[Samba] [Announce] Samba 4.17.0rc4 Available for Download

Jule Anger janger at samba.org
Tue Aug 30 15:12:32 UTC 2022

Release Announcements

This is the fourth release candidate of Samba 4.17.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.17 will be the next version of the Samba suite.



SMB Server performance improvements

The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for meta data heavy workloads.

With 4.17 the situation improved a lot again:

- Pathnames given by a client are devided into dirname and basename.
   The amount of syscalls to validate dirnames is reduced to 2 syscalls
   (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
   makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
   in order to just use 2 syscalls (openat2, close) for the whole dirname.

- Contended path based operations used to generate a lot of unsolicited
   wakeup events causing thundering herd problems, which lead to masive
   latencies for some clients. These events are now avoided in order
   to provide stable latencies and much higher throughput of open/close

Configure without the SMB1 Server

It is now possible to configure Samba without support for
the SMB1 protocol in smbd. This can be selected at configure
time with either of the options:


By default (without either of these options set) Samba
is configured to include SMB1 support (i.e. --with-smb1-server
is the default). When Samba is configured without SMB1 support,
none of the SMB1 code is included inside smbd except the minimal
stub code needed to allow a client to connect as SMB1 and immediately
negotiate the selected protocol into SMB2 (as a Windows server also

None of the SMB1-only smb.conf parameters are removed when
configured without SMB1, but these parameters are ignored by
the smbd server. This allows deployment without having to change
an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba
to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections
even when Samba is configured as --without-smb1-server. This is
to ensure maximum compatibility with environments containing old
SMB1 servers.

Bronze bit and S4U support with MIT Kerberos 1.20

In 2020 Microsoft Security Response Team received another Kerberos-related
report. Eventually, that led to a security update of the CVE-2020-17049,
Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
Bit’. With this vulnerability, a compromised service that is configured 
to use
Kerberos constrained delegation feature could tamper with a service 
ticket that
is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able able to 
mitigate the
‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) 
API was
changed to allow passing more details between KDC and KDB components. 
When built
against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 
but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
S4U2Self and S4U2Proxy Kerberos extensions.

Resource Based Constrained Delegation (RBCD) support

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
Note that samba-tool lacks support for setting this up yet!

To complete RBCD support and make it useful to Administrators we added the
Asserted Identity [1] SID into the PAC for constrained delegation. This is
available for Samba AD compiled with MIT Kerberos 1.20.


Customizable DNS listening port

It is now possible to set a custom listening port for the builtin DNS 
making easy to host another DNS on the same system that would bind to the
default port and forward the domain-specific queries to Samba using the 
port. This is the opposite configuration of setting a forwarder in Samba.

It makes possible to use another DNS server as a front and forward to Samba.

Dynamic DNS updates may not be proxied by the front DNS server when 
to Samba. Dynamic DNS update proxying depends on the features of the 
other DNS
server used as a front.

CTDB changes

* When Samba is configured with both --with-cluster-support and
   --systemd-install-services then a systemd service file for CTDB will
   be installed.

* ctdbd_wrapper has been removed.  ctdbd is now started directly from
   a systemd service file or init script.

* The syntax for the ctdb.tunables configuration file has been
   relaxed.  However, trailing garbage after the value, including
   comments, is no longer permitted.  Please see ctdb-tunables(7) for
   more details.

Operation without the (unsalted) NT password hash

When Samba is configured with 'nt hash store = never' then Samba will
no longer store the (unsalted) NT password hash for users in Active
Directory.  (Trust accounts, like computers, domain controllers and
inter-domain trusts are not impacted).

In the next version of Samba the default for 'nt hash store' will
change from 'always' to 'auto', where it will follow (behave as 'nt
hash store = never' when 'ntlm auth = disabled' is set.

Security-focused deployments of Samba that have eliminated NTLM from
their networks will find setting 'ntlm auth = disabled' with 'nt hash
store = always' as a useful way to improve compliance with
best-practice guidance on password storage (which is to always use an
interated hash).

Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
Kerberos keys will not be available for users who subsequently change
their password, as these keys derive their values from NT hashes. AES
keys are stored by default for all deployments of Samba with Domain
Functional Level 2008 or later, are supported by all modern clients,
and are much more secure.

Finally, also note that password history in Active Directory is stored
in nTPwdHistory using a series of NT hash values.  Therefore the full
password history feature is not available in this mode.

To provide some protection against password re-use previous Kerberos
hash values (the current, old and older values are already stored) are
used, providing a history length of 3.

There is one small limitation of this workaround: Changing the
sAMAccountName, userAccountControl or userPrincipalName of an account
can cause the Kerberos password salt to change.  This means that after
*both* an account rename and a password change, only the current
password will be recognised for password history purposes.

Python API for smbconf

Samba's smbconf library provides a generic frontend to various
configuration backends (plain text file, registry) as a C library. A
new Python wrapper, importable as 'samba.smbconf' is available. An
additional module, 'samba.samba3.smbconf', is also available to enable
registry backend support. These libraries allow Python programs to
read, and optionally write, Samba configuration natively.

JSON support for smbstatus

It is now possible to print detailed information in JSON format in
the smbstatus program using the new option --json. The JSON output
covers all the existing text output including sessions, connections,
open files, byte-range locks, notifies and profile data with all
low-level information maintained by Samba in the respective databases.


LanMan Authentication and password storage removed from the AD DC

The storage and authentication with LanMan passwords has been entirely
removed from the Samba AD DC, even when "lanman auth = yes" is set.

smb.conf changes

   Parameter Name                          Description     Default
   --------------                          -----------     -------
   dns port                                New default     53
   nt hash store                  New parameter   always
   volume serial number              New parameter   -1


o  Anoop C S <anoopcs at samba.org>
    * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.


o  Jeremy Allison <jra at samba.org>
    * BUG 15128: Possible use after free of connection_struct when iterating

o  Christian Ambach <ambi at samba.org>
    * BUG 15145: `net usershare add` fails with flag works with --long 
but fails
      with -l.

o  Ralph Boehme <slow at samba.org>
    * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
      permissions instead of ACL from xattr.

o  Stefan Metzmacher <metze at samba.org>
    * BUG 15125: Performance regression on contended path based operations.
    * BUG 15148: Missing READ_LEASE break could cause data corruption.

o  Andreas Schneider <asn at samba.org>
    * BUG 15141: libsamba-errors uses a wrong version number.

o  Joseph Sutton <josephsutton at catalyst.net.nz>
    * BUG 15152: SMB1 negotiation can fail to handle connection errors.


o  Jeremy Allison <jra at samba.org>
    * BUG 15143: New filename parser doesn't check veto files smb.conf 
    * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
    * BUG 15146: Backport fileserver related changed to 4.17.0rc2

o  Jule Anger <janger at samba.org>
    * BUG 15147: Manpage for smbstatus json is missing

o  Volker Lendecke <vl at samba.org>
    * BUG 15146: Backport fileserver related changed to 4.17.0rc2

o  Stefan Metzmacher <metze at samba.org>
    * BUG 15125: Performance regression on contended path based operations
    * BUG 15146: Backport fileserver related changed to 4.17.0rc2

o  Andreas Schneider <asn at samba.org>
    * BUG 15140: Fix issues found by coverity in smbstatus json code
    * BUG 15146: Backport fileserver related changed to 4.17.0rc2



Reporting bugs & Development Discussion

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded


The release notes are available online at:


Our Code, Our Bugs, Our Responsibility.

                         The Samba Team

More information about the samba mailing list