Release Announcements
---------------------
This is the first stable release of the Samba 4.13 release series.
Please read the release notes carefully before upgrading.
ZeroLogon
========
Please avoid to set "server schannel = no" and "server schannel=
auto" on all
Samba domain controllers due to the wellknown ZeroLogon issue.
For details please see
https://www.samba.org/samba/security/CVE-2020-1472.html.
NEW FEATURES/CHANGES
===================
Python 3.6 or later required
----------------------------
Samba's minimum runtime requirement for python was raised to Python
3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
3.6 both to access new features and because this is the oldest version
we test with in our CI infrastructure.
This is also the last release where it will be possible to build Samba
(just the file server) with Python versions 2.6 and 2.7.
As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in the NEXT release.
Samba 4.14 to be released in March 2021 will require Python 3.6 or
later to build.
wide links functionality
------------------------
For this release, the code implementing the insecure "wide links =
yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links =
yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure
wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality
without
having to make a change to existing working smb.conf files.
Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.
A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.
NT4-like 'classic' Samba domain controllers
-------------------------------------------
Samba 4.13 deprecates Samba's original domain controller mode.
Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern windows clients.
SMBv1 only protocol options deprecated
--------------------------------------
A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.
REMOVED FEATURES
===============
The deprecated "ldap ssl ads" smb.conf option has been removed.
The deprecated "server schannel" smb.conf option will very likely
removed in the final 4.13.0 release.
smb.conf changes
===============
Parameter Name Description Default
-------------- ----------- -------
ldap ssl ads Removed
smb2 disable lock sequence checking Added No
smb2 disable oplock break retry Added No
domain logons Deprecated no
raw NTLMv2 auth Deprecated no
client plaintext auth Deprecated no
client NTLMv2 auth Deprecated yes
client lanman auth Deprecated no
client use spnego Deprecated yes
server schannel To be removed in 4.13.0
server require schannel:COMPUTER Added
CHANGES SINCE 4.13.0rc5
======================
o Jeremy Allison <jra at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
netr_ServerPasswordSet2 against unencrypted passwords.
o G?nther Deschner <gd at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
"server require schannel:WORKSTATION$ = no" about unsecure
configurations.
o Gary Lockyer <gary at catalyst.net.nz>
* BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
client challenge.
o Stefan Metzmacher <metze at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
challenges in netlogon_creds_server_init()
"server require schannel:WORKSTATION$ = no".
CHANGES SINCE 4.13.0rc4
======================
o Andreas Schneider <asn at samba.org>
* BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS >
3.6.14.
* BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name.
* BUG 14479: The created krb5.conf for 'net ads join' doesn't
have a domain
entry.
o Stefan Metzmacher <metze at samba.org>
* BUG 14482: Fix build problem if libbsd-dev is not installed.
CHANGES SINCE 4.13.0rc3
======================
o David Disseldorp <ddiss at samba.org>
* BUG 14437: build: Toggle vfs_snapper using
"--with-shared-modules".
o Volker Lendecke <vl at samba.org>
* BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
response.
o Stefan Metzmacher <metze at samba.org>
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
response.
CHANGES SINCE 4.13.0rc2
======================
o Andrew Bartlett <abartlet at samba.org>
* BUG 14460: Deprecate domain logons, SMBv1 things.
o G?nther Deschner <gd at samba.org>
* BUG 14318: docs: Add missing winexe manpage.
o Christof Schmitt <cs at samba.org>
* BUG 14166: util: Allow symlinks in directory_create_or_exist.
o Martin Schwenke <martin at meltin.net>
* BUG 14466: ctdb disable/enable can fail due to race condition.
CHANGES SINCE 4.13.0rc1
======================
o Andrew Bartlett <abartlet at samba.org>
* BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
o Isaac Boukris <iboukris at gmail.com>
* BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
o Volker Lendecke <vl at samba.org>
* BUG 14435: winbind: Fix lookuprids cache problem.
o Stefan Metzmacher <metze at samba.org>
* BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
Primary:Kerberos.
o Andreas Schneider <asn at samba.org>
* BUG 14358: docs: Fix documentation for require_membership_of of
pam_winbind.conf.
o Martin Schwenke <martin at meltin.net>
* BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
count.
KNOWN ISSUES
===========
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.13.0.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba-announce/attachments/20200922/c728b457/signature.sig>
Rowland penny
2020-Sep-22 14:23 UTC
[Samba] [Announce] Samba 4.13.0 Available for Download
On 22/09/2020 15:06, Karolin Seeger via samba-technical wrote:> Release Announcements > --------------------- > > This is the first stable release of the Samba 4.13 release series. > Please read the release notes carefully before upgrading. > > > ZeroLogon > ========> > Please avoid to set "server schannel = no" and "server schannel= auto" on all > Samba domain controllers due to the wellknown ZeroLogon issue. > > For details please see > https://www.samba.org/samba/security/CVE-2020-1472.html. > > > REMOVED FEATURES > ===============> > > The deprecated "server schannel" smb.conf option will very likely > removed in the final 4.13.0 release. > > > smb.conf changes > ===============> > Parameter Name Description Default > -------------- ----------- ------- > > server schannel To be removed in 4.13.0 > server require schannel:COMPUTER AddedIs it possible to 'fix' the release notes ? 'server schannel' wasn't removed. I can see confused users here. Rowland
Karolin Seeger
2020-Sep-23 07:41 UTC
[Samba] [Announce] Samba 4.13.0 Available for Download
Hi Rowland, Am 22.09.20 um 16:23 schrieb Rowland penny:> On 22/09/2020 15:06, Karolin Seeger via samba-technical wrote: >> Release Announcements >> --------------------- >> >> This is the first stable release of the Samba 4.13 release series. >> Please read the release notes carefully before upgrading. >> >> >> ZeroLogon >> ========>> >> Please avoid to set "server schannel = no" and "server schannel= auto" >> on all >> Samba domain controllers due to the wellknown ZeroLogon issue. >> >> For details please see >> https://www.samba.org/samba/security/CVE-2020-1472.html. >> >> >> REMOVED FEATURES >> ===============>> >> >> The deprecated "server schannel" smb.conf option will very likely >> removed in the final 4.13.0 release. >> >> >> smb.conf changes >> ===============>> >> ?? Parameter Name????????????????????? Description??????????????? Default >> ?? --------------????????????????????? -----------??????????????? ------- >> >> ?? server schannel???????????????????? To be removed in 4.13.0 >> ?? server require schannel:COMPUTER??? Added > > Is it possible to 'fix' the release notes ? > > 'server schannel' wasn't removed. > > I can see confused users here.sorry, my fault! Yes, I will update it now. Cheers, Karolin -- Karolin Seeger https://samba.org/~kseeger/ Release Manager Samba Team https://samba.org Team Lead Samba SerNet https://sernet.de
Reasonably Related Threads
- [Announce] Samba 4.13.0 Available for Download
- [Announce] Samba 4.13.0rc6 Available for Download
- [Announce] Samba 4.13.0rc6 Available for Download
- [Announce] Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases Available
- [Announce] Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases Available