head	1.3;
access;
symbols
	pkgsrc-2022Q3:1.2.0.6
	pkgsrc-2022Q3-base:1.2
	pkgsrc-2022Q2:1.2.0.4
	pkgsrc-2022Q2-base:1.2
	pkgsrc-2022Q1:1.2.0.2
	pkgsrc-2022Q1-base:1.2
	pkgsrc-2021Q4:1.1.0.18
	pkgsrc-2021Q4-base:1.1
	pkgsrc-2021Q3:1.1.0.16
	pkgsrc-2021Q3-base:1.1
	pkgsrc-2021Q2:1.1.0.14
	pkgsrc-2021Q2-base:1.1
	pkgsrc-2021Q1:1.1.0.12
	pkgsrc-2021Q1-base:1.1
	pkgsrc-2020Q4:1.1.0.10
	pkgsrc-2020Q4-base:1.1
	pkgsrc-2020Q3:1.1.0.8
	pkgsrc-2020Q3-base:1.1
	pkgsrc-2020Q2:1.1.0.6
	pkgsrc-2020Q2-base:1.1
	pkgsrc-2020Q1:1.1.0.4
	pkgsrc-2020Q1-base:1.1
	pkgsrc-2019Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.3
date	2022.10.25.07.46.11;	author wiz;	state dead;
branches;
next	1.2;
commitid	iWIi5gW2mTzOw4ZD;

1.2
date	2022.03.07.21.40.38;	author thor;	state Exp;
branches;
next	1.1;
commitid	lThpKNoRM9eEAkvD;

1.1
date	2020.01.08.10.40.03;	author jperkin;	state Exp;
branches
	1.1.2.1;
next	;
commitid	JTHVtaCO1cS8jSRB;

1.1.2.1
date	2020.01.08.10.40.03;	author bsiegert;	state dead;
branches;
next	1.1.2.2;
commitid	Cn2dZW2VUDoWtAUB;

1.1.2.2
date	2020.01.29.13.13.05;	author bsiegert;	state Exp;
branches;
next	;
commitid	Cn2dZW2VUDoWtAUB;


desc
@@


1.3
log
@samba: update to 4.17.1.

Changes since 4.17.0
--------------------

o  Jeremy Allison
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o  Douglas Bagnall
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o  Andrew Bartlett
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
o  Ralph Boehme
   * BUG 15182: Flush on a named stream never completes.

o  Volker Lendecke
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o  Gary Lockyer
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

o  Stefan Metzmacher
   * BUG 15200: multi-channel socket passing may hit a race if one of the
     involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and
     struct tevent_immediate on struct imessaging_context (in rpcd_spoolss
     and maybe others).

o  Noel Power
   * BUG 15205: Since popt1.19 various use after free errors using result of
     poptGetArg are now exposed.

o  Anoop C S
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
     vfs_glusterfs.

o  Andreas Schneider
   * BUG 15169: GETPWSID in memory cache grows indefinitely with each NTLM
     auth.

o  Joseph Sutton
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.


                   ==============================
                   Release Notes for Samba 4.17.0
                        September 13, 2022
                   ==============================


This is the first stable release of the Samba 4.17 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

SMB Server performance improvements
-----------------------------------

The security improvements in recent releases (4.13, 4.14, 4.15, 4.16),
mainly as protection against symlink races, caused performance regressions
for meta data heavy workloads.

With 4.17 the situation improved a lot again:

- Pathnames given by a client are divided into dirname and basename.
  The amount of syscalls to validate dirnames is reduced to 2 syscalls
  (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
  makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, in order
  to just use 2 syscalls (openat2, close) for the whole dirname.
- Contended path based operations used to generate a lot of unsolicited
  wakeup events causing thundering herd problems, which led to massive
  latencies for some clients. These events are now avoided in order to
  provide stable latencies and much higher throughput of open/close
  operations.

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for the SMB1
protocol in smbd. This can be selected at configure time with either of
the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba is configured to
include SMB1 support (i.e. --with-smb1-server is the default).

When Samba is configured without SMB1 support, none of the SMB1 code is
included inside smbd except the minimal stub code needed to allow a client
to connect as SMB1 and immediately negotiate the selected protocol into
SMB2 (as a Windows server also allows).

None of the SMB1-only smb.conf parameters are removed when configured
without SMB1, but these parameters are ignored by the smbd server. This
allows deployment without having to change an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba to
remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections even
when Samba is configured as --without-smb1-server. This is to ensure
maximum compatibility with environments containing old SMB1 servers.

Bronze bit and S4U support now also with MIT Kerberos 1.20
----------------------------------------------------------

In 2020 Microsoft Security Response Team received another Kerberos-related
report. Eventually, that led to a security update of the CVE-2020-17049,
Kerberos KDC Security Feature Bypass Vulnerability, also known as a
‘Bronze Bit’.
With this vulnerability, a compromised service that is configured to use
Kerberos constrained delegation feature could tamper with a service ticket
that is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the
‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API
was changed to allow passing more details between KDC and KDB components.

When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and
1.20 versions but 'Bronze Bit' mitigation is provided only with MIT
Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully
supports S4U2Self and S4U2Proxy Kerberos extensions.

Note the default (Heimdal-based) KDC was already fixed in 2021, see
https://bugzilla.samba.org/show_bug.cgi?id=14642

Resource Based Constrained Delegation (RBCD) support
----------------------------------------------------

Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now.
With MIT Kerberos 1.20 we have complete RBCD support passing Samba's S4U
testsuite.

samba-tool delegation got the 'add-principal' and 'del-principal'
subcommands in order to manage RBCD.

To complete RBCD support and make it useful to Administrators we added the
Asserted Identity [1] SID into the PAC for constrained delegation. This is
available for Samba AD compiled with MIT Kerberos 1.20.

Note the default (Heimdal-based) KDC does not support RBCD yet.

[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

Customizable DNS listening port
-------------------------------

It is now possible to set a custom listening port for the builtin DNS
service, making it easy to host another DNS on the same system that would
bind to the default port and forward the domain-specific queries to Samba
using the custom port. This is the opposite configuration of setting a
forwarder in Samba.
It makes it possible to use another DNS server as a front and forward to
Samba. Dynamic DNS updates may not be proxied by the front DNS server when
forwarding to Samba. Dynamic DNS update proxying depends on the features of
the other DNS server used as a front.

CTDB changes
------------

* When Samba is configured with both --with-cluster-support and
  --systemd-install-services then a systemd service file for CTDB will be
  installed.

* ctdbd_wrapper has been removed.  ctdbd is now started directly from a
  systemd service file or init script.

* The syntax for the ctdb.tunables configuration file has been relaxed.
  However, trailing garbage after the value, including comments, is no
  longer permitted.  Please see ctdb-tunables(7) for more details.

Operation without the (unsalted) NT password hash
-------------------------------------------------

When Samba is configured with 'nt hash store = never' then Samba will no
longer store the (unsalted) NT password hash for users in Active Directory.
(Trust accounts, like computers, domain controllers and inter-domain trusts
are not impacted).

In the next version of Samba the default for 'nt hash store' will change
from 'always' to 'auto', where it will follow (behave as 'nt hash store =
never' when 'ntlm auth = disabled' is set).

Security-focused deployments of Samba that have eliminated NTLM from their
networks will find setting 'ntlm auth = disabled' with 'nt hash store =
always' as a useful way to improve compliance with best-practice guidance
on password storage (which is to always use an iterated hash).

Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
Kerberos keys will not be available for users who subsequently change their
password, as these keys derive their values from NT hashes. AES keys are
stored by default for all deployments of Samba with Domain Functional Level
2008 or later, are supported by all modern clients, and are much more
secure.
Finally, also note that password history in Active Directory is stored in
nTPwdHistory using a series of NT hash values. Therefore the full password
history feature is not available in this mode. To provide some protection
against password re-use previous Kerberos hash values (the current, old and
older values are already stored) are used, providing a history length of 3.

There is one small limitation of this workaround: Changing the
sAMAccountName, userAccountControl or userPrincipalName of an account can
cause the Kerberos password salt to change. This means that after *both* an
account rename and a password change, only the current password will be
recognised for password history purposes.

Python API for smbconf
----------------------

Samba's smbconf library provides a generic frontend to various
configuration backends (plain text file, registry) as a C library. A new
Python wrapper, importable as 'samba.smbconf' is available. An additional
module, 'samba.samba3.smbconf', is also available to enable registry
backend support. These libraries allow Python programs to read, and
optionally write, Samba configuration natively.

JSON support for smbstatus
--------------------------

It is now possible to print detailed information in JSON format in the
smbstatus program using the new option --json. The JSON output covers all
the existing text output including sessions, connections, open files,
byte-range locks, notifies and profile data with all low-level information
maintained by Samba in the respective databases.

Protected Users security group
------------------------------

Samba AD DC now includes support for the Protected Users security group
introduced in Windows Server 2012 R2. The feature reduces the attack
surface of user accounts by preventing the use of weak encryption types. It
also mitigates the effects of credential theft by limiting credential
lifetime and scope.
The protections are intended for user accounts only, and service or
computer accounts should not be added to the Protected Users group.

User accounts added to the group are granted the following security
protections:

* NTLM authentication is disabled.
* Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are not issued
  to or accepted from affected principals. Tickets encrypted with AES, and
  service tickets encrypted with RC4, are not affected by this restriction.
* The lifetime of Kerberos TGTs is restricted to a maximum of four hours.
* Kerberos constrained and unconstrained delegation is disabled.

If the Protected Users group is not already present in the domain, it can
be created with 'samba-tool group add'. The new '--special' parameter must
be specified, with 'Protected Users' as the name of the group. An example
command invocation is:

samba-tool group add 'Protected Users' --special

or against a remote server:

samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator

The Protected Users group is identified in the domain by its having a RID
of 525. Thus, it should only be created with samba-tool and the '--special'
parameter, as above, so that it has the required RID to function correctly.


REMOVED FEATURES
================

LanMan Authentication and password storage removed from the AD DC
-----------------------------------------------------------------

The storage and authentication with LanMan passwords has been entirely
removed from the Samba AD DC, even when "lanman auth = yes" is set.
smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------
  dns port                           New default                53
  fruit:zero_file_id                 New default                yes
  nt hash store                      New parameter              always
  smb1 unix extensions               Replaces "unix extensions"
  volume serial number               New parameter              -1
  winbind debug traceid              New parameter              no
@
text
@$NetBSD: patch-source4_utils_oLschema2ldif_wscript__build,v 1.2 2022/03/07 21:40:38 thor Exp $

--- source4/utils/oLschema2ldif/wscript_build.orig	2021-08-09 13:38:37.571391800 +0000
+++ source4/utils/oLschema2ldif/wscript_build
@@@@ -1,5 +1,7 @@@@
 #!/usr/bin/env python
+import sys
+
 
 bld.SAMBA_SUBSYSTEM('oLschema2ldif-lib',
                     source='lib.c',
                     deps='samdb',
@


1.2
log
@net/samba4: version 4.15.4

This includes a patch (already posted upstream) to fix updated Samba on
NetBSD's /proc, so the upgrade is not blocked anymore.

Release notes for 4.15:

NEW FEATURES/CHANGES
====================

VFS
---

The effort to modernize Samba's VFS interface is complete and Samba 4.15.0
ships with a modernized VFS designed for the post SMB1 world.

For details please refer to the documentation at
source3/modules/The_New_VFS.txt or visit the .

Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------

Up to now, any client could use a DNS zone transfer request to the bind
server, and get an answer from Samba.
Now the default behaviour will be to deny those requests. Two new options
have been added to manage the list of authorized/denied clients for zone
transfer requests. In order to be accepted, the request must be issued by
a client that is in the allow list and NOT in the deny list.

"server multi channel support" no longer experimental
-----------------------------------------------------

This option is enabled by default starting with 4.15 (on Linux and
FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.

samba-tool available without the ad-dc
--------------------------------------

The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific
options have been disabled. The 'samba-tool domain' options, for example,
are limited when no ad-dc is present.

Samba must still be built with ads in order to enable 'samba-tool'.

Improved command line user experience
-------------------------------------

Samba utilities did not consistently implement their command line
interface. A number of options required values to be specified in one tool
and not in the other, and some options meant different things in different
tools. These should be stories of the past now.

A new command line parser has been implemented with sanity checking. Also
the command line interface has been simplified and provides better control
for encryption, signing and kerberos.

Previously many tools silently ignored unknown options. To prevent
unexpected behaviour all tools will now consistently reject unknown
options.

Also several command line options have a smb.conf variable to control the
default now.

All tools are now logging to stderr by default. You can use
"--debug-stdout" to change the behavior.

All servers will log to stderr at early startup until logging is setup to
go to a file by default.

### Common parser:

Options added:
--client-protection=off|sign|encrypt

Options renamed:
--kerberos       ->    --use-kerberos=required|desired|off
--krb5-ccache    ->    --use-krb5-ccache=CCACHE
--scope          ->    --netbios-scope=SCOPE
--use-ccache     ->    --use-winbind-ccache

Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing

### Duplicates in command line utils

ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor, as it used to be.
-s is no longer reported as an alias for --configfile, it never worked
that way as it was shadowed by '-s' for '--scope'.

ndrdump:
-l is not available for --load-dso anymore

net:
-l is not available for --long anymore

sharesec:
-V is not available for --viewsddl anymore

smbcquotas:
--user -> --quota-user

nmbd:
--log-stdout -> --debug-stdout

smbd:
--log-stdout -> --debug-stdout

winbindd:
--log-stdout -> --debug-stdout

Scanning of trusted domains and enterprise principals
-----------------------------------------------------

As an artifact from the NT4 times, we still scanned the list of trusted
domains on winbindd startup. This is wrong as we never can get a full
picture in Active Directory. It is time to change the default value to
"No".

Also with this change we always use enterprise principals for Kerberos so
that the DC will be able to redirect ticket requests to the right DC. This
is e.g. needed for one way trusts.

The options `winbind use krb5 enterprise principals` and
`winbind scan trusted domains` will be deprecated in one of the next
releases.

Support for Offline Domain Join (ODJ)
-------------------------------------

The net utility is now able to support the offline domain join feature as
known from the Windows djoin.exe command for many years. Samba's
implementation is accessible via the 'net offlinejoin' subcommand. It can
provision computers and request offline joining for both Windows and Unix
machines. It is also possible to provision computers from Windows (using
djoin.exe) and use the generated data in Samba's 'net' utility. The
existing options for the provisioning and joining steps are documented in
the net(8) manpage.

'samba-tool dns zoneoptions' for aging control
----------------------------------------------

The 'samba-tool dns zoneoptions' command can be used to turn aging on and
off, alter the refresh and no-refresh periods, and manipulate the
timestamps of existing records.
To turn aging on for a zone, you can use something like this:

    samba-tool dns zoneoptions --aging=1 --refreshinterval=306600

which turns on aging and ensures no records less than five years old are
aged out and scavenged. After aging has been on for sufficient time for
records to be renewed, the command

    samba-tool dns zoneoptions --refreshinterval=168

will set the refresh period to the standard seven days. Using this two
step process will help prevent the temporary loss of dynamic records if
scavenging happens before their first renewal.

Marking old records as static or dynamic with 'samba-tool'
----------------------------------------------------------

A bug in Samba versions prior to 4.9 meant records that were meant to be
static were marked as dynamic and vice versa. To fix the timestamps in
these domains, it is possible to use the following options, preferably
before turning aging on.

    --mark-old-records-static
    --mark-records-dynamic-regex
    --mark-records-static-regex

The "--mark-old-records-static" option will make records older than the
specified date static (that is, with a zero timestamp). For example, if
you upgraded to Samba 4.9 in November 2018, you could ensure no old records
will be mistakenly interpreted as dynamic using the following option:

    samba-tool dns zoneoptions --mark-old-records-static=2018-11-30

Then, if you know that that will have marked some records as static that
should be dynamic, and you know which those are due to your naming scheme,
you can use commands like:

    samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'

where '\w+-desktop' is a perl-compatible regular expression that will
match 'bob-desktop', 'alice-desktop', and so on.

These options are deliberately long and cumbersome to type, so people have
a chance to think before they get to the end. You can make a mess if you
get it wrong.
All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
argument that allows you to inspect the likely results before going ahead.

NOTE: for aging to work, you need to have "dns zone scavenging = yes" set
in the smb.conf of at least one server.

DNS tombstones are now deleted as appropriate
---------------------------------------------

When all the records for a DNS name have been deleted, the node is put in
a tombstoned state (separate from general AD object tombstoning, which
deleted nodes also go through). These tombstones should be cleaned up
periodically. Due to a conflation of scavenging and tombstoning, we have
only been deleting tombstones when aging is enabled.

If you have a lot of tombstoned DNS nodes (that is, DNS names for which
you have removed all the records), cleaning up these DNS tombstones may
take a noticeable time.

DNS tombstones use a consistent timestamp format
------------------------------------------------

DNS records use an hours-since-1601 timestamp format except for in the
case of tombstone records where a 100-nanosecond-intervals-since-1601
format is used (this latter format being the most common in Windows). We
had mixed that up, which might have had strange effects in zones where
aging was enabled (and hence tombstone timestamps were used).

samba-tool dns update and RPC changes
-------------------------------------

The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to
manipulate dns records on the remote server. A bug in Samba meant it was
not possible to update an existing DNS record to change the TTL. The
general behaviour of RPC updates is now closer to that of Windows.

'samba-tool dns update' is now a bit more careful in rejecting and warning
you about malformed IPv4 and IPv6 addresses.
CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
-----------------------------------------------------------------------

An unauthenticated user can crash the AD DC KDC by omitting the server
name in a TGS-REQ. Per Samba's updated security process a specific
security release was not made for this issue as it is a recoverable Denial
Of Service. See https://wiki.samba.org/index.php/Samba_Security_Proces

samba-tool domain backup offline with the LMDB backend
------------------------------------------------------

samba-tool domain backup offline, when operating with the LMDB backend now
correctly takes out locks against concurrent modification of the database
during the backup. If you use this tool on a Samba AD DC using LMDB, you
should upgrade to this release for safer backups.


REMOVED FEATURES
================

Tru64 ACL support has been removed from this release. The last supported
release of Tru64 UNIX was in 2012.

NIS support has been removed from this release. This is not available in
Linux distributions anymore.

The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which
have been out of support since 2018.
smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  client use kerberos                     New             desired
  client max protocol                     Values Removed
  client min protocol                     Values Removed
  client protection                       New             default
  client smb3 signing algorithms          New             see man smb.conf
  client smb3 encryption algorithms       New             see man smb.conf
  preopen:posix-basic-regex               New             No
  preopen:nomatch_log_level               New             5
  preopen:match_log_level                 New             5
  preopen:nodigits_log_level              New             1
  preopen:founddigits_log_level           New             3
  preopen:reset_log_level                 New             5
  preopen:push_log_level                  New             3
  preopen:queue_log_level                 New             10
  server max protocol                     Values Removed
  server min protocol                     Values Removed
  server multi channel support            Changed         Yes (on Linux and FreeBSD)
  server smb3 signing algorithms          New             see man smb.conf
  server smb3 encryption algorithms       New             see man smb.conf
  winbind use krb5 enterprise principals  Changed         Yes
  winbind scan trusted domains            Changed         No

Release notes for 4.14:

NEW FEATURES/CHANGES
====================

Here is a copy of a clarification note added to the Samba code in the
file: VFS-License-clarification.txt.

--------------------------------------------------------------

A clarification of our GNU GPL License enforcement boundary within the
Samba Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba
must be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the Samba
VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services, and
as such, code that implements a plug-in Samba VFS module must be licensed
under the GNU GPL or a compatible license.
However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained. As long as these third-party external libraries
do not use any of the Samba internal structure, APIs or interface
definitions created by the Samba project (to the extent that they would be
considered subject to the GNU GPL), then the Samba Team will not consider
such third-party external libraries called from Samba VFS modules as
"based on" and/or creating a "modified version" of the Samba code for the
purposes of GNU GPL. Accordingly, we do not require such libraries be
licensed under the GNU GPL or a GNU GPL compatible license.

VFS
---

The effort to modernize Samba's VFS interface has reached a major
milestone with the next release Samba 4.14.

For details please refer to the documentation at
source3/modules/The_New_VFS.txt or visit the .

Printing
--------

Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
-------------------

This release extends Samba to support Group Policy functionality for
Winbind clients. Active Directory Administrators can set policies that
apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or
monthly. To enable the application of Group Policies on a client, set the
global smb.conf option 'apply group policies' to 'yes'. Policies are
applied on an interval of every 90 minutes, plus a random offset between 0
and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can
be re-applied using the `samba-gpupdate --force` command.

To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.
Administration of Samba policy requires that a Samba ADMX template be
uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo
admxload` is provided as a convenient method for adding this policy. Once
uploaded, policies can be modified in the Group Policy Management Editor
under Computer Configuration/Policies/Administrative Templates.

Alternatively, Samba policy may be managed using the `samba-tool gpo
manage` command. This tool does not require the admx templates to be
installed.

Python 3.6 or later required
----------------------------

Samba's minimum runtime requirement for python was raised to Python 3.6
with samba 4.13. Samba 4.14 raises this minimum version to Python 3.6 also
to build Samba. It is no longer possible to build Samba (even just the
file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba is
dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes
--------------------------------

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers
and groups) now consistently use the "add" command when adding a new
object to the AD. The previous deprecation warnings when using the 'add'
commands have been removed. For compatibility reasons, both the 'add' and
'create' commands can be used now.

Users, groups and contacts can now be renamed with the respective rename
commands.

Locked users can be unlocked with the new 'samba-tool user unlock'
command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).

CTDB CHANGES
============

* The NAT gateway and LVS features now use the term "leader" to refer to
  the main node in a group through which traffic is routed and "follower"
  for other members of a group. The command for determining the leader
  has changed to "ctdb natgw leader" (from "ctdb natgw master").
  The configuration keyword for indicating that a node can not be the
  leader of a group has changed to "follower-only" (from "slave-only").
  Identical changes were made for LVS.

* Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's scripts
  and can be checked by users with "ctdb pnn" and "ctdb recmaster".

smb.conf changes
================

  Parameter Name                     Description     Default
  --------------                     -----------     -------
  smb encrypt                        Removed
  async dns timeout                  New             10
  client smb encrypt                 New             default
  honor change notify privilege      New             No
  smbd force process locks           New             No
  server smb encrypt                 New             default
@
text
@d1 1
a1 1
$NetBSD$
@


1.1
log
@samba4: Disable more fmemopen utilities on SunOS.
@
text
@d3 1
a3 3
Don't build test_oLschema2ldif on SunOS (lacks fmemopen).

--- source4/utils/oLschema2ldif/wscript_build.orig	2019-12-06 09:49:26.000000000 +0000
a12 10
@@@@ -11,7 +13,8 @@@@
 bld.SAMBA_BINARY('oLschema2ldif',
                  deps='oLschema2ldif-lib POPT_SAMBA',
                  )
-bld.SAMBA_BINARY('test_oLschema2ldif',
+if not sys.platform.startswith('sunos'):
+    bld.SAMBA_BINARY('test_oLschema2ldif',
                  source='test.c',
                  deps='cmocka oLschema2ldif-lib',
                  local_include=False,
@


1.1.2.1
log
@file patch-source4_utils_oLschema2ldif_wscript__build was added on branch pkgsrc-2019Q4 on 2020-01-29 13:13:05 +0000
@
text
@d1 24
@


1.1.2.2
log
@Pullup ticket #6125 - requested by taca
net/samba4: security fix

Revisions pulled up:
- net/samba4/Makefile                                           1.86-1.89
- net/samba4/PLIST                                              1.25
- net/samba4/distinfo                                           1.39-1.41
- net/samba4/patches/patch-source4_utils_oLschema2ldif_wscript__build 1.1

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Dec 30 13:58:35 UTC 2019

   Modified Files:
   	pkgsrc/net/samba4: Makefile PLIST distinfo

   Log Message:
   samba4: updated to 4.11.4

   Changes since 4.11.3:

   * BUG 14161: s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an
     inode number.
   * BUG 14174: s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum()
     on an SMB1 connection.
   * BUG 14176: NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
     SMBC_opendir_ctx.
   * BUG 14189: s3: smbd: SMB2 - Ensure we use the correct session_id if
     encrypting an interim response.
   * BUG 14205: Prevent smbd crash after invalid SMB1 negprot.
   * BUG 13745: s3:printing: Fix %J substitution.
   * BUG 13925: s3: Remove now unneeded call to cmdline_messaging_context().
   * BUG 14069: Incomplete conversion of former parametric options.
   * BUG 14070: Fix sync dosmode fallback in async dosmode codepath.
   * BUG 14171: vfs_fruit returns capped resource fork length.
   * BUG 14116: libnet_join: Add SPNs for additional-dns-hostnames entries.
   * BUG 14211: smbd: Increase a debug level.
   * BUG 14153: Prevent azure ad connect from reporting discovery errors:
     reference-value-not-ldap-conformant.
   * BUG 14179: krb5_plugin: Fix developer build with newer heimdal system
     library.
   * BUG 14168: replace: Only link libnsl and libsocket if required.
   * BUG 14175: ctdb: Incoming queue can be orphaned causing communication
     breakdown.
   * BUG 13846: ldb: Release ldb 2.0.8. Cross-compile will not take
     cross-answers or cross-execute.
   * BUG 13856: heimdal-build: Avoid hard-coded /usr/include/heimdal in
     asn1_compile-generated code.
---
   Module Name:	pkgsrc
   Committed By:	jperkin
   Date:		Wed Jan 8 10:40:03 UTC 2020

   Modified Files:
   	pkgsrc/net/samba4: distinfo
   Added Files:
   	pkgsrc/net/samba4/patches:
   	    patch-source4_utils_oLschema2ldif_wscript__build

   Log Message:
   samba4: Disable more fmemopen utilities on SunOS.
---
   Module Name:	pkgsrc
   Committed By:	jperkin
   Date:		Sat Jan 18 21:51:16 UTC 2020

   Modified Files:
   	pkgsrc/net/samba4: Makefile

   Log Message:
   *: Recursive revision bump for openssl 1.1.1.
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jan 21 14:12:36 UTC 2020

   Modified Files:
   	pkgsrc/net/samba4: Makefile distinfo

   Log Message:
   net/samba4: update to 4.11.5

   Update samba4 to 4.11.5.
                   ==============================
                   Release Notes for Samba 4.11.5
                          January 21, 2020
                   ==============================


   This is a security release in order to address the following defects:

   o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on
                     AD Directory not automatic.
   o CVE-2019-14907: Crash after failed character conversion at log level
                     3 or above.
   o CVE-2019-19344: Use after free during DNS zone scavenging in Samba
                     AD DC.


   =======
   Details
   =======

   o  CVE-2019-14902:
      The implementation of ACL inheritance in the Samba AD DC was not
      complete, and so absent a 'full-sync' replication, ACLs could get
      out of sync between domain controllers.

   o  CVE-2019-14907:
      When processing untrusted string input Samba can read past the end
      of the allocated buffer when printing a "Conversion error" message
      to the logs.

   o  CVE-2019-19344:
      During DNS zone scavenging (of expired dynamic entries) there is a
      read of memory after it has been freed.
---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Jan 27 14:04:13 UTC 2020

   Modified Files:
   	pkgsrc/net/samba4: Makefile

   Log Message:
   net/samba4: update dependency

   Update dependency for databases/ldb and devel/talloc.

   Bump PKGREVISION.
@
text
@a0 24
$NetBSD: patch-source4_utils_oLschema2ldif_wscript__build,v 1.1 2020/01/08 10:40:03 jperkin Exp $

Don't build test_oLschema2ldif on SunOS (lacks fmemopen).

--- source4/utils/oLschema2ldif/wscript_build.orig	2019-12-06 09:49:26.000000000 +0000
+++ source4/utils/oLschema2ldif/wscript_build
@@@@ -1,5 +1,7 @@@@
 #!/usr/bin/env python
+import sys
+
 
 bld.SAMBA_SUBSYSTEM('oLschema2ldif-lib',
                     source='lib.c',
                     deps='samdb',
@@@@ -11,7 +13,8 @@@@
 bld.SAMBA_BINARY('oLschema2ldif',
                  deps='oLschema2ldif-lib POPT_SAMBA',
                  )
-bld.SAMBA_BINARY('test_oLschema2ldif',
+if not sys.platform.startswith('sunos'):
+    bld.SAMBA_BINARY('test_oLschema2ldif',
                  source='test.c',
                  deps='cmocka oLschema2ldif-lib',
                  local_include=False,
@
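Review bot: in the second hunk, `+if not sys.platform.startswith('sunos'):` gates the cmocka test binary on the platform name, while the comment above the hunks gives the real condition, "lacks fmemopen". A name test is both too broad (it also drops the test on any sunos build that does provide fmemopen) and silent once the function later appears there; prefer a configure-time check for fmemopen and gate `bld.SAMBA_BINARY('test_oLschema2ldif',` on that result, which would also make the unconditional `+import sys` in the first hunk unnecessary. Note as well that the unchanged continuation lines `source='test.c',` and following now sit inside the if block at their old indentation; Python accepts that only because they are inside the still-open parenthesis, so a reader of the patch has to check that the closing `)` is also covered.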
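The 4.15 notes in the 1.2 log above describe two timestamp formats for DNS records (hours since 1601 for ordinary records, 100-nanosecond intervals since 1601 for tombstones), the refresh/no-refresh aging windows set with 'samba-tool dns zoneoptions', and the '--mark-old-records-static' repair. The following is an added worked example, not code from Samba or from this pkgsrc file: it converts between the two formats, shows why a tombstone value can never be mistaken for an hours value, and models the aging and mark-static rules. The scavenging arithmetic (eligible once both windows have elapsed since the record's timestamp) is this example's own simplified model, the sample records are constructed, and the Unix-epoch FILETIME constant is the well-known value 116444736000000000.

```python
"""DNS timestamp formats and aging arithmetic from the Samba 4.15 notes.

Added example, not Samba code.  Ordinary dnsRecord timestamps count whole
hours since 1601-01-01 UTC; tombstones (and AD objects generally) use the
Windows FILETIME unit of 100 ns since the same epoch.
"""
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STATIC = 0  # a zero hours-timestamp marks a record as static (never aged)
# Well-known FILETIME of 1970-01-01 00:00:00 UTC (11644473600 s * 10**7).
UNIX_EPOCH_FILETIME = 116444736000000000
# Largest hours value that still lands inside the datetime range; anything
# above it cannot be an hours timestamp and must be a FILETIME.
MAX_HOURS = (datetime(9999, 1, 1, tzinfo=timezone.utc) - WINDOWS_EPOCH) // timedelta(hours=1)


def hours_to_datetime(hours: int) -> datetime:
    """Ordinary record timestamp: whole hours since 1601."""
    return WINDOWS_EPOCH + timedelta(hours=hours)


def datetime_to_hours(when: datetime) -> int:
    return (when - WINDOWS_EPOCH) // timedelta(hours=1)


def filetime_to_datetime(filetime: int) -> datetime:
    """Tombstone timestamp: 100-nanosecond intervals since 1601."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def classify_timestamp(value: int) -> str:
    """Guess the format of a raw value.  The mix-up the notes describe is
    detectable because a FILETIME is far outside the range of hours values."""
    if value == STATIC:
        return "static"
    if value <= MAX_HOURS:
        return "hours"
    return "filetime"


def scavenge_after(timestamp_hours: int, no_refresh_hours: int,
                   refresh_hours: int):
    """Earliest time a dynamic record may be scavenged, or None if static.

    ASSUMED model (this example's own): a record becomes eligible once the
    no-refresh window and the refresh window have both elapsed since the
    timestamp was last updated.  --refreshinterval=168 is the seven-day
    refresh window from the notes.
    """
    if timestamp_hours == STATIC:
        return None
    return hours_to_datetime(timestamp_hours + no_refresh_hours + refresh_hours)


def mark_old_records_static(records: dict, cutoff: datetime) -> dict:
    """Model of --mark-old-records-static: every dynamic record stamped
    before the cutoff becomes static (timestamp 0); newer ones are kept."""
    cutoff_hours = datetime_to_hours(cutoff)
    return {name: (STATIC if STATIC < stamp < cutoff_hours else stamp)
            for name, stamp in records.items()}


# Constructed sample zone: name -> hours-since-1601 timestamp.
SAMPLE_RECORDS = {
    "bob-desktop": 3_600_000,    # 2011-ish, dynamic
    "alice-desktop": 3_700_000,  # 2023-ish, dynamic
    "fileserver": STATIC,        # static, must never be touched
}

if __name__ == "__main__":
    for name, stamp in SAMPLE_RECORDS.items():
        print(name, classify_timestamp(stamp),
              hours_to_datetime(stamp) if stamp else "static",
              "scavengeable after", scavenge_after(stamp, 168, 168))
    print(mark_old_records_static(SAMPLE_RECORDS, hours_to_datetime(3_650_000)))
    print(classify_timestamp(UNIX_EPOCH_FILETIME), filetime_to_datetime(UNIX_EPOCH_FILETIME))
```

The two conversions are exact inverses for whole hours, which is what makes the round trip through --mark-old-records-static safe; classify_timestamp is the check to run over a dump of a zone if you suspect the hours/FILETIME confusion the notes mention.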
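The 4.17, 4.15 and 4.14 notes in the logs above introduce or change several smb.conf parameters with a direct security effect: SMB1 can be compiled out (--without-smb1-server), 'nt hash store = never' stops storing the unsalted NT hash and is meant to accompany 'ntlm auth = disabled', LanMan authentication is gone from the AD DC, 'client protection' controls signing/encryption for client tools, and DNS aging needs 'dns zone scavenging = yes'. The following is an added example, not Samba code or part of this pkgsrc file: a small audit that parses a [global] section and reports the weak values next to a hardened version of the same block. The policy it encodes is this example's own; the assumed defaults (ntlm auth = ntlmv2-only, nt hash store = always from the 4.17 table) are labelled in the code, the sample configurations are constructed, and 'server min protocol' is treated as admitting SMB1 only when it is explicitly set to an SMB1 dialect.

```python
"""Audit an smb.conf [global] section against the settings discussed in the
Samba 4.14-4.17 release notes.  Added example, not Samba code."""
import configparser
import io

# 'server min protocol' values that still admit SMB1 dialects.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smbconf(text: str) -> dict:
    """Return the [global] section as {lower-case name: value}.

    smb.conf is ini-like, so configparser is enough here; it lower-cases
    parameter names, so 'NTLM Auth' and 'ntlm auth' compare equal.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    if not cp.has_section("global"):
        return {}
    return {name.strip().lower(): value.strip()
            for name, value in cp.items("global")}


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_WORDS


def audit(text: str) -> list:
    """Return one finding string per weak setting; empty means clean."""
    g = parse_smbconf(text)
    findings = []

    # 4.17: smbd can be built --without-smb1-server; short of that, the
    # configured minimum dialect must not re-admit SMB1.
    proto = g.get("server min protocol", "").lower()
    if proto in SMB1_DIALECTS:
        findings.append("server min protocol = %s admits SMB1; raise it to "
                        "SMB2_02 or build with --without-smb1-server" % proto)

    # 4.17: 'nt hash store = never' drops the unsalted NT hash, which only
    # makes sense once NTLM itself is disabled.  ASSUMED defaults: 'ntlm
    # auth' = ntlmv2-only, 'nt hash store' = always (4.17 table above).
    ntlm = g.get("ntlm auth", "ntlmv2-only").lower()
    hash_store = g.get("nt hash store", "always").lower()
    if ntlm != "disabled":
        findings.append("ntlm auth = %s: NTLM still accepted" % ntlm)
    elif hash_store != "never":
        findings.append("ntlm auth is disabled but nt hash store = %s keeps "
                        "the unsalted NT hash; set it to never" % hash_store)

    # 4.17: LanMan storage and authentication are gone from the AD DC, so
    # 'yes' is dead configuration that still documents a weak intent.
    if is_true(g.get("lanman auth", "no")):
        findings.append("lanman auth = yes is ignored by the AD DC; remove it")

    # 4.15: 'client protection' takes off|sign|encrypt; 'off' turns both
    # signing and encryption off for the client tools.
    if g.get("client protection", "default").lower() == "off":
        findings.append("client protection = off disables signing and "
                        "encryption for client tools")

    # 4.15: aging only scavenges when at least one DC has this enabled.
    if "dns zone scavenging" in g and not is_true(g["dns zone scavenging"]):
        findings.append("dns zone scavenging = no: DNS aging will not scavenge")
    return findings


# Constructed sample: a legacy-friendly [global] block with every weak value.
WEAK_CONF = """
[global]
workgroup = EXAMPLE
server min protocol = NT1
ntlm auth = yes
lanman auth = yes
client protection = off
dns zone scavenging = no
"""

# Constructed sample: the same block with the values the notes recommend.
HARDENED_CONF = """
[global]
workgroup = EXAMPLE
server min protocol = SMB2_02
ntlm auth = disabled
nt hash store = never
client protection = encrypt
dns zone scavenging = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit(conf) or "no findings")
```

Run it against a real smb.conf with audit(open("/etc/samba/smb.conf").read()); the check on 'nt hash store' deliberately fires only after NTLM is disabled, because turning the hash off while NTLM is still accepted breaks NTLM logons rather than hardening anything.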