==============================
Release Notes for Samba 4.22.4
August 21, 2025
==============================


This is the latest stable release of the Samba 4.22 release series.


Changes since 4.22.3
--------------------

o  Ralph Boehme
   * BUG 14981: netr_LogonSamLogonEx returns NT_STATUS_ACCESS_DENIED with
     SysvolReady=0.
   * BUG 15844: getpwuid does not shift to new DC when current DC is down.
   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
     calls like netr_DsRGetDCName.
   * BUG 15881: Unresponsive second DC can cause idmapping failure when using
     idmap_ad.

o  Günther Deschner
   * BUG 15840: kinit command is failing with Missing cache Error.

o  Pavel Filipenský
   * BUG 15891: Figuring out the DC name from IP address fails and breaks
     fork_domain_child().

o  Volker Lendecke
   * BUG 15816: vfs_streams_depot fstatat broken.
   * BUG 15892: Delayed leader broadcast can block ctdb forever.

o  Stefan Metzmacher
   * BUG 14981: netr_LogonSamLogonEx returns NT_STATUS_ACCESS_DENIED with
     SysvolReady=0.

o  Rabinarayan Panigrahi
   * BUG 15663: Apparently there is a conflict between shadow_copy2 module
     and virusfilter (action quarantine).

o  Aleksandr Sharov
   * BUG 15877: Fix handling of empty GPO link.

o  Srinivas Rao V
   * BUG 15880: SMB ACL inheritance doesn't work for files created.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------

==============================
Release Notes for Samba 4.22.3
July 07, 2025
==============================


This is the latest stable release of the Samba 4.22 release series.


Important Change in Upcoming Microsoft Update
---------------------------------------------

On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior
to 2025.

This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used, see below
for which configuration is affected.

Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.

Who is affected?

Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.

Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.

Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.

See https://bugzilla.samba.org/show_bug.cgi?id=15876.
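An added example, not part of the Samba release notes or of Samba's code: one way to check whether a member server matches the affected configuration described above is to list the domains whose `idmap config <DOMAIN> : backend` is `ad`. The sample smb.conf is constructed and the function names are hypothetical; include files are not followed, so the output of `testparm -s` is the more complete input.

```python
import re

# Constructed sample smb.conf, not taken from any real deployment.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    Idmap Config CORP:backend = AD
    idmap config CORP : range = 10000-999999
    ; idmap config OLD : backend = ad
    idmap config PARTNER : backend = rid
    idmap config LAB : backend = \\
        ad

[share]
    path = /srv/share
"""

# Parameter names are case-insensitive; whitespace around ':' is optional.
_IDMAP_BACKEND = re.compile(r"^idmap\s*config\s+(.+?)\s*:\s*backend$", re.IGNORECASE)

def logical_lines(text):
    """Yield smb.conf lines with backslash continuations joined, comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and line[0] not in "#;":
            yield line

def domains_using_ad_backend(text):
    """Return the sorted idmap domains in [global] whose backend is 'ad'."""
    section, hits = None, set()
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        m = _IDMAP_BACKEND.match(name)
        if m and value.lower() == "ad":
            hits.add(m.group(1))
    return sorted(hits)
```

A non-empty result means the server uses the configuration named in BUG 15876 and should be running a release that contains that fix before the Microsoft update reaches its domain controllers.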
Changes since 4.22.2
--------------------

o  Douglas Bagnall
   * BUG 15854: samba-tool cannot add user to group whose name is exactly
     16 characters long.

o  Günther Deschner
   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
     calls like netr_DsRGetDCName.

o  Stefan Metzmacher
   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
     calls like netr_DsRGetDCName.

o  Andreas Schneider
   * BUG 15869: Startup messages of rpc daemons fills /var/log/messages.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------
==============================
Release Notes for Samba 4.22.2
June 05, 2025
==============================


This is the latest stable release of the Samba 4.22 release series.
It contains the security-relevant bugfix CVE-2025-0620:

    smbd doesn't pick up group membership changes
    when re-authenticating an expired SMB session
    https://www.samba.org/samba/security/CVE-2025-0620.html


Description of CVE-2025-0620
-----------------------------

With Kerberos authentication SMB sessions typically have an associated
lifetime, requiring re-authentication by the client when the session
expires.
As part of the re-authentication, Samba receives the current group
membership information and is expected to reflect this change in further
SMB request processing.

For historic reasons, Samba maintains a cache of associations between a
user's impersonation information and connected shares. A recent change
in this cache caused Samba to not reflect group membership changes from
session re-authentication when processing further SMB requests.

As a result, when an administrator removes a user from a particular
group in Active Directory, this change will not become effective unless
the user disconnects from the server and establishes a new connection.


Changes since 4.22.1
--------------------

o  Ralph Boehme
   * BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick
     up group membership changes when re-authenticating an expired SMB
     session.
   * BUG 15861: Profile sync fails due to Directory Leases.

o  Pavel Filipenský
   * BUG 15727: net ad join fails with "Failed to join domain: failed to
     create kerberos keytab".

o  Stefan Metzmacher
   * BUG 15851: dcerpcd not able to bind to listening port.

o  Anoop C S
   * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at
     any level beyond share root.

o  Martin Schwenke
   * BUG 15858: CTDB does not put nodes running NFS into grace on graceful
     shutdown.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------
==============================
Release Notes for Samba 4.22.1
April 17, 2025
==============================


This is the latest stable release of the Samba 4.22 release series.


Changes since 4.22.0
--------------------

o  Douglas Bagnall
   * BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
   * BUG 15829: samba-tool gpo backup creates entity backups it can't read.
   * BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
     prepended 0's.

o  Ralph Boehme
   * BUG 15767: Deadlock between two smbd processes.
   * BUG 15823: Subnet based interfaces definition not listening on all
     covered IP addresses.
   * BUG 15836: PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
     sconn->oplocks.exclusive_open>=0.

o  Pavel Filipenský
   * BUG 15727: net ad join fails with "Failed to join domain: failed to
     create kerberos keytab".

o  Andreas Hasenack
   * BUG 15774: Running "gpo manage motd set" twice fails with backtrace.

o  Xavi Hernandez
   * BUG 15822: Enable support for cephfs case insensitive behavior.

o  Volker Lendecke
   * BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
   * BUG 15841: Wide link issue in samba 4.22.

o  Stefan Metzmacher
   * BUG 15767: Deadlock between two smbd processes.
   * BUG 15845: NT_STATUS_INVALID_PARAMETER: Can't create folders on share
     of an exfat file system.
   * BUG 15849: Lease code is not endian-safe.

o  Anoop C S
   * BUG 15818: vfs_ceph_new module does not work with other modules for
     snapshot management.
   * BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
     SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.

o  Shachar Sharon
   * BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------
==============================
Release Notes for Samba 4.22.0
March 06, 2025
==============================

This is the first stable release of the Samba 4.22 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

SMB3 Directory Leases
---------------------

Starting with Samba 4.22 SMB3 Directory Leases are supported. The new
global option "smb3 directory leases" controls whether the feature is
enabled or not. By default, SMB3 Directory Leases are enabled on
non-clustered Samba and disabled on clustered Samba, based on the
"clustering" option. See man smb.conf for more details.

SMB3 Directory Leases allow clients to cache directory listings and,
depending on the workload, result in a decent reduction in SMB requests
from clients.

Netlogon Ping over LDAP and LDAPS
---------------------------------

Samba must query domain controller information via simple queries on the
AD rootdse's netlogon attribute. Typically this is done via
connectionless LDAP, using UDP on port 389.
The same information is also available via classic LDAP rootdse queries
over TCP. Samba can now be configured to use TCP via the new
"client netlogon ping protocol" parameter to enable running in
environments where firewalls completely block port 389 or UDP traffic to
domain controllers.

Experimental Himmelblaud Authentication in Samba
------------------------------------------------

Samba now includes experimental support for Azure Entra ID
authentication via `himmelblaud`, located in the `rust/` directory. This
implementation provides basic authentication and is configured through
`smb.conf`, utilizing options such as `realm`,
`winbindd_socket_directory`, and `template_homedir`. New global
parameters include `himmelblaud_sfa_fallback`,
`himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`. To enable,
configure Samba with `--enable-rust --with-himmelblau`.

AD DC schema upgrade and provision performance improvements
-----------------------------------------------------------

By increasing the LDB index cache size for certain offline operations
that are likely to require large transactions, these are now several
times faster.


REMOVED FEATURES
================

The "nmbd proxy logon" feature was removed. This was used before
Samba4 acquired a NBT server.

The parameter "cldap port" has been removed. CLDAP runs over UDP port
389, we don't see a reason why this should ever be changed to a
different port. Moreover, we had several places in the code where
Samba did not respect this parameter, so the behaviour was at least
inconsistent.

fruit:posix_rename
------------------

This option of the vfs_fruit VFS module that could be used to enable
POSIX directory rename behaviour for OS X clients has been removed as it
could result in severe problems for Windows clients.
As a workaround, it is possible to prevent creation of .DS_Store files
(a Finder thingy to store directory view settings) on network mounts by
running

  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

on the Mac.


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  smb3 directory leases                   New             Auto
  vfs mkdir use tmp name                  New             Auto
  client netlogon ping protocol           New             cldap
  himmelblaud hello enabled               New             no
  himmelblaud hsm pin path                New             default hsm pin path
  himmelblaud sfa fallback                New             no
  client use krb5 netlogon                Experimental    no
  reject aes netlogon servers             Experimental    no
  server reject aes schannel              Experimental    no
  server support krb5 netlogon            Experimental    no
  fruit:posix_rename                      Removed
  cldap port                              Removed


CHANGES SINCE 4.22.0rc4
=======================

o  Ralph Boehme
   * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on
     OpenBSD.

o  Anoop C S
   * BUG 15797: Unable to connect to CephFS subvolume shares with
     vfs_shadow_copy2.

o  Stefan Metzmacher
   * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on
     OpenBSD.

o  Martin Schwenke
   * BUG 15820: Incorrect FSF address in ctdb pcp scripts.

o  Andrea Venturoli
   * BUG 15804: "samba-tool domain backup offline" hangs.


CHANGES SINCE 4.22.0rc3
=======================

o  Stefan Metzmacher
   * BUG 15815: client use krb5 netlogon is experimental and should not be
     used in production.


CHANGES SINCE 4.22.0rc2
=======================

o  Douglas Bagnall
   * BUG 15738: Creation of GPOs applicable to more than one group is
     impossible with Samba 4.20.0 and later.

o  Björn Baumbach
   * BUG 15806: samba-tool acl commands broken for relative path names.
   * BUG 15807: pysmbd seg faults when file is not found.

o  Ralph Boehme
   * BUG 15796: Spotlight search results don't show file size and creation
     date.

o  Pavel Filipenský
   * BUG 15759: net ads create/join/winbind producing unix dysfunctional
     keytabs.
o  Volker Lendecke
   * BUG 15806: samba-tool acl commands broken for relative path names.
   * BUG 15807: pysmbd seg faults when file is not found.

o  Stefan Metzmacher
   * BUG 15680: Trust domains are not created.

o  Andreas Schneider
   * BUG 15680: Trust domains are not created.

o  Shweta Sodani
   * BUG 15703: General improvements for vfs_ceph_new module.


CHANGES SINCE 4.22.0rc1
=======================

o  Björn Baumbach
   * BUG 15798: libnet4: seg fault after dc lookup failure.


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.22#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================