[Announce] Samba 4.18.0 Available for Download

Jule Anger janger at samba.org
Wed Mar 8 12:56:31 UTC 2023

Release Announcements

This is the first stable release of the Samba 4.18 release series.
Please read the release notes carefully before upgrading.


SMB Server performance improvements

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.

While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.

More succinct samba-tool error messages

Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:

  * a username or password is incorrect
  * an ldb database filename is wrong (including in smb.conf)
  * samba-tool dns: various zones or records do not exist
  * samba-tool ntacl: certain files are missing
  * the network seems to be down
  * bad --realm or --debug arguments

Accessing the old samba-tool messages

This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.

The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.

Colour output with samba-tool --color

For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.

Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.

  * samba-tool drs showrepl: default is now 'auto', not 'no'

  * samba-tool visualize: the interactions between --color-scheme,
    --color, and --output have changed slightly. When --color-scheme is
    set it overrides --color for the purpose of the output diagram, but
    not for other output like error messages.

New samba-tool dsacl subcommand for deleting ACES

The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.

No colour with NO_COLOR environment variable

With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless

New wbinfo option --change-secret-at

The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.

New option to change the NT ACL default location

Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.

Azure Active Directory / Office365 synchronisation improvements

Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.


smb.conf changes

   Parameter Name                          Description     Default
   --------------                          -----------     -------
   acl_xattr:security_acl_name             New security.NTACL
   server addresses                        New


o  Jeremy Allison <jra at samba.org>
    * BUG 15314: streams_xattr is creating unexpected locks on folders.

o  Volker Lendecke <vl at samba.org>
    * BUG 15310: New samba-dcerpc architecture does not scale gracefully.


o  Andreas Schneider <asn at samba.org>
    * BUG 15308: Avoid that tests fail because other tests didn't do 
cleanup on

o  baixiangcpp <baixiangcpp at gmail.com>
    * BUG 15311: fd_load() function implicitly closes the fd where it 
should not.


o  Jeremy Allison <jra at samba.org>
    * BUG 15301: Improve file_modtime() and issues around smb3 unix test.

o  Ralph Boehme <slow at samba.org>
    * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Stefan Metzmacher <metze at samba.org>
    * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 
      (tevent 0.14.1 and ldb 2.7.1 are already released...)

o  John Mulligan <jmulligan at redhat.com>
    * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
      fsp_get_pathref_fd() in close and fstat.

o  Andreas Schneider <asn at samba.org>
    * BUG 15291: test_chdir_cache.sh doesn't work with 
    * BUG 15301: Improve file_modtime() and issues around smb3 unix test.


o  Andrew Bartlett <abartlet at samba.org>
    * BUG 10635: Office365 azure Password Sync not working.

o  Stefan Metzmacher <metze at samba.org>
    * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Noel Power <noel.power at suse.com>
    * BUG 15293: With clustering enabled samba-bgqd can core dump due to use
      after free.



Reporting bugs & Development Discussion

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded


The release notes are available online at:


Our Code, Our Bugs, Our Responsibility.

                         The Samba Team

More information about the samba-announce mailing list