Release Announcements --------------------- This is the first stable release of the Samba 4.16 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES =================== New samba-dcerpcd binary to provide DCERPC in the member server setup --------------------------------------------------------------------- In order to make it much easier to break out the DCERPC services from smbd, a new samba-dcerpcd binary has been created. samba-dcerpcd can be used in two ways. In the normal case without startup script modification it is invoked on demand from smbd or winbind --np-helper to serve DCERPC over named pipes. Note that in order to run in this mode the smb.conf [global] section has a new parameter "rpc start on demand helpers = [true|false]". This parameter is set to "true" by default, meaning no changes to smb.conf files are needed to run samba-dcerpcd on demand as a named pipe helper. It can also be used in a standalone mode where it is started separately from smbd or winbind but this requires changes to system startup scripts, and in addition a change to smb.conf, setting the new [global] parameter "rpc start on demand helpers = false". If "rpc start on demand helpers" is not set to false, samba-dcerpcd will refuse to start in standalone mode. Note that when Samba is run in the Active Directory Domain Controller mode the samba binary that provides the AD code will still provide its normal DCERPC services whilst allowing samba-dcerpcd to provide services like SRVSVC in the same way that smbd used to in this configuration. The parameters that allowed some smbd-hosted services to be started externally are now gone (detailed below) as this is now the default setting. samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations. Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support ------------------------------------------------------------------ Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos implementation.? This snapshot has now been updated and will closely match what will be released as Heimdal 8.0 shortly. This is a major update, previously we used a snapshot of Heimdal from 2011, and brings important new Kerberos security features such as Kerberos request armoring, known as FAST.? This tunnels ticket requests and replies that might be encrypted with a weak password inside a wrapper built with a stronger password, say from a machine account. In Heimdal and MIT modes Samba's KDC now supports FAST, for the support of non-Windows clients. Windows clients will not use this feature however, as they do not attempt to do so against a server not advertising domain Functional Level 2012.? Samba users are of course free to modify how Samba advertises itself, but use with Windows clients is not supported "out of the box". Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of the FAST protocol.? A future version will align this more closely with Microsoft AD behaviour. If FAST needs to be disabled on your Samba KDC, set ?kdc enable fast = no in the smb.conf. The Samba project wishes to thank the numerous developers who have put in a massive effort to make this possible over many years.? In particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, Isaac Boukris and Andrew Bartlett.? Samba's developers in turn thank their employers and in turn their customers who have supported this effort over many years. Certificate Auto Enrollment --------------------------- Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy. To enable Certificate Auto Enrollment, Samba's group policy will need to be enabled by setting the smb.conf option `apply group policies` to Yes. Samba Certificate Auto Enrollment depends on certmonger, the cepces certmonger plugin, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates. Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs. Ability to add ports to dns forwarder addresses in internal DNS backend ----------------------------------------------------------------------- The internal DNS server of Samba forwards queries non-AD zones to one or more configured forwarders. Up until now it has been assumed that these forwarders listen on port 53. Starting with this version it is possible to configure the port using host:port notation. See smb.conf for more details. Existing setups are not affected, as the default port is 53. CTDB changes ------------ * The "recovery master" role has been renamed "leader" ? Documentation and logs now refer to "leader". ? The following ctdb tool command names have changed: ??? recmaster -> leader ??? setrecmasterrole -> setleaderrole ? Command output has changed for the following commands: ??? status ??? getcapabilities ? The "[legacy] -> recmaster capability" configuration option has been ? renamed and moved to the cluster section, so this is now: ??? [cluster] -> leader capability * The "recovery lock" has been renamed "cluster lock" ? Documentation and logs now refer to "cluster lock". ? The "[cluster] -> recovery lock" configuration option has been ? deprecated and will be removed in a future version.? Please use ? "[cluster] -> cluster lock" instead. ? If the cluster lock is enabled then traditional elections are not ? done and leader elections use a race for the cluster lock.? This ? avoids various conditions where a node is elected leader but can not ? take the cluster lock.? Such conditions included: ? - At startup, a node elects itself leader of its own cluster before ??? connecting to other nodes ? - Cluster filesystem failover is slow ? The abbreviation "reclock" is still used in many places, because a ? better abbreviation eludes us (i.e. "clock" is obvious bad) and ? changing all instances would require a lot of churn.? If the ? abbreviation "reclock" for "cluster lock" is confusing, please ? consider mentally prefixing it with "really excellent". * CTDB now uses leader broadcasts and an associated timeout to ? determine if an election is required ? The leader broadcast timeout can be configured via new configuration ? option ??? [cluster] -> leader timeout ? This specifies the number of seconds without leader broadcasts ? before a node calls an election.? The default is 5. REMOVED FEATURES =============== Older SMB1 protocol SMBCopy command removed ------------------------------------------- SMB is a nearly 30-year old protocol, and some protocol commands that while supported in all versions, have not seen widespread use. One of those is SMBCopy, a feature for a server-side copy of a file. This feature has been so unmaintained that Samba has no testsuite for it. The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was introduced in the LAN Manager 1.0 dialect and it was rendered obsolete in the NT LAN Manager dialect. Therefore it has been removed from the Samba smbd server. We do note that a fully supported and tested server-side copy is present in SMB2, and can be accessed with "scopy" subcommand in smbclient) SMB1 server-side wildcard expansion removed ------------------------------------------- Server-side wildcard expansion is another feature that sounds useful, but is also rarely used and has become problematic - imposing extra work on the server (both in terms of code and CPU time). In actual OS design, wildcard expansion is handled in the local shell, not at the remote server using SMB wildcard syntax (which is not shell syntax). In Samba 4.16 the ability to process file name wildcards in requests using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 command number 0x6) has been removed. SMB1 protocol has been deprecated, particularly older dialects -------------------------------------------------------------- We take this opportunity to remind that we have deprecated and disabled by default, but not removed, the whole SMB1 protocol since Samba 4.11.? If needed for security purposes or code maintenance we will continue to remove older protocol commands and dialects that are unused or have been replaced in more modern SMB1 versions. We specifically deprecate the older dialects older than "NT LM 0.12" (also known as "NT LANMAN 1.0" and "NT1"). Please note that "NT LM 0.12" is the dialect used by software as old as Windows 95, Windows NT and Samba 2.0, so this deprecation applies to DOS and similar era clients. We do reassure that that 'simple' operation of older clients than these (eg DOS) will, while untested, continue for the near future, our purpose is not to cripple use of Samba in unique situations, but to reduce the maintaince burden. Eventually SMB1 as a whole will be removed, but no broader change is announced for 4.16. In the rare case where the above changes cause incompatibilities, users requiring support for these features will need to use older versions of Samba. No longer using Linux mandatory locks for sharemodes =================================================== smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel was broken for a long time, and is planned to be removed with Linux 5.15. This Samba release removes the usage of mandatory locks for sharemodes and the "kernel share modes" config parameter is changed to default to "no". The Samba VFS interface is kept, so that file-system specific VFS modules can still use private calls for enforcing sharemodes. smb.conf changes =============== ? Parameter Name????????????????????????? Description???? Default ? --------------????????????????????????? -----------???? ------- ? kernel share modes????????????????????? New default???? No ? dns forwarder?????????????????????????? Changed ? rpc_daemon????????????????????????????? Removed ? rpc_server????????????????????????????? Removed ? rpc start on demand helpers???????????? Added?????????? true CHANGES SINCE 4.16.0rc5 ====================== o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 15000: Memory leak in FAST cookie handling. o? Elia Geretto <elia.f.geretto at gmail.com> ?? * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES ???? in SMBC_server_internal. o? Stefan Metzmacher <metze at samba.org> ?? * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded ???? users). ?? * BUG 14641: Crash of winbind on RODC. ?? * BUG 15001: LDAP simple binds should honour "old password allowed period". ?? * BUG 15002: S4U2Self requests don't work against servers without FAST ???? support. ?? * BUG 15003: wbinfo -a doesn't work reliable with upn names. ?? * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and ???? without FAST. ?? * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => ???? INTERNAL_ERROR. o? Garming Sam <garming at catalyst.net.nz> ?? * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded ???? users). o? Andreas Schneider <asn at samba.org> ?? * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single ???? KDC. o? Joseph Sutton <josephsutton at catalyst.net.nz> ?? * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => ???? INTERNAL_ERROR. CHANGES SINCE 4.16.0rc4 ====================== o? Jeremy Allison <jra at samba.org> ?? * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 ???? objects with same lease key. o? Jule Anger <janger at samba.org> ?? * BUG 14999: Listing shares with smbstatus no longer works. o? Douglas Bagnall <douglas.bagnall at catalyst.net.nz> ?? * BUG 14996: Fix ldap simple bind with TLS auditing. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. o? Volker Lendecke <vl at samba.org> ?? * BUG 14989: Fix a use-after-free in SMB1 server. o? Stefan Metzmacher <metze at samba.org> ?? * BUG 14865: Uncached logon on RODC always fails once. ?? * BUG 14984: Changing the machine password against an RODC likely destroys ???? the domain join. ?? * BUG 14993: authsam_make_user_info_dc() steals memory from its struct ???? ldb_message *msg argument. ?? * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. o? Joseph Sutton <josephsutton at catalyst.net.nz> ?? * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. CHANGES SINCE 4.16.0rc3 ====================== o? Samuel Cabrero <scabrero at suse.de> ?? * BUG 14979: Problem when winbind renews Kerberos. o? Bj?rn Jacke <bj at sernet.de> ?? * BUG 13631: DFS fix for AIX broken. ?? * BUG 14974: Solaris and AIX acl modules: wrong function arguments. ?? * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump. o? Andreas Schneider <asn at samba.org> ?? * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the ???? id range only once. o? Martin Schwenke <martin at meltin.net> ?? * BUG 14958: CTDB can get stuck in election and recovery. CHANGES SINCE 4.16.0rc2 ====================== o? Jeremy Allison <jra at samba.org> ?? * BUG 14169: Renaming file on DFS root fails with ???? NT_STATUS_OBJECT_PATH_NOT_FOUND. ?? * BUG 14938: NT error code is not set when overwriting a file during rename ???? in libsmbclient. o? Ralph Boehme <slow at samba.org> ?? * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted ???? server. o? Pavel Filipensk? <pfilipen at redhat.com> ?? * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file. o? Volker Lendecke <vl at samba.org> ?? * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently ???? during strcpy in tdbsam_getsampwnam. ?? * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp. o? Stefan Metzmacher <metze at samba.org> ?? * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with ???? gnutls_aead_cipher_decrypt() from gnutls before 3.5.2. o? Andreas Schneider <asn at samba.org> ?? * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side ???? effects. CHANGES SINCE 4.16.0rc1 ====================== o? Jeremy Allison <jra at samba.org> ?? * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the ???? outside target of a symlink exists. o? Ralph Boehme <slow at samba.org> ?? * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit ???? module. ?? * BUG 14961: install elasticsearch_mappings.json o? FeRD (Frank Dana) <ferdnyc at gmail.com> ?? * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings ???? without NotifyAccess=all. o? Stefan Metzmacher <metze at samba.org> ?? * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly ???? rollup patch. ?? * BUG 14956: ndr_push_string() adds implicit termination for ???? STR_NOTERM|REMAINING empty strings. o? Joseph Sutton <josephsutton at catalyst.net.nz> ?? * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict ???? checks. KNOWN ISSUES =========== https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ======================================================================= Our Code, Our Bugs, Our Responsibility. == The Samba Team ===================================================================== ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? https://download.samba.org/pub/samba/stable/ The release notes are available online at: ??????? https://www.samba.org/samba/history/samba-4.16.0.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team
Peter Eriksson
2022-Mar-24 13:09 UTC
[Samba] [Announce] Samba 4.16.0 Available for Download
Build of Samba 4.16.0 fails for me on FreeBSD 12.3 with: ? PYTHONHASHSEED=1 WAF_MAKE=1 ./buildtools/bin/waf build Waf: Entering directory `/export/software/Build/samba/samba-4.16.0/bin/default' Selected embedded Heimdal build Checking project rules ... ERROR: target pamwinbind.objlist: dependency target samba_intl is missing samba_builtin_subsystem Reported: https://bugzilla.samba.org/show_bug.cgi?id=15030 <https://bugzilla.samba.org/show_bug.cgi?id=15030> Dunno what to do about it (probably needs to add samba_builtin_subsystem to some large samba_intl but? :-) - Peter> On 21 Mar 2022, at 13:40, Jule Anger via samba <samba at lists.samba.org> wrote: > > Release Announcements > --------------------- > > This is the first stable release of the Samba 4.16 release series. > Please read the release notes carefully before upgrading. > > > NEW FEATURES/CHANGES > ===================> > New samba-dcerpcd binary to provide DCERPC in the member server setup > --------------------------------------------------------------------- > > In order to make it much easier to break out the DCERPC services > from smbd, a new samba-dcerpcd binary has been created. > > samba-dcerpcd can be used in two ways. In the normal case without > startup script modification it is invoked on demand from smbd or > winbind --np-helper to serve DCERPC over named pipes. Note that > in order to run in this mode the smb.conf [global] section has > a new parameter "rpc start on demand helpers = [true|false]". > This parameter is set to "true" by default, meaning no changes to > smb.conf files are needed to run samba-dcerpcd on demand as a named > pipe helper. > > It can also be used in a standalone mode where it is started > separately from smbd or winbind but this requires changes to system > startup scripts, and in addition a change to smb.conf, setting the new > [global] parameter "rpc start on demand helpers = false". If "rpc > start on demand helpers" is not set to false, samba-dcerpcd will > refuse to start in standalone mode. > > Note that when Samba is run in the Active Directory Domain Controller > mode the samba binary that provides the AD code will still provide its > normal DCERPC services whilst allowing samba-dcerpcd to provide > services like SRVSVC in the same way that smbd used to in this > configuration. > > The parameters that allowed some smbd-hosted services to be started > externally are now gone (detailed below) as this is now the default > setting. > > samba-dcerpcd can also be useful for use outside of the Samba > framework, for example, use with the Linux kernel SMB2 server ksmbd or > possibly other SMB2 server implementations. > > Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support > ------------------------------------------------------------------ > > Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos > implementation. This snapshot has now been updated and will closely > match what will be released as Heimdal 8.0 shortly. > > This is a major update, previously we used a snapshot of Heimdal from > 2011, and brings important new Kerberos security features such as > Kerberos request armoring, known as FAST. This tunnels ticket > requests and replies that might be encrypted with a weak password > inside a wrapper built with a stronger password, say from a machine > account. > > In Heimdal and MIT modes Samba's KDC now supports FAST, for the > support of non-Windows clients. > > Windows clients will not use this feature however, as they do not > attempt to do so against a server not advertising domain Functional > Level 2012. Samba users are of course free to modify how Samba > advertises itself, but use with Windows clients is not supported "out > of the box". > > Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of > the FAST protocol. A future version will align this more closely with > Microsoft AD behaviour. > > If FAST needs to be disabled on your Samba KDC, set > > kdc enable fast = no > > in the smb.conf. > > The Samba project wishes to thank the numerous developers who have put > in a massive effort to make this possible over many years. In > particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, > Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank > their employers and in turn their customers who have supported this > effort over many years. > > Certificate Auto Enrollment > --------------------------- > > Certificate Auto Enrollment allows devices to enroll for certificates from > Active Directory Certificate Services. It is enabled by Group Policy. > To enable Certificate Auto Enrollment, Samba's group policy will need to be > enabled by setting the smb.conf option `apply group policies` to Yes. Samba > Certificate Auto Enrollment depends on certmonger, the cepces certmonger > plugin, and sscep. Samba uses sscep to download the CA root chain, then uses > certmonger paired with cepces to monitor the host certificate templates. > Certificates are installed in /var/lib/samba/certs and private keys are > installed in /var/lib/samba/private/certs. > > Ability to add ports to dns forwarder addresses in internal DNS backend > ----------------------------------------------------------------------- > > The internal DNS server of Samba forwards queries non-AD zones to one or more > configured forwarders. Up until now it has been assumed that these forwarders > listen on port 53. Starting with this version it is possible to configure the > port using host:port notation. See smb.conf for more details. Existing setups > are not affected, as the default port is 53. > > CTDB changes > ------------ > > * The "recovery master" role has been renamed "leader" > > Documentation and logs now refer to "leader". > > The following ctdb tool command names have changed: > > recmaster -> leader > setrecmasterrole -> setleaderrole > > Command output has changed for the following commands: > > status > getcapabilities > > The "[legacy] -> recmaster capability" configuration option has been > renamed and moved to the cluster section, so this is now: > > [cluster] -> leader capability > > * The "recovery lock" has been renamed "cluster lock" > > Documentation and logs now refer to "cluster lock". > > The "[cluster] -> recovery lock" configuration option has been > deprecated and will be removed in a future version. Please use > "[cluster] -> cluster lock" instead. > > If the cluster lock is enabled then traditional elections are not > done and leader elections use a race for the cluster lock. This > avoids various conditions where a node is elected leader but can not > take the cluster lock. Such conditions included: > > - At startup, a node elects itself leader of its own cluster before > connecting to other nodes > > - Cluster filesystem failover is slow > > The abbreviation "reclock" is still used in many places, because a > better abbreviation eludes us (i.e. "clock" is obvious bad) and > changing all instances would require a lot of churn. If the > abbreviation "reclock" for "cluster lock" is confusing, please > consider mentally prefixing it with "really excellent". > > * CTDB now uses leader broadcasts and an associated timeout to > determine if an election is required > > The leader broadcast timeout can be configured via new configuration > option > > [cluster] -> leader timeout > > This specifies the number of seconds without leader broadcasts > before a node calls an election. The default is 5. > > > REMOVED FEATURES > ===============> > Older SMB1 protocol SMBCopy command removed > ------------------------------------------- > > SMB is a nearly 30-year old protocol, and some protocol commands that > while supported in all versions, have not seen widespread use. > > One of those is SMBCopy, a feature for a server-side copy of a file. > This feature has been so unmaintained that Samba has no testsuite for > it. > > The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was > introduced in the LAN Manager 1.0 dialect and it was rendered obsolete > in the NT LAN Manager dialect. > > Therefore it has been removed from the Samba smbd server. > > We do note that a fully supported and tested server-side copy is > present in SMB2, and can be accessed with "scopy" subcommand in > smbclient) > > SMB1 server-side wildcard expansion removed > ------------------------------------------- > > Server-side wildcard expansion is another feature that sounds useful, > but is also rarely used and has become problematic - imposing extra > work on the server (both in terms of code and CPU time). > > In actual OS design, wildcard expansion is handled in the local shell, > not at the remote server using SMB wildcard syntax (which is not shell > syntax). > > In Samba 4.16 the ability to process file name wildcards in requests > using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), > SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 > command number 0x6) has been removed. > > SMB1 protocol has been deprecated, particularly older dialects > -------------------------------------------------------------- > > We take this opportunity to remind that we have deprecated and > disabled by default, but not removed, the whole SMB1 protocol since > Samba 4.11. If needed for security purposes or code maintenance we > will continue to remove older protocol commands and dialects that are > unused or have been replaced in more modern SMB1 versions. > > We specifically deprecate the older dialects older than "NT LM 0.12" > (also known as "NT LANMAN 1.0" and "NT1"). > > Please note that "NT LM 0.12" is the dialect used by software as old > as Windows 95, Windows NT and Samba 2.0, so this deprecation applies > to DOS and similar era clients. > > We do reassure that that 'simple' operation of older clients than > these (eg DOS) will, while untested, continue for the near future, our > purpose is not to cripple use of Samba in unique situations, but to > reduce the maintaince burden. > > Eventually SMB1 as a whole will be removed, but no broader change is > announced for 4.16. > > In the rare case where the above changes cause incompatibilities, > users requiring support for these features will need to use older > versions of Samba. > > No longer using Linux mandatory locks for sharemodes > ===================================================> > smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel > was broken for a long time, and is planned to be removed with Linux 5.15. This > Samba release removes the usage of mandatory locks for sharemodes and the > "kernel share modes" config parameter is changed to default to "no". The Samba > VFS interface is kept, so that file-system specific VFS modules can still use > private calls for enforcing sharemodes. > > > smb.conf changes > ===============> > Parameter Name Description Default > -------------- ----------- ------- > kernel share modes New default No > dns forwarder Changed > rpc_daemon Removed > rpc_server Removed > rpc start on demand helpers Added true > > > CHANGES SINCE 4.16.0rc5 > ======================> > o Andrew Bartlett <abartlet at samba.org> > * BUG 15000: Memory leak in FAST cookie handling. > > o Elia Geretto <elia.f.geretto at gmail.com> > * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES > in SMBC_server_internal. > > o Stefan Metzmacher <metze at samba.org> > * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded > users). > * BUG 14641: Crash of winbind on RODC. > * BUG 15001: LDAP simple binds should honour "old password allowed period". > * BUG 15002: S4U2Self requests don't work against servers without FAST > support. > * BUG 15003: wbinfo -a doesn't work reliable with upn names. > * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and > without FAST. > * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => > INTERNAL_ERROR. > > o Garming Sam <garming at catalyst.net.nz> > * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded > users). > > o Andreas Schneider <asn at samba.org> > * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single > KDC. > > o Joseph Sutton <josephsutton at catalyst.net.nz> > * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 => > INTERNAL_ERROR. > > > CHANGES SINCE 4.16.0rc4 > ======================> > o Jeremy Allison <jra at samba.org> > * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2 > objects with same lease key. > > o Jule Anger <janger at samba.org> > * BUG 14999: Listing shares with smbstatus no longer works. > > o Douglas Bagnall <douglas.bagnall at catalyst.net.nz> > * BUG 14996: Fix ldap simple bind with TLS auditing. > > o Andrew Bartlett <abartlet at samba.org> > * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. > > o Volker Lendecke <vl at samba.org> > * BUG 14989: Fix a use-after-free in SMB1 server. > > o Stefan Metzmacher <metze at samba.org> > * BUG 14865: Uncached logon on RODC always fails once. > * BUG 14984: Changing the machine password against an RODC likely destroys > the domain join. > * BUG 14993: authsam_make_user_info_dc() steals memory from its struct > ldb_message *msg argument. > * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. > > o Joseph Sutton <josephsutton at catalyst.net.nz> > * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot. > > > CHANGES SINCE 4.16.0rc3 > ======================> > o Samuel Cabrero <scabrero at suse.de> > * BUG 14979: Problem when winbind renews Kerberos. > > o Bj?rn Jacke <bj at sernet.de> > * BUG 13631: DFS fix for AIX broken. > * BUG 14974: Solaris and AIX acl modules: wrong function arguments. > * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump. > > o Andreas Schneider <asn at samba.org> > * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the > id range only once. > > o Martin Schwenke <martin at meltin.net> > * BUG 14958: CTDB can get stuck in election and recovery. > > > CHANGES SINCE 4.16.0rc2 > ======================> > o Jeremy Allison <jra at samba.org> > * BUG 14169: Renaming file on DFS root fails with > NT_STATUS_OBJECT_PATH_NOT_FOUND. > * BUG 14938: NT error code is not set when overwriting a file during rename > in libsmbclient. > > o Ralph Boehme <slow at samba.org> > * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted > server. > > o Pavel Filipensk? <pfilipen at redhat.com> > * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file. > > o Volker Lendecke <vl at samba.org> > * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently > during strcpy in tdbsam_getsampwnam. > * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp. > > o Stefan Metzmacher <metze at samba.org> > * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with > gnutls_aead_cipher_decrypt() from gnutls before 3.5.2. > > o Andreas Schneider <asn at samba.org> > * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side > effects. > > > CHANGES SINCE 4.16.0rc1 > ======================> > o Jeremy Allison <jra at samba.org> > * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the > outside target of a symlink exists. > > o Ralph Boehme <slow at samba.org> > * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit > module. > * BUG 14961: install elasticsearch_mappings.json > > o FeRD (Frank Dana) <ferdnyc at gmail.com> > * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings > without NotifyAccess=all. > > o Stefan Metzmacher <metze at samba.org> > * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly > rollup patch. > * BUG 14956: ndr_push_string() adds implicit termination for > STR_NOTERM|REMAINING empty strings. > > o Joseph Sutton <josephsutton at catalyst.net.nz> > * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict > checks. > > > KNOWN ISSUES > ===========> > https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs > > > ####################################### > Reporting bugs & Development Discussion > ####################################### > > Please discuss this release on the samba-technical mailing list or by > joining the #samba-technical:matrix.org matrix room, or > #samba-technical IRC channel on irc.libera.chat > > If you do report problems then please try to send high quality > feedback. If you don't provide vital information to help us track down > the problem then you will probably be ignored. All bug reports should > be filed under the Samba 4.1 and newer product in the project's Bugzilla > database (https://bugzilla.samba.org/). > > > =====================================================================> == Our Code, Our Bugs, Our Responsibility. > == The Samba Team > =====================================================================> > ===============> Download Details > ===============> > The uncompressed tarballs and patch files have been signed > using GnuPG (ID AA99442FB680B620). The source code can be downloaded > from: > > https://download.samba.org/pub/samba/stable/ > > The release notes are available online at: > > https://www.samba.org/samba/history/samba-4.16.0.html > > Our Code, Our Bugs, Our Responsibility. > (https://bugzilla.samba.org/) > > --Enjoy > The Samba Team > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Michael Tokarev
2022-Mar-26 17:12 UTC
[Samba] [Announce] Samba 4.16.0 Available for Download
We tried to build 4.16 on debian, and are having quite some issues already. First, I had to remove _PUBLIC_ markers from all declarations in tdb.h and talloc.h files, - in debian we package these separately in their own binary packages, and when their header files are included in samba, _PUBLIC_ is already #defined as visibility(hidden), so this clashes with the really- public library. It was really puzzling wrt the linker (ld) behavior. Right now, I'm trying to deal with one missing symbol when dynamically linking libwbclient.so: it misses hex_encode_talloc symbol since obviously lib/util/util.o file is not included into the wbclient library link line. Is libwbclient.so supposed to be buildable as shared library? Thanks, /mjt