[Announce] Samba 4.7.0rc3 Available for Download
kseeger at samba.org
Tue Jul 25 09:18:33 UTC 2017
This is the third release candidate of Samba 4.7. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
Samba 4.7 will be the next version of the Samba suite.
smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
banner when connecting to the first server. With SMB2 and Kerberos
there's no way to print this information reliable. Now we avoid it at all
consistently. In interactive session the following banner is now presented
to the user: 'Try "help" do get a list of possible commands.'.
The default for "client max protocol" has changed to "SMB3_11",
which means that smbclient (and related commands) will work against
servers without SMB1 support.
It's possible to use the '-m/--max-protocol' option to overwrite
the "client max protocol" option temporary.
Note that the '-e/--encrypt' option also works with most SMB3 servers
(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
are not required for encryption.
The change to SMB3_11 as default also means smbclient no longer
negotiates SMB1 unix extensions by default, when talking to a Samba server with
"unix extensions = yes". As a result some commands are not available, e.g.
posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
Note the default ("CORE") for "client min protocol" hasn't changed,
so it's still possible to connect to SMB1-only servers by default.
smbclient learned a new command "deltree" that is able to do
a recursive deletion of a directory tree.
Whole DB read locks: Improved LDAP and replication consistency
Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
erronously did not take whole-DB read locks to protect search
and DRS replication operations.
While each object returned remained subject to a record-level lock (so
would remain consistent to itself), under a race condition with a
rename or delete, it and any links (like the member attribute) to it
would not be returned.
The symptoms of this issue include:
Replication failures with this error showing in the client side logs:
error during DRS repl ADD: No objectClass found in replPropertyMetaData for
Failed to commit objects:
A crash of the server, in particular the rpc_server process with
INTERNAL ERROR: Signal 11
LDAP read inconsistency
A DN subject to a search at the same time as it is being renamed
may not appear under either the old or new name, but will re-appear
for a subsequent search.
See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
and updated advise on database recovery for affected installations.
Samba AD with MIT Kerberos
After four years of development, Samba finally supports compiling and
running Samba AD with MIT Kerberos. You can enable it with:
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
The krb5-devel and krb5-server packages are required.
The feature set is not on par with with the Heimdal build but the most important
things, like forest and external trusts, are working. Samba uses the KDC binary
provided by MIT Kerberos.
Missing features, compared to Heimdal, are:
* PKINIT support
* S4U2SELF/S4U2PROXY support
* RODC support (not fully working with Heimdal either)
The Samba AD process will take care of starting the MIT KDC and it will load a
KDB (Kerberos Database) driver to access the Samba AD database. When
provisioning an AD DC using 'samba-tool' it will take care of creating a correct
kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
kdc.conf by default. It is possible to use a different location during
provision. You should consult the 'samba-tool' help and smb.conf manpage for
Dynamic RPC port range
The dynamic port range for RPC services has been changed from the old default
value 1024-1300 to 49152-65535. This port range is not only used by a
Samba AD DC but also applies to all other server roles including NT4-style
domain controllers. The new value has been defined by Microsoft in Windows
Server 2008 and newer versions. To make it easier for Administrators to control
those port ranges we use the same default and make it configurable with the
option: 'rpc server dynamic port range'.
The 'rpc server port' option sets the first available port from the new
'rpc server dynamic port range' option. The option 'rpc server port' only
applies to Samba provisioned as an AD DC.
Authentication and Authorization audit support
Detailed authentication and authorization audit information is now
logged to Samba's debug logs under the "auth_audit" debug class,
including in particular the client IP address triggering the audit
line. Additionally, if Samba is compiled against the jansson JSON
library, a JSON representation is logged under the "auth_json_audit"
Audit support is comprehensive for all authentication and
authorisation of user accounts in the Samba Active Directory Domain
Controller, as well as the implicit authentication in password
changes. In the file server and classic/NT4 domain controller, NTLM
authentication, SMB and RPC authorization is covered, however password
changes are not at this stage, and this support is not currently
backed by a testsuite.
Multi-process LDAP Server
The LDAP server in the AD DC now honours the process model used for
the rest of the samba process, rather than being forced into a single
process. This aids in Samba's ability to scale to larger numbers of AD
clients and the AD DC's overall resiliency, but will mean that there is a
fork()ed child for every LDAP client, which may be more resource
intensive in some situations.
Improved Read-Only Domain Controller (RODC) Support
Support for RODCs in Samba AD until now has been experimental. With this latest
version, many of the critical bugs have been fixed and the RODC can be used in
DC environments requiring no writable behaviour. RODCs now correctly support
bad password lockouts and password disclosure auditing through the
The fixes made to the RWDC will also allow Windows RODC to function more
correctly and to avoid strange data omissions such as failures to replicate
groups or updated passwords. Password changes are currently rejected at the
RODC, although referrals should be given over LDAP. While any bad passwords can
trigger domain-wide lockout, good passwords which have not been replicated yet
for a password change can only be used via NTLM on the RODC (and not Kerberos).
The reliability of RODCs locating a writable partner still requires some
improvements and so the 'password server' configuration option is generally
recommended on the RODC.
Additional password hashes stored in supplementalCredentials
A new config option 'password hash userPassword schemes' has been added to
enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
password with reversible encryption). This builds upon previous work to improve
password sync for the AD DC (originally using GPG).
The user command of 'samba-tool' has been updated in order to be able to
extract these additional hashes, as well as extracting the (HTTP) WDigest
hashes that we had also been storing in supplementalCredentials.
Improvements to DNS during Active Directory domain join
The 'samba-tool' domain join command will now add the A and GUID DNS records
(on both the local and remote servers) during a join if possible via RPC. This
should allow replication to proceed more smoothly post-join.
The mname element of the SOA record will now also be dynamically generated to
point to the local read-write server. 'samba_dnsupdate' should now be more
reliable as it will now find the appropriate name server even when resolv.conf
points to a forwarder.
Significant AD performance and replication improvements
Previously, replication of group memberships was been an incredibly expensive
process for the AD DC. This was mostly due to unnecessary CPU time being spent
parsing member linked attributes. The database now stores these linked
attributes in sorted form to perform efficient searches for existing members.
In domains with a large number of group memberships, a join can now be
completed in half the time compared with Samba 4.6.
LDAP search performance has also improved, particularly in the unindexed search
case. Parsing and processing of security descriptors should now be more
efficient, improving replication but also overall performance.
Query record for open file or directory
The record attached to an open file or directory in Samba can be
queried through the 'net tdb locking' command. In clustered Samba this
can be useful to determine the file or directory triggering
corresponding "hot" record warnings in ctdb.
Removal of lpcfg_register_defaults_hook()
The undocumented and unsupported function lpcfg_register_defaults_hook()
that was used by external projects to call into Samba and modify
smb.conf default parameter settings has been removed. If your project
was using this call please raise the issue on
samba-technical at lists.samba.org in order to design a supported
way of obtaining the same functionality.
Change of loadable module interface
The _init function of all loadable modules in Samba has changed
NTSTATUS _init(TALLOC_CTX *);
This allows a program loading a module to pass in a long-lived
talloc context (which must be guaranteed to be alive for the
lifetime of the module). This allows modules to avoid use of
the talloc_autofree_context() (which is inherently thread-unsafe)
and still be valgrind-clean on exit. Modules that don't need to
free long-lived data on exit should use the NULL talloc context.
* CTDB no longer allows mixed minor versions in a cluster
See the AllowMixedVersions tunable option in ctdb-tunables(7) and also
* CTDB now ignores hints from Samba about TDB flags when attaching to databases
CTDB will use the correct flags depending on the type of database.
For clustered databases, the smb.conf setting
dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues
to use the TDBMutexEnabled tunable.
* New configuration variable CTDB_NFS_CHECKS_DIR
See ctdbd.conf(5) for more details.
* The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been
To continue to manage/unmanage services while CTDB is running:
- Start service by hand and then flag it as managed
- Mark service as unmanaged and shut it down by hand
- In some cases CTDB does something fancy - e.g. start Samba under
"nice", so care is needed. One technique is to disable the
eventscript, mark as managed, run the startup event by hand and then
re-enable the eventscript.
* The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
* The example NFS Ganesha call-out has been improved
* A new "replicated" database type is available
Replicated databases are intended for CTDB's internal use to
replicate state data across the cluster, but may find other
uses. The data in replicated databases is valid for the lifetime of
CTDB and cleared on first attach.
The "strict sync" global parameter has been changed from
a default of "no" to "yes". This means smbd will by default
obey client requests to synchronize unwritten data in operating
system buffers safely onto disk. This is a safer default setting
for modern SMB1/2/3 clients.
The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
the previous behaviour. Two new values have been provided,
'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1)
and 'disabled', totally disabling NTLM authentication and password
Parameter Name Description Default
-------------- ----------- -------
allow unsafe cluster upgrade New parameter no
auth event notification New parameter no
auth methods Deprecated
client max protocol Effective SMB3_11
map untrusted to domain New value/ auto
mit kdc command New parameter
profile acls Deprecated
rpc server dynamic port range New parameter 49152-65535
strict sync Default changed yes
password hash userPassword schemes New parameter
ntlm auth New values ntlmv2-only
CHANGES SINCE 4.7.0rc2
o Jeremy Allison <jra at samba.org>
* BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
* BUG 12899: s3: libsmb: Reverse sense of 'clear all attributes', ignore
attribute change in SMB2 to match SMB1.
* BUG 12914: s3: smbclient: Add new command deltree.
o Ralph Boehme <slow at samba.org>
* BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories
* BUG 12887: Remove SMB_VFS_STRICT_UNLOCK noop from the VFS.
* BUG 12891: Enable TDB mutexes in dbwrap and ctdb.
* BUG 12897: vfs_fruit: don't use MS NFS ACEs with Windows clients.
* BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
o Alexander Bokovoy <ab at samba.org>
* BUG 12905: Build py3 versions of other rpc modules.
o Günther Deschner <gd at samba.org>
* BUG 12840: vfs_fruit: Add "fruit:model = <modelname>" parametric option.
o Dustin L. Howett
* BUG 12720: idmap_ad: Retry query_user exactly once if we get
o Amitay Isaacs <amitay at gmail.com>
* BUG 12891: dbwrap_ctdb: Fix calculation of persistent flag.
o Thomas Jarosch <thomas.jarosch at intra2net.com>
* BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
o Volker Lendecke <vl at samba.org>
* BUG 12925: smbd: Fix a connection run-down race condition.
o Stefan Metzmacher <metze at samba.org>
* tevent: version 0.9.33: make tevent_req_print() more robust against crashes.
* ldb: version 1.2.1
* BUG 12882: Do not install _ldb_text.py if we have system libldb.
* BUG 12890: s3:smbd: consistently use talloc_tos() memory for
* BUG 12900: Fix index out of bound in ldb_msg_find_common_values.
o Rowland Penny <rpenny at samba.org>
* BUG 12884: Easily edit a users object in AD, as if using 'ldbedit'.
o Bernhard M. Wiedemann <bwiedemann at suse.de>
* BUG 12906: s3: drop build_env
o Andreas Schneider <asn at samba.org>
* BUG 12882: waf: Do not install _ldb_text.py if we have system libldb.
o Martin Schwenke <martin at meltin.net>
* BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
CHANGES SINCE 4.7.0rc1
o Jeffrey Altman <jaltman at secure-endpoints.com>
* BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
Reporting bugs & Development Discussion
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
The release notes are available online at:
Our Code, Our Bugs, Our Responsibility.
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 163 bytes
Desc: not available
More information about the samba-technical