The branch, master has been updated via f04f713 Add Samba 4.15.0 via fc08fc1 NEWS[4.15.0]: Samba 4.15.0 Available for Download from 6d4ce66 team: Add employer for Martin
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f04f71331b726e745556951a0f04038423235997 Author: Jule Anger <jan...@samba.org> Date: Mon Sep 20 09:49:26 2021 +0200 Add Samba 4.15.0 Signed-off-by: Jule Anger <jan...@samba.org> commit fc08fc19474183c6d96d3383204f1334e94e6430 Author: Jule Anger <jan...@samba.org> Date: Mon Sep 20 09:45:02 2021 +0200 NEWS[4.15.0]: Samba 4.15.0 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 1 + history/samba-4.15.0.html | 509 +++++++++++++++++++++++ posted_news/20210920-074634.4.15.0.body.html | 12 + posted_news/20210920-074634.4.15.0.headline.html | 3 + 4 files changed, 525 insertions(+) create mode 100644 history/samba-4.15.0.html create mode 100644 posted_news/20210920-074634.4.15.0.body.html create mode 100644 posted_news/20210920-074634.4.15.0.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 3af602b..0f7c705 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.15.0.html">samba-4.15.0</a></li> <li><a href="samba-4.14.7.html">samba-4.14.7</a></li> <li><a href="samba-4.14.6.html">samba-4.14.6</a></li> <li><a href="samba-4.14.5.html">samba-4.14.5</a></li> diff --git a/history/samba-4.15.0.html b/history/samba-4.15.0.html new file mode 100644 index 0000000..04d4513 --- /dev/null +++ b/history/samba-4.15.0.html @@ -0,0 +1,509 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.15.0 - Release Notes</title> +</head> +<body> +<H2>Samba 4.15.0 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.0.tar.gz">Samba 4.15.0 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.0.tar.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.15.0 + September 20, 2021 + ============================== + + +This is the first stable release of the Samba 4.15 release series. +Please read the release notes carefully before upgrading. + + +Removed SMB (development) dialects +================================== + +The following SMB (development) dialects are no longer +supported: SMB2_22, SMB2_24 and SMB3_10. They are were +only supported by Windows technical preview builds. +They used to be useful in order to test against the +latest Windows versions, but it's no longer useful +to have them. If you have them explicitly specified +in your smb.conf or an the command line, +you need to replace them like this: +- SMB2_22 => SMB3_00 +- SMB2_24 => SMB3_00 +- SMB3_10 => SMB3_11 +Note that it's typically not useful to specify +"client max protocol" or "server max protocol" +explicitly to a specific dialect, just leave +them unspecified or specify the value "default". + +New GPG key +=========== + +The GPG release key for Samba releases changed from: + +pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05] + Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA +uid [ full ] Samba Distribution Verification Key <samba-b...@samba.org> +sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05] + +to the following new key: + +pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21] + Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620 +uid [ultimate] Samba Distribution Verification Key <samba-b...@samba.org> +sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21] + +Starting from Jan 21th 2021, all Samba releases will be signed with the new key. + +See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt + +New minimum version for the experimental MIT KDC +================================================ + +The build of the AD DC using the system MIT Kerberos, an +experimental feature, now requires MIT Kerberos 1.19. An up-to-date +Fedora 34 has this version and has backported fixes for the KDC crash +bugs CVE-2021-37750 and CVE-2021-36222 + + +NEW FEATURES/CHANGES +==================== + +VFS +--- + +The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships +with a modernized VFS designed for the post SMB1 world. + +For details please refer to the documentation at source3/modules/The_New_VFS.txt +or visit the <https://wiki.samba.org/index.php/The_New_VFS>. + + +Bind DLZ: add the ability to set allow/deny lists for zone transfer clients +--------------------------------------------------------------------------- + +Up to now, any client could use a DNS zone transfer request to the +bind server, and get an answer from Samba. Now the default behaviour +will be to deny those request. Two new options have been added to +manage the list of authorized/denied clients for zone transfer +requests. In order to be accepted, the request must be issued by a +client that is in the allow list and NOT in the deny list. + + +"server multi channel support" no longer experimental +----------------------------------------------------- + +This option is enabled by default starting with 4.15 (on Linux and FreeBSD). +Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible +to use this feature on Linux and FreeBSD for now. + + +samba-tool available without the ad-dc +-------------------------------------- + +The 'samba-tool' command is now available when samba is configured +"--without-ad-dc". Not all features will work, and some ad-dc specific options +have been disabled. The 'samba-tool domain' options, for example, are limited +when no ad-dc is present. Samba must still be built with ads in order to enable +'samba-tool'. + + +Improved command line user experience +------------------------------------- + +Samba utilities did not consistently implement their command line interface. A +number of options were requiring to specify values in one tool and not in the +other, some options meant different in different tools. + +These should be stories of the past now. A new command line parser has been +implemented with sanity checking. Also the command line interface has been +simplified and provides better control for encryption, signing and kerberos. + +Previously many tools silently ignored unknown options. To prevent unexpected +behaviour all tools will now consistently reject unknown options. + +Also several command line options have a smb.conf variable to control the +default now. + +All tools are now logging to stderr by default. You can use "--debug-stdout" to +change the behavior. All servers will log to stderr at early startup until logging +is setup to go to a file by default. + +### Common parser: + +Options added: +--client-protection=off|sign|encrypt + +Options renamed: +--kerberos -> --use-kerberos=required|desired|off +--krb5-ccache -> --use-krb5-ccache=CCACHE +--scope -> --netbios-scope=SCOPE +--use-ccache -> --use-winbind-ccache + +Options removed: +-e|--encrypt +-C removed from --use-winbind-ccache +-i removed from --netbios-scope +-S|--signing + + +### Duplicates in command line utils + +ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch: +-e is still available as an alias for --editor, + as it used to be. +-s is no longer reported as an alias for --configfile, + it never worked that way as it was shadowed by '-s' for '--scope'. + +ndrdump: +-l is not available for --load-dso anymore + +net: +-l is not available for --long anymore + +sharesec: +-V is not available for --viewsddl anymore + +smbcquotas: +--user -> --quota-user + +nmbd: +--log-stdout -> --debug-stdout + +smbd: +--log-stdout -> --debug-stdout + +winbindd: +--log-stdout -> --debug-stdout + + +Scanning of trusted domains and enterprise principals +----------------------------------------------------- + +As an artifact from the NT4 times, we still scanned the list of trusted domains +on winbindd startup. This is wrong as we never can get a full picture in Active +Directory. It is time to change the default value to "No". Also with this change +we always use enterprise principals for Kerberos so that the DC will be able +to redirect ticket requests to the right DC. This is e.g. needed for one way +trusts. The options `winbind use krb5 enterprise principals` and +`winbind scan trusted domains` will be deprecated in one of the next releases. + + +Support for Offline Domain Join (ODJ) +------------------------------------- + +The net utility is now able to support the offline domain join feature +as known from the Windows djoin.exe command for many years. Samba's +implementation is accessible via the 'net offlinejoin' subcommand. It +can provision computers and request offline joining for both Windows +and Unix machines. It is also possible to provision computers from +Windows (using djoin.exe) and use the generated data in Samba's 'net' +utility. The existing options for the provisioning and joining steps +are documented in the net(8) manpage. + + +'samba-tool dns zoneoptions' for aging control +---------------------------------------------- + +The 'samba-tool dns zoneoptions' command can be used to turn aging on +and off, alter the refresh and no-refresh periods, and manipulate the +timestamps of existing records. + +To turn aging on for a zone, you can use something like this: + + samba-tool dns zoneoptions --aging=1 --refreshinterval=306600 + +which turns on aging and ensures no records less than five years old +are aged out and scavenged. After aging has been on for sufficient +time for records to be renewed, the command + + samba-tool dns zoneoptions --refreshinterval=168 + +will set the refresh period to the standard seven days. Using this two +step process will help prevent the temporary loss of dynamic records +if scavenging happens before their first renewal. + + +Marking old records as static or dynamic with 'samba-tool' +---------------------------------------------------------- + +A bug in Samba versions prior to 4.9 meant records that were meant to +be static were marked as dynamic and vice versa. To fix the timestamps +in these domains, it is possible to use the following options, +preferably before turning aging on. + + --mark-old-records-static + --mark-records-dynamic-regex + --mark-records-static-regex + +The "--mark-old-records-static" option will make records older than the +specified date static (that is, with a zero timestamp). For example, +if you upgraded to Samba 4.9 in November 2018, you could use ensure no +old records will be mistakenly interpreted as dynamic using the +following option: + + samba-tool dns zoneoptions --mark-old-records-static=2018-11-30 + +Then, if you know that that will have marked some records as static +that should be dynamic, and you know which those are due to your +naming scheme, you can use commands like: + + samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop' + +where '\w+-desktop' is a perl-compatible regular expression that will +match 'bob-desktop', 'alice-desktop', and so on. + +These options are deliberately long and cumbersome to type, so people +have a chance to think before they get to the end. You can make a +mess if you get it wrong. + +All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" +argument that allows you to inspect the likely results before going +ahead. + +NOTE: for aging to work, you need to have "dns zone scavenging = yes" +set in the smb.conf of at least one server. + + +DNS tombstones are now deleted as appropriate +--------------------------------------------- + +When all the records for a DNS name have been deleted, the node is put +in a tombstoned state (separate from general AD object tombstoning, +which deleted nodes also go through). These tombstones should be +cleaned up periodically. Due to a conflation of scavenging and +tombstoning, we have only been deleting tombstones when aging is +enabled. + +If you have a lot of tombstoned DNS nodes (that is, DNS names for +which you have removed all the records), cleaning up these DNS +tombstones may take a noticeable time. + + +DNS tombstones use a consistent timestamp format +------------------------------------------------ + +DNS records use an hours-since-1601 timestamp format except for in the +case of tombstone records where a 100-nanosecond-intervals-since-1601 +format is used (this latter format being the most common in Windows). +We had mixed that up, which might have had strange effects in zones +where aging was enabled (and hence tombstone timestamps were used). + + +samba-tool dns update and RPC changes +------------------------------------- + +The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools +to manipulate dns records on the remote server. A bug in Samba meant +it was not possible to update an existing DNS record to change the +TTL. The general behaviour of RPC updates is now closer to that of +Windows. + +'samba-tool dns update' is now a bit more careful in rejecting and +warning you about malformed IPv4 and IPv6 addresses. + +CVE-2021-3671: Crash in Heimdal KDC and updated security release policy +----------------------------------------------------------------------- + +An unuthenticated user can crash the AD DC KDC by omitting the server +name in a TGS-REQ. Per Samba's updated security process a specific +security release was not made for this issue as it is a recoverable +Denial Of Service. + +See https://wiki.samba.org/index.php/Samba_Security_Proces + +samba-tool domain backup offline with the LMDB backend +------------------------------------------------------ + +samba-tool domain backup offline, when operating with the LMDB backend +now correctly takes out locks against concurrent modification of the +database during the backup. If you use this tool on a Samba AD DC +using LMDB, you should upgrade to this release for safer backups. + +REMOVED FEATURES +================ + +Tru64 ACL support has been removed from this release. The last +supported release of Tru64 UNIX was in 2012. + +NIS support has been removed from this release. This is not +available in Linux distributions anymore. + +The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, +which have been out of support since 2018. + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + client use kerberos New desired + client max protocol Values Removed + client min protocol Values Removed + client protection New default + client smb3 signing algorithms New see man smb.conf + client smb3 encryption algorithms New see man smb.conf + preopen:posix-basic-regex New No + preopen:nomatch_log_level New 5 + preopen:match_log_level New 5 + preopen:nodigits_log_level New 1 + preopen:founddigits_log_level New 3 + preopen:reset_log_level New 5 + preopen:push_log_level New 3 + preopen:queue_log_level New 10 + server max protocol Values Removed + server min protocol Values Removed + server multi channel support Changed Yes (on Linux and FreeBSD) + server smb3 signing algorithms New see man smb.conf + server smb3 encryption algorithms New see man smb.conf + winbind use krb5 enterprise principals Changed Yes + winbind scan trusted domains Changed No + + +CHANGES SINCE 4.15.0rc6 +======================= + +o Andrew Bartlett <abart...@samba.org> + * BUG 14791: All the ways to specify a password are not documented. + +o Ralph Boehme <s...@samba.org> + * BUG 14790: vfs_btrfs compression support broken. + * BUG 14828: Problems with commandline parsing. + * BUG 14829: smbd crashes when "ea support" is set to no. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should + use the same strings as smbstatus output. + * BUG 14828: Problems with commandline parsing. + +o Alex Richardson <alexander.richard...@cl.cam.ac.uk> + * BUG 8773: smbd fails to run as root because it belongs to more than 16 + groups on MacOS X. + +o Martin Schwenke <mar...@meltin.net> + * BUG 14784: Fix CTDB flag/status update race conditions. + + +CHANGES SINCE 4.15.0rc5 +======================= + +o Andrew Bartlett <abart...@samba.org> + * BUG 14806: Address a signifcant performance regression in database access + in the AD DC since Samba 4.12. + * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since + Samba 4.9 by using an explicit database handle cache. + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + * BUG 14818: Address flapping samba_tool_drs_showrepl test. + * BUG 14819: Address flapping dsdb_schema_attributes test. + +o Luke Howard <lu...@padl.com> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Andreas Schneider <a...@samba.org> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + + +CHANGES SINCE 4.15.0rc4 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 14809: Shares with variable substitutions cause core dump upon + connection from MacOS Big Sur 11.5.2. + * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH + build. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14815: A subset of tests from Samba's selftest system were not being + run, while others were run twice. + +o Ralph Boehme <s...@samba.org> + * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS. + * BUG 14787: net conf list crashes when run as normal user, + * BUG 14803: smbd/winbindd started in daemon mode generate output on + stderr/stdout. + * BUG 14804: winbindd can crash because idmap child state is not fully + initialized. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS. + + +CHANGES SINCE 4.15.0rc3 +======================= + +o Bjoern Jacke <b...@sernet.de> + * BUG 14800: util_sock: fix assignment of sa_socklen. + + +CHANGES SINCE 4.15.0rc2 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 14760: vfs_streams_depot directory creation permissions and store + location problems. + * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW. + * BUG 14769: smbd panic on force-close share during offload write. + * BUG 14805: OpenDir() loses the correct errno return. + +o Ralph Boehme <s...@samba.org> + * BUG 14795: copy_file_range() may fail with EOPNOTSUPP. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14793: Start the SMB encryption as soon as possible. + +o Andreas Schneider <a...@samba.org> + * BUG 14779: Winbind should not start if the socket path is too long. + +o Noel Power <noel.po...@suse.com> + * BUG 14760: vfs_streams_depot directory creation permissions and store + location problems. + + +CHANGES SINCE 4.15.0rc1 +======================= + +o Andreas Schneider <a...@samba.org> -- Samba Website Repository