./net/samba4, SMB/CIFS protocol server suite



Branch: CURRENT, Version: 4.19.5, Package name: samba-4.19.5, Maintainer: pkgsrc-users

Samba is the standard Windows interoperability suite of programs
for Linux and Unix.

Samba is Free Software licensed under the GNU General Public License,
the Samba project is a member of the Software Freedom Conservancy.

Since 1992, Samba has provided secure, stable and fast file and
print services for all clients using the SMB/CIFS protocol, such
as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix
Servers and Desktops into Active Directory environments. It can
function either as a domain controller or as a regular domain member.

This package intends to provide the current stable version of samba
within the 4.x series. (As with all packages, it may of course
sometimes contain an older stable release due to not being updated
yet.)


Required to run:
[textproc/py-expat] [converters/libiconv] [databases/openldap-client] [archivers/libarchive] [lang/perl5] [net/py-dns] [security/gnutls] [security/libgcrypt] [devel/p5-Parse-Yapp] [devel/popt] [devel/gettext-lib] [devel/readline] [net/avahi] [textproc/jansson] [devel/talloc] [time/py-iso8601] [devel/cmocka] [databases/lmdb] [lang/python37] [devel/tevent] [databases/ldb]

Required to build:
[textproc/docbook-xml] [textproc/docbook-xsl] [textproc/libxslt] [pkgtools/x11-links] [x11/xcb-proto] [x11/fixesproto4] [pkgtools/cwrappers] [x11/xorgproto]

Package options: ads, avahi, ldap, pam, winbind


Filesize: 40859.53 KB



CVS history:


   2024-02-20 06:21:35 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
samba4: updated to 4.19.5

Changes since 4.19.4
--------------------
* BUG 13688: Windows 2016 fails to restore previous version of a file from a
  shadow_copy2 snapshot.
* BUG 15549: Symlinks on AIX are broken in 4.19 (and a few versions before
  that).
* BUG 12421: Fake directory create times has no effect.
* BUG 15550: ctime mixed up with mtime by smbd.
* BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
* BUG 15557: gpupdate: The root cert import when NDES is not available is
  broken.
* BUG 15552: samba-gpupdate should print a useful message if cepces-submit
  can't be found.
* BUG 15558: samba-gpupdate logging doesn't work.
* BUG 15555: smbpasswd reset permissions only if not 0600.
   2024-01-10 09:39:30 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
samba4: updated to 4.19.4

Changes since 4.19.3
* BUG 13577: net changesecretpw cannot set the machine account password if
  secrets.tdb is empty.
* BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
* BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
* BUG 15542: vfs_linux_xfs is incorrectly named.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15505: Following intermediate absolute share-local symlinks is broken.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
  a non-public address disconnects first.
* BUG 15544: shadow_copy2 broken when current fileset's directories are
  removed.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
  a non-public address disconnects first.
* BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
  exclusion.
* BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
  domains = no' is set.
* BUG 15525: smbget debug logging doesn't work.
* BUG 15532: smbget: username in the smburl and interactive password entry
  doesn't work.
* BUG 15538: smbget auth function doesn't set values for password prompt
  correctly.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
  a non-public address disconnects first.
* BUG 15440: Unable to copy and write files from clients to Ceph cluster via
  SMB Linux gateway with Ceph VFS module.
* BUG 15547: Multichannel refresh network information.
   2023-11-27 18:08:25 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
samba4: updated to 4.19.3

Release Notes for Samba 4.19.3

This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bugfix CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html

Description of CVE-2018-14628
-----------------------------

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).

This means that non-privileged users can also use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view
the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

Action required in order to resolve CVE-2018-14628!
---------------------------------------------------

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.

Changes since 4.19.2
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15520: sid_strings test broken by unix epoch > 1700000000.

o  Ralph Boehme <slow@samba.org>
   * BUG 15487: smbd crashes if asked to return full information on close of a
     stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
     smb_fname_fsp_destructor().

o  Pavel Filipenský <pfilipensky@samba.org>
   * BUG 15499: Improve logging for failover scenarios.

o  Björn Jacke <bj@sernet.de>
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
     listed in directories.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
     AD LDAP to normal users.
   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
     accounts.

o  Christof Schmitt <cs@samba.org>
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Andreas Schneider <asn@samba.org>
   * BUG 15513: Samba doesn't build with Python 3.12.
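
To help review the dbcheck prompt quoted in the CVE-2018-14628 notes above, the following added example (not part of the Samba release notes or of pkgsrc) decodes the ACE lines of that prompt and lists the read rights that non-privileged trustees lose once the fix is confirmed. The function names and the `PRIVILEGED` classification are assumptions of this example, and only two-letter SDDL right codes are handled.

```python
import re

# Directory-service access-right codes used in SDDL ACE strings.
RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access",
          "SD": "delete", "RC": "read control", "WD": "write DACL",
          "WO": "write owner"}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "DA": "Domain Admins", "BA": "Builtin Administrators"}
PRIVILEGED = {"SY", "DA", "BA"}    # assumption: treated as administrative
READ_RIGHTS = {"LC", "RP", "LO"}   # rights that expose names and attributes

# Fields of an ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_LINE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
    r"[^;]*;[^;]*;(?P<sid>[^)]+)\)\s+ACE is not present in the "
    r"(?P<side>reference|current)")

def parse_prompt(text):
    """Return {'removed': [...], 'added': [...]} of (type, trustee, rights)."""
    result = {"removed": [], "added": []}
    for m in ACE_LINE.finditer(text):
        rights = re.findall("..", m["rights"])
        # Absent from the reference means present now, so --fix removes it.
        key = "removed" if m["side"] == "reference" else "added"
        result[key].append((m["type"], m["sid"], rights))
    return result

def exposed_read_aces(changes):
    """Allow-ACEs removed by the fix that let non-privileged trustees read."""
    return [(sid, sorted(READ_RIGHTS & set(rights)))
            for typ, sid, rights in changes["removed"]
            if typ == "A" and sid not in PRIVILEGED and READ_RIGHTS & set(rights)]

# Constructed sample: the ACE lines of the prompt quoted above, unwrapped.
SAMPLE = """\
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
"""

if __name__ == "__main__":
    for sid, rights in exposed_read_aces(parse_prompt(SAMPLE)):
        names = ", ".join(RIGHTS[r] for r in rights)
        print(f"{TRUSTEES.get(sid, sid)} can currently: {names}")
```
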
   2023-11-16 17:37:32 by Tom Spindler | Files touched by this commit (1)
Log message:
fix "-ads" option build
   2023-11-15 19:54:43 by Thomas Klausner | Files touched by this commit (6) | Package updated
Log message:
samba: update to 4.19.2.

This is the first stable release of the Samba 4.19 release series.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2023-10-21 19:11:59 by Greg Troxel | Files touched by this commit (1345) | Package updated
Log message:
recursive revbump for tiff update