are not impacted).
-The "samba-tool user list" and "samba-tool group listmembers" commands
-provide additional options to hide expired and disabled user accounts
-(--hide-expired and --hide-disabled).
+In the next version of Samba the default for 'nt hash store' will
+change from 'always' to 'auto', where it will follow (behave as 'nt
+hash store = never' when 'ntlm auth = disabled' is set.
+Security-focused deployments of Samba that have eliminated NTLM from
+their networks will find setting 'ntlm auth = disabled' with 'nt hash
+store = always' as a useful way to improve compliance with
+best-practice guidance on password storage (which is to always use an
+interated hash).
-CTDB CHANGES
-============
+Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
+Kerberos keys will not be available for users who subsequently change
+their password, as these keys derive their values from NT hashes. AES
+keys are stored by default for all deployments of Samba with Domain
+Functional Level 2008 or later, are supported by all modern clients,
+and are much more secure.
+
+Finally, also note that password history in Active Directory is stored
+in nTPwdHistory using a series of NT hash values. Therefore the full
+password history feature is not available in this mode.
+
+To provide some protection against password re-use previous Kerberos
+hash values (the current, old and older values are already stored) are
+used, providing a history length of 3.
+
+There is one small limitation of this workaround: Changing the
+sAMAccountName, userAccountControl or userPrincipalName of an account
+can cause the Kerberos password salt to change. This means that after
+*both* an account rename and a password change, only the current
+password will be recognised for password history purposes.
+
+Python API for smbconf
+----------------------
+
+Samba's smbconf library provides a generic frontend to various
+configuration backends (plain text file, registry) as a C library. A
+new Python wrapper, importable as 'samba.smbconf' is available. An
+additional module, 'samba.samba3.smbconf', is also available to enable
+registry backend support. These libraries allow Python programs to
+read, and optionally write, Samba configuration natively.
+
+JSON support for smbstatus
+--------------------------
+
+It is now possible to print detailed information in JSON format in
+the smbstatus program using the new option --json. The JSON output
+covers all the existing text output including sessions, connections,
+open files, byte-range locks, notifies and profile data with all
+low-level information maintained by Samba in the respective databases.
+
+Protected Users security group
+------------------------------
+
+Samba AD DC now includes support for the Protected Users security
+group introduced in Windows Server 2012 R2. The feature reduces the
+attack surface of user accounts by preventing the use of weak
+encryption types. It also mitigates the effects of credential theft by
+limiting credential lifetime and scope.
+
+The protections are intended for user accounts only, and service or
+computer accounts should not be added to the Protected Users
+group. User accounts added to the group are granted the following
+security protections:
+
+ * NTLM authentication is disabled.
+ * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
+ not issued to or accepted from affected principals. Tickets
+ encrypted with AES, and service tickets encrypted with RC4, are
+ not affected by this restriction.
+ * The lifetime of Kerberos TGTs is restricted to a maximum of four
+ hours.
+ * Kerberos constrained and unconstrained delegation is disabled.
-* The NAT gateway and LVS features now uses the term "leader" to refer
- to the main node in a group through which traffic is routed and
- "follower" for other members of a group. The command for
- determining the leader has changed to "ctdb natgw leader" (from
- "ctdb natgw master"). The configuration keyword for indicating that
- a node can not be the leader of a group has changed to
- "follower-only" (from "slave-only"). Identical changes were made
- for LVS.
+If the Protected Users group is not already present in the domain, it
+can be created with 'samba-tool group add'. The new '--special'
+parameter must be specified, with 'Protected Users' as the name of the
+group. An example command invocation is:
-* Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's
- scripts and can be checked by users with "ctdb pnn" and "ctdb
- recmaster".
+samba-tool group add 'Protected Users' --special
+
+or against a remote server:
+
+samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
+
+The Protected Users group is identified in the domain by its having a
+RID of 525. Thus, it should only be created with samba-tool and the
+'--special' parameter, as above, so that it has the required RID
+to function correctly.
REMOVED FEATURES
================
-The deprecated "ldap ssl ads" smb.conf option has been removed.
+LanMan Authentication and password storage removed from the AD DC
+-----------------------------------------------------------------
+
+The storage and authentication with LanMan passwords has been entirely
+removed from the Samba AD DC, even when "lanman auth = yes" is set.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- smb encrypt Removed
- ldap ssl ads Removed
- client plaintext auth Deprecated no
- client NTLMv2 auth Deprecated yes
- client lanman auth Deprecated no
- client use spnego Deprecated yes
- domain logons Deprecated no
- raw NTLMv2 auth Deprecated no
- async dns timeout New 10
- client smb encrypt New default
- honor change notify privilege New No
- smbd force process locks New No
- server smb encrypt New default
+ Parameter Name Description Default
+ -------------- ----------- -------
+ dns port New default 53
+ fruit:zero_file_id New default yes
+ nt hash store New parameter always
+ smb1 unix extensions Replaces "unix extensions"
+ volume serial number New parameter -1
+ winbind debug traceid New parameter no
+
+
+CHANGES SINCE 4.17.0rc4
+=======================
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
+ permissions instead of ACL from xattr.
+ * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
+ * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
+ ../../lib/util/fault.c:197.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
+ permissions instead of ACL from xattr.
+ * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
+ ../../lib/util/fault.c:197.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate
+ returning NT_STATUS_NOT_SUPPORTED.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15160: winbind at info level debug can coredump when processing
+ wb_lookupusergroups.
+
+
+CHANGES SINCE 4.17.0rc3
+=======================
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
+
+
+CHANGES SINCE 4.17.0rc2
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15128: Possible use after free of connection_struct when iterating
+ smbd_server_connection->connections.
+
+o Christian Ambach <ambi@samba.org>
+ * BUG 15145: `net usershare add` fails with flag works with --long but fails
+ with -l.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
+ permissions instead of ACL from xattr.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15125: Performance regression on contended path based operations.
+ * BUG 15148: Missing READ_LEASE break could cause data corruption.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15141: libsamba-errors uses a wrong version number.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15152: SMB1 negotiation can fail to handle connection errors.
+
+
+CHANGES SINCE 4.17.0rc1
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
+ * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
+ * BUG 15146: Backport fileserver related changed to 4.17.0rc2
+
+o Jule Anger <janger@samba.org>
+ * BUG 15147: Manpage for smbstatus json is missing
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15146: Backport fileserver related changed to 4.17.0rc2
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15125: Performance regression on contended path based operations
+ * BUG 15146: Backport fileserver related changed to 4.17.0rc2
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15140: Fix issues found by coverity in smbstatus json code
+ * BUG 15146: Backport fileserver related changed to 4.17.0rc2
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.14#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / samba.git / blobdiff