Commit graph

98 commits

Author SHA1 Message Date
taca
02c309a21c net/samba4: update to 4.18.8
                   ==============================
                   Release Notes for Samba 4.18.8
                          October 10, 2023
                   ==============================


This is a security release in order to address the following defects:


o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
                  existing unix domain sockets on the file system.
                  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
                  OVERWRITE disposition when using the acl_xattr Samba VFS
                  module with the smb.conf setting
                  "acl_xattr:ignore system acls = yes"
                  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
                  attributes, including secrets and passwords.  Additionally,
                  the access check fails open on error conditions.
                  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                  server block for a user-defined amount of time, denying
                  service.
                  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
                  listeners, disrupting service on the AD DC.
                  https://www.samba.org/samba/security/CVE-2023-42670.html
2023-10-10 16:05:01 +00:00
taca
ce37485143 net/samba4: update to 4.18.7
                   ==============================
                   Release Notes for Samba 4.18.7
                         September 27, 2023
                   ==============================


This is the latest stable release of the Samba 4.18 release series.


Changes since 4.18.6
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15419: Weird filename can cause assert to fail in
     openat_pathref_fsp_nosymlink().
   * BUG 15423: use-after-free in aio_del_req_from_fsp during smbd shutdown
     after failed IPC FSCTL_PIPE_TRANSCEIVE.
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized
     pointer.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect.
   * BUG 15407: Samba replication logs show (null) DN.

o  Ralph Boehme <slow@samba.org>
   * BUG 15463: macOS mdfind returns only 50 results.

o  Remi Collet <rcollet@redhat.com>
   * BUG 14808: smbc_getxattr() return value is incorrect.

o  Volker Lendecke <vl@samba.org>
   * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
     previous cache entry value.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
     impacts sendmail, zabbix, potentially more.

o  MikeLiu <mikeliu@qnap.com>
   * BUG 15453: File doesn't show when user doesn't have permission if
     aio_pthread is loaded.

o  Martin Schwenke <mschwenke@ddn.com>
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
     1.9.1.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with
     empty claims pac blobs (from Samba 4.19 or Windows).
   * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
     in use.
2023-09-27 12:02:48 +00:00
taca
e2fd313f3c net/samba4: update to 4.18.5
Changes since 4.18.5
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
     pointer.
   * BUG 15430: Missing return in reply_exit_done().

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15289: post-exec password redaction for samba-tool is more reliable for
     fully random passwords as it no longer uses regular expressions
     containing the password value itself.
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Ralph Boehme <slow@samba.org>
   * BUG 15342: Spotlight sometimes returns no results on latest macOS.
   * BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
     attempted to remove the destination.
   * BUG 15427: Spotlight results return wrong date in result list.

o  Günther Deschner <gd@samba.org>
   * BUG 15414: "net offlinejoin provision" does not work as non-root user.

o  Pavel Filipenský <pfilipensky@samba.org>
   * BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
   * BUG 15433: cm_prepare_connection() calls close(fd) for the second time.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
     bad message_id 2.
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.

o  Noel Power <noel.power@suse.com>
   * BUG 15390: Python tarfile extraction needs change to avoid a warning
     (CVE-2007-4559 mitigation).
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Arvid Requate <requate@univention.de>
   * BUG 9959: Windows client join fails if a second container CN=System exists
     somewhere.

o  Jones Syue <jonessyue@qnap.com>
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
2023-08-29 14:50:41 +00:00
taca
b343d247d9 net/samba4: update to 4.18.5
                   ==============================
                   Release Notes for Samba 4.18.5
                           July 19, 2023
                   ==============================


This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                  side absolute path of shares and files and directories in
                  search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html


Changes since 4.18.4
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.
   * BUG 15397: CVE-2023-3347.

o  Volker Lendecke <vl@samba.org>
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
2023-07-20 01:28:34 +00:00
wiz
635e489eb8 samba: update to 4.18.4.
Changes since 4.18.3
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15404: Backport --pidl-developer fixes.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 14030: Named crashes on DLZ zone update.

o  Björn Jacke <bj@sernet.de>
   * BUG 2312: smbcacls and smbcquotas do not check // before the server.

o  Volker Lendecke <vl@samba.org>
   * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers.
   * BUG 15391: smbclient leaks fds with showacls.
   * BUG 15402: smbd returns NOT_FOUND when creating files on a r/o filesystem.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and
     causes test timeouts.

o  Noel Power <noel.power@suse.com>
   * BUG 15384: net ads lookup (with unspecified realm) fails.

o  Christof Schmitt <cs@samba.org>
   * BUG 15381: Register Samba processes with GPFS.

o  Andreas Schneider <asn@samba.org>
   * BUG 15390: Python tarfile extraction needs change to avoid a warning
     (CVE-2007-4559 mitigation).
   * BUG 15398: The winbind child segfaults when listing users with `winbind
     scan trusted domains = yes`.

o  Jones Syue <jonessyue@qnap.com>
   * BUG 15383: Remove comments about deprecated 'write cache size'.
   * BUG 15403: smbget memory leak if failed to download files recursively.
2023-07-19 15:33:27 +00:00
wiz
5a143bfcb7 samba: update to 4.18.3.
Changes since 4.18.2
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15375: Symlinks to files can have random DOS mode information in a
     directory listing.
   * BUG 15378: vfs_fruit might cause a failing open for delete.

o  Volker Lendecke <vl@samba.org>
   * BUG 15361: winbind recurses into itself via rpcd_lsad.
   * BUG 15366: wbinfo -u fails on ad dc with >1000 users.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15338: DS ACEs might be inherited to unrelated object classes.
   * BUG 15362: a lot of messages: get_static_share_mode_data:
     get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND.
   * BUG 15374: aes256 smb3 encryption algorithms are not allowed in
     smb3_sid_parse().

o  Andreas Schneider <asn@samba.org>
   * BUG 15360: Setting veto files = /.*/ break listing directories.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15363: "samba-tool domain provision" does not run interactive mode if
     no arguments are given.

o  Nathaniel W. Turner <nturner@exagrid.com>
   * BUG 15325: dsgetdcname: assumes local system uses IPv4.
2023-06-16 21:40:12 +00:00
wiz
9de677c43a samba: update to 4.18.2.
4.18.2

Changes since 4.18.1
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied:
     message level should be lower.
   * BUG 15306: Floating point exception (FPE) via cli_pull_send at
     source3/libsmb/clireadwrite.c.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on
     Rackspace GitLab runners.
   * BUG 15329: Reduce flapping of ridalloc test.
   * BUG 15351: large_ldap test is unreliable.

o  Ralph Boehme <slow@samba.org>
   * BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
   * BUG 15354: mdssvc may crash when initializing.

o  Volker Lendecke <vl@samba.org>
   * BUG 15313: large directory optimization broken for non-lcomp path elements.
   * BUG 15357: streams_depot fails to create streams.
   * BUG 15358: shadow_copy2 and streams_depot don't play well together.

o  Rob van der Linde <rob@catalyst.net.nz>
   * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15317: winbindd idmap child contacts the domain controller without a
     need.
   * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the
     first time.
   * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
   * BUG 15323: net ads search -P doesn't work against servers in other domains.
   * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
   * BUG 15343: Tests use deprecated and removed methods like
     assertRegexpMatches.

4.18.1

This is a security release in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.
                 https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
                 https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
                 https://www.samba.org/samba/security/CVE-2023-0614.html


Changes since 4.18.0
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15276: CVE-2023-0225.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15270: CVE-2023-0614.
   * BUG 15331: ldb wildcard matching makes excessive allocations.
   * BUG 15332: large_ldap test is inefficient.

o  Rob van der Linde <rob@catalyst.net.nz>
   * BUG 15315: CVE-2023-0922.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15270: CVE-2023-0614.
   * BUG 15276: CVE-2023-0225.

4.18.0

This is the first stable release of the Samba 4.18 release series.
Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.

While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.

More succinct samba-tool error messages
---------------------------------------

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

 * a username or password is incorrect
 * an ldb database filename is wrong (including in smb.conf)
 * samba-tool dns: various zones or records do not exist
 * samba-tool ntacl: certain files are missing
 * the network seems to be down
 * bad --realm or --debug arguments

Accessing the old samba-tool messages
-------------------------------------

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color
-------------------------------------

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

 * samba-tool drs showrepl: default is now 'auto', not 'no'

 * samba-tool visualize: the interactions between --color-scheme,
   --color, and --output have changed slightly. When --color-scheme is
   set it overrides --color for the purpose of the output diagram, but
   not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES
-------------------------------------------------

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable
--------------------------------------------

With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.

New wbinfo option --change-secret-at
------------------------------------

The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows redefining the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (e.g. local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements
--------------------------------------------------------------

Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.

REMOVED FEATURES
================


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  acl_xattr:security_acl_name             New             security.NTACL
  server addresses                        New


CHANGES SINCE 4.18.0rc4
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 15314: streams_xattr is creating unexpected locks on folders.

o  Volker Lendecke <vl@samba.org>
   * BUG 15310: New samba-dcerpc architecture does not scale gracefully.


CHANGES SINCE 4.18.0rc3
=======================

o  Andreas Schneider <asn@samba.org>
   * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
     failure.

o  baixiangcpp <baixiangcpp@gmail.com>
   * BUG 15311: fd_load() function implicitly closes the fd where it should not.


CHANGES SINCE 4.18.0rc2
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 15301: Improve file_modtime() and issues around smb3 unix test.

o  Ralph Boehme <slow@samba.org>
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
     (tevent 0.14.1 and ldb 2.7.1 are already released...)

o  John Mulligan <jmulligan@redhat.com>
   * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
     fsp_get_pathref_fd() in close and fstat.

o  Andreas Schneider <asn@samba.org>
   * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
   * BUG 15301: Improve file_modtime() and issues around smb3 unix test.


CHANGES SINCE 4.18.0rc1
=======================

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 10635: Office365 azure Password Sync not working.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Noel Power <noel.power@suse.com>
   * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
     after free.
2023-04-29 08:01:06 +00:00
taca
1c72735665 net/samba4: update to 4.17.7
                   ==============================
                   Release Notes for Samba 4.17.7
                           March 29, 2023
                   ==============================


This is a security release in order to address the following defects:

o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                 but otherwise unprivileged users to delete this attribute from
                 any object in the directory.
                 https://www.samba.org/samba/security/CVE-2023-0225.html

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
                 https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
                 https://www.samba.org/samba/security/CVE-2023-0614.html
2023-04-01 08:49:05 +00:00
taca
dc85067c6d net/samba4: update to 4.17.6
                   ==============================
                   Release Notes for Samba 4.17.6
                           March 09, 2023
                   ==============================


This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.5
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15314: streams_xattr is creating unexpected locks on folders.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
     password hash synchronisation, allowing Samba AD Domains to synchronise
     passwords with this popular cloud environment.

o  Ralph Boehme <slow@samba.org>
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Volker Lendecke <vl@samba.org>
   * BUG 15310: New samba-dcerpc architecture does not scale gracefully.

o  John Mulligan <jmulligan@redhat.com>
   * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
     fsp_get_pathref_fd() in close and fstat.

o  Noel Power <noel.power@suse.com>
   * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
     after free.

o  baixiangcpp <baixiangcpp@gmail.com>
   * BUG 15311: fd_load() function implicitly closes the fd where it should not.
2023-03-17 14:01:50 +00:00
taca
326c3658a0 net/samba4: update to 4.17.5
                   ==============================
                   Release Notes for Samba 4.17.5
                          January 26, 2023
                   ==============================


This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.4
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14808: smbc_getxattr() return value is incorrect.
   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
     correctly.
   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
     DC when there is only an AAAA record for the DC in DNS.
   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
   * BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
   * BUG 15283: vfs_virusfilter segfault on access, directory edgecase
     (accessing NULL value).

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
     based SChannel on NETLOGON (additional changes).

o  Volker Lendecke <vl@samba.org>
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15269: ctdb: use-after-free in run_proc.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15280: irpc_destructor may crash during shutdown.
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Andreas Schneider <asn@samba.org>
   * BUG 15268: smbclient segfaults with use after free on an optimized build.

o  Jones Syue <jonessyue@qnap.com>
   * BUG 15282: smbstatus leaking files in msg.sock and msg.lock.

o  Andrew Walker <awalker@ixsystems.com>
   * BUG 15164: Leak in wbcCtxPingDc2.
   * BUG 15265: Access based share enum does not work in Samba 4.16+.
   * BUG 15267: Crash during share enumeration.
   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
     end of returned buffer.

o  Florian Weimer <fweimer@redhat.com>
   * BUG 15281: Avoid relying on C89 features in a few places.
2023-01-28 13:52:03 +00:00
wiz
db992da157 samba: update to 4.17.4.
This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:


o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

                  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

                  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

                  https://www.samba.org/samba/security/CVE-2022-38023.html

Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with systems still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                               Description             Default
  --------------                               -----------             -------
  allow nt4 crypto                             Deprecated              no
  allow nt4 crypto:COMPUTERACCOUNT             New
  kdc default domain supported enctypes        New (see manpage)
  kdc supported enctypes                       New (see manpage)
  kdc force enable rc4 weak session keys       New                     No
  reject md5 clients                           New Default, Deprecated Yes
  reject md5 servers                           New Default, Deprecated Yes
  server schannel                              Deprecated              Yes
  server schannel require seal                 New, Deprecated         Yes
  server schannel require seal:COMPUTERACCOUNT New
  winbind sealed pipes                         Deprecated              Yes

Changes since 4.17.3
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from
     Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
     vulnerability.
   * BUG 15206: libnet: change_password() doesn't work with
     dcerpc_samr_ChangePasswordUser4().
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
     (CVE-2021-20251 regression).

o  Noel Power <noel.power@suse.com>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15198: Prevent EBADF errors with vfs_glusterfs.

o  Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
2023-01-03 15:27:23 +00:00
jperkin
0e0a9fdc97 samba4: Build krb5.so module statically.
Avoids issues when building on systems that have a native libkrb5.so.  Samba
libraries that try to link against krb5.so, which during the build phase is
named libgensec_module_krb5.so, end up with incorrect library dependencies,
likely due to wrapper interactions.
2022-11-29 13:20:23 +00:00
wiz
f06f74bc66 samba: update to 4.17.3.
This is a security release in order to address the following defects:


o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
                  integer overflows when parsing a PAC on a 32-bit system, which
                  allowed an attacker with a forged PAC to corrupt the heap.
                  https://www.samba.org/samba/security/CVE-2022-42898.html

Changes since 4.17.2
--------------------
o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15203: CVE-2022-42898

o  Nicolas Williams <nico@twosigma.com>
   * BUG 15203: CVE-2022-42898
2022-11-25 10:21:14 +00:00
taca
ffb07f8e35 net/samba4: update to 4.17.2
4.17.2 (2022/10-25)

o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
                  unwrap_des() and unwrap_des3() routines of Heimdal (included
                  in Samba).
                  https://www.samba.org/samba/security/CVE-2022-3437.html

o CVE-2022-3592:  A malicious client can use a symlink to escape the exported
                  directory.
                  https://www.samba.org/samba/security/CVE-2022-3592.html

Changes since 4.17.1
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 15207: CVE-2022-3592.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15134: CVE-2022-3437.
2022-10-25 16:15:35 +00:00
wiz
8b6c8ad0d5 samba: update to 4.17.1.
Changes since 4.17.0
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.

o  Ralph Boehme <slow@samba.org>
   * BUG 15182: Flush on a named stream never completes.

o  Volker Lendecke <vl@samba.org>
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15200: multi-channel socket passing may hit a race if one of the
     involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and
     struct tevent_immediate on struct imessaging_context (in
     rpcd_spoolss and maybe others).

o  Noel Power <noel.power@suse.com>
   * BUG 15205: Since popt1.19 various use after free errors using result of
     poptGetArg are now exposed.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
     vfs_glusterfs.

o  Andreas Schneider <asn@samba.org>
   * BUG 15169: GETPWSID in memory cache grows indefinitely with each NTLM auth.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

                   ==============================
                   Release Notes for Samba 4.17.0
                         September 13, 2022
                   ==============================


This is the first stable release of the Samba 4.17 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for meta data heavy workloads.

With 4.17 the situation improved a lot again:

- Pathnames given by a client are divided into dirname and basename.
  The amount of syscalls to validate dirnames is reduced to 2 syscalls
  (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
  makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
  in order to just use 2 syscalls (openat2, close) for the whole dirname.

- Contended path based operations used to generate a lot of unsolicited
  wakeup events causing thundering herd problems, which led to massive
  latencies for some clients. These events are now avoided in order
  to provide stable latencies and much higher throughput of open/close
  operations.

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for
the SMB1 protocol in smbd. This can be selected at configure
time with either of the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba
is configured to include SMB1 support (i.e. --with-smb1-server
is the default). When Samba is configured without SMB1 support,
none of the SMB1 code is included inside smbd except the minimal
stub code needed to allow a client to connect as SMB1 and immediately
negotiate the selected protocol into SMB2 (as a Windows server also
allows).

None of the SMB1-only smb.conf parameters are removed when
configured without SMB1, but these parameters are ignored by
the smbd server. This allows deployment without having to change
an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba
to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections
even when Samba is configured as --without-smb1-server. This is
to ensure maximum compatibility with environments containing old
SMB1 servers.

Bronze bit and S4U support now also with MIT Kerberos 1.20
----------------------------------------------------------

In 2020 Microsoft Security Response Team received another Kerberos-related
report. Eventually, that led to a security update of the CVE-2020-17049,
Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
Bit’. With this vulnerability, a compromised service that is configured to use
Kerberos constrained delegation feature could tamper with a service ticket that
is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the
‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
changed to allow passing more details between KDC and KDB components. When built
against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
S4U2Self and S4U2Proxy Kerberos extensions.

Note the default (Heimdal-based) KDC was already fixed in 2021,
see https://bugzilla.samba.org/show_bug.cgi?id=14642

Resource Based Constrained Delegation (RBCD) support
----------------------------------------------------

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
Kerberos 1.20 we have complete RBCD support passing Samba's S4U testsuite.

samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
in order to manage RBCD.

To complete RBCD support and make it useful to Administrators we added the
Asserted Identity [1] SID into the PAC for constrained delegation. This is
available for Samba AD compiled with MIT Kerberos 1.20.

Note the default (Heimdal-based) KDC does not support RBCD yet.

[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

Customizable DNS listening port
-------------------------------

It is now possible to set a custom listening port for the builtin DNS service,
making it easy to host another DNS on the same system that would bind to the
default port and forward the domain-specific queries to Samba using the custom
port. This is the opposite configuration of setting a forwarder in Samba.

It makes it possible to use another DNS server as a front and forward to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when forwarding
to Samba. Dynamic DNS update proxying depends on the features of the other DNS
server used as a front.

CTDB changes
------------

* When Samba is configured with both --with-cluster-support and
  --systemd-install-services then a systemd service file for CTDB will
  be installed.

* ctdbd_wrapper has been removed.  ctdbd is now started directly from
  a systemd service file or init script.

* The syntax for the ctdb.tunables configuration file has been
  relaxed.  However, trailing garbage after the value, including
  comments, is no longer permitted.  Please see ctdb-tunables(7) for
  more details.

Operation without the (unsalted) NT password hash
-------------------------------------------------

When Samba is configured with 'nt hash store = never' then Samba will
no longer store the (unsalted) NT password hash for users in Active
Directory.  (Trust accounts, like computers, domain controllers and
inter-domain trusts are not impacted).

In the next version of Samba the default for 'nt hash store' will
change from 'always' to 'auto', where it will follow (behave as 'nt
hash store = never' when 'ntlm auth = disabled' is set).

Security-focused deployments of Samba that have eliminated NTLM from
their networks will find setting 'ntlm auth = disabled' with 'nt hash
store = always' as a useful way to improve compliance with
best-practice guidance on password storage (which is to always use an
iterated hash).

Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
Kerberos keys will not be available for users who subsequently change
their password, as these keys derive their values from NT hashes.  AES
keys are stored by default for all deployments of Samba with Domain
Functional Level 2008 or later, are supported by all modern clients,
and are much more secure.

Finally, also note that password history in Active Directory is stored
in nTPwdHistory using a series of NT hash values.  Therefore the full
password history feature is not available in this mode.

To provide some protection against password re-use previous Kerberos
hash values (the current, old and older values are already stored) are
used, providing a history length of 3.

There is one small limitation of this workaround: Changing the
sAMAccountName, userAccountControl or userPrincipalName of an account
can cause the Kerberos password salt to change.  This means that after
*both* an account rename and a password change, only the current
password will be recognised for password history purposes.

Python API for smbconf
----------------------

Samba's smbconf library provides a generic frontend to various
configuration backends (plain text file, registry) as a C library. A
new Python wrapper, importable as 'samba.smbconf' is available.  An
additional module, 'samba.samba3.smbconf', is also available to enable
registry backend support. These libraries allow Python programs to
read, and optionally write, Samba configuration natively.

JSON support for smbstatus
--------------------------

It is now possible to print detailed information in JSON format in
the smbstatus program using the new option --json. The JSON output
covers all the existing text output including sessions, connections,
open files, byte-range locks, notifies and profile data with all
low-level information maintained by Samba in the respective databases.

Protected Users security group
------------------------------

Samba AD DC now includes support for the Protected Users security
group introduced in Windows Server 2012 R2. The feature reduces the
attack surface of user accounts by preventing the use of weak
encryption types. It also mitigates the effects of credential theft by
limiting credential lifetime and scope.

The protections are intended for user accounts only, and service or
computer accounts should not be added to the Protected Users
group. User accounts added to the group are granted the following
security protections:

   * NTLM authentication is disabled.
   * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
     not issued to or accepted from affected principals. Tickets
     encrypted with AES, and service tickets encrypted with RC4, are
     not affected by this restriction.
   * The lifetime of Kerberos TGTs is restricted to a maximum of four
     hours.
   * Kerberos constrained and unconstrained delegation is disabled.

If the Protected Users group is not already present in the domain, it
can be created with 'samba-tool group add'. The new '--special'
parameter must be specified, with 'Protected Users' as the name of the
group. An example command invocation is:

samba-tool group add 'Protected Users' --special

or against a remote server:

samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator

The Protected Users group is identified in the domain by its having a
RID of 525. Thus, it should only be created with samba-tool and the
'--special' parameter, as above, so that it has the required RID
to function correctly.


REMOVED FEATURES
================

LanMan Authentication and password storage removed from the AD DC
-----------------------------------------------------------------

The storage and authentication with LanMan passwords has been entirely
removed from the Samba AD DC, even when "lanman auth = yes" is set.


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  dns port                                New default     53
  fruit:zero_file_id                      New default     yes
  nt hash store                           New parameter   always
  smb1 unix extensions                    Replaces "unix extensions"
  volume serial number                    New parameter   -1
  winbind debug traceid                   New parameter   no
2022-10-25 07:46:11 +00:00
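
The 4.17.0 notes in the commit message above describe smbd validating the dirname of a client path with one openat/close pair per component, as protection against symlink races. The following is an added Python sketch of that per-component walk, not Samba's code and not part of the commit; `UnsafePath`, `open_in_share`, `check_paths` and the demo tree are hypothetical names, and since Python's `os` module has no openat2() wrapper only the per-component variant is shown.

```python
import errno
import os
import tempfile

# Refuse to traverse anything that is not a real directory.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
# errno values different Unix kernels return when O_NOFOLLOW meets a symlink
# (ENOTDIR also covers a regular file used as a directory component).
SYMLINK_ERRNOS = (errno.ELOOP, errno.ENOTDIR, errno.EMLINK)


class UnsafePath(Exception):
    """Client path rejected before any file content was touched."""


def split_client_path(path):
    """Divide a client-supplied path into (dirname components, basename)."""
    if path.startswith("/"):
        raise UnsafePath("absolute path")
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafePath("empty path")
    if ".." in parts:
        raise UnsafePath("'..' component")
    return parts[:-1], parts[-1]


def open_dirname(share_fd, components):
    """Walk the dirname below share_fd: one openat + one close per component.

    Each component is checked by the kernel at open time and then held by
    file descriptor, so a later rename or symlink swap cannot redirect it.
    """
    cur = os.dup(share_fd)
    try:
        for name in components:
            try:
                nxt = os.open(name, DIR_FLAGS, dir_fd=cur)
            except OSError as exc:
                if exc.errno in SYMLINK_ERRNOS:
                    raise UnsafePath(f"{name!r} is not a real directory") from exc
                raise
            os.close(cur)
            cur = nxt
    except BaseException:
        os.close(cur)
        raise
    return cur


def open_in_share(share_fd, client_path, flags=os.O_RDONLY):
    """Open client_path relative to share_fd without following any symlink."""
    components, basename = split_client_path(client_path)
    dir_fd = open_dirname(share_fd, components)
    try:
        return os.open(basename, flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafePath(f"{basename!r} is a symlink") from exc
        raise
    finally:
        os.close(dir_fd)


def build_demo_share():
    """Constructed sample tree: a share plus a directory outside it."""
    root = tempfile.mkdtemp(prefix="share-demo-")
    share = os.path.join(root, "share")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(os.path.join(root, "outside"))
    with open(os.path.join(share, "docs", "report.txt"), "w") as fh:
        fh.write("quarterly numbers\n")
    with open(os.path.join(root, "outside", "secret.txt"), "w") as fh:
        fh.write("not exported\n")
    # Symlinks that would lead a plain open() out of the share.
    os.symlink("../outside", os.path.join(share, "escape"))
    os.symlink("../../outside/secret.txt", os.path.join(share, "docs", "link.txt"))
    return share


def check_paths(share, client_paths):
    """Return {client_path: 'ok' | 'rejected: reason'} for each path."""
    results = {}
    share_fd = os.open(share, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for path in client_paths:
            try:
                os.close(open_in_share(share_fd, path))
                results[path] = "ok"
            except UnsafePath as exc:
                results[path] = f"rejected: {exc}"
    finally:
        os.close(share_fd)
    return results


if __name__ == "__main__":
    demo = build_demo_share()
    samples = ["docs/report.txt", "escape/secret.txt",
               "docs/link.txt", "../outside/secret.txt"]
    for p, verdict in check_paths(demo, samples).items():
        print(f"{p:24} {verdict}")
```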
adam
5e29415e57 samba4: updated to 4.16.5
Changes since 4.16.4
--------------------
* BUG 15128: Possible use after free of connection_struct when iterating
  smbd_server_connection->connections.
* BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
  disabled on a share.
* BUG 15126: acl_xattr VFS module may unintentionally use filesystem
  permissions instead of ACL from xattr.
* BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
* BUG 15161: assert failed: !is_named_stream(smb_fname)") at
  ../../lib/util/fault.c:197.
* BUG 15148: Missing READ_LEASE break could cause data corruption.
* BUG 15124: rpcclient can crash using setuserinfo(2).
* BUG 15132: Samba fails to build with glibc 2.36 caused by including
  <sys/mount.h> in libreplace.
* BUG 15152: SMB1 negotiation can fail to handle connection errors.
* BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
2022-09-12 16:04:57 +00:00
jperkin
910a2b25a3 samba4: Remove gensec/krb5 patch.
It doesn't appear to solve the problem, I must have had a stale install
directory around when testing.  Still none the wiser as to why the krb5 module
isn't being built correctly, but apparently it seems to work for some folks, so
it will have to be left broken on SunOS for a bit.
2022-09-03 18:49:21 +00:00
jperkin
0856d0c862 samba4: Various build fixes. 2022-08-30 17:47:50 +00:00
adam
5384df5fc1 samba4: updated to 4.16.4
Release Notes for Samba 4.16.4

This is a security release in order to address the following defects:

o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
                  changing passwords.
                  https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
                  https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                  or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                  process with an LDAP add or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
                  https://www.samba.org/samba/security/CVE-2022-32742.html
2022-08-09 17:56:09 +00:00
jperkin
1e7fa9a044 samba4: Add support for mit-krb5.
The builtin heimdal no longer builds and it's unclear how it can possibly
work as it uses functions that do not exist anywhere.  Also fix some SunOS
build issues.

I'm not convinced this won't break builds that use heimdal but will keep an
eye out for failures.
2022-07-29 20:33:38 +00:00
adam
25e609259e samba4: updated to 4.16.3
Changes since 4.16.2
--------------------
* BUG 15099: Using vfs_streams_xattr and deleting a file causes a panic.
* BUG 14986: Add support for bind 9.18.
* BUG 15076: logging dsdb audit to specific files does not work.
* BUG 14979: Problem when winbind renews Kerberos.
* BUG 15095: Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
  developer mode.
* BUG 15105: Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL.
* BUG 15118: Crash in rpcd_classic - NULL pointer dereference in
  mangle_is_mangled().
* BUG 15100: smbclient commands del & deltree fail with
  NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
* BUG 15120: Fix check for chown when processing NFSv4 ACL.
* BUG 15082: The pcap background queue process should not be stopped.
* BUG 15097: testparm: Fix typo in idmap rangesize check.
* BUG 15106: net ads info returns LDAP server and LDAP server name as null.
* BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
* BUG 15090: CTDB child process logging does not work as expected.

Changes since 4.16.1
--------------------
* BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
* BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
  file had been deleted.
* BUG 15087: netgroups support removed.
* BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
  server.
* BUG 15062: Update from 4.15  to 4.16 breaks discovery of [homes] on
  standalone server from Win and IOS.
* BUG 15071: waf produces incorrect names for python extensions with Python
  3.11.
* BUG 15075: smbclient -E doesn't work as advertised.
* BUG 15071: waf produces incorrect names for python extensions with Python
  3.11.
* BUG 15081: The samba background daemon doesn't refresh the printcap cache
  on startup.
* BUG 14443: Out-by-4 error in smbd read reply max_send clamp.

Changes since 4.16.0
--------------------
* BUG 14831: Share and server swapped in smbget password prompt.
* BUG 15022: Durable handles won't reconnect if the leased file is written
  to.
* BUG 15023: rmdir silently fails if directory contains unreadable files and
  hide unreadable is yes.
* BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
  renamed file handle.
* BUG 8731: Need to describe --builtin-libraries= better (compare with
 --bundled-libraries).
* BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
* BUG 15035: shadow_copy2 fails listing snapshotted dirs with
  shadow:fixinodes.
* BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
  error.
* BUG 15041: Username map - samba erroneously applies unix group memberships
  to user account entries.
* BUG 14951: KVNO off by 100000.
* BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
* BUG 15055: vfs_gpfs recalls=no option prevents listing files.
* BUG 15054: smbd doesn't handle UPNs for looking up names.
2022-07-21 09:35:19 +00:00
jperkin
a00723e435 samba4: Build fixes, primarily for SunOS. 2022-04-25 16:25:02 +00:00
hauke
4258164c5b Restore a SYSCONFDIR path substitution that had gone lost, probably as
a result of running mkpatches after 'make configure'.
2022-03-24 10:16:13 +00:00
adam
2dbda8ec34 samba4: updated to 4.15.6
Changes since 4.15.5
--------------------
* BUG 14169: Renaming file on DFS root fails with
  NT_STATUS_OBJECT_PATH_NOT_FOUND.
* BUG 14737: Samba does not respond STATUS_INVALID_PARAMETER when opening 2
  objects with same lease key.
* BUG 14938: NT error code is not set when overwriting a file during rename
  in libsmbclient.
* BUG 14996: Fix ldap simple bind with TLS auditing.
* BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
  server.
* BUG 14979: Problem when winbind renews Kerberos.
* BUG 8691: pam_winbind will not allow gdm login if password about to expire.
* BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
* BUG 13631: DFS fix for AIX broken.
* BUG 14974: Solaris and AIX acl modules: wrong function arguments.
* BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
* BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
  during strcpy in tdbsam_getsampwnam.
* BUG 14989: Fix a use-after-free in SMB1 server.
* BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
  gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
* BUG 14984: changing the machine password against an RODC likely destroys
  the domain join.
* BUG 14993: authsam_make_user_info_dc() steals memory from its struct
  ldb_message *msg argument.
* BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
* BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
  id range only once.
2022-03-20 21:53:53 +00:00
thor
3182b7320a net/samba4: security update to 4.15.5
This is a security release in order to address the following defects:

o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
                  of a symlink exists.
                  https://www.samba.org/samba/security/CVE-2021-44141.html

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
                  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.
                  https://www.samba.org/samba/security/CVE-2022-0336.html
2022-03-07 22:45:49 +00:00
thor
7ed5c3a434 net/samba4: version 4.15.4
This includes a patch (already posted upstream) to fix updated Samba on
NetBSD's /proc, so the upgrade is not blocked anymore.

Release notes for 4.15:

NEW FEATURES/CHANGES
====================

VFS
---

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at source3/modules/The_New_VFS.txt
or visit <https://wiki.samba.org/index.php/The_New_VFS>.


Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the
bind server, and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.


"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.


samba-tool available without the ad-dc
--------------------------------------

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.


Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line interface. A
number of options required values to be specified in one tool and not in the
other, and some options meant different things in different tools.

These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent unexpected
behaviour all tools will now consistently reject unknown options.

Also several command line options have a smb.conf variable to control the
default now.

All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is set up to go to a file by default.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos       ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope          ->    --netbios-scope=SCOPE
--use-ccache     ->    --use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing


### Duplicates in command line utils

ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor,
   as it used to be.
-s is no longer reported as an alias for --configfile,
   it never worked that way as it was shadowed by '-s' for '--scope'.

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user        ->    --quota-user

nmbd:
--log-stdout  ->    --debug-stdout

smbd:
--log-stdout  ->    --debug-stdout

winbindd:
--log-stdout  ->    --debug-stdout


Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted domains
on winbindd startup. This is wrong as we never can get a full picture in Active
Directory. It is time to change the default value to "No". Also with this change
we always use enterprise principals for Kerberos so that the DC will be able
to redirect ticket requests to the right DC. This is e.g. needed for one way
trusts. The options `winbind use krb5 enterprise principals` and
`winbind scan trusted domains` will be deprecated in one of the next releases.


Support for Offline Domain Join (ODJ)
-------------------------------------

The net utility is now able to support the offline domain join feature
as known from the Windows djoin.exe command for many years. Samba's
implementation is accessible via the 'net offlinejoin' subcommand. It
can provision computers and request offline joining for both Windows
and Unix machines. It is also possible to provision computers from
Windows (using djoin.exe) and use the generated data in Samba's 'net'
utility. The existing options for the provisioning and joining steps
are documented in the net(8) manpage.


'samba-tool dns zoneoptions' for aging control
----------------------------------------------

The 'samba-tool dns zoneoptions' command can be used to turn aging on
and off, alter the refresh and no-refresh periods, and manipulate the
timestamps of existing records.

To turn aging on for a zone, you can use something like this:

  samba-tool dns zoneoptions --aging=1 --refreshinterval=306600

which turns on aging and ensures no records less than five years old
are aged out and scavenged. After aging has been on for sufficient
time for records to be renewed, the command

  samba-tool dns zoneoptions --refreshinterval=168

will set the refresh period to the standard seven days. Using this two
step process will help prevent the temporary loss of dynamic records
if scavenging happens before their first renewal.


Marking old records as static or dynamic with 'samba-tool'
----------------------------------------------------------

A bug in Samba versions prior to 4.9 meant records that were meant to
be static were marked as dynamic and vice versa. To fix the timestamps
in these domains, it is possible to use the following options,
preferably before turning aging on.

   --mark-old-records-static
   --mark-records-dynamic-regex
   --mark-records-static-regex

The "--mark-old-records-static" option will make records older than the
specified date static (that is, with a zero timestamp). For example,
if you upgraded to Samba 4.9 in November 2018, you could ensure no
old records will be mistakenly interpreted as dynamic using the
following option:

  samba-tool dns zoneoptions --mark-old-records-static=2018-11-30

Then, if you know that that will have marked some records as static
that should be dynamic, and you know which those are due to your
naming scheme, you can use commands like:

  samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'

where '\w+-desktop' is a perl-compatible regular expression that will
match 'bob-desktop', 'alice-desktop', and so on.

These options are deliberately long and cumbersome to type, so people
have a chance to think before they get to the end. You can make a
mess if you get it wrong.

All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
argument that allows you to inspect the likely results before going
ahead.

NOTE: for aging to work, you need to have "dns zone scavenging = yes"
set in the smb.conf of at least one server.


DNS tombstones are now deleted as appropriate
---------------------------------------------

When all the records for a DNS name have been deleted, the node is put
in a tombstoned state (separate from general AD object tombstoning,
which deleted nodes also go through). These tombstones should be
cleaned up periodically. Due to a conflation of scavenging and
tombstoning, we have only been deleting tombstones when aging is
enabled.

If you have a lot of tombstoned DNS nodes (that is, DNS names for
which you have removed all the records), cleaning up these DNS
tombstones may take a noticeable time.


DNS tombstones use a consistent timestamp format
------------------------------------------------

DNS records use an hours-since-1601 timestamp format except for in the
case of tombstone records where a 100-nanosecond-intervals-since-1601
format is used (this latter format being the most common in Windows).
We had mixed that up, which might have had strange effects in zones
where aging was enabled (and hence tombstone timestamps were used).


samba-tool dns update and RPC changes
-------------------------------------

The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
to manipulate dns records on the remote server. A bug in Samba meant
it was not possible to update an existing DNS record to change the
TTL. The general behaviour of RPC updates is now closer to that of
Windows.

'samba-tool dns update' is now a bit more careful in rejecting and
warning you about malformed IPv4 and IPv6 addresses.

CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
-----------------------------------------------------------------------

An unauthenticated user can crash the AD DC KDC by omitting the server
name in a TGS-REQ.  Per Samba's updated security process a specific
security release was not made for this issue as it is a recoverable
Denial Of Service.

See https://wiki.samba.org/index.php/Samba_Security_Proces

samba-tool domain backup offline with the LMDB backend
------------------------------------------------------

samba-tool domain backup offline, when operating with the LMDB backend
now correctly takes out locks against concurrent modification of the
database during the backup.  If you use this tool on a Samba AD DC
using LMDB, you should upgrade to this release for safer backups.

REMOVED FEATURES
================

Tru64 ACL support has been removed from this release. The last
supported release of Tru64 UNIX was in 2012.

NIS support has been removed from this release. This is not
available in Linux distributions anymore.

The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
which have been out of support since 2018.


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  client use kerberos                     New             desired
  client max protocol                     Values Removed
  client min protocol                     Values Removed
  client protection                       New             default
  client smb3 signing algorithms          New             see man smb.conf
  client smb3 encryption algorithms       New             see man smb.conf
  preopen:posix-basic-regex               New             No
  preopen:nomatch_log_level               New             5
  preopen:match_log_level                 New             5
  preopen:nodigits_log_level              New             1
  preopen:founddigits_log_level           New             3
  preopen:reset_log_level                 New             5
  preopen:push_log_level                  New             3
  preopen:queue_log_level                 New             10
  server max protocol                     Values Removed
  server min protocol                     Values Removed
  server multi channel support            Changed         Yes (on Linux and FreeBSD)
  server smb3 signing algorithms          New             see man smb.conf
  server smb3 encryption algorithms       New             see man smb.conf
  winbind use krb5 enterprise principals  Changed         Yes
  winbind scan trusted domains            Changed         No


Release notes for 4.14:

NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.
--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major milestone with
the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit the <https://wiki.samba.org/index.php/The_New_VFS>.

Printing
--------

Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
-------------------
This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.

Python 3.6 or later required
----------------------------

Samba's minimum runtime requirement for python was raised to Python
3.6 with samba 4.13.  Samba 4.14 raises this minimum version to Python
3.6 also to build Samba. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes
--------------------------------

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.

Users, groups and contacts can now be renamed with the respective rename
commands.

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).


CTDB CHANGES
============

* The NAT gateway and LVS features now use the term "leader" to refer
  to the main node in a group through which traffic is routed and
  "follower" for other members of a group.  The command for
  determining the leader has changed to "ctdb natgw leader" (from
  "ctdb natgw master").  The configuration keyword for indicating that
  a node can not be the leader of a group has changed to
  "follower-only" (from "slave-only").  Identical changes were made
  for LVS.

* Remove "ctdb isnotrecmaster" command.  It isn't used by CTDB's
  scripts and can be checked by users with "ctdb pnn" and "ctdb
  recmaster".


smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------
  smb encrypt                        Removed
  async dns timeout                  New                        10
  client smb encrypt                 New                        default
  honor change notify privilege      New                        No
  smbd force process locks           New                        No
  server smb encrypt                 New                        default
2022-03-07 21:40:37 +00:00
taca
343469f0b9 net/samba4: update to 4.13.17
===============================
                   Release Notes for Samba 4.13.17
                          January 31, 2022
                   ===============================


This is a security release in order to address the following defects:

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
                  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.
                  https://www.samba.org/samba/security/CVE-2022-0336.html


Changes since 4.13.16
---------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 14914: CVE-2021-44142

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14950: CVE-2022-0336
2022-01-31 13:45:12 +00:00
taca
002c555a10 net/samba4: update to 4.13.16
===============================
                   Release Notes for Samba 4.13.16
                          January 10, 2022
                   ===============================


This is a security release in order to address the following defects:

o CVE-2021-43566:  mkdir race condition allows share escape in Samba 4.x.
                   https://www.samba.org/samba/security/CVE-2021-43566.html


=======
Details
=======

o  CVE-2021-43566:
   All versions of Samba prior to 4.13.16 are vulnerable to a malicious
   client using an SMB1 or NFS symlink race to allow a directory to be
   created in an area of the server file system not exported under the
   share definition. Note that SMB1 has to be enabled, or the share
   also available via NFS in order for this attack to succeed.

   Clients that have write access to the exported part of the file system
   under a share via SMB1 unix extensions or NFS can create symlinks that
   can race the server by renaming an existing path and then replacing it
   with a symlink. If the client wins the race it can cause the server to
   create a directory under the new symlink target after the exported
   share path check has been done. This new symlink target can point to
   anywhere on the server file system. The authenticated user must have
   permissions to create a directory under the target directory of the
   symlink.

   This is a difficult race to win, but theoretically possible. Note that
   the proof of concept code supplied wins the race only when the server
   is slowed down and put under heavy load. Exploitation of this bug has
   not been seen in the wild.


Changes since 4.13.15
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x
2022-01-10 14:11:16 +00:00
taca
73307627fa net/samba4: update to 4.13.15
This release contains security fixes.


                   ===============================
                   Release Notes for Samba 4.13.15
                          December 15, 2021
                   ===============================


This is the latest stable release of the Samba 4.13 release series.

Important Notes
===============

There have been a few regressions in the security release 4.13.14:

o CVE-2020-25717: A user on the domain can become root on domain members.
                  https://www.samba.org/samba/security/CVE-2020-25717.html
                  PLEASE [RE-]READ!
                  The instructions have been updated and some workarounds
                  initially advised for 4.13.14 are no longer required and
                  should be reverted in most cases.

o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
             un-deletable. While this release should fix this bug, it is
             advised to have a look at the bug report for more detailed
             information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.

Changes since 4.13.14
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
   * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-
     deletable.

o  Ralph Boehme <slow@samba.org>
   * BUG 14922: Kerberos authentication on standalone server in MIT realm
     broken.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 14903: Support for ROLE_IPA_DC is incomplete.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
     side effects for the local nt token.
2021-12-25 03:36:01 +00:00
adam
87c1ea05e2 samba4: updated to 4.13.14
Changes since 4.13.13
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * CVE-2020-25722

o  Andrew Bartlett <abartlet@samba.org>
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722

o  Ralph Boehme <slow@samba.org>
   * CVE-2020-25717

o  Alexander Bokovoy <ab@samba.org>
   * CVE-2020-25717

o  Samuel Cabrero <scabrero@samba.org>
   * CVE-2020-25717

o  Nadezhda Ivanova <nivanova@symas.com>
   * CVE-2020-25722

o  Stefan Metzmacher <metze@samba.org>
   * CVE-2016-2124
   * CVE-2020-25717
   * CVE-2020-25719
   * CVE-2020-25722
   * CVE-2021-23192
   * CVE-2021-3738
   * ldb: version 2.2.3

o  Andreas Schneider <asn@samba.org>
   * CVE-2020-25719

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * CVE-2020-17049
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722
   * MS CVE-2020-17049

Changes since 4.13.12
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with
     embedded Heimdal.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with
     embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Viktor Dukhovni <viktor@twosigma.com>
   * BUG 12998: Fix transit path validation.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Luke Howard <lukeh@padl.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with
     embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  David Mulder <dmulder@suse.com>
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Andreas Schneider <asn@samba.org>
   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with
     embedded Heimdal.
   * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
     violation: brlock.tdb, share_entries.tdb.
   * BUG 14836: Python ldb.msg_diff() memory handling failure.
   * BUG 14845: "in" operator on ldb.Message is case sensitive.
   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
   * BUG 14868: rodc_rwdc test flaps.
   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
   * BUG 14874: Allow special chars like "@" in samAccountName when generating
     the salt.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
     bit' S4U2Proxy Constrained Delegation bypass in Samba with
     embedded Heimdal.
   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
2021-11-10 13:33:20 +00:00
nia
ab845b2028 net: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
2021-10-26 11:05:20 +00:00
adam
f0576fb865 samba4: updated to 4.13.12
Changes since 4.13.11
---------------------
* BUG 14806: Address a significant performance regression in database access
  in the AD DC since Samba 4.12.
* BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
  Samba 4.9 by using an explicit database handle cache.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14818: Address flapping samba_tool_drs_showrepl test.
* BUG 14819: Address flapping dsdb_schema_attributes test.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
* BUG 14784: Fix CTDB flag/status update race conditions.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
  server name in a TGS-REQ.
2021-10-08 13:20:34 +00:00
nia
5c85662953 net: Remove SHA1 hashes for distfiles 2021-10-07 14:41:10 +00:00
adam
03c6cd82ca samba4: updated to 4.3.11
Changes since 4.13.10
* BUG 14769: smbd panic on force-close share during offload write.
* BUG 14731: Fix returned attributes on fake quota file handle and avoid
  hitting the VFS.
* BUG 14783: smbd "deadtime" parameter doesn't work anymore.
* BUG 14787: net conf list crashes when run as normal user.
* BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
  7.3.7.
* BUG 14793: Start the SMB encryption as soon as possible.
* BUG 14792: Winbind should not start if the socket path for the privileged
  pipe is too long.
2021-09-13 10:13:33 +00:00
taca
a7a2581722 net/samba4: update to 4.3.10
Changes since 4.13.9
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
     Windows ACL for directory handles.
   * BUG 14721: Take a copy to make sure we don't reference free'd memory.
   * BUG 14722: s3: lib: Fix talloc hierarchy error in parent_smb_fname().
   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
     change_file_owner_to_parent() error path.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14575: samba-tool: Give better error information when the
     'domain backup restore' fails with a duplicate SID.

o  Ralph Boehme <slow@samba.org>
   * BUG 14714: smbd: Correctly initialize close timestamp fields.
   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.

o  Volker Lendecke <vl@samba.org>
   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
   * BUG 14752: smbXsrv_{open,session,tcon}: Protect
     smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
     backend.
   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
     restoring a backup.
2021-07-25 15:58:04 +00:00
nia
85d10bb675 samba4: downgrade to 4.13.9, as discussed on netbsd-users@ 2021-06-22 09:36:41 +00:00
adam
4f58f285a5 samba4: updated to 4.14.5
Changes since 4.14.4
--------------------
* BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
* BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
  Windows ACL for directory handles.
* BUG 14721: s3: smbd: Fix uninitialized memory read in
  process_symlink_open() when used with vfs_shadow_copy2().
* BUG 14689: docs: Expand the "log level" docs on audit logging.
* BUG 14714: smbd: Correctly initialize close timestamp fields.
* BUG 14699: Fix gcc11 compiler issues.
* BUG 14718: docs-xml: Update smbcacls manpage.
* BUG 14719: docs: Update list of available commands in rpcclient.
* BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
* BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
  set.
* BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
2021-06-01 08:30:17 +00:00
taca
b8a2dd0e5c net/samba4: update to 4.14.4
pkgsrc changes: remove extra spaces in some patch files.


                   ==============================
                   Release Notes for Samba 4.14.4
                           April 29, 2021
                   ==============================


This is a security release in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


=======
Details
=======

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix
   group ids (gids). The code that performs this had a flaw that could allow it
   to read data beyond the end of the array in the case where a negative cache
   entry had been added to the mapping cache. This could cause the calling code
   to return those values into the process token that stores the group
   membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user
   (Peter Eriksson, IT Department, Linköping University) found this flaw by
   noticing an unprivileged user was able to delete a file within a network
   share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a
   remote user to be able to trigger this flaw reproducibly or on demand,
   but this CVE has been issued out of an abundance of caution.


Changes since 4.14.3
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
2021-04-29 15:21:16 +00:00
adam
74f15b278e samba4: updated to 4.14.3
Changes since 4.14.2
--------------------
* BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
  vfs_virusfilter_openat.
* BUG 14586: build: Notice if flex is missing at configure time.
* BUG 14672: Fix smbd panic when two clients open same file.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 14679: s3: smbd: fix deferred renames.
* BUG 14675: s3-iremotewinspool: Set the per-request memory context.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
* BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
* BUG 14665: samba-gpupdate: Test that sysvol paths download in
  case-insensitive way.
* BUG 14662: smbd: Ensure errno is preserved across fsp destructor.
* BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
  conflict.
* BUG 14288: build: Only add -Wl,--as-needed when supported.
2021-04-22 15:47:45 +00:00
adam
3e33524790 samba4: updated to 4.14.2
Samba 4.14.2

This is a follow-up release to depend on the correct ldb version. This is only
needed when building against a system ldb library.

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


Samba 4.14.1

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


Samba 4.14.0

This is the first stable release of the Samba 4.14 release series.
Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.
--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major milestone with
the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit the <https://wiki.samba.org/index.php/The_New_VFS>.

Printing
--------

Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
-------------------
This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.

Python 3.6 or later required
----------------------------

Samba's minimum runtime requirement for python was raised to Python
3.6 with samba 4.13.  Samba 4.14 raises this minimum version to Python
3.6 also to build Samba. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes
--------------------------------

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.

Users, groups and contacts can now be renamed with the respective rename
commands.

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).


CTDB CHANGES
============

* The NAT gateway and LVS features now use the term "leader" to refer
  to the main node in a group through which traffic is routed and
  "follower" for other members of a group.  The command for
  determining the leader has changed to "ctdb natgw leader" (from
  "ctdb natgw master").  The configuration keyword for indicating that
  a node can not be the leader of a group has changed to
  "follower-only" (from "slave-only").  Identical changes were made
  for LVS.

* Remove "ctdb isnotrecmaster" command.  It isn't used by CTDB's
  scripts and can be checked by users with "ctdb pnn" and "ctdb
  recmaster".
2021-04-14 19:11:20 +00:00
adam
c8a48799fe ldb: updated to 2.2.1; samba: updated to 4.13.7
==============================
                   Release Notes for Samba 4.13.7
                           March 24, 2021
                   ==============================


This is a follow-up release to depend on the correct ldb version. This is only
needed when building against a system ldb library.

This is a security release in order to address the following defects:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.


=======
Details
=======

o  CVE-2020-27840:
   An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
   crafted DNs as part of a bind request. More serious heap corruption is likely
   also possible.

o  CVE-2021-20277:
   User-controlled LDAP filter strings against the AD DC LDAP server may crash
   the LDAP server.

For more details, please refer to the security advisories.


Changes since 4.13.6
--------------------

o  Release with dependency on ldb version 2.2.1.
2021-03-24 16:33:46 +00:00
adam
a26f708e97 samba4: updated to 4.13.5
Changes since 4.13.4
--------------------
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
  start-up failure.
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
  setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
  force a full reload of services.
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
  expired tombstones.
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
  delete-on-close token.
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
  path.
* BUG 14624: classicupgrade: Treat old never expires value right.
* BUG 14636: g_lock: Fix uninitialized variable reads.
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
* BUG 14625: lib:util: Avoid free'ing our own pointer.
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
2021-03-20 19:27:35 +00:00
adam
d1df36361c samba4: updated to 4.13.4
Changes 4.13.4
* BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
  7.3.7.
* BUG 14612: Temporary DFS share setup doesn't set case parameters in the
  same way as a regular share definition does.
* BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
  functions.
* BUG 14579: Do not create an empty DB when accessing a sam.ldb.
* BUG 14596: vfs_fruit may close wrong backend fd.
* BUG 14612: Temporary DFS share setup doesn't set case parameters in the
  same way as a regular share definition does.
* BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
* BUG 14596: vfs_fruit may close wrong backend fd.
* BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap
  7.3.7.
* BUG 14601: The cache directory for the user gencache should be created
  recursively.
* BUG 14594: Be more flexible with repository names in CentOS 8 test
  environments.
2021-01-27 06:17:17 +00:00
adam
d5cdf0bd54 samba4: updated to 4.13.3
Changes since 4.13.2
* BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
  fails for crypto blob.
* BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
  leaks from a function.
* BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
  NULL via TALLOC_FREE().
* BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
  all other uses.
* BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
  share.
* BUG 14248: samba process does not honor max log size.
* BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
  everyone@ ACE.
* BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
* BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
* BUG 14517: smbclient: Fix recursive mget.
* BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
* BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
  translator.
* BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
* BUG 14514: interface: Fix if_index is not parsed correctly.
2020-12-17 12:15:43 +00:00
adam
1c2ef12a1c samba4: updated to 4.13.2
Changes since 4.13.1
--------------------
   * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char
     **lines onto mem_ctx on return.
   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
   * BUG 14538: smb.conf.5: Add clarification how configuration changes
     reflected by Samba.
   * BUG 14552: daemons: Report status to systemd even when running in
     foreground.
   * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
   * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
     present.
   * BUG 14487: provision: Add support for BIND 9.16.x.
   * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
   * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
   * BUG 14522: docs: Fix default value of spoolss:architecture.
   * BUG 14388: winbind: Fix a memleak.
   * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
   * BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
     vfs_glusterfs.
   * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
   * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
   * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
   * BUG 14550: examples:auth: Do not install example plugin.
   * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.

Changes since 4.13.0
--------------------
   * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
     unless the directory handle is open for SEC_DIR_LIST.
   * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
     'samba-tool'.
   * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
   * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.

4.13.0:
NEW FEATURES/CHANGES
====================

Python 3.6 or later required
----------------------------
Samba's minimum runtime requirement for python was raised to Python
3.5 with samba 4.12.  Samba 4.13 raises this minimum version to Python
3.6 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

This is also the last release where it will be possible to build Samba
(just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in the NEXT release.

Samba 4.14 to be released in March 2021 will require Python 3.6 or
later to build.

wide links functionality
------------------------
For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.

NT4-like 'classic' Samba domain controllers
-------------------------------------------
Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern Windows clients.

SMBv1 only protocol options deprecated
--------------------------------------
A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.
2020-11-12 06:37:18 +00:00
taca
2753208427 net/samba4: update to 4.12.9
Summary from NEWS files:

Samba 4.12.9 (2020-10-29)

o  CVE-2020-14318:
   The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
   request file name notification on a directory handle when a condition such as
   "new file creation" or "file size change" or "file timestamp update" occurs.

   A missing permissions check on a directory handle requesting ChangeNotify
   meant that a client with a directory handle open only for
   FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
   notify replies from the server. These replies contain information that should
   not be available to directory handles open for FILE_READ_ATTRIBUTES only.

o  CVE-2020-14323:
   winbind in version 3.6 and later implements a request to translate multiple
   Windows SIDs into names in one request. This was done for performance
   reasons: Active Directory domain controllers can do multiple SID to name
   translations in one RPC call. It was an obvious extension to also offer this
   batch operation on the winbind unix domain stream socket that is available to
   local processes on the Samba server to reduce network round-trips to the
   domain controller.

   Due to improper input validation a hand-crafted packet can make winbind
   perform a NULL pointer dereference and thus crash.

o  CVE-2020-14383:
   Some DNS records (such as MX and NS records) usually contain data in the
   additional section. Samba's dnsserver RPC pipe (which is an administrative
   interface not used in the DNS server itself) made an error in handling the
   case where there are no records present: instead of noticing the lack of
   records, it dereferenced uninitialised memory, causing the RPC server to
   crash. This RPC server, which also serves protocols other than dnsserver,
   will be restarted after a short delay, but it is easy for an authenticated
   non-admin attacker to crash it again as soon as it returns. The Samba DNS
   server itself will continue to operate, but many RPC services will not.


Samba 4.12.8 (2020-10-07)

Changes since 4.12.7
--------------------

o  G«änther Deschner <gd@samba.org>
   * BUG 14318: docs: Add missing winexe manpage.

o  Volker Lendecke <vl@samba.org>
   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
     response.

o  Laurent Menase <laurent.menase@hpe.com>
   * BUG 14388: winbind: Fix a memleak.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
     response.
   * BUG 14482: Compilation of heimdal tree fails if libbsd is not installed.

o  Christof Schmitt <cs@samba.org>
   * BUG 14166: util: Allow symlinks in directory_create_or_exist.

o  Andreas Schneider <asn@samba.org>
   * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
     3.6.14.
   * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14466: ctdb disable/enable can fail due to race condition.
2020-10-30 07:17:16 +00:00
taca
175f8a5a1e net/samba4: update to 4.12.7
Update samba4 package to 4.12.7.


                   ==============================
                   Release Notes for Samba 4.12.7
                         September 18, 2020
                   ==============================


This is a security release in order to address the following defect:

o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").

The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section of
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.

Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:

   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

More details can be found here:
https://www.samba.org/samba/security/CVE-2020-1472.html
2020-09-19 14:00:54 +00:00
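The version and 'server schannel' rules in the 4.12.7 notes above can be turned into a configuration check. This is an added example, not part of the commit message or of Samba; the function names and the sample smb.conf are constructed, and it assumes the accepted boolean spellings are yes/true/on/1 and no/false/off/0 and that only the [global] section is read.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
EXEMPT_PREFIX = "server require schannel:"

# Constructed sample: the hardened configuration quoted in the release notes.
SAMPLE_CONF = """
[global]
   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no
"""

def parse_global(conf_text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are compared without regard to case or spacing.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit_schannel(conf_text, samba_version):
    """Apply the release-note rules to one domain controller's smb.conf."""
    params = parse_global(conf_text)
    major, minor = (int(part) for part in samba_version.split(".")[:2])
    raw = params.get("server schannel")
    if raw is None:
        # 4.8 and later insist on schannel by default; older releases must
        # set it explicitly, so an absent line is reported as "unset".
        effective = "yes" if (major, minor) >= (4, 8) else "unset"
    elif raw.lower() in TRUE:
        effective = "yes"
    elif raw.lower() in FALSE:
        effective = "no"
    else:
        effective = raw.lower()                  # e.g. "auto"
    # Machine accounts explicitly allowed to use insecure netlogon.
    exempt = sorted(name[len(EXEMPT_PREFIX):]
                    for name, value in params.items()
                    if name.startswith(EXEMPT_PREFIX) and value.lower() in FALSE)
    return {"effective": effective,
            "vulnerable": effective != "yes",
            "exempt": exempt}

if __name__ == "__main__":
    print(audit_schannel(SAMPLE_CONF, "4.12.7"))
```

Run it against the smb.conf of every domain controller; each name in `exempt` is a machine account that still accepts insecure netlogon and should be tracked until the third-party software is replaced.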
adam
5e2d3b3f7c samba4: updated to 4.12.6
Changes since 4.12.5
* BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server.
* BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256"
  to work on RHEL7.
* BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
* BUG 14426: lib/debug: Set the correct default backend loglevel to
  MAX_DEBUG_LEVEL.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14422: util: Fix build on AIX by fixing the order of replace.h include.
* BUG 14355: srvsvc_NetFileEnum asserts with open files.
* BUG 14354: KDC breaks with DES keys still in the database and
  msDS-SupportedEncryptionTypes 31 indicating support for it.
* BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets
  conn->cwd_fsp->fh->fd = AT_FDCWD.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14358: docs: Fix documentation for require_membership_of of
  pam_winbind.conf.
* BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB
  NFS scripts.
* BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema
  mode fatal.
2020-08-18 07:39:31 +00:00
christos
aa30c38a9b Fix arguments to getgroupmembership
2020-07-21 18:42:25 +00:00
adam
5fdd7e1aee samba4: updated to 4.12.5
Changes since 4.12.4
--------------------
   * BUG 14301: Fix smbd panic on force-close share during async io.
   * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share
     folder that contains incorrect symbols in any file name.
   * BUG 14391: Fix DFS links.
   * BUG 14310: Can't use DNS functionality after a Windows DC has been in
     domain.
   * BUG 14413: ldapi search to FreeIPA crashes.
   * BUG 14396: Add net-ads-join dnshostname=fqdn option.
   * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC.
   * BUG 14386: docs-xml: Update list of possible VFS operations for
     vfs_full_audit.
   * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit.
   * BUG 14370: Client tools are not able to read gencache anymore.

Samba 4.12.4
============
o  CVE-2020-10730:
   A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
   de-reference and further combinations with the LDAP paged_results feature can
   give a use-after-free in Samba's AD DC LDAP server.

o  CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
   excessive CPU.

o  CVE-2020-10760:
   The use of the paged_results or VLV controls against the Global Catalog LDAP
   server on the AD DC will cause a use-after-free.

o  CVE-2020-14303:
   The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
   further requests once it receives an empty (zero-length) UDP packet to
   port 137.

For more details, please refer to the security advisories.


Changes since 4.12.3
--------------------
   * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
     several seconds of CPU each.
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined.
   * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
     server with paged_result or VLV.
   * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
     AD DC nbt_server.
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined, ldb: Bump version to 2.1.4.
2020-07-06 14:38:06 +00:00