- Update from version 4.17.0 to 4.17.3
- Update of rootfile (x86_64) - other architectures will need to be adjusted.
- Changelog
Release Notes for Samba 4.17.3
This is a security release in order to address the following defects:
o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
integer overflows when parsing a PAC on a 32-bit system, which
allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15203: CVE-2022-42898
o Nicolas Williams <nico@twosigma.com>
* BUG 15203: CVE-2022-42898
Release Notes for Samba 4.17.2
This is a security release in order to address the following defects:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
o CVE-2022-3592: A malicious client can use a symlink to escape the exported
directory.
https://www.samba.org/samba/security/CVE-2022-3592.html
o Volker Lendecke <vl@samba.org>
* BUG 15207: CVE-2022-3592.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
Release Notes for Samba 4.17.1
o Jeremy Allison <jra@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15174: smbXsrv_connection_shutdown_send result leaked.
* BUG 15182: Flush on a named stream never completes.
* BUG 15195: Permission denied calling SMBC_getatr when file not exists.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
* BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
o Ralph Boehme <slow@samba.org>
* BUG 15182: Flush on a named stream never completes.
o Volker Lendecke <vl@samba.org>
* BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
o Stefan Metzmacher <metze@samba.org>
* BUG 15200: multi-channel socket passing may hit a race if one of the
involved processes already existed.
* BUG 15201: memory leak on temporary of struct imessaging_post_state and
struct tevent_immediate on struct imessaging_context (in
rpcd_spoolss and maybe others).
o Noel Power <noel.power@suse.com>
* BUG 15205: Since popt1.19 various use after free errors using result of
poptGetArg are now exposed.
o Anoop C S <anoopcs@samba.org>
* BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
vfs_glusterfs.
o Andreas Schneider <asn@samba.org>
* BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
On one hand, the key.dns_resolver binary is linked against libkrb5, so this
library at least is required by the base system.
On the other hand this easily allows different services on the firewall
to use kerberos for authentication (ssh etc).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 4.15.5 to 4.16.0
- Update of rootfile
- perl-JSON now added to samba requirements. Additional patch combined with this on for
install of perl-JSON
- Changelog
Release Notes for Samba 4.16.0
NEW FEATURES/CHANGES
New samba-dcerpcd binary to provide DCERPC in the member server setup
In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.
samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.
It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.
Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.
The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.
samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.
Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
implementation. This snapshot has now been updated and will closely
match what will be released as Heimdal 8.0 shortly.
This is a major update, previously we used a snapshot of Heimdal from
2011, and brings important new Kerberos security features such as
Kerberos request armoring, known as FAST. This tunnels ticket
requests and replies that might be encrypted with a weak password
inside a wrapper built with a stronger password, say from a machine
account.
In Heimdal and MIT modes Samba's KDC now supports FAST, for the
support of non-Windows clients.
Windows clients will not use this feature however, as they do not
attempt to do so against a server not advertising domain Functional
Level 2012. Samba users are of course free to modify how Samba
advertises itself, but use with Windows clients is not supported "out
of the box".
Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
the FAST protocol. A future version will align this more closely with
Microsoft AD behaviour.
If FAST needs to be disabled on your Samba KDC, set
kdc enable fast = no
in the smb.conf.
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.
Ability to add ports to dns forwarder addresses in internal DNS backend
The internal DNS server of Samba forwards queries non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.
CTDB changes
* The "recovery master" role has been renamed "leader"
Documentation and logs now refer to "leader".
The following ctdb tool command names have changed:
recmaster -> leader
setrecmasterrole -> setleaderrole
Command output has changed for the following commands:
status
getcapabilities
The "[legacy] -> recmaster capability" configuration option has been
renamed and moved to the cluster section, so this is now:
[cluster] -> leader capability
* The "recovery lock" has been renamed "cluster lock"
Documentation and logs now refer to "cluster lock".
The "[cluster] -> recovery lock" configuration option has been
deprecated and will be removed in a future version. Please use
"[cluster] -> cluster lock" instead.
If the cluster lock is enabled then traditional elections are not
done and leader elections use a race for the cluster lock. This
avoids various conditions where a node is elected leader but can not
take the cluster lock. Such conditions included:
- At startup, a node elects itself leader of its own cluster before
connecting to other nodes
- Cluster filesystem failover is slow
The abbreviation "reclock" is still used in many places, because a
better abbreviation eludes us (i.e. "clock" is obvious bad) and
changing all instances would require a lot of churn. If the
abbreviation "reclock" for "cluster lock" is confusing, please
consider mentally prefixing it with "really excellent".
* CTDB now uses leader broadcasts and an associated timeout to
determine if an election is required
The leader broadcast timeout can be configured via new configuration
option
[cluster] -> leader timeout
This specifies the number of seconds without leader broadcasts
before a node calls an election. The default is 5.
REMOVED FEATURES
Older SMB1 protocol SMBCopy command removed
SMB is a nearly 30-year old protocol, and some protocol commands that
while supported in all versions, have not seen widespread use.
One of those is SMBCopy, a feature for a server-side copy of a file.
This feature has been so unmaintained that Samba has no testsuite for
it.
The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
in the NT LAN Manager dialect.
Therefore it has been removed from the Samba smbd server.
We do note that a fully supported and tested server-side copy is
present in SMB2, and can be accessed with "scopy" subcommand in
smbclient)
SMB1 server-side wildcard expansion removed
Server-side wildcard expansion is another feature that sounds useful,
but is also rarely used and has become problematic - imposing extra
work on the server (both in terms of code and CPU time).
In actual OS design, wildcard expansion is handled in the local shell,
not at the remote server using SMB wildcard syntax (which is not shell
syntax).
In Samba 4.16 the ability to process file name wildcards in requests
using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
command number 0x6) has been removed.
SMB1 protocol has been deprecated, particularly older dialects
We take this opportunity to remind that we have deprecated and
disabled by default, but not removed, the whole SMB1 protocol since
Samba 4.11. If needed for security purposes or code maintenance we
will continue to remove older protocol commands and dialects that are
unused or have been replaced in more modern SMB1 versions.
We specifically deprecate the older dialects older than "NT LM 0.12"
(also known as "NT LANMAN 1.0" and "NT1").
Please note that "NT LM 0.12" is the dialect used by software as old
as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
to DOS and similar era clients.
We do reassure that that 'simple' operation of older clients than
these (eg DOS) will, while untested, continue for the near future, our
purpose is not to cripple use of Samba in unique situations, but to
reduce the maintaince burden.
Eventually SMB1 as a whole will be removed, but no broader change is
announced for 4.16.
In the rare case where the above changes cause incompatibilities,
users requiring support for these features will need to use older
versions of Samba.
No longer using Linux mandatory locks for sharemodes
smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
was broken for a long time, and is planned to be removed with Linux 5.15. This
Samba release removes the usage of mandatory locks for sharemodes and the
"kernel share modes" config parameter is changed to default to "no". The Samba
VFS interface is kept, so that file-system specific VFS modules can still use
private calls for enforcing sharemodes.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
kernel share modes New default No
dns forwarder Changed
rpc_daemon Removed
rpc_server Removed
rpc start on demand helpers Added true
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 4.14.4 to 4.14.6
- Update of rootfile not required
- Changelog
Release Notes for Samba 4.14.6
* BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
* BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
* BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
* BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path.
* BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module.
* BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
* BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
* BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
* BUG 14752: smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
* BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
backend.
* BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup.
Release Notes for Samba 4.14.5
* BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
* BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
Windows ACL for directory handles.
* BUG 14721: s3: smbd: Fix uninitialized memory read in
process_symlink_open() when used with vfs_shadow_copy2().
* BUG 14689: docs: Expand the "log level" docs on audit logging.
* BUG 14714: smbd: Correctly initialize close timestamp fields.
* BUG 14699: Fix gcc11 compiler issues.
* BUG 14718: docs-xml: Update smbcacls manpage.
* BUG 14719: docs: Update list of available commands in rpcclient.
* BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
* BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
set.
* BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 4.14.3 to 4.14.4
- Update of rootfile not required
- Changelog
Release Notes for Samba 4.14.4 April 29, 2021
This is a security release in order to address the following defect:
o CVE-2021-20254: Negative idmap cache entries can cause incorrect
group entries in the Samba file server process token.
Details
o CVE-2021-20254:
The Samba smbd file server must map Windows group identities (SIDs) into unix
group ids (gids). The code that performs this had a flaw that could allow it
to read data beyond the end of the array in the case where a negative cache
entry had been added to the mapping cache. This could cause the calling code
to return those values into the process token that stores the group
membership for a user.
Most commonly this flaw caused the calling code to crash, but an alert user
(Peter Eriksson, IT Department, Linköping University) found this flaw by
noticing an unprivileged user was able to delete a file within a network
share that they should have been disallowed access to.
Analysis of the code paths has not allowed us to discover a way for a
remote user to be able to trigger this flaw reproducibly or on demand,
but this CVE has been issued out of an abundance of caution.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.13.7 to 4.14.3
Change to Samba 4.14 release series
4.13 is now in maintenance mode
4.14 is now the current stable release series
- Update of x86_64 rootfile
- Checked library changes with find-dependencies
No linked programs found
- Changelog
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
vfs_virusfilter_openat.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14586: build: Notice if flex is missing at configure time.
o Ralph Boehme <slow@samba.org>
* BUG 14672: Fix smbd panic when two clients open same file.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 14679: s3: smbd: fix deferred renames.
o Samuel Cabrero <scabrero@samba.org>
* BUG 14675: s3-iremotewinspool: Set the per-request memory context.
o Volker Lendecke <vl@samba.org>
* BUG 14675: Fix memory leak in the RPC server.
o Stefan Metzmacher <metze@samba.org>
* BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
* BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
o David Mulder <dmulder@suse.com>
* BUG 14665: samba-gpupdate: Test that sysvol paths download in
case-insensitive way.
o Sachin Prabhu <sprabhu@redhat.com>
* BUG 14662: smbd: Ensure errno is preserved across fsp destructor.
o Christof Schmitt <cs@samba.org>
* BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
conflict.
o Martin Schwenke <martin@meltin.net>
* BUG 14288: build: Only add -Wl,--as-needed when supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.13.4 to 4.13.7
- Update of x68_64 rootfile
- Changelog
Release Notes for Samba 4.13.7 March 24, 2021
This is a security release in order to address the following defects:
o CVE-2020-27840:
An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
crafted DNs as part of a bind request. More serious heap corruption is likely
also possible.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
bad DNs.
o CVE-2021-20277:
User-controlled LDAP filter strings against the AD DC LDAP server may crash
the LDAP server.
Andrew Bartlett <abartlet@samba.org>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Release Notes for Samba 4.13.5 March 09, 2021
This is the latest stable release of the Samba 4.13 release series.
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
start-up failure.
o Jeremy Allison <jra@samba.org>
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
force a full reload of services.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
expired tombstones.
o Ralph Boehme <slow@samba.org
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
delete-on-close token.
o Peter Eriksson <pen@lysator.liu.se>
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
path.
o Björn Jacke <bj@sernet.de>
* BUG 14624: classicupgrade: Treat old never expires value right.
o Volker Lendecke <vl@samba.org>
* BUG 14636: g_lock: Fix uninitalized variable reads.
o Stefan Metzmacher <metze@samba.org>
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
o Andreas Schneider <asn@samba.org>
* BUG 14625: lib:util: Avoid free'ing our own pointer.
o Paul Wise <pabs3@bonedaddy.net>
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It is complicated to set the password in the C helper binary.
Therefore it is being set by a helper script.
This is still not an optimal solution since the password might be
exposed to the shell environment, but has the advantage that shell
command injection is no longer possible.
Fixes: #12562
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a security release in order to address
CVE-2020-14318 (Missing handle permissions check in SMB1/2/3 ChangeNotify),
CVE-2020-14323 (Unprivileged user can crash winbind) and
CVE-2020-14383 (An authenticated user can crash the DCE/RPC DNS with easily
crafted records).
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Removed 'unrecognized' configure-options.
Deleted empty tab at line end and moved line '-mkdir -p /var/ipfire/samba'
because of error message:
'mkdir: cannot create directory ‘/var/ipfire/samba’: File exists'
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit updates krb5 to version 1.14.4
The patch is removed, because he is upstream since 1.12.2.
The samba version is incremented, to link samba against the new krb5
version. Otherwise samba for example is linked against
/usr/lib/libkdb5.so.7 but the current version is /usr/lib/libkdb5.so.8
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a security releases in order to address
CVE-2014-0244 (Denial of service - CPU loop) and
CVE-2014-3493 (Denial of service - Server crash/memory corruption).
