./net/samba4, SMB/CIFS protocol server suite

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 4.10.2, Package name: samba-4.10.2, Maintainer: pkgsrc-users

Samba is the standard Windows interoperability suite of programs
for Linux and Unix.

Samba is Free Software licensed under the GNU General Public License,
the Samba project is a member of the Software Freedom Conservancy.

Since 1992, Samba has provided secure, stable and fast file and
print services for all clients using the SMB/CIFS protocol, such
as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix
Servers and Desktops into Active Directory environments. It can
function both as a domain controller or as a regular domain member.

This package tracks 4.x branch release.

MESSAGE.rcd [+/-]

Required to run:
[textproc/py-expat] [converters/libiconv] [archivers/libarchive] [lang/perl5] [net/py-dns] [security/gnutls] [security/libgcrypt] [devel/p5-Parse-Yapp] [devel/popt] [devel/gettext-lib] [devel/readline] [textproc/jansson] [devel/talloc] [time/py-iso8601] [devel/cmocka] [lang/python37] [devel/tevent] [databases/ldb]

Required to build:
[textproc/docbook-xml] [textproc/docbook-xsl] [textproc/libxslt] [pkgtools/cwrappers]

Package options: ads, ldap, pam, winbind

Master sites:

SHA1: b0b5dd49e92b266315cea6530dcfc926f27dd4ed
RMD160: 6d91d2d581e095753deaae1fae28b8a048e103fc
Filesize: 17852.256 KB

Version history: (Expand)

CVS history: (Expand)

   2019-04-08 20:35:59 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
samba4: updated to 4.10.2

Release Notes for Samba 4.10.2

This is a security release in order to address the following defects:
o  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o  CVE-2019-3880 (Save registry file outside share as unprivileged user)


o  CVE-2019-3870:
   During the provision of a new Active Directory DC, some files in the private/
   directory are created world-writable.

o  CVE-2019-3880:
   Authenticated users with write permission can trigger a symlink traversal to
   write or detect files outside the Samba share.

For more details and workarounds, please refer to the security advisories.

Changes since 4.10.1:
* BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
   2019-04-03 16:23:06 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
samba4: updated to 4.10.1

Changes since 4.10.0:
* BUG 13837: py/kcc_utils: py2.6 compatibility.
* BUG 13869: libcli: permit larger values of DataLength in
  SMB2_ENCRYPTION_CAPABILITIES of negotiate response.
* BUG 13840: regfio: Improve handling of malformed registry hive files.
* BUG 13789: ctdb-version: Simplify version string usage.
* BUG 13859: lib: Make fd_load work for non-regular files.
* BUG 13816: dbcheck in the middle of the tombstone garbage collection causes
  replication failures, dbcheck: add --selftest-check-expired-tombstones
  cmdline option.
* BUG 13818: ndr_spoolss_buf: Fix out of scope use of stack variable in
* BUG 13854: s4/messaging: Fix undefined reference in linking
* BUG 13836: acl_read: Fix regression for empty lists.
* BUG 13841: s4:dlz make b9_has_soa check dc=@ node.
* BUG 13832: s3:client: Fix printing via smbspool backend with kerberos auth.
* BUG 13847: s4:librpc: Fix installation of Samba.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13793: s3:utils: Add 'smbstatus -L --resolve-uids' to show username.
* BUG 13848: s3:lib: Fix the debug message for adding cache entries.
* BUG 13853: s3:waf: Fix the detection of makdev() macro on Linux.
* BUG 13789: ctdb-build: Drop creation of .distversion in tarball.
* BUG 13838: ctdb-packaging: Test package requires tcpdump, ctdb package
  should not own system library directory.
   2019-03-27 07:28:05 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
Mark as incomparible with Python 2.7
   2019-03-20 20:09:10 by Adam Ciarcinski | Files touched by this commit (13) | Package updated
Log message:
samba4: updated to 4.10.0

Release Notes for Samba 4.10.0

This is the first stable release of the Samba 4.10 release series.
Please read the release notes carefully before upgrading.


GPO Improvements

A new 'samba-tool gpo backup' command has been added that can export a
set of Group Policy Objects from a domain in a generalised XML format.

A corresponding 'samba-tool gpo restore' command has been added to
rebuild the Group Policy Objects from the XML after generalization.
(The administrator needs to correct the values of XML entities between
the backup and restore to account for the change in domain).

KDC prefork

The KDC now supports the pre-fork process model and worker processes will be
forked for the KDC when the pre-fork process model is selected for samba.

Prefork 'prefork children'

The default value for this smdb.conf parameter has been increased from 1 to

Netlogon prefork

DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are
pre-forked when the prefork process model is selected for samba.

Offline domain backups

The 'samba-tool domain backup' command has been extended with a new 'offline'
option. This safely creates a backup of the local DC's database directly from
disk. The main benefits of an offline backup are it's quicker, it stores more
database details (for forensic purposes), and the samba process does not have
to be running when the backup is made. Refer to the samba-tool help for more
details on using this command.

Group membership statistics

A new 'samba-tool group stats' command has been added. This provides summary
information about how the users are spread across groups in your domain.
The 'samba-tool group list --verbose' command has also been updated to include
the number of users in each group.

Paged results LDAP control

The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696)
has been changed to more closely match Windows servers, to improve memory
usage. Paged results may be used internally (or is requested by the user) by
LDAP libraries or tools that deal with large result sizes, for example, when
listing all the objects in the database.

Previously, results were returned as a snapshot of the database but now,
some changes made to the set of results while paging may be reflected in the
responses. If strict inter-record consistency is required in answers (which is
not possible on Windows with large result sets), consider avoiding the paged
results control or alternatively, it might be possible to enforce restrictions
using the LDAP filter expression.

For further details see https://wiki.samba.org/index.php/Paged_Results

Prefork process restart

The pre-fork process model now restarts failed processes. The delay between
restart attempts is controlled by the "prefork backoff increment" \ 
(default = 10)
and "prefork maximum backoff" (default = 120) smbd.conf parameters.  A \ 
back off strategy is used with "prefork backoff increment" added to the
delay between restart attempts up until it reaches "prefork maximum \ 

Using the default sequence the restart delays (in seconds) are:
  0, 10, 20, ..., 120, 120, ...

Standard process model

When using the standard process model samba forks a new process to handle ldap
and netlogon connections.  Samba now honours the 'max smbd processes' smb.conf
parameter.  The default value of 0, indicates there is no limit.  The limit
is applied individually to netlogon and ldap.  When the process limit is
exceeded Samba drops new connections immediately.

python3 support

This is the first release of Samba which has full support for Python 3.
Samba 4.10 still has support for Python 2, however, Python 3 will be used by
default, i.e. 'configure' & 'make' will execute using python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable
for both the 'configure' and 'make' steps, i.e.
   'PYTHON=python2 ./configure'
   'PYTHON=python2 make'
This will override the python3 default.

Alternatively, it is possible to produce Samba Python bindings for both
Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2'
as part of the 'configure' command. Note that python3 will still be used as
the default in this case.

Note that Samba 4.10 supports Python 3.4 onwards.

Future Python support

Samba 4.10 will be the last release that comes with full support for
Python 2. Unfortunately, the Samba Team doesn't have the resources to support
both Python 2 and Python 3 long-term.

Samba 4.11 will not have any runtime support for Python 2. This means if
you use Python 2 bindings it is time to migrate to Python 3 now.

If you are building Samba using the '--disable-python' option (i.e. you're
excluding all the run-time Python support), then this will continue to work
on a system that supports either python2 or python3.

Also note that Samba 4.11 will most likely only support Python 3.6 onwards.

JSON logging

Authentication messages now contain the Windows Event Id "eventId" and \ 
type "logonType". The supported event codes and logon types are:
  Event codes:
    4624  Successful logon
    4625  Unsuccessful logon

  Logon Types:
    2  Interactive
    3  Network
    8  NetworkCleartext

The version number for Authentication messages is now 1.1, changed from 1.0

Password change messages now contain the Windows Event Id "eventId", the
supported event Id's are:
  4723 Password changed
  4724 Password reset

The version number for PasswordChange messages is now 1.1, changed from 1.0

Group membership change messages now contain the Windows Event Id \ 
the supported event Id's are:
  4728 A member was added to a security enabled global group
  4729 A member was removed from a security enabled global group
  4732 A member was added to a security enabled local group
  4733 A member was removed from a security enabled local group
  4746 A member was added to a security disabled local group
  4747 A member was removed from a security disabled local group
  4751 A member was added to a security disabled global group
  4752 A member was removed from a security disabled global group
  4756 A member was added to a security enabled universal group
  4757 A member was removed from a security enabled universal group
  4761 A member was added to a security disabled universal group
  4762 A member was removed from a security disabled universal group

The version number for GroupChange messages is now 1.1, changed from 1.0. Also
A GroupChange message is generated when a new user is created to log that the
user has been added to their primary group.

The leading "JSON <message type>:" and source file  prefix of \ 
the JSON formatted
log entries has been removed to make the parsing of the JSON log messages
easier. JSON log entries now start with 2 spaces followed by an opening brace
i.e. "  {"

SMBv2 samba-tool support

On previous releases, some samba-tool commands would not work against a remote
DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool.
The affected commands are 'samba-tool domain backup|rename' and the
'samba-tool gpo' set of commands.

New glusterfs_fuse VFS module

The new vfs_glusterfs_fuse module improves performance when Samba
accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace
as part of the Linux kernel). It achieves that by leveraging a
mechanism to retrieve the appropriate case of filenames by querying a
specific extended attribute in the filesystem. No extra configuration
is required to use this module, only glusterfs_fuse needs to be set in
the "vfs objects" parameter. Further details can be found in the
vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does
not replace the existing vfs_glusterfs module, it just provides an
additional, alternative mechanism to access a Gluster volume.


MIT Kerberos build of the AD DC

While not removed, the MIT Kerberos build of the Samba AD DC is still
considered experimental.  Because Samba will not issue security
patches for this configuration, such builds now require the explicit
configure option: --with-experimental-mit-ad-dc

For further details see
https://wiki.samba.org/index.php/Runnin … rberos_KDC


The samba_backup script has been removed. This has now been replaced by the
'samba-tool domain backup offline' command.

SMB client Python bindings

The SMB client python bindings are now deprecated and will be removed in future
Samba releases. This will only affects users that may have used the Samba
Python bindings to write their own utilities, i.e. users with a custom Python
script that includes the line 'from samba import smb'.
   2019-03-13 19:30:39 by Adam Ciarcinski | Files touched by this commit (1) | Package updated
Log message:
samba4: updated to 4.9.5

Changes since 4.9.4:
* audit_logging: Remove debug log header and JSON Authentication:
* Fix upgrade from 4.7 (or earlier) to 4.9.
* s3: lib: nmbname: Ensure we limit the NetBIOS name correctly.
  CID: 1433607.
* smbd: uid: Don't crash if 'force group' is added to an existing
  share connection.
* s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility
* s3: SMB1 POSIX mkdir does case insensitive name lookup.
* s3:utils/smbget fix recursive download with empty source
* samba-tool drs showrepl: Do not crash if no dnsHostName found.
* s3:libsmb: cli_smb2_list() can sometimes fail initially on a
* join: Throw CommandError instead of Exception for simple errors.
* ldb: Avoid inefficient one-level searches.
* s3: libsmb: use smb2cli_conn_max_trans_size() in
* tldap: Avoid use after free errors.
* Fix idmap xid2sid cache churn.
* access_check_max_allowed() doesn't process "Owner Rights" ACEs.
* s3-smbd: Avoid assuming fsp is always intact after close_file
* s3-vfs-fruit: Add close call.
* s3-smbd: Use fruit:model string for mDNS registration.
* s3-vfs: add glusterfs_fuse vfs module.
* printing: Check lp_load_printers() prior to pcap cache update.
* vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS)
  ftruncate and fallocate.
* lib/audit_logging: Actually create talloc.
* netcmd/user: python[3]-gpgme unsupported and replaced by
* dns: Changing onelevel search for wildcard to subtree.
* samba-tool: Don't print backtrace on simple DNS errors.
* sambaundoguididx: Use the right escaped oder unescaped sam ldb
* ctdb: Print locks latency in machinereadable stats.
* messages_dgm: Messaging gets stuck when pids are recycled.
* audit_logging: auth_json_audit required auth_json.
* man pages: Document prefork process model.
* CVE-2019-3824 ldb: Release ldb 1.4.6.
* s3:auth: ignore create_builtin_guests() failing without a valid
  idmap configuration.
* s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC
  without trusts.
* s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd
  is not available.
* s4:server: Add support for 'smbcontrol samba shutdown' and
  'smbcontrol <pid> debug/debuglevel'.
* Python: Ensure ldb.Dn can doesn't rencoded str with py2.
* vfs_glusterfs: Adapt to changes in libgfapi signatures.
* s3-vfs: Use ENOATTR in errno comparison for getxattr.
* notifyd: Fix SIGBUS on sparc.
* waf: Check for libnscd.
* s3:vfs: Correctly check if OFD locks should be enabled or not.
* lib/util: Count a trailing line that doesn't end in a newline.
* Recovery lock bug fixes.
* s3: net: Do not set NET_FLAGS_ANONYMOUS with -k.
* s3:libsmb: Honor disable_netbios option in smbsock_connect_send.
* vfs_fileid: Fix get_connectpath_ino.
* vfs_fileid: Fix fsname_norootdir algorithm.
   2019-03-13 19:02:31 by Adam Ciarcinski | Files touched by this commit (11) | Package updated
Log message:
py-twine: updated to 1.13.0

Twine is a utility for publishing Python packages on PyPI. It provides build
system independent uploads of source and binary distribution artifacts for both
new and existing projects.
   2019-03-01 21:03:24 by Roy Marples | Files touched by this commit (3)
Log message:
Add a patch taken from upstream to allow smbd to work when
winbindd has been started but not configured.
   2019-02-23 22:29:29 by Jonathan Perkin | Files touched by this commit (1)
Log message:
samba4: Needs socket libraries on SunOS.