head 1.5; access; symbols pkgsrc-2023Q3:1.4.0.4 pkgsrc-2023Q3-base:1.4 pkgsrc-2023Q2:1.4.0.2 pkgsrc-2023Q2-base:1.4 pkgsrc-2023Q1:1.3.0.10 pkgsrc-2023Q1-base:1.3 pkgsrc-2022Q4:1.3.0.8 pkgsrc-2022Q4-base:1.3 pkgsrc-2022Q3:1.3.0.6 pkgsrc-2022Q3-base:1.3 pkgsrc-2022Q2:1.3.0.4 pkgsrc-2022Q2-base:1.3 pkgsrc-2022Q1:1.3.0.2 pkgsrc-2022Q1-base:1.3 pkgsrc-2021Q4:1.2.0.24 pkgsrc-2021Q4-base:1.2 pkgsrc-2021Q3:1.2.0.22 pkgsrc-2021Q3-base:1.2 pkgsrc-2021Q2:1.2.0.20 pkgsrc-2021Q2-base:1.2 pkgsrc-2021Q1:1.2.0.18 pkgsrc-2021Q1-base:1.2 pkgsrc-2020Q4:1.2.0.16 pkgsrc-2020Q4-base:1.2 pkgsrc-2020Q3:1.2.0.14 pkgsrc-2020Q3-base:1.2 pkgsrc-2020Q2:1.2.0.12 pkgsrc-2020Q2-base:1.2 pkgsrc-2020Q1:1.2.0.8 pkgsrc-2020Q1-base:1.2 pkgsrc-2019Q4:1.2.0.10 pkgsrc-2019Q4-base:1.2 pkgsrc-2019Q3:1.2.0.6 pkgsrc-2019Q3-base:1.2 pkgsrc-2019Q2:1.2.0.4 pkgsrc-2019Q2-base:1.2 pkgsrc-2019Q1:1.2.0.2 pkgsrc-2019Q1-base:1.2 pkgsrc-2018Q4:1.1.0.32 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.30 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.28 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.26 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.24 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.22 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.18 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.16 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.14 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.12 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.10 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.8 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.6 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.4 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.2 pkgsrc-2015Q2-base:1.1; locks; strict; comment @# @; 1.5 date 2023.11.15.18.54.43; author wiz; state dead; branches; next 1.4; commitid fiF0sOo1KnyBOJME; 1.4 date 2023.04.29.08.01.06; author wiz; state Exp; branches; next 1.3; commitid 8eZ9Hjsd0f4iDYmE; 1.3 date 2022.03.07.21.40.38; author thor; state Exp; branches; next 1.2; commitid lThpKNoRM9eEAkvD; 1.2 date 2019.03.20.19.09.10; author adam; state Exp; branches; next 1.1; commitid 
6hMtylCUPtqDz8gB; 1.1 date 2015.06.26.16.09.49; author jperkin; state Exp; branches; next ; commitid Cc8Xam97HYwDmXqy; desc @@ 1.5 log @samba: update to 4.19.2. This is the first stable release of the Samba 4.19 release series. @ text @$NetBSD: patch-lib_replace_wscript,v 1.4 2023/04/29 08:01:06 wiz Exp $ Skip epoll tests on SunOS, implementation is Linux-specific. --- lib/replace/wscript.orig 2023-02-15 15:14:32.440958000 +0000 +++ lib/replace/wscript @@@@ -480,7 +480,9 @@@@ def configure(conf): conf.CHECK_FUNCS('gai_strerror get_current_dir_name') conf.CHECK_FUNCS('timegm getifaddrs freeifaddrs mmap setgroups syscall setsid') conf.CHECK_FUNCS('getgrent_r getgrgid_r getgrnam_r getgrouplist getpagesize') - conf.CHECK_FUNCS('getpwent_r getpwnam_r getpwuid_r epoll_create') + conf.CHECK_FUNCS('getpwent_r getpwnam_r getpwuid_r') + if not sys.platform.startswith('sunos'): + conf.CHECK_FUNCS('epoll_create') conf.CHECK_FUNCS('getprogname') if not conf.CHECK_FUNCS('copy_file_range'): conf.CHECK_CODE(''' @ 1.4 log @samba: update to 4.18.2. 4.18.2 Changes since 4.18.1 -------------------- o Jeremy Allison * BUG 15302: Log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower. * BUG 15306: Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c. o Andrew Bartlett * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners. * BUG 15329: Reduce flapping of ridalloc test. * BUG 15351: large_ldap test is unreliable. o Ralph Boehme * BUG 15143: New filename parser doesn't check veto files smb.conf parameter. * BUG 15354: mdssvc may crash when initializing. o Volker Lendecke * BUG 15313: large directory optimization broken for non-lcomp path elements. * BUG 15357: streams_depot fails to create streams. * BUG 15358: shadow_copy2 and streams_depot don't play well together. o Rob van der Linde * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py. 
o Stefan Metzmacher * BUG 15317: winbindd idmap child contacts the domain controller without a need. * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the first time. * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings. * BUG 15323: net ads search -P doesn't work against servers in other domains. * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed. o Joseph Sutton * BUG 15316: Flapping tests in samba_tool_drs_show_repl.py. * BUG 15343: Tests use deprecated and removed methods like assertRegexpMatches. 4.18.1 This is a security release in order to address the following defects: o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. https://www.samba.org/samba/security/CVE-2023-0225.html o CVE-2023-0922: The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. https://www.samba.org/samba/security/CVE-2023-0922.html o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. https://www.samba.org/samba/security/CVE-2023-0614.html Changes since 4.18.0 -------------------- o Douglas Bagnall * BUG 15276: CVE-2023-0225. o Andrew Bartlett * BUG 15270: CVE-2023-0614. * BUG 15331: ldb wildcard matching makes excessive allocations. * BUG 15332: large_ldap test is inefficient. o Rob van der Linde * BUG 15315: CVE-2023-0922. o Joseph Sutton * BUG 15270: CVE-2023-0614. * BUG 15276: CVE-2023-0225. 4.18.0 This is the first stable release of the Samba 4.18 release series. Please read the release notes carefully before upgrading. 
NEW FEATURES/CHANGES ==================== SMB Server performance improvements ----------------------------------- The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads. While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again. More succinct samba-tool error messages --------------------------------------- Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include: * a username or password is incorrect * an ldb database filename is wrong (including in smb.conf) * samba-tool dns: various zones or records do not exist * samba-tool ntacl: certain files are missing * the network seems to be down * bad --realm or --debug arguments Accessing the old samba-tool messages ------------------------------------- This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web. The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org. Colour output with samba-tool --color ------------------------------------- For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. 
Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal. Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly. * samba-tool drs showrepl: default is now 'auto', not 'no' * samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages. New samba-tool dsacl subcommand for deleting ACES ------------------------------------------------- The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added. No colour with NO_COLOR environment variable -------------------------------------------- With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR. New wbinfo option --change-secret-at ------------------------------------ The wbinfo command has a new option, --change-secret-at= which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs. 
New option to change the NT ACL default location ------------------------------------------------ Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content. Azure Active Directory / Office365 synchronisation improvements -------------------------------------------------------------- Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment. REMOVED FEATURES ================ smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- acl_xattr:security_acl_name New security.NTACL server addresses New CHANGES SINCE 4.18.0rc4 ======================= o Jeremy Allison * BUG 15314: streams_xattr is creating unexpected locks on folders. o Volker Lendecke * BUG 15310: New samba-dcerpc architecture does not scale gracefully. CHANGES SINCE 4.18.0rc3 ======================= o Andreas Schneider * BUG 15308: Avoid that tests fail because other tests didn't do cleanup on failure. o baixiangcpp * BUG 15311: fd_load() function implicitly closes the fd where it should not. CHANGES SINCE 4.18.0rc2 ======================= o Jeremy Allison * BUG 15301: Improve file_modtime() and issues around smb3 unix test. 
o Ralph Boehme * BUG 15299: Spotlight doesn't work with latest macOS Ventura. o Stefan Metzmacher * BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0). (tevent 0.14.1 and ldb 2.7.1 are already released...) o John Mulligan * BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat. o Andreas Schneider * BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1. * BUG 15301: Improve file_modtime() and issues around smb3 unix test. CHANGES SINCE 4.18.0rc1 ======================= o Andrew Bartlett * BUG 10635: Office365 azure Password Sync not working. o Stefan Metzmacher * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. o Noel Power * BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free. @ text @d1 1 a1 1 $NetBSD: patch-lib_replace_wscript,v 1.3 2022/03/07 21:40:38 thor Exp $ @ 1.3 log @net/samba4: version 4.15.4 This includes a patch (already posted upstream) to fix updated Samba on NetBSD's /proc, so the upgrade is not blocked anymore. Release notes for 4.15: NEW FEATURES/CHANGES ==================== VFS --- The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world. For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the . Bind DLZ: add the ability to set allow/deny lists for zone transfer clients --------------------------------------------------------------------------- Up to now, any client could use a DNS zone transfer request to the bind server, and get an answer from Samba. Now the default behaviour will be to deny those requests. Two new options have been added to manage the list of authorized/denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list. 
"server multi channel support" no longer experimental ----------------------------------------------------- This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now. samba-tool available without the ad-dc -------------------------------------- The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable 'samba-tool'. Improved command line user experience ------------------------------------- Samba utilities did not consistently implement their command line interface. A number of options were requiring to specify values in one tool and not in the other, some options meant different in different tools. These should be stories of the past now. A new command line parser has been implemented with sanity checking. Also the command line interface has been simplified and provides better control for encryption, signing and kerberos. Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options. Also several command line options have a smb.conf variable to control the default now. All tools are now logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default. 
### Common parser: Options added: --client-protection=off|sign|encrypt Options renamed: --kerberos -> --use-kerberos=required|desired|off --krb5-ccache -> --use-krb5-ccache=CCACHE --scope -> --netbios-scope=SCOPE --use-ccache -> --use-winbind-ccache Options removed: -e|--encrypt -C removed from --use-winbind-ccache -i removed from --netbios-scope -S|--signing ### Duplicates in command line utils ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch: -e is still available as an alias for --editor, as it used to be. -s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'. ndrdump: -l is not available for --load-dso anymore net: -l is not available for --long anymore sharesec: -V is not available for --viewsddl anymore smbcquotas: --user -> --quota-user nmbd: --log-stdout -> --debug-stdout smbd: --log-stdout -> --debug-stdout winbindd: --log-stdout -> --debug-stdout Scanning of trusted domains and enterprise principals ----------------------------------------------------- As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases. Support for Offline Domain Join (ODJ) ------------------------------------- The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. 
It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage. 'samba-tool dns zoneoptions' for aging control ---------------------------------------------- The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records. To turn aging on for a zone, you can use something like this: samba-tool dns zoneoptions --aging=1 --refreshinterval=306600 which turns on aging and ensures no records less than five years old are aged out and scavenged. After aging has been on for sufficient time for records to be renewed, the command samba-tool dns zoneoptions --refreshinterval=168 will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal. Marking old records as static or dynamic with 'samba-tool' ---------------------------------------------------------- A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on. --mark-old-records-static --mark-records-dynamic-regex --mark-records-static-regex The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). 
For example, if you upgraded to Samba 4.9 in November 2018, you could ensure no old records will be mistakenly interpreted as dynamic using the following option: samba-tool dns zoneoptions --mark-old-records-static=2018-11-30 Then, if you know that that will have marked some records as static that should be dynamic, and you know which those are due to your naming scheme, you can use commands like: samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop' where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on. These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong. All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead. NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server. DNS tombstones are now deleted as appropriate --------------------------------------------- When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically. Due to a conflation of scavenging and tombstoning, we have only been deleting tombstones when aging is enabled. If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time. DNS tombstones use a consistent timestamp format ------------------------------------------------ DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows). 
We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used). samba-tool dns update and RPC changes ------------------------------------- The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows. 'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses. CVE-2021-3671: Crash in Heimdal KDC and updated security release policy ----------------------------------------------------------------------- An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial Of Service. See https://wiki.samba.org/index.php/Samba_Security_Proces samba-tool domain backup offline with the LMDB backend ------------------------------------------------------ samba-tool domain backup offline, when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup. If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups. REMOVED FEATURES ================ Tru64 ACL support has been removed from this release. The last supported release of Tru64 UNIX was in 2012. NIS support has been removed from this release. This is not available in Linux distributions anymore. The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which have been out of support since 2018. 
smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- client use kerberos New desired client max protocol Values Removed client min protocol Values Removed client protection New default client smb3 signing algorithms New see man smb.conf client smb3 encryption algorithms New see man smb.conf preopen:posix-basic-regex New No preopen:nomatch_log_level New 5 preopen:match_log_level New 5 preopen:nodigits_log_level New 1 preopen:founddigits_log_level New 3 preopen:reset_log_level New 5 preopen:push_log_level New 3 preopen:queue_log_level New 10 server max protocol Values Removed server min protocol Values Removed server multi channel support Changed Yes (on Linux and FreeBSD) server smb3 signing algorithms New see man smb.conf server smb3 encryption algorithms New see man smb.conf winbind use krb5 enterprise principals Changed Yes winbind scan trusted domains Changed No Release notes for 4.14: NEW FEATURES/CHANGES ==================== Here is a copy of a clarification note added to the Samba code in the file: VFS-License-clarification.txt. -------------------------------------------------------------- A clarification of our GNU GPL License enforcement boundary within the Samba Virtual File System (VFS) layer. Samba is licensed under the GNU GPL. All code committed to the Samba project or that creates a "modified version" or software "based on" Samba must be either licensed under the GNU GPL or a compatible license. Samba has several plug-in interfaces where external code may be called from Samba GNU GPL licensed code. The most important of these is the Samba VFS layer. Samba VFS modules are intimately connected by header files and API definitions to the part of the Samba code that provides file services, and as such, code that implements a plug-in Samba VFS module must be licensed under the GNU GPL or a compatible license. 
However, Samba VFS modules may themselves call third-party external libraries that are not part of the Samba project and are externally developed and maintained. As long as these third-party external libraries do not use any of the Samba internal structure, APIs or interface definitions created by the Samba project (to the extent that they would be considered subject to the GNU GPL), then the Samba Team will not consider such third-party external libraries called from Samba VFS modules as "based on" and/or creating a "modified version" of the Samba code for the purposes of GNU GPL. Accordingly, we do not require such libraries be licensed under the GNU GPL or a GNU GPL compatible license. VFS --- The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14. For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the . Printing -------- Publishing printers in AD is more reliable and more printer features are added to the published information in AD. Samba now also supports Windows drivers for the ARM64 architecture. Client Group Policy ------------------- This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly. To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes. Policies applied by Samba are 'non-tattooing', meaning that changes can be reverted by executing the `samba-gpupdate --unapply` command. Policies can be re-applied using the `samba-gpupdate --force` command. To view what policies have been or will be applied to a system, use the `samba-gpupdate --rsop` command. 
Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed. Python 3.6 or later required ---------------------------- Samba's minimum runtime requirement for python was raised to Python 3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python 3.6 also to build Samba. It is no longer possible to build Samba (even just the file server) with Python versions 2.6 and 2.7. As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in this release. Miscellaneous samba-tool changes -------------------------------- The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and groups) now consistently use the "add" command when adding a new object to the AD. The previous deprecation warnings when using the 'add' commands have been removed. For compatibility reasons, both the 'add' and 'create' commands can be used now. Users, groups and contacts can now be renamed with the respective rename commands. Locked users can be unlocked with the new 'samba-tool user unlock' command. The 'samba-tool user list' and 'samba-tool group listmembers' commands provide additional options to hide expired and disabled user accounts (--hide-expired and --hide-disabled). CTDB CHANGES ============ * The NAT gateway and LVS features now uses the term "leader" to refer to the main node in a group through which traffic is routed and "follower" for other members of a group. The command for determining the leader has changed to "ctdb natgw leader" (from "ctdb natgw master"). 
The configuration keyword for indicating that a node can not be the leader of a group has changed to "follower-only" (from "slave-only"). Identical changes were made for LVS. * Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's scripts and can be checked by users with "ctdb pnn" and "ctdb recmaster". smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- smb encrypt Removed async dns timeout New 10 client smb encrypt New default honor change notify privilege New No smbd force process locks New No server smb encrypt New default @ text @d1 1 a1 1 $NetBSD: patch-lib_replace_wscript,v 1.2 2019/03/20 19:09:10 adam Exp $ d5 1 a5 1 --- lib/replace/wscript.orig 2021-08-26 09:01:35.530309000 +0000 d7 1 a7 1 @@@@ -451,7 +451,9 @@@@ def configure(conf): a14 1 conf.CHECK_FUNCS('port_create') d17 1 @ 1.2 log @samba4: updated to 4.10.0 Release Notes for Samba 4.10.0 This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES ==================== GPO Improvements ---------------- A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format. A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain). KDC prefork ----------- The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba. Prefork 'prefork children' -------------------------- The default value for this smdb.conf parameter has been increased from 1 to 4. Netlogon prefork ---------------- DCERPC now supports pre-forked NETLOGON processes. 
The netlogon processes are pre-forked when the prefork process model is selected for samba. Offline domain backups ---------------------- The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command. Group membership statistics --------------------------- A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group. Paged results LDAP control -------------------------- The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally (or is requested by the user) by LDAP libraries or tools that deal with large result sizes, for example, when listing all the objects in the database. Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression. For further details see https://wiki.samba.org/index.php/Paged_Results Prefork process restart ----------------------- The pre-fork process model now restarts failed processes. 
The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smb.conf parameters. A linear back off strategy is used with "prefork backoff increment" added to the delay between restart attempts up until it reaches "prefork maximum backoff". Using the default sequence the restart delays (in seconds) are: 0, 10, 20, ..., 120, 120, ...

Standard process model
----------------------

When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0, indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately.

python3 support
---------------

This is the first release of Samba which has full support for Python 3. Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
   'PYTHON=python2 ./configure'
   'PYTHON=python2 make'
This will override the python3 default.

Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case.

Note that Samba 4.10 supports Python 3.4 onwards.

Future Python support
---------------------

Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term. Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.

Also note that Samba 4.11 will most likely only support Python 3.6 onwards.

JSON logging
------------

Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType". The supported event codes and logon types are:

  Event codes:
    4624  Successful logon
    4625  Unsuccessful logon

  Logon Types:
    2  Interactive
    3  Network
    8  NetworkCleartext

The version number for Authentication messages is now 1.1, changed from 1.0.

Password change messages now contain the Windows Event Id "eventId", the supported event Id's are:

  4723  Password changed
  4724  Password reset

The version number for PasswordChange messages is now 1.1, changed from 1.0.

Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are:

  4728  A member was added to a security enabled global group
  4729  A member was removed from a security enabled global group
  4732  A member was added to a security enabled local group
  4733  A member was removed from a security enabled local group
  4746  A member was added to a security disabled local group
  4747  A member was removed from a security disabled local group
  4751  A member was added to a security disabled global group
  4752  A member was removed from a security disabled global group
  4756  A member was added to a security enabled universal group
  4757  A member was removed from a security enabled universal group
  4761  A member was added to a security disabled universal group
  4762  A member was removed from a security disabled universal group

The version number for GroupChange messages is now 1.1, changed from 1.0. Also, a GroupChange message is generated when a new user is created to log that the user has been added to their primary group.
The leading "JSON :" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {"

SMBv2 samba-tool support
------------------------

On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands.

New glusterfs_fuse VFS module
-----------------------------

The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume.

REMOVED FEATURES
================

MIT Kerberos build of the AD DC
-------------------------------

While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option:

  --with-experimental-mit-ad-dc

For further details see https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

samba_backup
------------

The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command.
SMB client Python bindings
--------------------------

The SMB client python bindings are now deprecated and will be removed in future Samba releases. This will only affect users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'.
@ text @d1 1 a1 1 $NetBSD: patch-lib_replace_wscript,v 1.1 2015/06/26 16:09:49 jperkin Exp $ d5 1 a5 1 --- lib/replace/wscript.orig 2019-01-15 10:07:00.000000000 +0000 d7 1 a7 1 @@@@ -424,7 +424,9 @@@@ def configure(conf): d17 1 a17 1 @
1.1 log @Attempt to fix various build issues:

- Explicitly disable samba-regedit for now, it is built depending on various curses characteristics that we do not currently support.
- Avoid epoll implementation on SmartOS.
- Pull in Active Directory and LDAP options from net/samba, LDAP support is dynamically configured and we need to ensure that, if enabled, we correctly pull in openldap. The SunOS native LDAP is missing some TLS functions that Samba depends upon.

Tested with various PKG_OPTIONS combinations, fixes build on SmartOS.
@ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- lib/replace/wscript.orig 2015-04-15 18:00:13.000000000 +0000 d7 1 a7 1 @@@@ -283,7 +283,9 @@@@ def configure(conf): d16 1 a17 1 conf.SET_TARGET_TYPE('attr', 'EMPTY') @
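
Review bot: none of the three deltas (1.3, 1.2, 1.1) or their log messages says whether this workaround was ever reported upstream, although the same 7-to-9-line hunk has been carried by hand since the 2015 `.orig` with only the `$NetBSD$` id line, the timestamp, the `@@` offset (451, 424, 283) and a line or two near the end changing. Please record the upstream report, or the reason there is none, in the patch comment, so the next update can tell when the patch can be dropped; the 1.1 log only says "Avoid epoll implementation on SmartOS". The 1.3 delta also carries `a14 1 conf.CHECK_FUNCS('port_create')`, which no log message mentions; confirm that it is only upstream context and not a second local change.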
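
The "JSON logging" notes in the 4.10.0 log above describe the new entry layout (two spaces, then an opening brace) and the "eventId" and "logonType" fields. The following is an added example, not part of the commit or of Samba, that counts unsuccessful logons (4625) per account from such lines and reports entries that carry no "eventId"; the "type", "Authentication" and "clientAccount" keys and all sample lines are assumptions constructed for the example.

```python
import json
from collections import Counter

# Logon types listed in the 4.10 release notes; 4625 is "Unsuccessful logon".
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext"}

def iter_json_entries(lines):
    """Yield dicts from lines in the 4.10 layout: two spaces, then '{'."""
    for line in lines:
        if not line.startswith("  {"):
            continue                      # debug header or other text
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated or non-JSON line
        if isinstance(entry, dict):
            yield entry

def failed_logons(lines, threshold=3):
    """Return (alerts, unclassified): accounts with >= threshold 4625 events,
    and the number of Authentication entries that carry no eventId."""
    counts, unclassified = Counter(), 0
    for entry in iter_json_entries(lines):
        if entry.get("type") != "Authentication":
            continue
        body = entry.get("Authentication")   # assumed: body keyed by the type name
        if not isinstance(body, dict):
            continue
        if "eventId" not in body:
            unclassified += 1                # pre-1.1 message, cannot be classified
        elif body["eventId"] == 4625:
            kind = LOGON_TYPES.get(body.get("logonType"), "other")
            counts[(body.get("clientAccount"), kind)] += 1
    alerts = {key: n for key, n in counts.items() if n >= threshold}
    return alerts, unclassified

def _line(account, event_id=None, logon_type=None):
    """Build one constructed log line; field names other than eventId and
    logonType are assumptions."""
    body = {"clientAccount": account}
    if event_id is not None:
        body.update(eventId=event_id, logonType=logon_type)
    return "  " + json.dumps({"type": "Authentication", "Authentication": body})

SAMPLE = (["[constructed debug header, not JSON]", "  {truncated"]
          + [_line("alice", 4625, 3)] * 3
          + [_line("bob", 4625, 2), _line("bob", 4624, 2)]
          + [_line("carol")] * 2)

if __name__ == "__main__":
    print(failed_logons(SAMPLE))
```

A non-zero unclassified count means some servers still emit version 1.0 messages, so a rule keyed on "eventId" does not cover them.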