Release Announcements ===================== This is the sixth release condidate of Samba 4.13. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.13 will be the next version of the Samba suite. SECURITY ======== o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon"). The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC). Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below). The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable. However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'. Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf. Note each domain controller needs the correct settings in its smb.conf. Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file. The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix. Some domains employ third-party software that will not work with a 'server schannel = yes'. For these cases patches are available that allow specific machines to use insecure netlogon. For example, the following smb.conf: server schannel = yes server require schannel:triceratops$ = no server require schannel:greywacke$ = no will allow only "triceratops$" and "greywacke$" to avoid schannel. More details can be found here: https://www.samba.org/samba/security/CVE-2020-1472.html UPGRADING ========= NEW FEATURES/CHANGES ==================== Python 3.6 or later required ---------------------------- Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure. This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7. As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release. Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build. wide links functionality ------------------------ For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files. Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future. A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs. NT4-like 'classic' Samba domain controllers ------------------------------------------- Samba 4.13 deprecates Samba's original domain controller mode. Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients. SMBv1 only protocol options deprecated -------------------------------------- A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release. REMOVED FEATURES ================ The deprecated "ldap ssl ads" smb.conf option has been removed. The deprecated "server schannel" smb.conf option will very likely removed in the final 4.13.0 release. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- ldap ssl ads Removed smb2 disable lock sequence checking Added No smb2 disable oplock break retry Added No domain logons Deprecated no raw NTLMv2 auth Deprecated no client plaintext auth Deprecated no client NTLMv2 auth Deprecated yes client lanman auth Deprecated no client use spnego Deprecated yes server schannel To be removed in 4.13.0 server require schannel:COMPUTER Added CHANGES SINCE 4.13.0rc5 ======================= o Jeremy Allison * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords. o Günther Deschner * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations. o Gary Lockyer * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge. o Stefan Metzmacher * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no". CHANGES SINCE 4.13.0rc4 ======================= o Andreas Schneider * BUG 14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14. * BUG 14467: s3:smbd: Fix %U substitutions if it contains a domain name. * BUG 14479: The created krb5.conf for 'net ads join' doesn't have a domain entry. o Stefan Metzmacher * BUG 14482: Fix build problem if libbsd-dev is not installed. CHANGES SINCE 4.13.0rc3 ======================= o David Disseldorp * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules". o Volker Lendecke * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. o Stefan Metzmacher * BUG 14428: PANIC: Assert failed in get_lease_type(). * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response. CHANGES SINCE 4.13.0rc2 ======================= o Andrew Bartlett * BUG 14460: Deprecate domain logons, SMBv1 things. o Günther Deschner * BUG 14318: docs: Add missing winexe manpage. o Christof Schmitt * BUG 14166: util: Allow symlinks in directory_create_or_exist. o Martin Schwenke * BUG 14466: ctdb disable/enable can fail due to race condition. CHANGES SINCE 4.13.0rc1 ======================= o Andrew Bartlett * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs. o Isaac Boukris * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option. o Volker Lendecke * BUG 14435: winbind: Fix lookuprids cache problem. o Stefan Metzmacher * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos. o Andreas Schneider * BUG 14358: docs: Fix documentation for require_membership_of of pam_winbind.conf. o Martin Schwenke * BUG 14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread count. KNOWN ISSUES ============ https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ======================================================================