Commit graph

147 commits

Author SHA1 Message Date
taca
b8a2dd0e5c net/samba4: update to 4.14.4
pkgsrc changes: remove extra spaces in some patch files.


                   ==============================
                   Release Notes for Samba 4.14.4
                           April 29, 2021
                   ==============================


This is a security release in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


=======
Details
=======

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix
   group ids (gids). The code that performs this had a flaw that could allow it
   to read data beyond the end of the array in the case where a negative cache
   entry had been added to the mapping cache. This could cause the calling code
   to return those values into the process token that stores the group
   membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user
   (Peter Eriksson, IT Department, Linköping University) found this flaw by
   noticing an unprivileged user was able to delete a file within a network
   share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a
   remote user to be able to trigger this flaw reproducibly or on demand,
   but this CVE has been issued out of an abundance of caution.


Changes since 4.14.3
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
2021-04-29 15:21:16 +00:00
nia
f557a8ba61 samba4: add flex to USE_TOOLS 2021-04-28 09:03:49 +00:00
adam
74f15b278e samba4: updated to 4.14.3
Changes since 4.14.2
--------------------
* BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
  vfs_virusfilter_openat.
* BUG 14586: build: Notice if flex is missing at configure time.
* BUG 14672: Fix smbd panic when two clients open same file.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 14679: s3: smbd: fix deferred renames.
* BUG 14675: s3-iremotewinspool: Set the per-request memory context.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
* BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
* BUG 14665: samba-gpupdate: Test that sysvol paths download in
  case-insensitive way.
* BUG 14662: smbd: Ensure errno is preserved across fsp destructor.
* BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
  conflict.
* BUG 14288: build: Only add -Wl,--as-needed when supported.
2021-04-22 15:47:45 +00:00
adam
da0a125726 revbump for boost-libs 2021-04-21 13:24:06 +00:00
adam
3e33524790 samba4: updated to 4.14.2
Samba 4.14.2

This is a follow-up release to depend on the correct ldb version. This is only
needed when building against a system ldb library.

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


Samba 4.14.1

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


Samba 4.14.0

This is the first stable release of the Samba 4.14 release series.
Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.
--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major milestone with
the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit <https://wiki.samba.org/index.php/The_New_VFS>.

Printing
--------

Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
-------------------
This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.

Python 3.6 or later required
----------------------------

Samba's minimum runtime requirement for python was raised to Python
3.6 with samba 4.13.  Samba 4.14 raises this minimum version to Python
3.6 also to build Samba. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes
--------------------------------

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.

Users, groups and contacts can now be renamed with the respective rename
commands.

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).


CTDB CHANGES
============

* The NAT gateway and LVS features now use the term "leader" to refer
  to the main node in a group through which traffic is routed and
  "follower" for other members of a group.  The command for
  determining the leader has changed to "ctdb natgw leader" (from
  "ctdb natgw master").  The configuration keyword for indicating that
  a node can not be the leader of a group has changed to
  "follower-only" (from "slave-only").  Identical changes were made
  for LVS.

* Remove "ctdb isnotrecmaster" command.  It isn't used by CTDB's
  scripts and can be checked by users with "ctdb pnn" and "ctdb
  recmaster".
2021-04-14 19:11:20 +00:00
adam
c8a48799fe ldb: updated to 2.2.1; samba: updated to 4.13.7
                   ==============================
                   Release Notes for Samba 4.13.7
                           March 24, 2021
                   ==============================


This is a follow-up release to depend on the correct ldb version. This is only
needed when building against a system ldb library.

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


=======
Details
=======

o  CVE-2020-27840:
   An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
   crafted DNs as part of a bind request. More serious heap corruption is likely
   also possible.

o  CVE-2021-20277:
   User-controlled LDAP filter strings against the AD DC LDAP server may crash
   the LDAP server.

For more details, please refer to the security advisories.


Changes since 4.13.6
--------------------

o  Release with dependency on ldb version 2.2.1.
2021-03-24 16:33:46 +00:00
adam
a26f708e97 samba4: updated to 4.13.5
Changes since 4.13.4
--------------------
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
  start-up failure.
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
  setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
  force a full reload of services.
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
  expired tombstones.
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
  delete-on-close token.
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
  path.
* BUG 14624: classicupgrade: Treat old never expires value right.
* BUG 14636: g_lock: Fix uninitialized variable reads.
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
* BUG 14625: lib:util: Avoid free'ing our own pointer.
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
2021-03-20 19:27:35 +00:00
adam
ba6dcf1cbb samba4: fix PLIST 2021-01-28 13:17:16 +00:00
adam
d1df36361c samba4: updated to 4.13.4
Changes 4.13.4
* BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
  7.3.7.
* BUG 14612: Temporary DFS share setup doesn't set case parameters in the
  same way as a regular share definition does.
* BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
  functions.
* BUG 14579: Do not create an empty DB when accessing a sam.ldb.
* BUG 14596: vfs_fruit may close wrong backend fd.
* BUG 14612: Temporary DFS share setup doesn't set case parameters in the
  same way as a regular share definition does.
* BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
* BUG 14596: vfs_fruit may close wrong backend fd.
* BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
  7.3.7.
* BUG 14601: The cache directory for the user gencache should be created
  recursively.
* BUG 14594: Be more flexible with repository names in CentOS 8 test
  environments.
2021-01-27 06:17:17 +00:00
nia
483b07fb19 samba4: add missing entries to PLIST.Linux 2021-01-18 09:24:32 +00:00
adam
d5cdf0bd54 samba4: updated to 4.13.3
Changes since 4.13.2
* BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
  fails for crypto blob.
* BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
  leaks from a function.
* BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
  NULL via TALLOC_FREE().
* BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
  all other uses.
* BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
  share.
* BUG 14248: samba process does not honor max log size.
* BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
  everyone@ ACE.
* BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
* BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
* BUG 14517: smbclient: Fix recursive mget.
* BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
* BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
  translator.
* BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
* BUG 14514: interface: Fix if_index is not parsed correctly.
2020-12-17 12:15:43 +00:00
nia
f6dd9d2f87 Revbump packages with a runtime Python dep but no version prefix.
For the Python 3.8 default switch.
2020-12-04 20:44:57 +00:00
riastradh
77697b790a Revbump for openpam cppflags change months ago, belatedly. 2020-12-04 04:55:41 +00:00
jperkin
6fee222b03 samba4: Add winbind SMF instance and tidy. 2020-12-02 10:54:15 +00:00
adam
1c2ef12a1c samba4: updated to 4.13.2
Changes since 4.13.1
--------------------
   * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
     **lines onto mem_ctx on return.
   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
   * BUG 14538: smb.conf.5: Add clarification how configuration changes
     reflected by Samba.
   * BUG 14552: daemons: Report status to systemd even when running in
     foreground.
   * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
   * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
     present.
   * BUG 14487: provision: Add support for BIND 9.16.x.
   * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
   * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
   * BUG 14522: docs: Fix default value of spoolss:architecture.
   * BUG 14388: winbind: Fix a memleak.
   * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
   * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
     vfs_glusterfs.
   * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
   * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
   * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
   * BUG 14550: examples:auth: Do not install example plugin.
   * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.

Changes since 4.13.0
--------------------
   * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
     unless the directory handle is open for SEC_DIR_LIST.
   * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
     'samba-tool'.
   * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
   * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.

4.31.0:
NEW FEATURES/CHANGES
====================

Python 3.6 or later required
----------------------------
Samba's minimum runtime requirement for python was raised to Python
3.5 with samba 4.12.  Samba 4.13 raises this minimum version to Python
3.6 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

This is also the last release where it will be possible to build Samba
(just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in the NEXT release.

Samba 4.14 to be released in March 2021 will require Python 3.6 or
later to build.

wide links functionality
------------------------
For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.

NT4-like 'classic' Samba domain controllers
-------------------------------------------
Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern windows clients.

SMBv1 only protocol options deprecated
--------------------------------------
A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.
2020-11-12 06:37:18 +00:00
taca
2753208427 net/samba4: update to 4.12.9
Summary from NEWS files:

Samba 4.12.9 (2020-10-29)

o  CVE-2020-14318:
   The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
   request file name notification on a directory handle when a condition such as
   "new file creation" or "file size change" or "file timestamp update" occurs.

   A missing permissions check on a directory handle requesting ChangeNotify
   meant that a client with a directory handle open only for
   FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
   notify replies from the server. These replies contain information that should
   not be available to directory handles open for FILE_READ_ATTRIBUTE only.

o  CVE-2020-14323:
   winbind in version 3.6 and later implements a request to translate multiple
   Windows SIDs into names in one request. This was done for performance
   reasons: Active Directory domain controllers can do multiple SID to name
   translations in one RPC call. It was an obvious extension to also offer this
   batch operation on the winbind unix domain stream socket that is available to
   local processes on the Samba server to reduce network round-trips to the
   domain controller.

   Due to improper input validation a hand-crafted packet can make winbind
   perform a NULL pointer dereference and thus crash.

o  CVE-2020-14383:
   Some DNS records (such as MX and NS records) usually contain data in the
   additional section. Samba's dnsserver RPC pipe (which is an administrative
   interface not used in the DNS server itself) made an error in handling the
   case where there are no records present: instead of noticing the lack of
   records, it dereferenced uninitialised memory, causing the RPC server to
   crash. This RPC server, which also serves protocols other than dnsserver,
   will be restarted after a short delay, but it is easy for an authenticated
   non-admin attacker to crash it again as soon as it returns. The Samba DNS
   server itself will continue to operate, but many RPC services will not.


Samba 4.12.8 (2020-10-07)

Changes since 4.12.7
--------------------

o  Günther Deschner <gd@samba.org>
   * BUG 14318: docs: Add missing winexe manpage.

o  Volker Lendecke <vl@samba.org>
   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
     response.

o  Laurent Menase <laurent.menase@hpe.com>
   * BUG 14388: winbind: Fix a memleak.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
     response.
   * BUG 14482: Compilation of heimdal tree fails if libbsd is not installed.

o  Christof Schmitt <cs@samba.org>
   * BUG 14166: util: Allow symlinks in directory_create_or_exist.

o  Andreas Schneider <asn@samba.org>
   * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
     3.6.14.
   * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14466: ctdb disable/enable can fail due to race condition.
2020-10-30 07:17:16 +00:00
taca
175f8a5a1e net/samba4: update to 4.12.7
Update samba4 package to 4.12.7.


                   ==============================
                   Release Notes for Samba 4.12.7
                         September 18, 2020
                   ==============================


This is a security release in order to address the following defect:

o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").

The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section of
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.

Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:

   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

More details can be found here:
https://www.samba.org/samba/security/CVE-2020-1472.html
2020-09-19 14:00:54 +00:00
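
The version and 'server schannel' rules from the 4.12.7 release notes above can be checked mechanically. This is an added example, not part of the commit message or of Samba or pkgsrc; the function names and the sample smb.conf are constructed for illustration, and the parser covers only the [global] section, comments and backslash line continuations.

```python
import re

# Constructed sample: the exception configuration quoted in the release notes.
SAMPLE_SMB_CONF = """\
# constructed sample for illustration
[global]
   workgroup = EXAMPLE
   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no

[share]
   path = /srv/share
"""

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def _norm(name):
    """smb.conf names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(conf_text):
    """Return {normalised parameter name: value} for the [global] section."""
    params = {}
    section = None
    pending = ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params


def audit_schannel(conf_text, version):
    """Apply the release-note rules to one domain controller's smb.conf.

    version is a (major, minor) tuple such as (4, 7) or (4, 12).
    Returns the effective 'server schannel' value, whether the DC is
    exposed according to the release notes, and the machine accounts
    allowed to skip schannel via 'server require schannel:NAME$ = no'.
    """
    params = parse_global(conf_text)
    raw = params.get("serverschannel")
    if raw is None:
        # 4.8 and later default to the equivalent of 'yes'; older versions
        # are exposed unless 'yes' is set explicitly.
        effective = "yes" if version >= (4, 8) else None
    else:
        value = raw.lower()
        if value in TRUE_VALUES:
            effective = "yes"
        elif value in FALSE_VALUES:
            effective = "no"
        else:
            effective = value            # e.g. 'auto'; flagged below
    prefix = "serverrequireschannel:"
    exceptions = sorted(
        name[len(prefix):]
        for name, value in params.items()
        if name.startswith(prefix) and value.lower() in FALSE_VALUES
    )
    return {
        "effective": effective,
        # Anything other than an effective 'yes' is reported as exposed.
        "vulnerable": effective != "yes",
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print(audit_schannel(SAMPLE_SMB_CONF, (4, 12)))
```

Run it against the smb.conf of every domain controller, since each one needs the correct setting, and review every account listed under "exceptions".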
jperkin
1b8bd78f32 samba4: Limit iconv hack to NetBSD.
Resolves issue on Linux reported by sobukus on IRC.
2020-09-11 17:18:09 +00:00
wiz
00da7815c0 *: bump PKGREVISION for perl-5.32. 2020-08-31 18:06:29 +00:00
adam
5e2d3b3f7c samba4: updated to 4.12.6
Changes since 4.12.5
* BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server.
* BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256"
  to work on RHEL7.
* BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
* BUG 14426: lib/debug: Set the correct default backend loglevel to
  MAX_DEBUG_LEVEL.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14422: util: Fix build on AIX by fixing the order of replace.h include.
* BUG 14355: srvsvc_NetFileEnum asserts with open files.
* BUG 14354: KDC breaks with DES keys still in the database and
  msDS-SupportedEncryptionTypes 31 indicating support for it.
* BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets
  conn->cwd_fsp->fh->fd = AT_FDCWD.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14358: docs: Fix documentation for require_membership_of of
  pam_winbind.conf.
* BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB
  NFS scripts.
* BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema
  mode fatal.
2020-08-18 07:39:31 +00:00
leot
953ab724e1 *: revbump after fontconfig bl3 changes (libuuid removal) 2020-08-17 20:19:01 +00:00
christos
40d5027bd8 Move sysvol from /var/run/sysvol to /var/db/samba4/sysvol as FreeBSD does,
so that the provisioning data gets preserved across reboots.
From Matthias Perelmann
2020-07-28 01:11:10 +00:00
christos
aa30c38a9b Fix arguments to getgroupmembership 2020-07-21 18:42:25 +00:00
wiz
3f88a9bd25 samba4: NetBSD current supports ACL, add it to allow-list 2020-07-20 22:19:58 +00:00
adam
5fdd7e1aee samba4: updated to 4.12.5
Changes since 4.12.4
--------------------
   * BUG 14301: Fix smbd panic on force-close share during async io.
   * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share
     folder that contains incorrect symbols in any file name.
   * BUG 14391: Fix DFS links.
   * BUG 14310: Can't use DNS functionality after a Windows DC has been in
     domain.
   * BUG 14413: ldapi search to FreeIPA crashes.
   * BUG 14396: Add net-ads-join dnshostname=fqdn option.
   * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC.
   * BUG 14386: docs-xml: Update list of possible VFS operations for
     vfs_full_audit.
   * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit.
   * BUG 14370: Client tools are not able to read gencache anymore.

Samba 4.12.4
============
o  CVE-2020-10730:
   A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
   de-reference and further combinations with the LDAP paged_results feature can
   give a use-after-free in Samba's AD DC LDAP server.

o  CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
   excessive CPU.

o  CVE-2020-10760:
   The use of the paged_results or VLV controls against the Global Catalog LDAP
   server on the AD DC will cause a use-after-free.

o  CVE-2020-14303:
   The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
   further requests once it receives an empty (zero-length) UDP packet to
   port 137.

For more details, please refer to the security advisories.


Changes since 4.12.3
--------------------
   * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
     several seconds of CPU each.
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined.
   * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
     server with paged_result or VLV.
   * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
     AD DC nbt_server.
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined, ldb: Bump version to 2.1.4.
2020-07-06 14:38:06 +00:00
jperkin
8941158b1e samba4: Avoid conflict with host s_addr. 2020-05-26 13:11:01 +00:00
jperkin
a4764a3e1a samba4: Fix ads suggested option.
This is enabled later for suitable platforms, so adding it here either made
that test completely pointless, or added the option twice.
2020-05-26 12:22:57 +00:00
adam
d62c903eea revbump after updating security/nettle 2020-05-22 10:55:42 +00:00
dogcow
bca69f6a91 Require docbook-xsl>=1.79.2 for building smb.conf.5; otherwise, it errors
out with
runtime error: file /usr/pkg/share/xsl/docbook/lib/lib.xsl line 58 element choose
xsltApplySequenceConstructor: A potential infinite template recursion was detected.
2020-05-20 04:26:38 +00:00
adam
9ec0a65ea2 net/samba4 databases/ldb: updated to 4.12.3 2.1.3
Changes 4.12.3:
* BUG 14301: Fix smbd panic on force-close share during async io.
* BUG 14343: s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[]
  array.
* BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.
* BUG 14372: Fix smbd crashes when MacOS Catalina connects if iconv
  initialization fails.
* BUG 14150: Exporting from macOS Adobe Illustrator creates multiple copies.
* BUG 14256: smbd does a chdir() twice per request.
* BUG 14320: smbd mistakenly updates a file's write-time on close.
* BUG 14350: vfs_shadow_copy2: implement case canonicalisation in
  shadow_copy2_get_real_filename().
* BUG 14375: Fix Windows 7 clients problem after upgrading samba file server.
* BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd.
* BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18.
* BUG 14342: mit-kdc: Explicitly reject S4U requests.
* BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested
  share_mode_do_locked().
* BUG 14345: lib:util: Fix smbclient -l basename dir.
* BUG 14336: s3:libads: Fix ads_get_upn().
* BUG 14348: ctdb: Fix a memleak.
* BUG 14366: Malicious SMB1 server can crash libsmbclient.
* BUG 14330: ldb: Bump version to 2.1.3, LMDB databases can grow without
  bounds
* BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.
* BUG 14344: s3/librpc/crypto: Fix double free with unresolved credential
  cache.
* BUG 14358: docs-xml: Fix usernames in pam_winbind manpages.
2020-05-19 16:51:43 +00:00
hauke
2334a6ce0b The smb.conf(5) man page builds fine on netbsd-9, so re-add it.
This is probably the most important of the Samba man pages, and it
should not have been excluded from the build without a detailed
explanation, "just to make the pkg build".
2020-05-19 12:13:51 +00:00
rillig
f538f2704e net/samba4: remove nonexistent file from REPLACE_PERL 2020-05-13 04:29:24 +00:00
adam
8f57b29145 samba4: updated to 4.12.2
Samba 4.12.2
This is a security release in order to address the following defects:
o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
2020-04-29 10:01:18 +00:00
adam
8b0968fabd samba4: updated to 4.12.1
Samba 4.12.1
* BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().
* BUG 14296: samba-tool group: Handle group names with special chars
  correctly.
* BUG 14293: Add missing check for DMAPI offline status in async DOS
  attributes.
* BUG 14295: Starting ctdb node that was powered off hard before results in
  recovery loop.
* BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
* BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
  non-existent paths.
* BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
* BUG 14327: nsswitch: Fix use-after-free causing segfault in
  _pam_delete_cred.
* BUG 13622: fruit:time machine max size is broken on arm.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
  node banning.
* BUG 14332: s3/utils: Fix double free error with smbtree.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
  node banning.
* BUG 14295: Starting ctdb node that was powered off hard before results in
  recovery loop.
* BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
  pointer.
2020-04-07 08:17:28 +00:00
adam
4a2c412c0b samba4: updated to 4.12.0
samba 4.12.0:

NEW FEATURES/CHANGES
====================

Python 3.5 Required
-------------------

Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11.  Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

(Build time support for the file server with Python 2.6 has not
changed)

Removing in-tree cryptography: GnuTLS 3.4.7 required
----------------------------------------------------

Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries.  To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.

Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.

Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!

NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.

A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.

zlib library is now required to build Samba
-------------------------------------------

Samba no longer includes a local copy of zlib in our source tarball.
By removing this we do not need to ship (even where we did not
build) the old, broken zip encryption code found there.

New Spotlight backend for Elasticsearch
---------------------------------------

Support for the macOS specific Spotlight search protocol has been enhanced
significantly. Starting with 4.12 Samba supports using Elasticsearch as search
backend. Various new parameters have been added to configure this:

  spotlight backend = noindex | elasticsearch | tracker
  elasticsearch:address = ADDRESS
  elasticsearch:port = PORT
  elasticsearch:use tls = BOOLEAN
  elasticsearch:index = INDEXNAME
  elasticsearch:mappings = PATH
  elasticsearch:max results = NUMBER

Samba also ships a Spotlight client command "mdfind" which can be used to search
any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
for details.

Note that when upgrading existing installations that are using the previous
default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
tracker" as the new default is "noindex".

'net ads kerberos pac save' and 'net eventlog export'
-----------------------------------------------------

The 'net ads kerberos pac save' and 'net eventlog export' tools will
no longer silently overwrite an existing file during data export.  If
the filename given exists, an error will be shown.

Fuzzing
-------

A large number of fuzz targets have been added to Samba, and Samba has
been registered in Google's oss-fuzz cloud fuzzing service.  In
particular, we now have good fuzzing coverage of our generated NDR
parsing code.

A large number of issues have been found and fixed thanks to this
effort.

'samba-tool' improvements add contacts as member to groups
----------------------------------------------------------

Previously 'samba-tool group addmembers' can just add users, groups and
computers as members to groups. But also contacts can be members of
groups. Samba 4.12 adds the functionality to add contacts to
groups. Since contacts have no sAMAccountName, it's possible that
there are more than one contact with the same name in different
organizational units. Therefore it's necessary to have an option to
handle group members by their DN.

To get the DN of an object there is now the "--full-dn" option available
for all necessary commands.

The MS Windows UI allows to search for specific types of group members
when searching for new members for a group. This feature is included
here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
option. The different types are selected according to the Windows
UI. The default samba-tool behaviour shouldn't be changed.

Allow filtering by OU or subtree in samba-tool
----------------------------------------------

A new "--base-dn" and "--member-base-dn" option is added to relevant
samba-tool user, group and ou management commands to allow operation
on just one part of the AD tree, such as a single OU.

VFS
===

SMB_VFS_NTIMES
--------------

Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.

VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.

'io_uring' vfs module
---------------------

The module makes use of the new io_uring infrastructure
(introduced in Linux 5.1), see https://lwn.net/Articles/776703/

Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).

In order to build the module you need the liburing userspace library
and its development headers installed, see
https://git.kernel.dk/cgit/liburing/

At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.

MS-DFS changes in the VFS
-------------------------

This release changes the getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:

SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()

instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this have not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this
way.


CTDB changes
============

* The ctdb_mutex_fcntl_helper periodically re-checks the lock file

  The re-check period is specified using a 2nd argument to this
  helper.  The default re-check period is 5s.

  If the file no longer exists or the inode number changes then the
  helper exits.  This triggers an election.


REMOVED FEATURES
================

The smb.conf parameter "write cache size" has been removed.

Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development.  The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-constrained
systems, so this functionality should not be enabled in core smbd
code.

In addition, it complicated the write code, which is a performance
critical code path.

If required for specialist purposes, it can be recreated as a VFS
module.

Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).

Samba-DC: DES keys no longer saved in DB.
-----------------------------------------
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password.  If the account is being
migrated to Windows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.

Heimdal-DC: removal of weak-crypto.
-----------------------------------
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).

vfs_netatalk: The netatalk VFS module has been removed.
-------------------------------------------------------

The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.

BIND9_FLATFILE deprecated
-------------------------

The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future.  This was only practically useful on a single
domain controller or under expert care and supervision.

This release removes the 'rndc command' smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain.  Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.
2020-04-02 11:21:41 +00:00
nia
61761ac430 samba4: Update PLIST.Linux
From @mmoll on GitHub. Closes NetBSD/pkgsrc#55
2020-03-23 09:50:19 +00:00
gdt
b358ec3320 net/samba*: Update DESCR
Based on input from Mike Pumford.

(It is acknowledged that samba4 is 4.11 and should be 4.12, but that's
normal being behind, not intended, as I see it.)
2020-03-13 22:12:38 +00:00
wiz
4e3b1b97c2 librsvg: update bl3.mk to remove libcroco in rust case
recursive bump for the dependency change
2020-03-10 22:08:37 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
tnn
78e67e3919 samba4: make avahi optional
Avahi by default pulls in X11 via gtk2 and dbus, so you might want to
disable it on a small server if your clients don't need ZeroConf capability.
2020-03-08 12:39:27 +00:00
adam
89693a1438 samba4: updated to 4.11.6
Changes since 4.11.5:
* BUG 14209: pygpo: Use correct method flags.
* BUG 14216: vfs_ceph_snapshots: Fix root relative path handling.
* BUG 14209: Avoiding bad call flags with python 3.8, using METH_NOARGS
  instead of zero.
* BUG 14218: source4/utils/oLschema2ldif: Include stdint.h before cmocka.h.
* BUG 14122: docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc.
* BUG 14251: smbd: Fix the build with clang.
* BUG 14199: upgradedns: Ensure lmdb lock files linked.
* BUG 14182: s3: VFS: glusterfs: Reset nlinks for symlink entries during
  readdir.
* BUG 14101: smbc_stat() doesn't return the correct st_mode and also the
  uid/gid is not filled (SMBv1) file.
* BUG 14219: librpc: Fix string length checking in
  ndr_pull_charset_to_null().
* BUG 14227: ctdb-scripts: Strip square brackets when gathering connection
  info.
2020-01-29 12:44:14 +00:00
taca
2a93485fdc net/samba4: update dependency
Update dependency for databases/ldb and devel/talloc.

Bump PKGREVISION.
2020-01-27 14:04:13 +00:00
taca
c09e26f529 net/samba4: update to 4.11.5
Update samba4 to 4.11.5.


                   ==============================
                   Release Notes for Samba 4.11.5
                          January 21, 2020
                   ==============================


This is a security release in order to address the following defects:

o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
		  Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
		  above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.


=======
Details
=======

o  CVE-2019-14902:
   The implementation of ACL inheritance in the Samba AD DC was not complete,
   and so absent a 'full-sync' replication, ACLs could get out of sync between
   domain controllers.

o  CVE-2019-14907:
   When processing untrusted string input Samba can read past the end of the
   allocated buffer when printing a "Conversion error" message to the logs.

o  CVE-2019-19344:
   During DNS zone scavenging (of expired dynamic entries) there is a read of
   memory after it has been freed.
2020-01-21 14:12:36 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
jperkin
6da921d701 samba4: Disable more fmemopen utilities on SunOS. 2020-01-08 10:40:02 +00:00
adam
ee4b36db0c samba4: updated to 4.11.4
Changes since 4.11.3:
* BUG 14161: s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an inode
  number.
* BUG 14174: s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum()
  on an SMB1 connection.
* BUG 14176: NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
  SMBC_opendir_ctx.
* BUG 14189: s3: smbd: SMB2 - Ensure we use the correct session_id if
  encrypting an interim response.
* BUG 14205: Prevent smbd crash after invalid SMB1 negprot.
* BUG 13745: s3:printing: Fix %J substitution.
* BUG 13925: s3: Remove now unneeded call to cmdline_messaging_context().
* BUG 14069: Incomplete conversion of former parametric options.
* BUG 14070: Fix sync dosmode fallback in async dosmode codepath.
* BUG 14171: vfs_fruit returns capped resource fork length.
* BUG 14116: libnet_join: Add SPNs for additional-dns-hostnames entries.
* BUG 14211: smbd: Increase a debug level.
* BUG 14153: Prevent azure ad connect from reporting discovery errors:
  reference-value-not-ldap-conformant.
* BUG 14179: krb5_plugin: Fix developer build with newer heimdal system
  library.
* BUG 14168: replace: Only link libnsl and libsocket if required.
* BUG 14175: ctdb: Incoming queue can be orphaned causing communication
  breakdown.
* BUG 13846: ldb: Release ldb 2.0.8. Cross-compile will not take
  cross-answers or cross-execute.
* BUG 13856: heimdal-build: Avoid hard-coded /usr/include/heimdal in
  asn1_compile-generated code.
2019-12-30 13:58:35 +00:00
adam
8c8914245b samba4: updated to 4.11.3
Samba 4.11.3
This is a security release in order to address the following defects:
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
		  management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
		  on Samba AD DC.
2019-12-10 13:03:41 +00:00
mef
1bdf4398f9 Recursive revbump based on devel/cmocka 1.1.3 -> 1.1.5 2019-11-23 08:45:45 +00:00
adam
2e3887c4bb samba4: add missing patch 2019-11-10 17:02:34 +00:00
adam
ae0f3fdaeb samba4: updated to 4.11.2
4.11.2:
This is a security release in order to address the following defects:
o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
		  password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
		  via dirsync.

4.11.1:
This is the latest stable release of the Samba 4.11 release series.


Changes since 4.11.0:
* BUG 14141: getpwnam and getpwuid need to return data for ID_TYPE_BOTH
  group.
* BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and
  smbc_lseekdir().
* BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into
  SMB1-specific calls.
* BUG 14137: Fix stale file handle error when using mkstemp on a share.
* BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server.
* BUG 14140: Overlinking libreplace against librt and pthread against every
  binary or library causes issues.
* BUG 14130: s3-winbindd: Fix forest trusts with additional trust attributes.
* BUG 14134: auth/gensec: Fix non-AES schannel seal.
* BUG 14147: Deleted records can be resurrected during recovery.
* BUG 14136: Fix uncaught exception in classicupgrade.
* BUG 14139: fault.c: Improve fault_report message text pointing to our wiki.
* BUG 14128: s3:client: Use DEVICE_URI, instead of argv[0], for Device URI.
* BUG 14124: pam_winbind with krb5_auth or wbinfo -K doesn't work for users
  of trusted domains/forests.
* BUG 14131: Remove 'pod2man' as it is no longer needed.
* BUG 13884: Joining Active Directory should not use SAMR to set the
  password.
* BUG 14140: Overlinking libreplace against librt and pthread against every
  binary or library causes issues.
* BUG 14155: 'kpasswd' fails when built with MIT Kerberos.
* BUG 14129: Exit code of ctdb nodestatus should not be influenced by deleted
  nodes.

4.11.0:
* BUG 14049: ldb: Don't try to save a value that isn't there.
* ldb_dn: Free dn components on explode failure.
* ldb: Do not allow adding a DN as a base to itself.
* ldb: Release ldb 2.0.7.
* BUG 13695: ldb: Correct Pigeonhole principle validation in
  ldb_filter_attrs().
* BUG 14049: Fix ldb dn crash.
* BUG 14117: Deprecate "lanman auth = yes" and "encrypt passwords = no".
* BUG 14038: Fix compiling ctdb on older systems lacking POSIX robust
  mutexes.
* BUG 14121: smbd returns bad File-ID on filehandle used to create a file or
  directory.
* BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations.
* BUG 14055: Add the target server name of SMB 3.1.1 connections as a hint to
  load balancers or servers with "multi-tenancy" support.
* BUG 14113: Fix byte range locking bugs/regressions.
* ldb: Fix mem-leak if talloc_realloc fails.
* BUG 14007: Fix join with don't exists machine account.
* BUG 14085: ctdb-recoverd: Only check for LMASTER nodes in the VNN map.

CHANGES SINCE 4.11.0rc2
* BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
  loss in CTDB cluster.
* BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
  from the share.
* BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what
  is happening).
* BUG 14092: docs: Deprecate "rndc command" for Samba 4.11.
* BUG 14059: ldb: Free memory when repacking database.
* BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id.
* BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and
  st_ex_iflags.
* BUG 14093: vfs_glusterfs: Enable profiling for file system operations.
* BUG 14059: Backport sambadowngradedatabase for v4.11.
* BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
  from the share.
* BUG 14032: vfs_gpfs: Implement special case for denying owner access to
  ACL.
* BUG 14084: Avoid marking a node as connected before it can receive packets.
* BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7.
* BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing
  databases.
2019-11-10 17:01:58 +00:00