out with
runtime error: file /usr/pkg/share/xsl/docbook/lib/lib.xsl line 58 element choose
xsltApplySequenceConstructor: A potential infinite template recursion was detected.
This is probably the most important of the Samba man pages, and it
should not have been excluded from the build without a detailed
explanation, "just to make the pkg build".
Samba 4.12.2
This is a security release in order to address the following defects:
o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
Samba 4.12.1
* BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().
* BUG 14296: samba-tool group: Handle group names with special chars
correctly.
* BUG 14293: Add missing check for DMAPI offline status in async DOS
attributes.
* BUG 14295: Starting ctdb node that was powered off hard before results in
recovery loop.
* BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
* BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
non-existant paths.
* BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
* BUG 14327: nsswitch: Fix use-after-free causing segfault in
_pam_delete_cred.
* BUG 13622: fruit:time machine max size is broken on arm.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
node banning.
* BUG 14332: s3/utils: Fix double free error with smbtree.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
node banning.
* BUG 14295: Starting ctdb node that was powered off hard before results in
recovery loop.
* BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
pointer.
samba 4.12.0:
NEW FEATURES/CHANGES
====================
Python 3.5 Required
-------------------
Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.
(Build time support for the file server with Python 2.6 has not
changed)
Removing in-tree cryptography: GnuTLS 3.4.7 required
----------------------------------------------------
Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries. To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.
Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.
Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.
A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.
zlib library is now required to build Samba
-------------------------------------------
Samba no longer includes a local copy of zlib in our source tarball.
By removing this we do not need to ship (even where we did not
build) the old, broken zip encryption code found there.
New Spotlight backend for Elasticsearch
---------------------------------------
Support for the macOS specific Spotlight search protocol has been enhanced
significantly. Starting with 4.12 Samba supports using Elasticsearch as search
backend. Various new parameters have been added to configure this:
spotlight backend = noindex | elasticsearch | tracker
elasticsearch:address = ADDRESS
elasticsearch:port = PORT
elasticsearch:use tls = BOOLEAN
elasticsearch:index = INDEXNAME
elasticsearch:mappings = PATH
elasticsearch:max results = NUMBER
Samba also ships a Spotlight client command "mdfind" which can be used to search
any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
for details.
Note that when upgrading existing installations that are using the previous
default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
tracker" as the new default is "noindex".
'net ads kerberos pac save' and 'net eventlog export'
-----------------------------------------------------
The 'net ads kerberos pac save' and 'net eventlog export' tools will
no longer silently overwrite an existing file during data export. If
the filename given exits, an error will be shown.
Fuzzing
-------
A large number of fuzz targets have been added to Samba, and Samba has
been registered in Google's oss-fuzz cloud fuzzing service. In
particular, we now have good fuzzing coverage of our generated NDR
parsing code.
A large number of issues have been found and fixed thanks to this
effort.
'samba-tool' improvements add contacts as member to groups
----------------------------------------------------------
Previously 'samba-tool group addmemers' can just add users, groups and
computers as members to groups. But also contacts can be members of
groups. Samba 4.12 adds the functionality to add contacts to
groups. Since contacts have no sAMAccountName, it's possible that
there are more than one contact with the same name in different
organizational units. Therefore it's necessary to have an option to
handle group members by their DN.
To get the DN of an object there is now the "--full-dn" option available
for all necessary commands.
The MS Windows UI allows to search for specific types of group members
when searching for new members for a group. This feature is included
here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
option. The different types are selected accordingly to the Windows
UI. The default samba-toole behaviour shouldn't be changed.
Allow filtering by OU or subtree in samba-tool
----------------------------------------------
A new "--base-dn" and "--member-base-dn" option is added to relevant
samba-tool user, group and ou management commands to allow operation
on just one part of the AD tree, such as a single OU.
VFS
===
SMB_VFS_NTIMES
--------------
Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.
'io_uring' vfs module
---------------------
The module makes use of the new io_uring infrastructure
(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/
Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).
In order to build the module you need the liburing userspace library
and its developement headers installed, see
https://git.kernel.dk/cgit/liburing/
At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.
MS-DFS changes in the VFS
-------------------------
This release changes set getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:
SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()
instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this has not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this
way.
CTDB changes
============
* The ctdb_mutex_fcntl_helper periodically re-checks the lock file
The re-check period is specified using a 2nd argument to this
helper. The default re-check period is 5s.
If the file no longer exists or the inode number changes then the
helper exits. This triggers an election.
REMOVED FEATURES
================
The smb.conf parameter "write cache size" has been removed.
Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development. The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-contrained
systems, so this functionality should not be enabled in core smbd
code.
In addition, it complicated the write code, which is a performance
critical code path.
If required for specialist purposes, it can be recreated as a VFS
module.
Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).
Samba-DC: DES keys no longer saved in DB.
-----------------------------------------
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password. If the account is being
migrated to Windbows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.
Heimdal-DC: removal of weak-crypto.
-----------------------------------
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
vfs_netatalk: The netatalk VFS module has been removed.
-------------------------------------------------------
The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.
BIND9_FLATFILE deprecated
-------------------------
The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future. This was only practically useful on a single
domain controller or under expert care and supervision.
This release removes the 'rndc command' smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain. Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.
Update samba4 to 4.11.5.
==============================
Release Notes for Samba 4.11.5
January 21, 2020
==============================
This is a security release in order to address the following defects:
o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
=======
Details
=======
o CVE-2019-14902:
The implementation of ACL inheritance in the Samba AD DC was not complete,
and so absent a 'full-sync' replication, ACLs could get out of sync between
domain controllers.
o CVE-2019-14907:
When processing untrusted string input Samba can read past the end of the
allocated buffer when printing a "Conversion error" message to the logs.
o CVE-2019-19344:
During DNS zone scavenging (of expired dynamic entries) there is a read of
memory after it has been freed.
Samba 4.11.3
This is a security release in order to address the following defects:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
on Samba AD DC.
4.11.2:
This is a security release in order to address the following defects:
o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
via dirsync.
4.11.1:
This is the latest stable release of the Samba 4.11 release series.
Changes since 4.11.0:
* BUG 14141: getpwnam and getpwuid need to return data for ID_TYPE_BOTH
group.
* BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and
smbc_lseekdir().
* BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into
SMB1-specific calls.
* BUG 14137: Fix stale file handle error when using mkstemp on a share.
* BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server.
* BUG 14140: Overlinking libreplace against librt and pthread against every
binary or library causes issues.
* BUG 14130: s3-winbindd: Fix forest trusts with additional trust attributes.
* BUG 14134: auth/gensec: Fix non-AES schannel seal.
* BUG 14147: Deleted records can be resurrected during recovery.
* BUG 14136: Fix uncaught exception in classicupgrade.
* BUG 14139: fault.c: Improve fault_report message text pointing to our wiki.
* BUG 14128: s3:client: Use DEVICE_URI, instead of argv[0], for Device URI.
* BUG 14124: pam_winbind with krb5_auth or wbinfo -K doesn't work for users
of trusted domains/forests.
* BUG 14131: Remove 'pod2man' as it is no longer needed.
* BUG 13884: Joining Active Directory should not use SAMR to set the
password.
* BUG 14140: Overlinking libreplace against librt and pthread against every
binary or library causes issues.
* BUG 14155: 'kpasswd' fails when built with MIT Kerberos.
* BUG 14129: Exit code of ctdb nodestatus should not be influenced by deleted
nodes.
4.11.0:
* BUG 14049: ldb: Don't try to save a value that isn't there.
* ldb_dn: Free dn components on explode failure.
* ldb: Do not allow adding a DN as a base to itself.
* ldb: Release ldb 2.0.7.
* BUG 13695: ldb: Correct Pigeonhole principle validation in
ldb_filter_attrs().
* BUG 14049: Fix ldb dn crash.
* BUG 14117: Deprecate "lanman auth = yes" and "encrypt passwords = no".
* BUG 14038: Fix compiling ctdb on older systems lacking POSIX robust
mutexes.
* BUG 14121: smbd returns bad File-ID on filehandle used to create a file or
directory.
* BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations.
* BUG 14055: Add the target server name of SMB 3.1.1 connections as a hint to
load balancers or servers with "multi-tenancy" support.
* BUG 14113: Fix byte range locking bugs/regressions.
* ldb: Fix mem-leak if talloc_realloc fails.
* BUG 14007: Fix join with don't exists machine account.
* BUG 14085: ctdb-recoverd: Only check for LMASTER nodes in the VNN map.
CHANGES SINCE 4.11.0rc2
* BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
loss in CTDB cluster.
* BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
from the share.
* BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what
is happening).
* BUG 14092: docs: Deprecate "rndc command" for Samba 4.11.
* BUG 14059: ldb: Free memory when repacking database.
* BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id.
* BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and
st_ex_iflags.
* BUG 14093: vfs_glusterfs: Enable profiling for file system operations.
* BUG 14059: Backport sambadowngradedatabase for v4.11.
* BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
from the share.
* BUG 14032: vfs_gpfs: Implement special case for denying owner access to
ACL.
* BUG 14084: Avoid marking a node as connected before it can receive packets.
* BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7.
* BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing
databases.
Samba 4.10.8:
This is a security release in order to address the following defect:
o CVE-2019-10197: Combination of parameters and permissions can allow user
to escape from the share path definition.
Samba 4.10.7
* BUG 14010: Unable to create or rename file/directory inside shares
configured with vfs_glusterfs_fuse module.
* BUG 13844: build: Allow build when '--disable-gnutls' is set.
* BUG 13973: samba-tool: Add 'import samba.drs_utils' to fsmo.py.
* BUG 14008: Fix 'Error 32 determining PSOs in system' message on old DB
with FL upgrade.
* BUG 14021: s4/libnet: Fix joining a Windows pre-2008R2 DC.
* BUG 14046: join: Use a specific attribute order for the DsAddEntry
nTDSDSA object.
* BUG 14015: vfs_catia: Pass stat info to synthetic_smb_fname().
* BUG 14091: lookup_name: Allow own domain lookup when flags == 0.
* BUG 13932: s4 librpc rpc pyrpc: Ensure tevent_context deleted last.
* BUG 13915: DEBUGC and DEBUGADDC doesn't print into a class specific log
file.
* BUG 13949: Request to keep deprecated option "server schannel",
VMWare Quickprep requires "auto".
* BUG 13967: dbcheck: Fallback to the default tombstoneLifetime of 180 days.
* BUG 13969: dnsProperty fails to decode values from older Windows versions.
* BUG 13973: samba-tool: Use only one LDAP modify for dns partition fsmo
role transfer.
* BUG 13960: third_party: Update waf to version 2.0.17.
* BUG 14051: netcmd: Allow 'drs replicate --local' to create partitions.
* BUG 14017: ctdb-config: Depend on /etc/ctdb/nodes file.
Changes 4.10.6:
* BUG 13956: s3: winbind: Fix crash when invoking winbind idmap scripts.
* BUG 13964: smbd does not correctly parse arguments passed to dfree and
quota scripts.
* BUG 13965: samba-tool dns: use bytes for inet_ntop.
* BUG 13828: samba-tool domain provision: Fix --interactive module in
python3.
* BUG 13893: ldb_kv: Skip @ records early in a search full scan.
* BUG 13981: docs: Improve documentation of "lanman auth" and "ntlm auth"
connection.
* BUG 14002: python/ntacls: Use correct "state directory" smb.conf option
instead of "state dir".
* BUG 13840: registry: Add a missing include.
* BUG 13944: Fix SMB guest authentication.
* BUG 13958: AppleDouble conversion breaks Resourceforks.
* BUG 13968: vfs_fruit makes direct use of syscalls like mmap() and pread().
* BUG 13987: s3:mdssvc: Fix flex compilation error.
* BUG 13872: s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly:
* BUG 13799: dsdb:samdb: schemainfo update with relax control.
* BUG 13964: s3:util: Move static file_pload() function to lib/util.
* BUG 13957: smbd: Fix a panic.
* BUG 12478: ldap server: Generate correct referral schemes.
* BUG 13941: s4 dsdb/repl_meta_data: fix use after free in
dsdb_audit_add_ldb_value.
* BUG 13942: s4 dsdb: Fix use after free in
samldb_rename_search_base_callback.
* BUG 12204: dsdb/repl: we need to replicate the whole schema before we can
apply it.
* BUG 12478: ldb: Release ldb 1.5.5
* BUG 13713: Schema replication fails if link crosses chunk boundary
backwards.
* BUG 13799: 'samba-tool domain schemaupgrade' uses relax control and skips
the schemaInfo update provision.
* BUG 13916: dsdb_audit: avoid printing "... remote host [Unknown]
SID [(NULL SID)] ..."
* BUG 13917: python/ntacls: We only need security.SEC_STD_READ_CONTROL in
order to get the ACL.
* BUG 13947: s3:loadparm: Ensure to truncate FS Volume Label at multibyte
boundary.
* BUG 13939: Using Kerberos credentials to print using spoolss doesn't work.
* BUG 13998: wafsamba: Use native waf timer.
* BUG 13984: ctdb-scripts: Fix tcp_tw_recycle existence check.
Release Notes for Samba 4.10.5
This is a security release in order to address the following defects:
o CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server
(dnsserver))
o CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches))
Details
=======
o CVE-2019-12435:
An authenticated user can crash the Samba AD DC's RPC server process via a
NULL pointer dereference.
o CVE-2019-12436:
An user with read access to the directory can cause a NULL pointer
dereference using the paged search control.
For more details and workarounds, please refer to the security advisories.
Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
These are security releases in order to address CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum).
Release Notes for Samba 4.10.2
This is a security release in order to address the following defects:
o CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o CVE-2019-3880 (Save registry file outside share as unprivileged user)
Details
o CVE-2019-3870:
During the provision of a new Active Directory DC, some files in the private/
directory are created world-writable.
o CVE-2019-3880:
Authenticated users with write permission can trigger a symlink traversal to
write or detect files outside the Samba share.
For more details and workarounds, please refer to the security advisories.
Changes since 4.10.1:
* BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
smbd.mkdir().
* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
Release Notes for Samba 4.10.0
This is the first stable release of the Samba 4.10 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
GPO Improvements
----------------
A new 'samba-tool gpo backup' command has been added that can export a
set of Group Policy Objects from a domain in a generalised XML format.
A corresponding 'samba-tool gpo restore' command has been added to
rebuild the Group Policy Objects from the XML after generalization.
(The administrator needs to correct the values of XML entities between
the backup and restore to account for the change in domain).
KDC prefork
-----------
The KDC now supports the pre-fork process model and worker processes will be
forked for the KDC when the pre-fork process model is selected for samba.
Prefork 'prefork children'
--------------------------
The default value for this smdb.conf parameter has been increased from 1 to
4.
Netlogon prefork
----------------
DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are
pre-forked when the prefork process model is selected for samba.
Offline domain backups
----------------------
The 'samba-tool domain backup' command has been extended with a new 'offline'
option. This safely creates a backup of the local DC's database directly from
disk. The main benefits of an offline backup are it's quicker, it stores more
database details (for forensic purposes), and the samba process does not have
to be running when the backup is made. Refer to the samba-tool help for more
details on using this command.
Group membership statistics
---------------------------
A new 'samba-tool group stats' command has been added. This provides summary
information about how the users are spread across groups in your domain.
The 'samba-tool group list --verbose' command has also been updated to include
the number of users in each group.
Paged results LDAP control
--------------------------
The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696)
has been changed to more closely match Windows servers, to improve memory
usage. Paged results may be used internally (or is requested by the user) by
LDAP libraries or tools that deal with large result sizes, for example, when
listing all the objects in the database.
Previously, results were returned as a snapshot of the database but now,
some changes made to the set of results while paging may be reflected in the
responses. If strict inter-record consistency is required in answers (which is
not possible on Windows with large result sets), consider avoiding the paged
results control or alternatively, it might be possible to enforce restrictions
using the LDAP filter expression.
For further details see https://wiki.samba.org/index.php/Paged_Results
Prefork process restart
-----------------------
The pre-fork process model now restarts failed processes. The delay between
restart attempts is controlled by the "prefork backoff increment" (default = 10)
and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear
back off strategy is used with "prefork backoff increment" added to the
delay between restart attempts up until it reaches "prefork maximum backoff".
Using the default sequence the restart delays (in seconds) are:
0, 10, 20, ..., 120, 120, ...
Standard process model
----------------------
When using the standard process model samba forks a new process to handle ldap
and netlogon connections. Samba now honours the 'max smbd processes' smb.conf
parameter. The default value of 0, indicates there is no limit. The limit
is applied individually to netlogon and ldap. When the process limit is
exceeded Samba drops new connections immediately.
python3 support
---------------
This is the first release of Samba which has full support for Python 3.
Samba 4.10 still has support for Python 2, however, Python 3 will be used by
default, i.e. 'configure' & 'make' will execute using python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable
for both the 'configure' and 'make' steps, i.e.
'PYTHON=python2 ./configure'
'PYTHON=python2 make'
This will override the python3 default.
Alternatively, it is possible to produce Samba Python bindings for both
Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2'
as part of the 'configure' command. Note that python3 will still be used as
the default in this case.
Note that Samba 4.10 supports Python 3.4 onwards.
Future Python support
---------------------
Samba 4.10 will be the last release that comes with full support for
Python 2. Unfortunately, the Samba Team doesn't have the resources to support
both Python 2 and Python 3 long-term.
Samba 4.11 will not have any runtime support for Python 2. This means if
you use Python 2 bindings it is time to migrate to Python 3 now.
If you are building Samba using the '--disable-python' option (i.e. you're
excluding all the run-time Python support), then this will continue to work
on a system that supports either python2 or python3.
Also note that Samba 4.11 will most likely only support Python 3.6 onwards.
JSON logging
------------
Authentication messages now contain the Windows Event Id "eventId" and logon
type "logonType". The supported event codes and logon types are:
Event codes:
4624 Successful logon
4625 Unsuccessful logon
Logon Types:
2 Interactive
3 Network
8 NetworkCleartext
The version number for Authentication messages is now 1.1, changed from 1.0
Password change messages now contain the Windows Event Id "eventId", the
supported event Id's are:
4723 Password changed
4724 Password reset
The version number for PasswordChange messages is now 1.1, changed from 1.0
Group membership change messages now contain the Windows Event Id "eventId",
the supported event Id's are:
4728 A member was added to a security enabled global group
4729 A member was removed from a security enabled global group
4732 A member was added to a security enabled local group
4733 A member was removed from a security enabled local group
4746 A member was added to a security disabled local group
4747 A member was removed from a security disabled local group
4751 A member was added to a security disabled global group
4752 A member was removed from a security disabled global group
4756 A member was added to a security enabled universal group
4757 A member was removed from a security enabled universal group
4761 A member was added to a security disabled universal group
4762 A member was removed from a security disabled universal group
The version number for GroupChange messages is now 1.1, changed from 1.0. Also
A GroupChange message is generated when a new user is created to log that the
user has been added to their primary group.
The leading "JSON <message type>:" and source file prefix of the JSON formatted
log entries has been removed to make the parsing of the JSON log messages
easier. JSON log entries now start with 2 spaces followed by an opening brace
i.e. " {"
SMBv2 samba-tool support
------------------------
On previous releases, some samba-tool commands would not work against a remote
DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool.
The affected commands are 'samba-tool domain backup|rename' and the
'samba-tool gpo' set of commands.
New glusterfs_fuse VFS module
-----------------------------
The new vfs_glusterfs_fuse module improves performance when Samba
accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace
as part of the Linux kernel). It achieves that by leveraging a
mechanism to retrieve the appropriate case of filenames by querying a
specific extended attribute in the filesystem. No extra configuration
is required to use this module, only glusterfs_fuse needs to be set in
the "vfs objects" parameter. Further details can be found in the
vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does
not replace the existing vfs_glusterfs module, it just provides an
additional, alternative mechanism to access a Gluster volume.
REMOVED FEATURES
================
MIT Kerberos build of the AD DC
-------------------------------
While not removed, the MIT Kerberos build of the Samba AD DC is still
considered experimental. Because Samba will not issue security
patches for this configuration, such builds now require the explicit
configure option: --with-experimental-mit-ad-dc
For further details see
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
samba_backup
------------
The samba_backup script has been removed. This has now been replaced by the
'samba-tool domain backup offline' command.
SMB client Python bindings
--------------------------
The SMB client python bindings are now deprecated and will be removed in future
Samba releases. This will only affects users that may have used the Samba
Python bindings to write their own utilities, i.e. users with a custom Python
script that includes the line 'from samba import smb'.
Twine is a utility for publishing Python packages on PyPI. It provides build
system independent uploads of source and binary distribution artifacts for both
new and existing projects.
PkgSrc changes:
* fix building on Darwin and probably other systems as well
* install manpages
* use correct install_name on Darwin
* does not collide with p5-Parse-Yapp anymore
* use cmocka and libgcrypt
* clean-ups
Release Notes for Samba 4.9.4
Major bug fixes include:
o dns: Fix CNAME loop prevention using counter regression.
Changes since 4.9.3:
* BUG 9175: libcli/smb: Don't overwrite status code.
* BUG 12164: wbinfo --group-info 'NT AUTHORITY\System' does not work.
* BUG 13661: Session setup reauth fails to sign response.
* BUG 13677: vfs_fruit: Validation of writes on AFP_AfpInfo stream.
* BUG 13688: vfs_shadow_copy2: Nicely deal with attempts to open previous
version for writing.
* BUG 13455: Restoring previous version of stream with vfs_shadow_copy2 fails
with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name.
* BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.
* BUG 13708: s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs.
* PEP8: fix E231: missing whitespace after ','.
* BUG 13629: winbindd: Fix crash when taking profiles.
* BUG 13600: CVE-2018-14629 dns: Fix CNAME loop prevention using counter
regression.
* BUG 13686: 'samba-tool user syscpasswords' fails on a domain with many DCs.
* BUG 13571: CVE-2018-16853: Do not segfault if client is not set.
* BUG 13679: lib:util: Fix DEBUGCLASS pointer initializiation.
* BUG 13696: ctdb-daemon: Exit with error if a database directory does not
exist.
* BUG 13498: s3:libads: Add net ads leave keep-account option.
=============================
Release Notes for Samba 4.9.3
November 27, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
=======
Details
=======
o CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
o CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16852:
During the processing of an DNS zone in the DNS management DCE/RPC server,
the internal DNS server or the Samba DLZ plugin for BIND9, if the
DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
property is set, the server will follow a NULL pointer and terminate.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
o CVE-2018-16857:
AD DC Configurations watching for bad passwords (to restrict brute forcing
of passwords) in a window of more than 3 minutes may not watch for bad
passwords at all.
For more details and workarounds, please refer to the security advisories.
