Samba Changelog

What's new in Samba 4.19.5

Feb 19, 2024

Ralph Boehme :
BUG 13688: Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot.
BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before that).
Bjoern Jacke :
BUG 12421: Fake directory create times has no effect.
Björn Jacke :
BUG 15550: ctime mixed up with mtime by smbd.
David Mulder :
BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
Gabriel Nagy :
BUG 15557: gpupdate: The root cert import when NDES is not available is broken.
Andreas Schneider :
BUG 15552: samba-gpupdate should print a useful message if cepces-submit can't be found.
BUG 15558: samba-gpupdate logging doesn't work.
Jones Syue :
BUG 15555: smbpasswd reset permissions only if not 0600.

New in Samba 4.19.4 (Jan 9, 2024)

New in Samba 4.19.3 (Nov 28, 2023)

New in Samba 4.19.2 (Oct 16, 2023)

New in Samba 4.19.1 (Oct 11, 2023)

New in Samba 4.19.0 (Sep 6, 2023)

NEW FEATURES/CHANGES:
Migrated smbget to use common command line parser:
The smbget utility implemented its own command line parsing logic. After discovering an issue we decided to migrate it to use the common command line parser. This has some advantages as you get all the feature it provides like Kerberos authentication. The downside is that breaks the options interface. The support for smbgetrc has been removed. You can use an authentication file if needed, this is documented in the manpage.
Please check the smbget manpage or --help output:
gpupdate changes:
The libgpo.get_gpo_list function has been deprecated in favor of an implementation written in python. The new function can be imported via `import samba.gp`. The python implementation connects to Active Directory using the SamDB module, instead of ADS (which is what libgpo uses).
Improved winbind logging and a new tool for parsing the winbind logs:
Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the trace records belonging to the same request. Field 'depth' allows to track the request nesting level. A new tool samba-log-parser is added for better log parsing.
AD database prepared to FL 2016 standards for new domains:
While Samba still provides only Functional Level 2008R2 by default, Samba as an AD DC will now, in provision ensure that the blank database is already prepared for Functional Level 2016, with AD Schema 2019.
This preparation is of the default objects in the database, adding containers for Authentication Policies, Authentication Silos and AD claims in particular. These DB objects must be updated to allow operation of the new features found in higher functional levels.
Kerberos Claims, Authentication Silos and NTLM authentication policies:
An initial, partial implementation of Active Directory Functional Level 2012, 2012R2 and 2016 is available in this release.
In particular Samba will issue Active Directory "Claims" in the PAC, for member servers that support these, and honour in-directory configuration for Authentication Policies and Authentication Silos.
The primary limitation is that while Samba can read and write claims in the directory, and populate the PAC, Samba does not yet use them for access control decisions.
While we continue to develop these features, existing domains can test the feature by selecting the functional level in provision or raising the DC functional level by setting
ad dc functional level = 2016
in the smb.conf:
The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.
For new domains, add these parameters to 'samba-tool provision'
--option="ad dc functional level = 2016" --function-level=2016
The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run samba-tool domain schemaupgrade --schema=2019 samba-tool domain functionalprep --function-level=2016 samba-tool domain level raise --domain-level=2016 --forest-level=2016
Improved KDC Auditing:
As part of the auditing required to allow successful deployment of Authentication Policies and Authentication Silos, our KDC now provides Samba-style JSON audit logging of all issued Kerberos tickets, including if they would fail a policy that is not yet enforced. Additionally most failures are audited, (after the initial pre-validation of the request).
Kerberos Armoring (FAST) Support for Windows clients:
In domains where the domain controller functional level is set, as above, to 2012, 2012_R2 or 2016, Windows clients will, if configured via GPO, use FAST to protect user passwords between (in particular) a workstation and the KDC on the AD DC. This is a significant security improvement, as weak passwords in an AS-REQ are no longer available for offline attack.
Claims compression in the AD PAC:
Samba as an AD DC will compress "AD claims" using the same compression algorithm as Microsoft Windows.
Resource SID compression in the AD PAC:
Samba as an AD DC will now correctly populate the various PAC group membership buffers, splitting global and local groups correctly.
Additionally, Samba marshals Resource SIDs, being local groups in the member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression".
Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal:
Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD support since Samba 4.17. Samba 4.19 brings this feature to the default Heimdal KDC.
Samba 4.17 added to samba-tool delegation the 'add-principal' and 'del-principal' subcommands in order to manage RBCD, and the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded.
Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the Asserted Identity [1] SID into the PAC for constrained delegation.
[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos constrained-delegation-overview
New samba-tool support for silos, claims, sites and subnets:
samba-tool can now list, show, add and manipulate Authentication Silos (silos) and Active Directory Authentication Claims (claims).
samba-tool can now list and show Active Directory sites and subnets.
A new Object Relational Model (ORM) based architecture, similar to that used with Django, has been built to make adding new samba-tool subcommands simpler and more consistent, with JSON output available standard on these new commands.
Updated GnuTLS requirement / in-tree cryptography removal:
Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
This has allowed Samba to remove all of our in-tree cryptography, except that found in our Heimdal import. Samba's runtime cryptography needs are now all provided by GnuTLS.
(The GnuTLS vesion requirement is raised to 3.7.2 on systems without the Linux getrandom())
We also use Python's cryptography module for our testing.
The use of well known cryptography libraries makes Samba easier for end-users to validate and deploy, and for distributors to ship. This is the end of a very long journey for Samba.
Updated Heimdal import:
Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code.
Revocation support in Heimdal KDC for PKINIT certificates:
Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action other than replacing the file is required. The additional krb5.conf option is:
[kdc]
pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT:
Previously Samba's PKINIT support in the KDC was tested by use of shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT.
Require encrypted connection to modify unicodePwd on the AD DC:
Setting the password on an AD account on should never be attempted over a plaintext or signed-only LDAP connection. If the unicodePwd (or userPassword) attribute is modified without encryption (as seen by Samba), the request will be rejected. This is to encourage the administrator to use an encrypted connection in the future.
NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, the LDAP request will be regarded as plaintext.
Samba AD TLS Certificates can be reloaded:
The TLS certificates used for Samba's AD DC LDAP server were previously only read on startup, and this meant that when then expired it was required to restart Samba, disrupting service to other users.
smbcontrol ldap_server reload-certs
This will now allow these certificates to be reloaded 'on the fly'

New in Samba 4.18.6 (Aug 16, 2023)

New in Samba 4.18.5 (Jul 19, 2023)

New in Samba 4.18.4 (Jul 7, 2023)

New in Samba 4.18.3 (May 31, 2023)

New in Samba 4.18.2 (Apr 19, 2023)

New in Samba 4.18.1 (Mar 30, 2023)

New in Samba 4.18.0 (Mar 8, 2023)

NEW FEATURES/CHANGES:
SMB Server performance improvements:
The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again.
More succinct samba-tool error messages:
Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:
a username or password is incorrect
an ldb database filename is wrong (including in smb.conf)
samba-tool dns: various zones or records do not exist
samba-tool ntacl: certain files are missing
the network seems to be down
bad --realm or --debug arguments
Accessing the old samba-tool messages:
This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color:
For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly.
samba-tool drs showrepl: default is now 'auto', not 'no'
samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES:
The samba-tool dsacl tool can now delete entries in directory access control lists. The interface for 'samba-tool dsacl delete' is similar to that of 'samba-tool dsacl set', with the difference being that the ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable:
With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR.
New wbinfo option --change-secret-at:
The wbinfo command has a new option, --change-secret-at= which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs.
New option to change the NT ACL default location:
Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements:
Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.

New in Samba 4.17.5 (Jan 27, 2023)

New in Samba 4.17.3 (Nov 15, 2022)

New in Samba 4.17.2 (Oct 26, 2022)

New in Samba 4.17.1 (Oct 20, 2022)

New in Samba 4.17.0 (Sep 14, 2022)

Ralph Boehme :
BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
BUG 15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
Volker Lendecke :
BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
BUG 15161: assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197.
Stefan Metzmacher :
BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED.
Noel Power :
BUG 15160: winbind at info level debug can coredump when processing wb_lookupusergroups.
Anoop C S :
BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
Jeremy Allison :
BUG 15128: Possible use after free of connection_struct when iterating smbd_server_connection->connections.
Christian Ambach :
BUG 15145: `net usershare add` fails with flag works with --long but fails with -l.
Ralph Boehme :
BUG 15126: acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr.
Stefan Metzmacher :
BUG 15125: Performance regression on contended path based operations.
BUG 15148: Missing READ_LEASE break could cause data corruption.
Andreas Schneider :
BUG 15141: libsamba-errors uses a wrong version number.
Joseph Sutton :
BUG 15152: SMB1 negotiation can fail to handle connection errors.
Jeremy Allison :
BUG 15143: New filename parser doesn't check veto files smb.conf parameter.
BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
BUG 15146: Backport fileserver related changed to 4.17.0rc2
Jule Anger :
BUG 15147: Manpage for smbstatus json is missing
Volker Lendecke :
BUG 15146: Backport fileserver related changed to 4.17.0rc2
Stefan Metzmacher :
BUG 15125: Performance regression on contended path based operations
BUG 15146: Backport fileserver related changed to 4.17.0rc2
Andreas Schneider :
BUG 15140: Fix issues found by coverity in smbstatus json code
BUG 15146: Backport fileserver related changed to 4.17.0rc2

New in Samba 4.16.5 (Sep 8, 2022)

New in Samba 4.16.4 (Jul 27, 2022)

New in Samba 4.16.3 (Jul 18, 2022)

New in Samba 4.16.2 (Jun 15, 2022)

New in Samba 4.16.1 (May 3, 2022)

New in Samba 4.15.0 (Sep 20, 2021)

New in Samba 4.14.7 (Aug 26, 2021)

New in Samba 4.14.6 (Jul 13, 2021)

New in Samba 4.14.5 (Jun 1, 2021)

New in Samba 4.14.3 (Apr 20, 2021)

New in Samba 4.13.4 (Jan 26, 2021)

New in Samba 4.13.3 (Dec 15, 2020)

New in Samba 4.13.2 (Nov 3, 2020)

New in Samba 4.13.1 (Oct 29, 2020)

New in Samba 4.12.7 (Sep 18, 2020)

New in Samba 4.12.6 (Aug 13, 2020)

New in Samba 4.12.5 (Jul 2, 2020)

New in Samba 4.12.4 (Jul 2, 2020)

New in Samba 4.12.3 (May 19, 2020)

New in Samba 4.12.2 (Apr 28, 2020)

New in Samba 4.12.1 (Apr 7, 2020)

New in Samba 4.12.0 (Mar 3, 2020)

New in Samba 4.11.6 (Jan 29, 2020)

New in Samba 4.11.5 (Jan 21, 2020)

New in Samba 4.11.4 (Dec 17, 2019)

New in Samba 4.11.3 (Dec 10, 2019)

New in Samba 4.11.2 (Oct 29, 2019)

New in Samba 4.11.1 (Oct 18, 2019)

New in Samba 4.11 (Oct 9, 2019)

AD Database compatibility:
Samba 4.11 has changed how the AD database is stored on disk. AD users should
not really be affected by this change when upgrading to 4.11. However, AD
users should be extremely careful if they need to downgrade from Samba 4.11 to
an older release.
Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you
first start the upgraded samba executable.
However, when downgrading from 4.11 you will need to manually downgrade the AD
database yourself. Note that you will need to do this step before you install
the downgraded Samba packages.
When either upgrading or downgrading, users should also avoid making any
database modifications between installing the new Samba packages and starting
the samba executable.
SMB1 is disabled by default
The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02.
This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default).
It also means client tools like smbclient and other, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default).
It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.
Note that most commandline tools e.g. smbclient, smbcacls and others also support the '--option' argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful.
As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible.
SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug
LanMan and plaintext authentication deprecated:
The "lanman auth" and "encrypt passwords" parameters are deprecated with this release as both are only applicable to SMB1 and are quite insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as "encrypt passwords = yes" has been the default since Samba 3.0.0.
If you have a strong requirement for these authentication protocols, please file a bug at https://bugzilla.samba.org and let us know about the details.
BIND9_FLATFILE deprecated:
The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision.
This release therefore deprecates the "rndc command" smb.conf parameter, which is used to support this configuration. After writing out a list of DCs permitted to make changes to the DNS Zone "rndc command" is called with reload to tell the 'named' server if a DC was added/removed to to the domain.
NEW FEATURES/CHANGES:
Default samba process model:
The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous
default would create a separate process for every LDAP or NETLOGON client
connection. For a network with a lot of persistent client connections, this
could result in significant memory overhead. Now, with the new default of
'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
worker processes at startup and share the client connections amongst these
workers. The number of worker processes can be configured by the 'prefork
children' setting in the smb.conf (the default is 4).
Authentication Logging:
Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the windbind and SamLogon requests.
The serviceDescription of the messages is set to "winbind", the authDescription
is set to one of:
LDAP referrals:
The scheme of returned LDAP referrals now reflects the scheme of the original
request, i.e. referrals received via ldap are prefixed with "ldap://"
and those over ldaps are prefixed with "ldaps://".
Previously all referrals were prefixed with "ldap://".
Bind9 logging:
It is now possible to log the duration of DNS operations performed by Bind9.
This should aid future diagnosis of performance issues and could be used to
monitor DNS performance. The logging is enabled by setting log level to
"dns:10" in smb.conf.
The logs are currently human readable text only, i.e. no JSON formatted output.
Default schema updated to 2012_R2:
Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade".
Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).
GnuTLS 3.2 required:
Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.
NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.
A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now that above applies.
samba-tool improvements:
A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP.
The "samba-tool [user|group|computer|group|contact] edit" command has been
improved to operate more pleasantly on international character sets.
100,000 USER and LARGER Samba AD DOMAINS:
Extensive efforts have been made to optimise Samba for use in organisations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as large number of group memberships.
Many of the specific efforts are detailed below, but the net results is to remove barriers to significantly larger Samba deployments compared to previous releases.
Reindex performance improvements:
The performance of samba-tool dbcheck --reindex has been improved, especially for large domains.
join performance improvements:
The performance of samba-tool domain join has been improved, especially for large domains.
LDAP Server memory improvements:
The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) is not copied multiple times into memory.
Setting lmdb map size:
It is now possible to set the lmdb map size (the maximum permitted size for the database). "samba-tool" now accepts the "--backend-store-size" i.e. --backend-store-size=4Gb. If not specified it defaults to 8Gb.
This option is avaiable for the following sub commands:
domain provision
domain join
domain dcpromo
drs clone-dc-database
LDB "batch_mode":
To improve performance during batch operations i.e. joins, ldb now accepts a "batch_mode" option. However to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.
New LDB pack format:
On first use (startup of 'samba' or the first transaction write) Samba's sam.ldb will be updated to a new more efficient pack format. This will take a few moments.
New LDB = index mode to improve replication performance
As well as a new pack format, Samba's sam.ldb uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle. This in turn improves performance during replication of large domains.
Improvements to ldb search performance:
Search performance on large LDB databases has been improved by reducing memory allocations made on each object.
Improvements to subtree rename performance:
Improvements have been made to Samba's handling of subtree renames, for example of containers and organisational units, however large renames are still not recommended.
CTDB changes:
nfs-linux-kernel-callout now defaults to using systemd service names
The Red Hat service names continue to be the default.
Other distributions should patch this file when packaging it.
The onnode -o option has been removed
ctdbd logs when it is using more than 90% of a CPU thread
ctdbd is single threaded, so can become saturated if it uses the full capacity of a CPU thread. To help detect this situation, ctdbd now logs messages when CPU utilisation exceeds 90%. Each change in CPU utilisation over 90% is logged. A message is also logged when CPU utilisation drops below the 90% threshold.
Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed 05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.
CephFS Snapshot Integration:
CephFS snapshots can now be exposed as previous file versions using the new
ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
REMOVED FEATURES:
Web server:
As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has
now been removed from Samba.
samba-tool join subdomain:
The subdomain role has been removed from the join command. This option did
not work and has no tests.
Python2 support:
Samba 4.11 will not have any runtime support for Python 2.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
'PYTHON=python2 ./configure'
'PYTHON=python2 make'
This will override the python3 default.
Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.

New in Samba 4.10.8 (Sep 3, 2019)

New in Samba 4.10.7 (Aug 22, 2019)

New in Samba 4.10.6 (Jul 8, 2019)

New in Samba 4.10.5 (Jun 19, 2019)

New in Samba 4.10.4 (May 22, 2019)

BUG 13938: s3: SMB1: Don't allow recvfile on stream fsp's.
BUG 13882: py/provision: Fix for Python 2.6.
BUG 13873: netcmd: Fix 'passwordsettings --max-pwd-age' command.
BUG 13938: s3:smbd: Don't use recvfile on streams.
BUG 13861: s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot".
BUG 13896: vfs_ceph: Explicitly enable libcephfs POSIX ACL support.
BUG 13940: vfs_ceph: Fix cephwrap_flistxattr() debug message.
BUG 13895: ctdb-common: Avoid race between fd and signal events.
BUG 13943: ctdb-common: Fix memory leak in run_proc.
BUG 13892: lib: Initialize getline() arguments.
BUG 13903: winbind: Fix overlapping id ranges.
BUG 13902: lib util debug: Increase format buffer to 4KiB.
BUG 13927: nsswitch pam_winbind: Fix Asan use after free.
BUG 13929: s4 lib socket: Ensure address string owned by parent struct.
BUG 13936: s3 rpc_client: Fix Asan stack use after scope.
BUG 10097: s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO.
BUG 10344: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
BUG 12845: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
BUG 13698: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
BUG 13796: smb2_sesssetup: avoid STATUS_PENDING responses for session setup.
BUG 13843: dbcheck: Fix the err_empty_attribute() check.
BUG 13858: vfs_snapper: Drop unneeded fstat handler.
BUG 13862: vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check.
BUG 13863: smb2_server: Grant all 8192 credits to clients.
BUG 13919: smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling.
BUG 13872: s3/vfs_glusterfs: Dynamically determine NAME_MAX.
BUG 13918: s3: modules: ceph: Use current working directory instead of share path.
BUG 13831: winbind: Use domain name from lsa query for sid_to_name cache entry.
BUG 13865: memcache: Increase size of default memcache to 512k.
BUG 13857: docs: Update smbclient manpage for "--max-protocol".
BUG 13861: 'net ads join' to child domain fails when using "-U admin@forestroot".
BUG 13937: s3:utils: If share is NULL in smbcacls, don't print it.
BUG 13939: s3:smbspool: Fix regression printing with Kerberos credentials.
BUG 13860: ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd.
BUG 13888: ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake".
BUG 13930: ctdb-daemon: Never use 0 as a client ID.
BUG 13943: ctdb-common: Fix memory leak.
BUG 13904: s3:debug: Enable logging for early startup failures.

New in Samba 4.10.3 (May 14, 2019)

New in Samba 4.10.2 (Apr 8, 2019)

New in Samba 4.10.1 (Apr 3, 2019)

New in Samba 4.9.5 (Mar 12, 2019)

BUG 13714: audit_logging: Remove debug log header and JSON Authentication: prefix.
BUG 13760: Fix upgrade from 4.7 (or earlier) to 4.9.
BUG 11495: s3: lib: nmbname: Ensure we limit the NetBIOS name correctly. CID: 1433607.
BUG 13690: smbd: uid: Don't crash if 'force group' is added to an existing share connection.
BUG 13770: s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
BUG 13803: s3: SMB1 POSIX mkdir does case insensitive name lookup.
BUG 13199: s3:utils/smbget fix recursive download with empty source directories.
BUG 13716: samba-tool drs showrepl: Do not crash if no dnsHostName found.
BUG 13736: s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection.
BUG 13747: join: Throw CommandError instead of Exception for simple errors.
BUG 13762: ldb: Avoid inefficient one-level searches.
BUG 13736: s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list().
BUG 13776: tldap: Avoid use after free errors.
BUG 13802: Fix idmap xid2sid cache churn.
BUG 13812: access_check_max_allowed() doesn't process "Owner Rights" ACEs.
BUG 13720: s3-smbd: Avoid assuming fsp is always intact after close_file call.
BUG 13725: s3-vfs-fruit: Add close call.
BUG 13746: s3-smbd: Use fruit:model string for mDNS registration.
BUG 13774: s3-vfs: add glusterfs_fuse vfs module.
BUG 13766: printing: Check lp_load_printers() prior to pcap cache update.
BUG 13807: vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate.
BUG 13737: lib/audit_logging: Actually create talloc.
BUG 13728: netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg.
BUG 13738: dns: Changing onelevel search for wildcard to subtree.
BUG 13721: samba-tool: Don't print backtrace on simple DNS errors.
BUG 13759: sambaundoguididx: Use the right escaped oder unescaped sam ldb files.
BUG 13742: ctdb: Print locks latency in machinereadable stats.
BUG 13786: messages_dgm: Messaging gets stuck when pids are recycled.
BUG 13715: audit_logging: auth_json_audit required auth_json.
BUG 13765: man pages: Document prefork process model.
BUG 13773: CVE-2019-3824 ldb: Release ldb 1.4.6.
BUG 13697: s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration.
BUG 13722: s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts.
BUG 13723: s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available.
BUG 13752: s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'.
BUG 13616: Python: Ensure ldb.Dn can doesn't rencoded str with py2.
BUG 13330: vfs_glusterfs: Adapt to changes in libgfapi signatures.
BUG 13774: s3-vfs: Use ENOATTR in errno comparison for getxattr.
BUG 13704: notifyd: Fix SIGBUS on sparc.
BUG 13787: waf: Check for libnscd.
BUG 13770: s3:vfs: Correctly check if OFD locks should be enabled or not.
BUG 13717: lib/util: Count a trailing line that doesn't end in a newline.
BUG 13800: Recovery lock bug fixes.
BUG 13726: s3: net: Do not set NET_FLAGS_ANONYMOUS with -k.
BUG 13727: s3:libsmb: Honor disable_netbios option in smbsock_connect_send.
BUG 13741: vfs_fileid: Fix get_connectpath_ino.
BUG 13744: vfs_fileid: Fix fsname_norootdir algorithm.

New in Samba 4.9.3 (Dec 13, 2018)

New in Samba 4.9.0 (Sep 14, 2018)

New in Samba 4.9.0 RC 5 (Sep 10, 2018)

New in Samba 4.9.0 RC 4 (Aug 29, 2018)

New in Samba 4.8.5 (Aug 24, 2018)

BUG 13474: python: pysmbd: Additional error path leak fix.
BUG 13511: libsmbclient: Initialize written value before use.
BUG 13519: ldb: Refuse to build Samba against a newer minor version of ldb.
BUG 13527: s3: libsmbclient: Fix cli_splice() fallback when reading less than a complete file.
BUG 13537: Using "sendfile = yes" with SMB2 can cause CPU spin.
BUG 13575: ldb: Release LDB 1.3.6.
BUG 13511: libsmbclient: Initialize written in cli_splice_fallback().
BUG 13318: Durable Handles reconnect fails in a cluster when the cluster fs uses different device ids.
BUG 13351: s3: smbd: Always set vuid in check_user_ok().
BUG 13441: vfs_fruit: Delete 0 byte size streams if AAPL is enabled.
BUG 13451: Fail renaming file if that file has open streams.
BUG 13505: lib: smb_threads: Fix access before init bug.
BUG 13535: s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check().
BUG 13538: samba-tool trust: Support discovery via netr_GetDcName.
BUG 13540: ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler.
BUG 13506: vfs_ceph: Don't lie about flock support.
BUG 13540: Fix deadlock with ctdb_mutex_ceph_rados_helper.
BUG 13493: ctdb: Fix build on FreeBSD and AIX.
BUG 13553: libsmb: Fix CID 1438243 (Unchecked return value), CID 1438244 (Unsigned compared against 0), CID 1438245 (Dereference before null check), CID 1438246 (Unchecked return value).
BUG 13584: vfs_fruit: Fix a panic if fruit_access_check detects a locking conflict.
BUG 13536: The current position in the dns name was not advanced past the '.' character.
BUG 13308: samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA.
BUG 13559: systemd: Only start smb when network interfaces are up.
BUG 13553: Fix quotas with SMB2.
BUG 13563: s3/smbd: Ensure quota code is only called when quota support detected.
BUG 13204: s3/libsmb: Explicitly set delete_on_close token for rmdir.
BUG 13489: krb5_plugin: Install plugins to krb5 modules dir.
BUG 13503: s3:winbind: Do not lookup local system accounts in AD.
BUG 13499: Don't use CTDB_BROADCAST_VNNMAP.
BUG 13500: ctdb-daemon: Only consider client ID for local database attach.
BUG 13485: s3:client: Add "--quiet" option to smbclient.
BUG 13568: s3: vfs: time_audit: Fix handling of token_blob in smb_time_audit_offload_read_recv().

New in Samba 4.8.4 (Aug 14, 2018)

New in Samba 4.9.0 RC 2 (Aug 1, 2018)

New in Samba 4.8.3 (Jul 13, 2018)

New in Samba 4.8.2 (May 20, 2018)

New in Samba 4.8.1 (Apr 26, 2018)

BUG 13244: s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
BUG 13270: s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir().
BUG 13319: Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit.
BUG 13347: s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues.
BUG 13358: s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access.
BUG 13372: s3: smbd: Fix memory leak in vfswrap_getwd().
BUG 13375: s3: smbd: Unix extensions attempts to change wrong field in fchown call.
BUG 13337: ms_schema/samba-tool visualize: Fix python2.6 incompatibility.
BUG 13352: Fix invocation of gnutls_aead_cipher_encrypt().
BUG 13328: Windows 10 cannot logon on Samba NT4 domain.
BUG 13332: winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted.
BUG 13363: s3:smbd: Don't use the directory cache for SMB2/3.
BUG 13356: ctdb-client: Fix bugs in client code.
BUG 13359: ctdb-scripts: Drop "net serverid wipe" from 50.samba event script.
BUG 13368: s3: lib: messages: Don't use the result of sec_init() before calling sec_init().
BUG 13273: libads: Fix the build '--without-ads'.
BUG 13332: winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'.
BUG 13343: vfs_virusfilter: Fix CIDs 1428738-1428740.
BUG 13367: dsdb: Fix CID 1034966 Uninitialized scalar variable.
BUG 13370: rpc_server: Fix core dump in dfsgetinfo.
BUG 13382: smbclient: Fix notify.
BUG 13215: Fix smbd panic if the client-supplied channel sequence number wraps.
BUG 13328: Windows 10 cannot logon on Samba NT4 domain.
BUG 13342: lib/util: Remove unused '#include ' from tests/tfork.c.
BUG 13343: Fix build errors with cc from developerstudio 12.5 on Solaris.
BUG 13344: Fix the picky-developer build on FreeBSD 11.
BUG 13345: s3:modules: Fix the build of vfs_aixacl2.c.
BUG 13338: s3:smbd: map nterror on smb2_flush errorpath.
BUG 13341: lib:replace: Fix linking when libtirpc-devel overwrites system headers.
BUG 13312: winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query.
BUG 13376: s3:passdb: Do not return OK if we don't have pinfo set up.
BUG 13302: Allow AESNI to be used on all processor supporting AESNI.

New in Samba 4.8.0 (Apr 13, 2018)

New in Samba 4.8.0 RC 4 (Mar 5, 2018)

New in Samba 4.8.0 RC 3 (Feb 13, 2018)

New in Samba 4.7.5 (Feb 7, 2018)

New in Samba 4.8.0 RC 2 (Jan 26, 2018)

New in Samba 4.8.0 RC 1 (Jan 16, 2018)

NEW FEATURES/CHANGES:
KDC GPO application:
Adds Group Policy support for the Samba kdc. Applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and
renew lifetime).
Adds the samba_gpoupdate script for applying and unapplying policy. Can be applied automatically by setting 'server services = +gpoupdate'.
Time Machine Support with vfs_fruit:
Samba can be configured as a Time Machine target for Apple Mac devices through the vfs_fruit module. When enabling a share for Time Machine support the relevant Avahi records to support discovery will be published for installations that have been built against the Avahi client library.
Shares can be designated as a Time Machine share with the following setting: 'fruit:time machine = yes'
Support for lower casing the MDNS Name:
Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
This can be set with the following settings: 'mdns name = mdns'
Encrypted secrets:
Attributes deemed to be sensitive are now encrypted on disk. The sensitive values are currently: pekList, msDS-ExecuteScriptPassword, currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, unicodePwd, clearTextPassword.
This encryption is enabled by default on a new provision or join, it can be disabled at provision or join time with the new option '--plaintext-secrets'.
However, an in-place upgrade will not encrypt the database.
Once encrypted, it is not possible to do an in-place downgrade (eg to 4.7) of the database. To obtain an unencrypted copy of the database a new DC join should be performed, specifying the '--plaintext-secrets' option.
The key file "encrypted_secrets.key" is created in the same directory as the database and should NEVER be disclosed. It is included by the samba_backup script.
NT4-style replication based net commands removed:
The following commands and sub-commands have been removed from the "net" utility: net rpc samdump, net rpc vampire ldif.
Also, replicating from a real NT4 domain with "net rpc vampire" and "net rpc vampire keytab" has been removed.
The NT4-based commands were accidentially broken in 2013, and nobody noticed the breakage. So instead of fixing them including tests (which would have meant writing a server for the protocols, which we don't have) we decided to remove them.
For the same reason, the "samsync", "samdeltas" and "database_redo" commands have been removed from rpcclient.
"net rpc vampire keytab" from Active Directory domains continues to be supported.
vfs_aio_linux module removed:
The current Linux kernel aio does not match what Samba would do. Shipping code that uses it leads people to false assumptions. Samba implements async I/O based on threads by default, there is no special module required to see benefits of read and write request being sent do the disk in parallel.
smbclient reparse point symlink parameters reversed:
A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server. As this is a little used feature the ordering of these parameters has been
reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion.
Winbind changes:
The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.
The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.
If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".
REMOVED FEATURES:
The two commands 'net serverid list' and 'net serverid wipe' have been removed, because the file serverid.tdb is not used anymore.
'net serverid list' can be replaced by listing all files in the subdirectory "msg.lock" of Samba's "lock directory". The unique id listed by 'net serverid list' is stored in every process' lockfile in "msg.lock".
'net serverid wipe' is not necessary anymore. It was meant primarily for clustered environments, where the serverid.tdb file was not properly cleaned up after single node crashes. Nowadays smbd and winbind take care of cleaning up the msg.lock and msg.sock directories automatically.

New in Samba 4.7.4 (Dec 23, 2017)

smbclient reparse point symlink parameters reversed:
A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server.
This only affects using the smbclient 'symlink' command against a Windows server, not a Samba server using the UNIX extensions (the parameter order is correct in that case) so no existing user scripts that depend on creating symlinks on Samba servers need to change.
As this is a little used feature the ordering of these parameters has been reversed to match the parameter ordering of the UNIX extensions 'symlink' command. This means running 'symlink' against both Windows and Samba now uses the same paramter ordering in both cases.
The usage message for this command has also been improved to remove confusion.
Fixes:
BUG 13140: s3: smbclient: Implement 'volume' command over SMB2.
BUG 13171: s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv().
BUG 13172: s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient.
BUG 12934: Build man page for vfs_zfsacl.8 with Samba.
BUG 13095: repl_meta_data: Allow delete of an object with dangling backlinks.
BUG 13129: s4:samba: Fix default to be running samba as a deamon.
BUG 13191: Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3
BUG 6133: vfs_zfsacl: Fix compilation error.
BUG 13051: "smb encrypt" setting changes are not fully applied until full smbd restart.
BUG 13052: winbindd: Fix idmap_rid dependency on trusted domain list.
BUG 13155: vfs_fruit: Proper VFS-stackable conversion of FinderInfo.
BUG 13173: winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath.
BUG 13120: repl_meta_data: Fix removing of backlink on deleted objects.
BUG 13153: ctdb: sock_daemon leaks memory.
BUG 13154: TCP tickles not getting synchronised on CTDB restart.
BUG 13150: winbindd: winbind parent and child share a ctdb connection.
BUG 13170: pthreadpool: Fix deadlock.
BUG 13179: pthreadpool: Fix starvation after fork.
BUG 13180: messaging: Always register the unique id.
13129: s4/smbd: set the process group.
BUG 13095: Fix broken linked attribute handling.
BUG 13132: The KDC on an RWDC doesn't send error replies in some situations.
BUG 13149: libnet_join: Fix 'net rpc oldjoin'.
BUG 13195: g_lock conflict detection broken when processing stale entries.
BUG 13197: s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions.
BUG 13166: s3:libads: net ads keytab list fails with "Key table name malformed".
BUG 13170: Fix crash in pthreadpool thread after failure from pthread_create.
BUG 13129: s4:samba: Allow samba daemon to run in foreground.
BUG 13174: third_party: Link the aesni-intel library with "-z noexecstack".
BUG 13125: vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options.

New in Samba 4.7.3 (Nov 22, 2017)

New in Samba 4.7.1 (Nov 3, 2017)

BUG 13091: vfs_glusterfs: Fix exporting subdirs with shadow_copy2.
BUG 13027: s3: smbd: Currently if getwd() fails after a chdir(), we panic.
BUG 13068: s3: VFS: Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename.
BUG 13069: sys_getwd() can leak memory or possibly return the wrong errno on older systems.
BUG 13093: 'smbclient' doesn't correctly canonicalize all local names before use.
BUG 13095: Fix broken linked attribute handling.
BUG 12994: Missing LDAP query escapes in DNS rpc server.
BUG 13087: replace: Link to -lbsd when building replace.c by hand.
BUG 6133: Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem.
BUG 7909: Map SYNCHRONIZE acl permission statically in zfs_acl vfs module.
BUG 7933: Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module.
BUG 12991: s3/mdssvc: Missing assignment in sl_pack_float.
BUG 12995: Wrong Samba access checks when changing DOS attributes.
BUG 13062: samba_runcmd_send() leaves zombie processes on timeout
BUG 13065: net: groupmap cleanup should not delete BUILTIN mappings.
BUG 13076: Enabling vfs_fruit results in loss of Finder tags and other xattrs.
BUG 9613: man pages: Properly ident lists.
BUG 13081: smb.conf.5: Sort parameters alphabetically.
BUG 12993: s3: spoolss: Fix GUID string format on GetPrinter info.
BUG 13042: Remote serverid check doesn't check for the unique id.
BUG 13056: CTDB starts consuming memory if there are dead nodes in the cluster.
BUG 13070: ctdb-common: Ignore event scripts with multiple '.'s.
BUG 13046: libgpo doesn't sort the GPOs in the correct order.
BUG 13042: Remote serverid check doesn't check for the unique id.
BUG 13090: vfs_catia: Fix a potential memleak.
BUG 12903: Fix file change notification for renames.
BUG 12952: Samba DNS server does not honour wildcards.
BUG 13079: Can't change password in samba from a Windows client if Samba runs on IPv6 only interface.
BUG 13086: vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR.
BUG 13047: Apple client can't cope with SMB2 async replies when creating symlinks.
BUG 12959: s4:rpc_server:backupkey: Move variable into scope.
BUG 13099: s4:scripting: Fix ntstatus_gen.h generation on 32bit.
BUG 13100: s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd().
BUG 13101: Fix resouce leaks and pointer issues.
BUG 13049: vfs_solarisacl: Fix build for samba 4.7 and up.

New in Samba 4.7.0 (Oct 6, 2017)

Bug fixes:
CVE-2017-12150: A man in the middle attack may hijack client connections.
CVE-2017-12151: A man in the middle attack can read and may alter confidential documents transferred via a client connection, which are reached via DFS redirect when the original connection used SMB3.
CVE-2017-12163: Client with write access to a share can cause server memory contents to be written into a file or printer.
BUG 13003: s3: vfs: catia: compression get/set must act only on base file, and must cope with fsp==NULL.
BUG 13008: lib: crypto: Make smbd use the Intel AES instruction set for signing and encryption.
BUG 12946: s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES.
BUG 13015: Allow re-index of newer databases with binary GUID TDB keys (this officially removes support for re-index of the original pack format 0, rather than simply segfaulting).
BUG 13017: Add ldb_ldif_message_redacted_string() to allow debug of redacted log messages, avoiding showing secret values.
BUG 13023: ldb: version 1.2.2.
BUG 13025: schema: Rework dsdb_schema_set_indices_and_attributes() db operations.
BUG 13030: Install dcerpc/__init__.py for all Python environments.
BUG 13024: s3/smbd: Sticky write time offset miscalculation causes broken timestamps
BUG 13037: lib/util: Only close the event_fd in tfork if the caller didn't call tfork_event_fd().
BUG 13006: messaging: Avoid a socket leak after fork.
BUG 13018: charset: Fix str[n]casecmp_m() by comparing lower case values.
BUG 13037: util_runcmd: Free the fde in event handler.
BUG 13012: ctdb-daemon: Fix implementation of process_exists control.
BUG 13021: GET_DB_SEQNUM control can cause ctdb to deadlock when databases are frozen.
BUG 13029: ctdb-daemon: Free up record data if a call request is deferred.
BUG 13036: ctdb-client: Initialize ctdb_ltdb_header completely for empty record.
BUG 13032: vfs_streams_xattr: Fix segfault when running with log level 10.
BUG 12929: smb.conf: Explain that "ntlm auth" is a per-passdb setting.
BUG 12953: s4/lib/tls: Use SHA256 to sign the TLS certificates.
BUG 12932: Get rid of talloc_autofree_context().
BUG 12978: After restarting CTDB, it attaches replicated databases with wrong flags.
BUG 12863: s3:smbclient: Don't try any workgroup listing with "client min protocol = SMB2".
BUG 12876: s3:libsmb: Don't call cli_NetServerEnum() on SMB2/3 connections in SMBC_opendir_ctx().
BUG 12881: s3:libsmb: Let do_connect() debug the negotiation result similar to "session request ok".
BUG 12919: s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done().
BUG 12968: Fix 'smbclient tarmode' with SMB2/3.
BUG 12973: 'smbd': Don't use a lot of CPU on startup of a connection.
BUG 12983: vfs_default: Fix passing of errno from async calls.
BUG 12629: s3:utils: Do not report an invalid range for AD DC role.
BUG 12704: s3:libsmb: Let get_ipc_connect() use CLI_FULL_CONNECTION_FORCE_SMB1.
BUG 12930: Fix build issues with GCC 7.1.
BUG 12950: s3:script: Untaint user supplied data in modprinter.pl.
BUG 12956: s3:libads: Fix changing passwords with Kerberos.
BUG 12975: Fix changing the password with 'smbpasswd' as a local user on a domain member.
BUG 12913: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified.
BUG 12855: dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7.
BUG 12904: dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc.
BUG 12939: s4-rpc_server: Improve debug of new endpoints.
BUG 12791: Fix kernel oplocks issues with named streams.
BUG 12944: vfs_gpfs: Handle EACCES when fetching DOS attributes from xattr.
BUG 12842: samdb/cracknames: Support user and service principal as desired format.
BUG 12911: vfs_ceph: Fix cephwrap_chdir().
BUG 12865: Track machine account ServerAuthenticate3.
BUG 12947: python: Fix incorrect kdc.conf parameter name in kerberos.py.
BUG 12937: s3/utils: 'smbcacls' failed to detect DIRECTORIES using SMB2 (Windows only).
BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
BUG 12936: source3/client: Fix typo in help message displayed by default.
BUG 12930: Fix building with GCC 7.1.1.
BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async.
BUG 12899: s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2 to match SMB1.
BUG 12914: s3: smbclient: Add new command deltree.
BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly.
BUG 12887: Remove SMB_VFS_STRICT_UNLOCK noop from the VFS.
BUG 12891: Enable TDB mutexes in dbwrap and ctdb.
BUG 12897: vfs_fruit: don't use MS NFS ACEs with Windows clients.
BUG 12910: s3/notifyd: Ensure notifyd doesn't return from smbd_notifyd_init.
BUG 12905: Build py3 versions of other rpc modules.
BUG 12840: vfs_fruit: Add "fruit:model = " parametric option.
BUG 12720: idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN.
BUG 12891: dbwrap_ctdb: Fix calculation of persistent flag.
BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
BUG 12925: smbd: Fix a connection run-down race condition.
tevent: version 0.9.33: make tevent_req_print() more robust against crashes.
ldb: version 1.2.1
BUG 12882: Do not install _ldb_text.py if we have system libldb.
BUG 12890: s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface().
BUG 12900: Fix index out of bound in ldb_msg_find_common_values.
BUG 12884: Easily edit a users object in AD, as if using 'ldbedit'.
BUG 12906: s3: drop build_env
BUG 12882: waf: Do not install _ldb_text.py if we have system libldb.
BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
More details regarding this release at:
https://www.samba.org/samba/history/samba-4.7.0.html

New in Samba 4.6.8 (Sep 20, 2017)

New in Samba 4.7.0 RC 6 (Sep 18, 2017)

New in Samba 4.7.0 RC 5 (Aug 29, 2017)

New in Samba 4.6.7 (Aug 9, 2017)

New in Samba 4.6.6 / 4.7.0 RC 2 (Jul 13, 2017)

New in Samba 4.6.5 (Jun 6, 2017)

New in Samba 4.6.4 (May 24, 2017)

New in Samba 4.6.3 (Apr 25, 2017)

BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend.
BUG 12559: Fix for Solaris C compiler.
BUG 12628: s3: locking: Update oplock optimization for the leases era.
BUG 12693: Make the Solaris C compiler happy.
BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
BUG 12747: Fix buffer overflow caused by wrong use of getgroups.
BUG 12746: lib: debug: Avoid negative array access.
BUG 12748: cleanupdb: Fix a memory read error.
BUG 7537: streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY.
BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other backends.
BUG 12565: vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY.
BUG 12615: manpages/vfs_fruit: Document global options.
BUG 12624: lib/pthreadpool: Fix a memory leak.
BUG 12727: Lookup-domain for well-known SIDs on a DC.
BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.
BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case.
BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.
BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to complete.
BUG 12723: ctdb_event monitor command crashes if event is not specified.
BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.
BUG 12558: smbd: Fix smb1 findfirst with DFS.
BUG 12610: smbd: Do an early exit on negprot failure.
BUG 12699: winbindd: Fix substitution for 'template homedir'.
BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
BUG 12613: idmap_autorid: Allocate new domain range if the callers knows the sid is valid.
BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain.
BUG 12731: rpcclient: Allow -U'OTHERDOMAINuser' again.
BUG 12725: winbindd: Fix password policy for pam authentication.
BUG 12554: s3:gse: Correctly handle external trusts with MIT.
BUG 12611: auth/credentials: Always set the realm if we set the principal from the ccache.
BUG 12686: replace: Include sysmacros.h.
BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
BUG 12708: winbindd: Child process crashes when kerberos-authenticating a user with wrong password.
BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to CNID semantics.
BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented.

New in Samba 4.6.2 (Mar 31, 2017)

New in Samba 4.6.1 (Mar 23, 2017)

New in Samba 4.6.0 (Mar 9, 2017)

New in Samba 4.6.0 RC 4 (Mar 1, 2017)

New in Samba 4.5.5 (Jan 30, 2017)

New in Samba 4.6.0 RC 2 (Jan 27, 2017)

New in Samba 4.5.4 (Jan 18, 2017)

New in Samba 4.6.0 RC 1 (Jan 5, 2017)

Kerberos client encryption types:
Some parts of Samba (most notably winbindd) perform Kerberos client operations based on a Samba-generated krb5.conf file. A new parameter, "kerberos encryption types" allows configuring the encryption types set in this file, thereby allowing the user to enforce strong or legacy encryption in Kerberos exchanges.
The default value of "all" is compatible with previous behavior, allowing all encryption algorithms to be negotiated. Setting the parameter to "strong" only allows AES-based algorithms to be negotiated. Setting the parameter to "legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory. This can solves some corner cases of mixed environments with Server 2003R2 and newer DCs.
Printing:
Support for uploading printer drivers from newer Windows clients (Windows 10) has been added until our implementation of [MS-PAR] protocol is ready.
Several issues with uploading different printing drivers have been addressed.
The OS Version for the printing server has been increased to announce Windows Server 2003 R2 SP2. If a driver needs a newer version then you should check the smb.conf manpage for details.
New option for owner inheritance:
The "inherit owner" smb.conf parameter instructs smbd to set the owner of files to be the same as the parent directory's owner. Up until now, this parameter could be set to "yes" or "no".
A new option, "unix only", enables this feature only for the UNIX owner of the file, not affecting the SID owner in the Windows NT ACL of the file. This can be used to emulate something very similar to folder quotas.
Multi-process Netlogon support:
The Netlogon server in the Samba AD DC can now run as multiple processes. The Netlogon server is a part of the AD DC that handles NTLM authentication on behalf of domain members, including file servers, NTLM-authenticated web servers and 802.1x gateways. The previous restriction to running as a single process has been removed, and it will now run in the same process model as the rest of the
'samba' binary.
As part of this change, the NETLOGON service will now run on a distinct TCP port, rather than being shared with all other RPC services (LSA, SAMR, DRSUAPI etc).
New options for controlling TCP ports used for RPC services:
The new 'rpc server port' option controls the default port used for RPC services other than Netlogon. The Netlogon server honors instead the 'rpc server port:netlogon' option. The default value for both these options is the first available port including or after 1024.
Improve AD performance and replication improvements:
Samba's LDB and replication code continues to improve, particularly in respect to the handling of large numbers of linked attributes. We now respect an 'uptodateness vector' which will dramatically reduce the over-replication of links from new DCs. We have also made the parsing of on-disk linked attributes much more efficient.
DNS improvements:
The samba-tool dns subcommand is now much more robust and can delete records in a number of situations where it was not possible to do so in the past.
On the server side, DNS names are now more strictly validated.
CTDB changes:
"ctdb event" is a new top-level command for interacting with event scripts
CTDB's back-end for running event scripts has been replaced by a separate, long-running daemon ctdbd_eventd.
Running ctdb interactively will log to stderr
CTDB logs now include process id for each process
CTDB tags log messages differently.
The mapping between symbolic and numeric debug levels has changed
Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
CTDB's configuration tunables should be consistently set across a cluster
CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS

New in Samba 4.5.3 (Dec 19, 2016)

New in Samba 4.5.2 (Dec 7, 2016)

New in Samba 4.5.1 (Oct 29, 2016)

BUG 11259: smbd contacts a domain controller for each session.
BUG 12272: Fix messaging subsystem crash.
BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being freed.
BUG 12381: s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address.
BUG 12383: s3: libsmb: Fix cut and paste error using the wrong structure type.
BUG 9945: Setting specific logger levels in smb.conf makes 'samba-tool drs showrepl' crash.
BUG 12382: Tombstone expunge does not remove old links.
BUG 8618: s3-printing: Fix migrate printer code.
BUG 12256: s3/smbd: In call_trans2qfilepathinfo call lstat when dealing with posix pathnames.
BUG 12261: s3/smbd: Set FILE_ATTRIBUTE_DIRECTORY as necessary.
BUG 12285: "DriverVersion" registry backend parsing incorrect in spoolss.
BUG 12144: smbd/ioctl: Match WS2016 ReFS get compression behaviour.
BUG 12259: ctdb-protocol: Fix marshalling for GET_DB_SEQNUM control request.
BUG 12275: ctdb-recovery-helper: Add missing initialisation of ban_credits.
BUG 12287: CTDB PID file handling is too weak.
BUG 12045: gencache: Bail out of stabilize if we can not get the allrecord lock.
BUG 12268: smbd: Reset O_NONBLOCK on open files.
BUG 12283: glusterfs: Avoid tevent_internal.h.
BUG 12291: source3/lib/msghdr.c, line 208: syntax error before or at: ;.
BUG 12374: spoolss: Fix caching of printername->sharename.
BUG 12283: REGRESSION: smbd segfaults on startup, tevent context being freed.
BUG 12369: Let winbindd discard expired kerberos tickets when built against (internal) heimdal.
BUG 12298: s3/winbindd: Fix using default domain with [email protected] format.
BUG 12295: winbind: Fix passing idmap failure from wb_sids2xids back to callers.
BUG 12269: nss_wins has incorrect function definitions for gethostbyname*.
BUG 12276: s3-lib: Fix %G substitution in AD member environment.
BUG 12364: s3-utils: Fix loading smb.conf in smbcquotas.
BUG 12286: kcc: Don't check schedule if None.
BUG 12382: Tombstone expunge does not remove old links.
BUG 12377: vfs_glusterfs: Fix a memory leak in connect path.
BUG 12254: CTDB IP takeover does not complete if there are no public addresses configured.
BUG 12255: ctdb-packaging: Fix systemd network dependency.
BUG 12287: CTDB PID file handling is too weak.
BUG 12270: smbcquotas: Fix error message listing quotas.
BUG 12273: s3-sysquotas: Correctly restore path when finding mount point.
BUG 12288: cliquota: Fix param count when setting fs quota.
BUG 12289: smbd: Free talloc context if no quota records are available.
BUG 12307: ntquotas: Support "freeing" an empty quota list.

New in Samba 4.5.0 (Sep 8, 2016)

New in Samba 4.5.0 RC 3 (Aug 29, 2016)

BUG 12155: Some idmap backends don't perform range checks for the result of sids_to_xids.
BUG 12115: Endless loop on drsuapi pull replication after schema changes.
BUG 12135: net ads gpo refresh can crash with null pointer deref..
BUG 12139: Race between break oplock and check for share_mode.
BUG 12150: SMB2 snapshot query fails on DFS shares..
BUG 12165: smbclient allinfo doesn't correctly return 'previous version' info over SMB1.
BUG 12166: smbclient allinfo doesn't correctly return 'previous version' info over SMB2.
BUG 12174: error: 'conn' undeclared.
BUG 12143: misnamed attribute in samba_kcc causes exception in unusual circumstances.
BUG 12187: Backport changes for partial attribute set calculation for 4.5.
BUG 12107: backport backupkey tests.
BUG 12115: Endless loop on drsuapi pull replication after schema changes.
BUG 12128: Correctly resolve replicated schema changes regarding linked attributes.
BUG 12137: Fix printf format non-liternal warnings and printf format errors.
BUG 12138: Fix uninitialized timeout in ctdb_pmda.
BUG 12151: Drop resurrected ctdb commands in new ctdb tool.
BUG 12152: Fix ctdb addip; implementation to match ctdb delip.
BUG 12163: Fix missing arguments and format elements in format strings.
BUG 12168: Fix format-nonliteral warnings.
BUG 12108: Backport selftest/autobuild fixes to v4-5-test.
BUG 12114: In memory schema updated on non schema master.
BUG 12115: Endless loop on drsuapi pull replication after schema changes.
BUG 12128: Correctly resolve replicated schema changes regarding linked attributes.
BUG 12129: let samba-tool ldapcmp ignore whenChanged.
BUG 12187: Backport changes for partial attribute set calculation for 4.5.
BUG 12175: smbget always prompts for a username.
BUG 12150: SMB2 snapshot query fails on DFS shares..
BUG 12157: Coverity and related fixes.
BUG 12158: CTDB release IP fixes.
BUG 12161: Fix CTDB cumulative takeover timeout.
BUG 12170: CTDB test runs can kill each other's ctdbd daemons.
BUG 12145: smbd: if inherit owner is enabled, the free disk on a folder should take the owner's quota into account.
BUG 12149: smbd: cannot load a Windows device driver from a Samba share via SMB2.
BUG 12172: a snapshot folder cannot be accessed via SMB1.

New in Samba 4.5.0 RC 2 (Aug 11, 2016)

New in Samba 4.5.0 RC 1 (Jul 28, 2016)

New in Samba 4.4.5 (Jul 7, 2016)

New in Samba 4.4.4 (Jun 7, 2016)

BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence number verification.
BUG 11919: smbd:close: Only remove kernel share modes if they had been taken at open.
BUG 11930: notifyd: Prevent NULL deref segfault in notifyd_peer_destructor.
BUG 10618: s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope.
BUG 10796: s3:rpcclient: Make '--pw-nt-hash' option work.
BUG 11354: s3:libsmb/clifile: Use correct value for MaxParameterCount for setting EAs.
BUG 11438: Fix case sensitivity issues over SMB2 or above.
BUG 1703: s3:libnet:libnet_join: Add netbios aliases as SPNs.
BUG 11721: vfs_fruit: Add an option that allows disabling POSIX rename behaviour.
BUG 11936: s3-smbd: Support systemd 230.
BUG 11907: source3: Honor the core soft limit of the OS.
BUG 11809: SMB3 multichannel: Add implementation of missing channel sequence number verification.
BUG 11864: s3:client:smbspool_krb5_wrapper: Fix the non clearenv build.
BUG 11906: s3-kerberos: Avoid entering a password change dialogue also when using MIT.
BUG 11890: ldb-samba/ldb_matching_rules: Fix CID 1349424 - Uninitialized pointer read.
BUG 11844: dbwrap_ctdb: Fix ENOENT->NT_STATUS_NOT_FOUND.
BUG 11276: Correctly set cli->raw_status for libsmbclient in SMB2 code.
BUG 11910: s3:smbd: Fix anonymous authentication if signing is mandatory.
BUG 11912: libcli/auth: Let msrpc_parse() return talloc'ed empty strings.
BUG 11914: Fix NTLM Authentication issue with squid.
BUG 11927: s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT.
BUG 11530: pdb: Fix segfault in pdb_ldap for missing gecos.
BUG 11613: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles.
BUG 11907: packaging: Set default limit for core file size in service files.
BUG 11922: s3-net: Convert the key_name to UTF8 during migration.
BUG 11935: s3-smbspool: Log to stderr.
BUG 11900: heimdal: Encode/decode kvno as signed integer.
BUG 11931: s3-quotas: Fix sysquotas_4B quota fetching for BSD.
BUG 11937: smbd: dfree: Ignore quota if not enforced.
BUG 11907: init: Set core file size to unlimited by default.
BUG 11934: Fix memory leak in share mode locking.

New in Samba 4.4.3 (May 3, 2016)

New in Samba 4.4.2 (Apr 13, 2016)

New in Samba 4.4.1 (Apr 13, 2016)

New in Samba 4.4.0 (Mar 22, 2016)

New in Samba 4.4.0 RC 5 (Mar 16, 2016)

New in Samba 4.4.0 RC 4 (Mar 8, 2016)

New in Samba 4.3.6 (Mar 8, 2016)

New in Samba 4.4.0 RC 3 (Feb 23, 2016)

New in Samba 4.3.5 (Feb 23, 2016)

New in Samba 4.4.0 RC 2 (Feb 9, 2016)

New in Samba 4.4.0 RC 1 (Jan 27, 2016)

NEW FEATURES/CHANGES:
Asynchronous flush requests:
Flush requests from SMB2/3 clients are handled asynchronously and do not block the processing of other requests. Note that 'strict sync' has to be set to 'yes' for Samba to honor flush requests from SMB
clients.
s3: smbd:
Remove '--with-aio-support' configure option. We no longer would ever prefer POSIX-RT aio, use pthread_aio instead.
samba-tool sites:
The 'samba-tool sites' subcommand can now be run against another server by specifying an LDB URL using the '-H' option and not against the local database only (which is still the default when no URL is given).
samba-tool domain demote:
Add '--remove-other-dead-server' option to 'samba-tool domain demote' subcommand. The new version of this tool now can remove another DC that is itself offline. The '--remove-other-dead-server' removes as many references to the DC as possible.
samba-tool drs clone-dc-database:
Replicate an initial clone of domain, but do not join it. This is developed for debugging purposes, but not for setting up another DC.
pdbedit:
Add '--set-nt-hash' option to pdbedit to update user password from nt-hash hexstring. 'pdbedit -vw' shows also password hashes.
smbstatus:
'smbstatus' was enhanced to show the state of signing and encryption for sessions and shares.
s4-rpc_server:
Add a GnuTLS based backupkey implementation.
ntlm_auth:
Using the '--offline-logon' enables ntlm_auth to use cached passwords when the DC is offline.
Allow '--password' force a local password check for ntlm-server-1 mode.
vfs_offline:
A new VFS module called vfs_offline has been added to mark all files in the share as offline. It can be useful for shares mounted on top of a remote file system (either through a samba VFS module or via FUSE).
KCC:
The Samba KCC has been improved, but is still disabled by default.
DNS:
There were several improvements concerning the Samba DNS server.
Active Directory:
There were some improvements in the Active Directory area.
WINS nsswitch module:
The WINS nsswitch module has been rewritten to address memory issues and to simplify the code. The module now uses libwbclient to do WINS queries. This means that winbind needs to be running in order to resolve WINS names using the nss_wins module. This does not affect smbd.
CTDB changes:
CTDB now uses a newly implemented parallel database recovery scheme that avoids deadlocks with smbd. In certain circumstances CTDB and smbd could deadlock. The new recovery implementation avoid this. It also provides improved recovery performance.
All files are now installed into and referred to by the paths configured at build time. Therefore, CTDB will now work properly when installed into the default location at /usr/local.
Public CTDB header files are no longer installed, since Samba and CTDB are built from within the same source tree.
CTDB_DBDIR can now be set to tmpfs[:] This will cause volatile TDBs to be located in a tmpfs. This can help to avoid performance problems associated with contention on the disk where volatile TDBs are usually stored. See ctdbd.conf(5) for more details.
Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used. Instead, nodes should be annotated with the "slave-only" option in the CTDB NAT gateway nodes file. This file must be consistent across nodes in a NAT gateway group. See ctdbd.conf(5) for more details.
New event script 05.system allows various system resources to be monitored This can be helpful for explaining poor performance or unexpected behaviour. New configuration variables are CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in ctdbd.conf(5) for more information. The memory, swap and filesystem usage monitoring previously found in 00.ctdb and 40.fs_use is no longer available. Therefore, configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY, CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are now ignored.
The 62.cnfs eventscript has been removed.
The CTDB tunable parameter EventScriptTimeoutCount has been renamed to MonitorTimeoutCount It has only ever been used to limit timed-out monitor events. Configurations containing CTDB_SET_EventScriptTimeoutCount= will cause CTDB to fail at startup. Useful messages will be logged.
The commandline option "-n all" to CTDB tool has been removed. The option was not uniformly implemented for all the commands. Instead of command "ctdb ip -n all", use "ctdb ip all".
All CTDB current manual pages are now correctly installed

New in Samba 4.3.4 (Jan 12, 2016)

New in Samba 4.3.3 (Dec 16, 2015)

New in Samba 4.3.2 (Dec 1, 2015)

New in Samba 4.3.1 (Oct 20, 2015)

New in Samba 4.2.4 (Sep 8, 2015)

New in Samba 4.3.0 RC 3 (Aug 18, 2015)

New in Samba 4.3.0 RC 1 (Jul 22, 2015)

NEW FEATURES:
Logging:
The logging code now supports logging to multiple backends. In addition to the previously available syslog and file backends, the backends for logging to the systemd-journal, lttng and gpfs have been added. Please consult the section for the 'logging' parameter in the smb.conf manpage for details.
Spotlight:
Support for Apple's Spotlight has been added by integrating with GnomeTracker.
For detailed instructions how to build and setup Samba for Spotlight, please see the Samba wiki:
New FileChangeNotify subsystem:
Samba now contains a new subsystem to do FileChangeNotify. The previous system used a central database, notify_index.tdb, to store all notification requests. In particular in a cluster this turned out to be a major bottleneck, because some hot records need to be bounced back and forth between nodes on every change event like a new created file.
The new FileChangeNotify subsystem works with a central daemon per node. Every FileChangeNotify request and every event are handled by an asynchronous message from smbd to the notify daemon. The notify daemon maintains a database of all FileChangeNotify requests in memory and will distribute the notify events accordingly. This database is asynchronously distributed in the cluster by the notify daemons.
The notify daemon is supposed to scale a lot better than the previous implementation. The functional advantage is cross-node kernel change notify: Files created via NFS will be seen by SMB clients on other nodes per FileChangeNotify, despite the fact that popular cluster file systems do not offer cross-node inotify.
Two changes to the configuration were required for this new subsystem: The parameters "change notify" and "kernel change notify" are not per-share anymore but must be set globally. So it is no longer possible to enable or disable notify per share, the notify daemon has no notion of a share, it only works on absolute paths.
New SMB profiling code:
The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead of sysv IPC shared memory. This avoids performance problems and NUMA effects. The profile stats are a bit more detailed than before.
Improved DCERPC man in the middle detection for kerberos:
The gssapi based kerberos backends for gensec have support for DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
SMB signing required in winbindd by default:
The effective value for "client signing" is required by default for winbindd, if the primary domain uses active directory.
Experimental NTDB was removed:
The experimental NTDB library introduced in Samba 4.0 has been removed again.
Improved support for trusted domains (as AD DC):
The support for trusted domains/forests has improved a lot.
samba-tool got "domain trust" subcommands to manage trusts:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP.
While a lot of things are working fine, there are currently a few limitations:
Both sides of the trust need to fully trust each other!
No SID filtering rules are applied at all!
This means DCs of domain A can grant domain admin rights in domain B.
It's not possible to add users/groups of a trusted domain into domain groups.
SMB 3.1.1 supported:
Both client and server have support for SMB 3.1.1 now.
This is the dialect introduced with Windows 10, it improves the secure negotiation of SMB dialects and features.
New smbclient subcommands:
Query a directory for change notifications: notify
Server side copy: scopy
New rpcclient subcommands:
netshareenumall - Enumerate all shares
netsharegetinfo - Get Share Info
netsharesetinfo - Set Share Info
netsharesetdfsflags - Set DFS flags
netfileenum - Enumerate open files
netnamevalidate - Validate sharename
netfilegetsec - Get File security
netsessdel - Delete Session
netsessenum - Enumerate Sessions
netdiskenum - Enumerate Disks
netconnenum - Enumerate Connections
netshareadd - Add share
netsharedel - Delete share
New modules:
idmap_script - see 'man 8 idmap_script'
vfs_unityed_media - see 'man 8 vfs_unityed_media'
vfs_shell_snap - see 'man 8 vfs_shell_snap'
Changes:
smb.conf changes:
logging
msdfs shuffle referrals
smbd profiling level
spotlight
tls priority
use ntdb
change notify
kernel change notify
client max protocol
server max protocol
Removed modules:
vfs_notify_fam - see section 'New FileChangeNotify subsystem'.

New in Samba 4.2.3 (Jul 15, 2015)

BUG 11366: docs: Overhaul the description of "smb encrypt" to include SMB3 encryption.
BUG 11068: s3: lib: util: Ensure we read a hex number as %x, not %u.
BUG 11295: Excessive cli_resolve_path() usage can slow down transmission.
BUG 11328: winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
BUG 11339: s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
BUG 11342: s3: smbd: Codenomicon crash in do_smb_load_module().
BUG 11170: s3:param/loadparm: Fix 'testparm --show-all-parameters'.
BUG 10991: winbindd: Sync secrets.ldb into secrets.tdb on startup.
BUG 11277: s3:smb2: Add padding to last command in compound requests.
BUG 11305: vfs_fruit: Add option "veto_appledouble".
BUG 11323: smbd/trans2: Add a useful diagnostic for files with bad encoding.
BUG 11363: vfs_fruit: Check offset and length for AFP_AfpInfo read requests.
BUG 11371: ncacn_http: Fix GNUism.
BUG 11245: s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces.
BUG 11331: tdb: version 1.3.5: ABI change: tdb_chainlock_read_nonblock() has been added.
BUG 8780: s4:lib/tls: Fix build with gnutls 3.4.
BUG 11281: Add IPv6 support to ADS client side LDAP connects.
BUG 11282: Add IPv6 support for determining FQDN during ADS join.
BUG 11283: s3: IPv6 enabled DNS connections for ADS client.
BUG 10924: s4.2/fsmo.py: Fixed fsmo transfer exception.
BUG 11293: Fix invalid write in ctdb_lock_context_destructor.
BUG 11218: smbd: Fix a use-after-free.
BUG 11312: tstream: Make socketpair nonblocking.
BUG 11330: tevent: Fix CID 1035381 Unchecked return value.
BUG 11331: tdb: Fix CID 1034842 and 1034841 Resource leaks.
BUG 11061: Logon via MS Remote Desktop hangs.
BUG 11141: tevent: Add a note to tevent_add_fd().
BUG 11293: Fix invalid write in ctdb_lock_context_destructor.
BUG 11316: tevent_fd needs to be destroyed before closing the fd.
BUG 11319: Build fails on Solaris 11 with "â€˜PTHREAD_MUTEX_ROBUSTâ€™ undeclared".
BUG 11326: Robust mutex support broken in 1.3.5.
BUG 11329: s3:smb2_setinfo: Fix memory leak in the defer_rename case.
BUG 11330: Backport tevent-0.9.25.
BUG 11331: Backport tdb-1.3.6.
BUG 11367: s3:auth_domain: Fix talloc problem in connect_to_domain_password_server().
BUG 11315: Group creation: Add msSFU30Name only when --nis-domain was given.
BUG 11356: pidl: Make the compilation of PIDL producing the same results if the content hasn't change.
BUG 11328: Kerberos auth info3 should contain resource group ids available from pac_logon.
BUG 11330: lib: tevent: Fix compile error in Solaris ports backend.
BUG 11313: idmap_rfc2307: Fix wbinfo '--gid-to-sid' query.
BUG 11324: Change sharesec output back to previous format.
BUG 11358: winbindd: Disconnect child process if request is cancelled at main process.
BUG 11330: Backport tevent-0.9.25.
BUG 11217: s3-unix_msg: Remove socket file after closing socket fd.

New in Samba 4.2.2 (Jun 25, 2015)

BUG 11182: s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff().
BUG 11260: gencache: don't fail gencache_stabilize if there were records to delete.
BUG 11186: s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid.
BUG 11236: s4: rpc: Refactor dcesrv_alter() function into setup and send steps.
BUG 11240: s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create".
BUG 11249: Mangled names do not work with acl_xattr.
BUG 11254: nmbd rewrites browse.dat when not required.
BUG 11213: vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff.
BUG 11224: s3:smbd: Add missing tevent_req_nterror.
BUG 11243: vfs: kernel_flock and named streams.
BUG 11244: vfs_gpfs: Error code path doesn't call END_PROFILE.
BUG 11284: s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used.
BUG 11201: ctdb: check for talloc_asprintf() failure.:w
BUG 11210: spoolss: purge the printer name cache on name change.
BUG 11204: CTDB statd-callout does not scale.
BUG 11221: vfs_fruit: also map characters below 0x20.
BUG 11201: ctdb: Coverity fix for CID 1291643.
BUG 11225: Multiplexed RPC connections are not handled by DCERPC server.
BUG 11226: Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors.
BUG 11007: ctdb-scripts: Fix bashism in ctdbd_wrapper script.
BUG 11201: ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553.
BUG 11257: SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted.
BUG 11141: s3:winbindd: make sure we remove pending io requests before closing client sockets.
BUG 11182: Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd.
BUG 11237: 'sharesec' output no longer matches input format.
BUG 11200: waf: Fix systemd detection.
BUG 11202: CTDB: Fix portability issues.
BUG 11203: CTDB: Fix some IPv6-related issues.
BUG 11204: CTDB statd-callout does not scale.
BUG 11234: 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values.
BUG 11267: libads: record service ticket endtime for sealed ldap connections.
BUG 11033: lib/util: Include DEBUG macro in internal header files before samba_util.h.

New in Samba 4.2.1 (Apr 16, 2015)

New in Samba 4.2.0 (Mar 17, 2015)

New in Samba 4.2.0 RC 5 (Feb 25, 2015)

New in Samba 4.1.17 (Feb 24, 2015)

New in Samba 4.2.0 RC 4 (Jan 16, 2015)

New in Samba 4.1.16 (Jan 16, 2015)

New in Samba 4.1.15 (Jan 13, 2015)

New in Samba 4.2.0 RC 1 (Oct 3, 2014)

NEW FEATURES:
Transparent File Compression:
Samba 4.2.0 adds support for the manipulation of file and folder compression flags on the Btrfs filesystem.
With the Btrfs Samba VFS module enabled, SMB2+ compression flags can be set remotely from the Windows Explorer File->Properties->Advanced dialog. Files flagged for compression are transparently compressed and uncompressed when accessed or modified.
Previous File Versions with Snapper:
The newly added Snapper VFS module exposes snapshots managed by Snapper for use by Samba. This provides the ability for remote clients to access shadow-copies via Windows Explorer using the "previous versions" dialog.
Winbindd/Netlogon improvements:
The whole concept of maintaining the netlogon secure channel to (other) domain controllers was rewritten in order to maintain global state in a netlogon_creds_cli.tdb.
Winbindd use on the Samba AD DC:
Winbindd is now used on the Samba AD DC by default, replacing the partial rewrite used for winbind operations in Samba 4.0 and 4.1.
This allows more code to be shared, more options to be honoured, and paves the way for support for trusted domains in the AD DC.
If required the old internal winbind can be activated by setting 'server services = +winbind -winbindd'. Upgrading users with a server services parameter specified should ensure they change 'winbind' to 'winbindd' to obtain the new functionality.
The 'samba' binary still manages the starting of this service, there is no need to start the winbindd binary manually.
Winbind now requires secured connections:
To improve protection against rouge domain controllers we now require that when we connect to an AD DC in our forest, that the connection be signed using SMB Signing. Set 'client signing = off' in the smb.conf to disable.
Also and DCE/RPC pipes must be sealed, set 'require strong key = false' and 'winbind sealed pipes = false' to disable.
Finally, the default for 'client ldap sasl wrapping' has been set to 'sign', to ensure the integrity of LDAP connections. Set 'client ldap sasl wrapping = plain' to disable.
Larger IO sizes for SMB2/3 by default:
The default values for "smb2 max read", "smb2 max write" and "smb2 max trans" have been changed to 8388608 (8MiB) in order to match the default of Windows 2012R2.
Improved DCERPC man in the middle detection:
The DCERPC header signing has been implemented in addition to the dcerpc_sec_verification_trailer
protection.
Overhauled "net idmap" command:
The command line interface of the "net idmap" command has been made systematic, and subcommands for reading and writing the autorid idmap database have been added. Note that the writing commands should be used with great care. See the net(8) manual page for details.
tdb improvements:
The tdb library, our core mechanism to store Samba-specific data on disk and share it between processes, has been improved to support process shared robust mutexes on Linux. These mutexes are available on Linux and Solaris and significantly reduce the overhead involved with tdb.
Tdb file space management has also been made more efficient. This will lead to smaller and less fragmented databases.
Messaging improvements:
Our internal messaging subsystem, used for example for things like oplock break messages between smbds or setting a process debug level dynamically, has been rewritten to use unix domain datagram messages.
Clustering support:
Samba's file server clustering component CTDB is now integrated in the Samba tree. This avoids the confusion of compatibility of Samba and CTDB versions as existed previously.
To build the Samba file server with cluster support, use the configure command line option --with-cluster-support. This will build clustered file server against the in-tree ctdb. Building clustered samba with previous versions of CTDB is no longer supported.

New in Samba 4.1.12 (Sep 9, 2014)

Major enhancements:
New parameter "winbind request timeout" has been added (bug #3204). Please see smb.conf man page for details.
Fix smbd crashes when filename contains non-ascii character (bug #10716).
dnsserver: Handle updates of tombstoned dnsNode objects (bug #10749).
Changes:
BUG 10369: build: Fix configure to honour '--without-dmapi'.
BUG 10737: s3:idmap: Don't log missing range config if range checking not requested.
BUG 10741: Fix flapping VFS gpfs offline bit.
BUG 3204: s3: winbindd: On new client connect, prune idle or hung connections older than "winbind request timeout". Add new parameter "winbind request timeout".
BUG 10640: lib: tevent: make TEVENT_SIG_INCREMENT atomic.
BUG 10650: Make "case sensitive = True" option working with "max protocol = SMB2" or higher in large directories.
BUG 10716: Fix smbd crashes when filename contains non-ascii character.
BUG 10728: 'net time': Fix usage and core dump.
BUG 10773: s3: smbd: POSIX ACLs. Remove incorrect check for SECINFO_PROTECTED_DACL in incoming security_information flags in posix_get_nt_acl_common().
BUG 10794: vfs_dirsort: Fix an off-by-one error that can cause uninitialized memory read.
BUG 10543: s3: Enforce a positive allocation_file_size for non-empty files.
BUG 10466: provision: Correctly provision the SOA record minimum TTL.
BUG 10652: Samba 4 consuming a lot of CPU when re-reading printcap info.
BUG 10787: dosmode: Fix FSCTL_SET_SPARSE request validation.
BUG 10742: s4-rpc: dnsserver: Allow . to be specified for @ record.
BUG 10731: sys_poll_intr: Fix timeout arithmetic.
BUG 10778: s3:libsmb: Set a max charge for SMB2 connections.
BUG 10716: lib: strings: Simplify strcasecmp.
BUG 10758: lib: Remove unused nstrcpy.
BUG 10782: smbd: Properly initialize mangle_hash.
BUG 9831: s4:setup/dns_update_list: make use of the new substitution variables.
BUG 10723: Allow netr_ServerReqChallenge() and netr_ServerAuthenticate3() on different connections.
BUG 10749: s4-rpc: dnsserver: Handle updates of tombstoned dnsNode objects.
BUG 10751: s4-rpc: dnsserver: return DNS_RANK_NS_GLUE recors when explicitly asked for.
BUG 10773: libcli/security: Add better detection of SECINFO_[UN]PROTECTED_[D|S]ACL in get_sec_info().
BUG 10761: docs: Fix typos in smb.conf (inherit acls).
BUG 10755: samba: Retain case sensitivity of cifs client.
BUG 9570: passdb: Fix NT_STATUS_NO_SUCH_GROUP.
BUG 10759: Fix a memory leak in cli_set_mntpoint().
BUG 10777: Don't discard result of checking grouptype.

New in Samba 4.1.11 (Aug 5, 2014)

New in Samba 4.1.10 (Jul 30, 2014)

Changes since 4.1.9:
BUG 10693: Backport ldb-1.1.17 + changes from master.
BUG 10587: s3: libsmbclient: Work around bugs in SLES cifsd and Apple smbx SMB1 servers.
BUG 10653: Samba won't start on a machine configured with only IPv4.
BUG 10671: s3: smbd: Prevent file truncation on an open that fails with share mode violation.
BUG 10673: s3: SMB2: Fix leak of blocking lock records in the database.
BUG 10684: SMB1 blocking locks can fail notification on unlock, causing client timeout.
BUG 10685: s3: smbd: Locking, fix off-by one calculation in brl_pending_overlap().
BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
BUG 10693: lib/ldb: Fix compiler warnings.
BUG 8077: dbcheck: Add check and test for various invalid userParameters values.
BUG 8449: Simple use case results in "no talloc stackframe around, leaking memory" error.)
BUG 10130: dsdb: Always store and return the userParameters as a array of LE 16-bit values.
BUG 10582: dsdb: Rename private_data to rootdse_private_data in rootdse.
BUG 10627: rid_array used before status checked - segmentation fault due to null pointer dereference.
BUG 10693: ldb: make the successful ldb_transaction_start() message clearer.
BUG 10694: dsdb: Return NO_SUCH_OBJECT if a basedn is a deleted object.
BUG 10700: Backport access check related fixes from master.
BUG 10674: samba-tool: Add --site parameter to provision command.
BUG 10693: Fix SEGV from improperly formed SUBSTRING/PRESENCE filter.
BUG 10693: ldb: Do not build libldb-cmdline when using system ldb.
BUG 10693: s4-openldap: Remove use of talloc_reference in ldb_map_outbound.c
BUG 3263: net/doc: Make clear that net vampire is for NT4 domains only.
BUG s3: Fix missing braces in nfs4_acls.c.
BUG 10593: Fix "PANIC: assert failed at ../source3/smbd/open.c(1582): ret".
BUG 10663: msg_channel: Fix a 100% CPU loop.
BUG 10671: s3: smbd: Prevent file truncation on an open that fails with share mode violation.
BUG 10680: smbstatus: Fix an uninitialized variable.
BUG 10687: 'RW2' smbtorture test fails when -N is set to 2 due to the invalid status check in the second client.
BUG 10693: ldb: Fix 1138330 Dereference null return value, fix CIDs 241329, 240798, 1034791, 1034792 1034910, 1034910).
BUG 10699: smbd: Avoid double-free in get_print_db_byname.
BUG 8077: s4:dsdb/samldb: Don't allow 'userParameters' to be modified over LDAP for now.
BUG 9763: s4:dsdb/repl_meta_data: Make sure objectGUID can't be deleted.
BUG 10469: ldb-samba: fix a memory leak in ldif_canonicalise_objectCategory().
BUG 10294: s4:repl_meta_data: fix array assignment in replmd_process_linked_attribute().
BUG 10536: dbchecker: Verify and fix broken dn values.
BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
BUG 10693: ldb:pyldb: Add some more helper functions for LdbDn.
BUG 10694: s4:dsdb/extended_dn_in: Don't force DSDB_SEARCH_SHOW_RECYCLED.
BUG 10696: Backport autobuild/selftest fixes from master.
BUG 10706: s3:smb2_read: let smb2_sendfile_send_data() behave like send_file_readX().
BUG 10693: pyldb: Decrement ref counters on py_results and quiet warnings.
BUG 10698: Backport drs-crackname fixes from master.
BUG 10693: ldb: Use of NULL pointer bugfix.
BUG 10703: Backport provision fixes from master.
BUG 10693: ldb: Add a env variable to disable RTLD_DEEPBIND.

New in Samba 4.1.9 (Jul 4, 2014)

New in Samba 4.1.8 (Jun 4, 2014)

New in Samba 4.1.7 (Apr 18, 2014)

Bug fixes:
BUG 9878: Make "force user" work as expected.
BUG 9942: Fix problem with server taking too long to respond to a MSG_PRINTER_DRVUPGRADE message.
BUG 9993: s3-printing: Fix obvious memory leak in printer_list_get_printer().
BUG 10344: SessionLogoff on a signed connection with an outstanding notify request crashes smbd.
BUG 10431: Fix STATUS_NO_MEMORY response from Query File Posix Lock request.
BUG 10508: smbd: Correctly add remote users into local groups.
BUG 10534: Cleanup messages.tdb record after unclean smbd shutdown.
BUG 9911: Fix build on AIX with IBM XL C/C++ (gettext detection issues).
BUG 10308: Fix String Conversion Errors with Samba 4.1.0 Build on AIX 7.1.
BUG 10230: Make (lib)smbclient work with NetApp.
BUG 10458: Fix 'wbinfo -i' with one-way trust.
s3:rpc_server: Minor refactoring of process_request_pdu().
BUG 10471: Don't respond with NXDOMAIN to records that exist with another type.
BUG 10504: lsa.idl: Define lsa.ForestTrustCollisionInfo and ForestTrustCollisionRecord as public structs.
BUG 10439: Increase max netbios name components.
BUG 10188: doc: Add "spoolss: architecture" parameter usage.
BUG 10484: Initial FSRVP rpcclient requests fail with NT_STATUS_PIPE_NOT_AVAILABLE.
BUG 10521: rpcclient FSRVP request UNCs should include a trailing backslash.
BUG 10387: 'net ads search' on high latency networks can return a partial list with no error indication.
BUG 10200: Make 'smbclient' support DFS shares with SMB2/3.
BUG 10344: SessionLogoff on a signed connection with an outstanding notify request crashes smbd.
BUG 10422: max xmit > 64kb leads to segmentation fault.
BUG 10444: smbd_server_connection_terminate("CTDB_SRVID_RELEASE_IP") panics from within ctdbd_migrate() with invalid lock_order.
BUG 10464: samba4 services not binding on IPv6 addresses causing connection delays.
BUG 10378: dfs: Always call create_conn_struct with root privileges.
BUG 10467: s3-vfs: Fix stream_depot vfs module on btrfs.
BUG 10472: pidl: waf should have an option for the dir to install perl files and do not glob.
BUG 10474: s3-spoolssd: Don't register spoolssd if epmd is not running.
BUG 10481: s3-rpc_server: Fix handling of fragmented rpc requests.
BUG 10506: Make 'smbreadline' build with readline 6.3.

New in Samba 4.1.6 (Mar 12, 2014)

New in Samba 4.1.5 (Feb 22, 2014)

New in Samba 4.1.4 (Jan 11, 2014)

New in Samba 4.1.3 (Dec 9, 2013)

This is a security release in order to address
CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and
CVE-2012-6150 (pam_winbind login without require_membership_of restrictions).
CVE-2013-4408:
Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 - 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are vulnerable to buffer overrun exploits in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the client code.
This is a critical vulnerability as the DCE-RPC client code is part of the winbindd authentication and identity mapping daemon, which is commonly configured as part of many server installations (when joined to an Active Directory Domain). A malicious Active Directory Domain Controller or man-in-the-middle attacker impersonating an Active Directory Domain Controller could achieve root-level access by compromising the winbindd process.
Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are also vulnerable to a denial of service attack (server crash) due to a similar error in the server code of those versions.
Samba server versions 3.6.0 and above (including all 3.6.x versions, all 4.0.x versions and 4.1.x) are not vulnerable to this problem.
In addition range checks were missing on arguments returned from calls to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr) and LookupRids (samr) which could also cause similar problems.
As this was found during an internal audit of the Samba code there are no currently known exploits for this problem (as of December 9th 2013).
CVE-2012-6150:
Winbind allows for the further restriction of authenticated PAM logins using the require_membership_of parameter. System administrators may specify a list of SIDs or groups for which an authenticated user must be a member of. If an authenticated user does not belong to any of the entries, then login should fail. Invalid group name entries are ignored.
Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from authenticated users if the require_membership_of parameter specifies only invalid group names.
This is a vulnerability with low impact. All require_membership_of group names must be invalid for this bug to be encountered.

New in Samba 4.1.2 (Nov 22, 2013)

New in Samba 4.1.1 (Nov 12, 2013)

New in Samba 4.1.0 (Oct 14, 2013)

MAJOR ENHANCEMENTS:
Client tools support SMB2/3:
Samba 4.1.0 contains the first release of our client tools and client library that work over the new protocols SMB2 or SMB3. Note that SMB3 only works either to a Samba server version 4.0.0 or above, or to a Windows Server running Windows 2012 or Windows 8.
Encrypted transport:
Although Samba servers have supported encrypted transport connections using the UNIX extensions for many years, selecting SMB3 transport allows encrypted transport connections to Windows servers that support SMB3, as well as Samba servers.
Directory database replication (AD DC mode):
Directory replication has been reworked in order to improve the correctness and efficiency. As a net effect of it, replication with other domain controllers with a heavily modified schema is now possible (ie. Windows 2012 DCs or other Windows DC with exchange installed) and replication didn't fail anymore in such environments.
Server-Side Copy Support:
Samba 4.1.0 adds support for server-side copy operations via the SMB2 FSCTL_SRV_COPYCHUNK request. Clients making use of server-side copy support, such as Windows Server 2012, should experience considerable performance improvements for file copy operations, as file data need not traverse the network. This feature is enabled by default on the smbd file server.
Btrfs Filesystem Integration:
The Btrfs VFS module provided with Samba 4.1.0 further improves the performance of server-side copy operations on shares backed by a Btrfs filesystem. It does so by allowing multiple files to share the same on-disk extents, avoiding the unnecessary duplication of source and destination file data during a server-side copy operation.
REMOVED COMPONENTS:
The Samba Web Administration Tool (SWAT) has been removed.
COMMIT HIGHLIGHTS:
Add SMB2 and SMB3 support for client tools and client library.
Add support for SMB3 Encrypted transport.
Add vfs_btrfs module.
Add support for server-side copy operations via the SMB2 FSCTL_SRV_COPYCHUNK request.
CHANGES SINCE 4.1.0rc4:
BUG 10178: Fix PAC parsing failure.
BUG 10132: pam_winbindd: Support the KEYRING ccache type.
CHANGES SINCE 4.1.0rc3:
BUG 10134: Add "acl allow execute always" parameter.
BUG 10139: Valid utf8 filenames cause "invalid conversion error" messages.
BUG 10145: Samba SMB2 client code reads the wrong short name length in a directory listing reply.
BUG 10149: cli_smb2_get_ea_list_path() failed to close file on exit.
BUG 10150: Not all OEM servers support the ALTNAME info level.
BUG 8077: dsdb: Convert the full string from UTF16 to UTF8, including embedded NULLs.
BUG 9461: python-samba-tool fsmo: Do not give an error on a successful role transfer.
BUG 10157: Regression causes replication failure with Windows 2008R2 and deletes Deleted Objects.
BUG 10147: Better document potential implications of a globally used "valid users".
BUG 10118: Raise the level of a debug when unable to open a printer.
BUG 10008: dbwrap_ctdb: Treat empty records as non-existing.
BUG 10138: smbd: Always clean up share modes after hard crash.
BUG 10162: Fix POSIX ACL mapping when setting DENY ACE's from Windows.
BUG 10144: libcli/smb: Use SMB1 MID=0 for the initial Negprot.
BUG 10146: libcli/smb: Only check the SMB2 session setup signature if required and valid.
BUG 10158: Netbios related samba process consumes 100% CPU.
BUG 10137: vfs_shadow_copy2: Display previous versions correctly over SMB2.
CHANGES SINCE 4.1.0rc2:
BUG 10107: Fix Winbind crashes on DC with trusted AD domains.
BUG 5917: Fix working on site with Read Only Domain Controller.
BUG 9974: Add SMB2 and SMB3 support for smbclient.
BUG 10063: Fix memory leak in source3/lib/util.c:1493.
BUG 10121: Masks incorrectly applied to UNIX extension permission changes.
BUG 9911: Build Samba 4.0.x on AIX with IBM XL C/C++.
BUG 9091: When replicating DNS for bind9_dlz we need to create the server-DNS account remotely.
BUG 9615: Winbind unable to retrieve user information from AD.
BUG 9899: winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
BUG 10107: Fix Winbind crashes on DC with trusted AD domains.
BUG 10086: smbd: Fix async echo handler forking.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.
BUG 10114: Handle Dropbox (write-only-directory) case correctly in pathname lookup.
BUG 10030: ::1 added to nameserver on join.
BUG 10000: Add man pages for ntdb tools.
BUG 7364: Add man page for vfs_syncops.
BUG 7490: Add man page for vfs_linux_xfs_sgid.
BUG 10001: Add man page for samba-regedit tool.
BUG 10076: Fix variable list in vfs_crossrename man page.
BUG 10073: Fix segmentation fault in 'net ads join'.
BUG 10082: s3-winbind: Fix a segfault passing NULL to a fstring argument.
BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.
CHANGES SINCE 4.1.0rc1:
BUG 9992: Windows error 0x800700FE when copying files with xattr names containing ":".
BUG 10010: Missing integer wrap protection in EA list reading can cause server to loop with DOS (CVE-2013-4124).
BUG 10064: Linux kernel oplock breaks can miss signals.
BUG 9029: Fix replication with --domain-crictical-only to fill in backlinks.
BUG 9820: Fix crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol".
BUG 10056: dsdb improvements.
BUG 10003: Fix segfault while reading incomplete session info.
BUG 9678: Windows 8 Roaming profiles fail.
BUG 10043: Allow to change the default location for Kerberos credential caches.
BUG 10013: Fix a 100% loop at shutdown time (smbd).
BUG 9820: Fix crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol".
BUG 10015: Fix/improve debug options.
BUG 10042: Fix crashes in socket_get_local_addr().
BUG 10056: dsdb improvements.
BUG 9994: Do not delete an existing valid credential cache (s3-winbind).
BUG 10040: Rename regedit to samba-regedit.
BUG 10041: Remove obsolete swat manpage and references.
BUG 10048: nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
BUG 10045: Remove a redundant inlined substitution of ACLs.
BUG 10064: Linux kernel oplock breaks can miss signals.

New in Samba 4.0.10 (Oct 8, 2013)

Major enhancements:
NetBIOS related samba process consumes 100% CPU (bug #10158).
smbd: Clean up share modes after hard crash (bug #10138).
Fix POSIX ACL mapping when setting DENY ACE's from Windows (bug #10162).
Changes since 4.0.9:
BUG 10134: Ease file server upgrades from 3.6 and earlier with "acl allow execute always".
BUG 10169: Fix build error in scavenger.c.
BUG 5917: Make Samba work on site with Read Only Domain Controller.
BUG 9166: Starting smbd or nmbd with stdin from /dev/null results in "EOF on stdin".
BUG 10063: source3/lib/util.c:1493 leaking memory w/ pam_winbind.so / winbind.
BUG 10121: Masks incorrectly applied to UNIX extension permission changes.
BUG 10139: Valid utf8 filenames cause "invalid conversion error" messages.
BUG #9911 - Build Samba 4.0.x on AIX with IBM XL C/C++.
BUG 8077: dsdb: Convert the full string from UTF16 to UTF8, including embedded NULLs.
BUG 9091: When replicating DNS for bind9_dlz we need to create the server-DNS account remotely.
BUG 9461: python-samba-tool fsmo: Do not give an error on a successful role transfer.
BUG 9615: s3-winbindd: fix fallback to ncacn_np in cm_connect_lsat().
BUG 9899: s3-winbindd: fix fallback to ncacn_np in cm_connect_lsat().
BUG 10147: Better document potential implications of a globally used "valid users".
BUG 10118: Samba is chatty about being unable to open a printer.
BUG 9599: samba-tool/dns: Pass on additional flags when creating zones.
BUG 10086: smbd: Fix async echo handler forking.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.
BUG 10114: Dropbox (write-only-directory) case isn't handled correctly in pathname lookup.
BUG 10138: smbd: Clean up share modes after hard crash.
BUG 10162: Fix POSIX ACL mapping when setting DENY ACE's from Windows.
BUG 9802: Move gencache.tdb to /var/cache/samba.
BUG 10030: ::1 added to nameserver on join.
BUG 10158: NetBIOS related samba process consumes 100% CPU.
BUG 10137: vfs_shadow_copy2 does not display previous versions correctly over SMB2.
BUG 10076: docs: Fix variable list in man vfs_crossrename.
BUG 10097 - MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.

New in Samba 4.1.0 RC 3 (Sep 12, 2013)

NEW FEATURES:
Client tools support SMB2/3:
Samba 4.1.0 contains the first release of our client tools and client library that work over the new protocols SMB2 or SMB3. Note that SMB3 only works either to a Samba server version 4.0.0 or above, or to a Windows Server running Windows 2012 or Windows 8.
Encrypted transport:
Although Samba servers have supported encrypted transport connections using the UNIX extensions for many years, selecting SMB3 transport allows encrypted transport connections to Windows servers that support SMB3, as well as Samba servers.
CHANGES:
BUG 10107: Fix Winbind crashes on DC with trusted AD domains.
BUG 5917: Fix working on site with Read Only Domain Controller.
BUG 9974: Add SMB2 and SMB3 support for smbclient.
BUG 10063: Fix memory leak in source3/lib/util.c:1493.
BUG 10121: Masks incorrectly applied to UNIX extension permission changes.
BUG 9911: Build Samba 4.0.x on AIX with IBM XL C/C++.
BUG 9091: When replicating DNS for bind9_dlz we need to create the server-DNS account remotely.
BUG 9615: Winbind unable to retrieve user information from AD.
BUG 9899: winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
BUG 10107: Fix Winbind crashes on DC with trusted AD domains.
BUG 10086: smbd: Fix async echo handler forking.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.
BUG 10114: Handle Dropbox (write-only-directory) case correctly in pathname lookup.
BUG 10030: ::1 added to nameserver on join.
BUG 10000: Add man pages for ntdb tools.
BUG 7364: Add man page for vfs_syncops.
BUG 7490: Add man page for vfs_linux_xfs_sgid.
BUG 10001: Add man page for samba-regedit tool.
BUG 10076: Fix variable list in vfs_crossrename man page.
BUG 10073: Fix segmentation fault in 'net ads join'.
BUG 10082: s3-winbind: Fix a segfault passing NULL to a fstring argument.
BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba.
BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.

New in Samba 4.0.9 (Aug 20, 2013)

New in Samba 4.1.0 RC 2 (Aug 9, 2013)

NEW FEATURES:
Directory database replication (AD DC mode):
Directory replication has been reworked in order to improve the correctness and efficiency. As a net effect of it, replication with other domain controllers with a heavily modified schema is now possible (ie. Windows 2012 DCs or other Windows DC with exchange installed) and replication didn't fail anymore in such environments.
Server-Side Copy Support:
Samba 4.1.0 adds support for server-side copy operations via the SMB2 FSCTL_SRV_COPYCHUNK request. Clients making use of server-side copy support, such as Windows Server 2012, should experience considerable performance improvements for file copy operations, as file data need not traverse the network. This feature is enabled by default on the smbd file server.
Btrfs Filesystem Integration:
The Btrfs VFS module provided with Samba 4.1.0 further improves the performance of server-side copy operations on shares backed by a Btrfs filesystem. It does so by allowing multiple files to share the same on-disk extents, avoiding the unnecessary duplication of source and destination file data during a server-side copy operation. This feature can be explicitly enabled on smbd shares backed by a Btrfs filesystem with the smb.conf parameter: vfs objects = btrfs.
REMOVED COMPONENTS:
The Samba Web Administration Tool (SWAT) has been removed.
CHANGES:
BUG 9992: Windows error 0x800700FE when copying files with xattr names containing ":".
BUG 10010: Missing integer wrap protection in EA list reading can cause server to loop with DOS (CVE-2013-4124).
BUG 10064: Linux kernel oplock breaks can miss signals.
BUG 9029: Fix replication with --domain-crictical-only to fill in backlinks.
BUG 9820: Fix crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol".
BUG 10056: dsdb improvements.
BUG 10003: Fix segfault while reading incomplete session info.
BUG 9678: Windows 8 Roaming profiles fail.
BUG 10043: Allow to change the default location for Kerberos credential caches.
BUG 10013: Fix a 100% loop at shutdown time (smbd).
BUG 9820: Fix crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol".
BUG 10015: Fix/improve debug options.
BUG 10042: Fix crashes in socket_get_local_addr().
BUG 10056: dsdb improvements.
BUG 9994: Do not delete an existing valid credential cache (s3-winbind).
BUG 10040: Rename regedit to samba-regedit.
BUG 10041: Remove obsolete swat manpage and references.
BUG 10048: nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
BUG 10045: Remove a redundant inlined substitution of ACLs.
BUG 10064: Linux kernel oplock breaks can miss signals.

New in Samba 4.0.8 (Aug 5, 2013)

New in Samba 4.1.0 RC 1 (Jul 13, 2013)

New in Samba 4.0.7 (Jul 2, 2013)

New in Samba 4.0.6 (May 21, 2013)

New in Samba 4.0.5 (Apr 11, 2013)

Major enhancements in Samba 4.0.5 include:
Fix large reads/writes from some Linux clients (bug #9706).
Add 'samba-tool dbcheck --reset-well-known-acls' (bugs #9740 and #9267).
Changes since 4.0.4:
BUG 9617: libnss-winbindd does not provide pass struct for groups mapped with ID_TYPE_BOTH and vice versa.
BUG 9653: idmap_autorid: Fix freeing of non-talloced memory.
BUG 9711: s4:winbindd: Do not drop the workgroup name in the getgrnam, getgrent and getgrgid calls.
BUG 9130: Certain xattrs cause Windows error 0x800700FF.
BUG 9519: Samba returns unexpected error on SMB posix open.
BUG 9642: Fix the build of vfs_afsacl.
BUG 9695: Backport tevent changes to bring library to version 0.9.18.
BUG 9706: Fix large reads/writes from some Linux clients.
BUG 9724: is_encrypted_packet() function incorrectly used inside server.
BUG 9733: Fix 'smbcontrol close-share'.
BUG 9748: Remove unneeded fstat system call from hot read path.
BUG 9760: Fix incorrect parsing of SMB2 command codes.
BUG 9643: Fix the build with --fake-kaserver.
BUG 9644: Fix compile of source3/lib/afs.c.
BUG 9669: Fix crash in 'net rpc join' against a Samba 3.0.33 PDC.
BUG 9666: Fix filtering of link-local addresses.
BUG 9663: 'make test' hangs.
BUG 9697: DsReplicaGetInfo fails due to sendto() EMSGSIZE error on UNIX domain socket.
BUG 9703: Fix build on solaris8: Do not force a specific perl on pod2man.
BUG 9717: Set LD_LIBRARY_PATH in install_with_python.sh.
BUG 9718: s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307.
BUG 9719: Allow forcing an override of an old @MODULES record.
BUG 9720: Do not print the admin password during 'samba-tool classicupgrade'.
BUG 9721: Make samba_upgradedns more robust (do not guess addresses when just changing roles).
BUG 9725: upgradeprovision and 'samba-tool dbcheck' patches for 4.0.NEXT.
BUG 9728: DO NOT install samba_upgradeprovision in 4.0.x.
BUG 9739: PIDL: Build fixes for hosts without CPP (Solaris 11).
BUG 9740: Add 'samba-tool dbcheck --reset-well-known-acls'.
BUG 9267: Can't delegate adding computers to domain.
BUG 9636: PIDL: Fix parsing linemarkers in preprocessor output.
BUG 9639: Rename internal subsystem pdb_ldap to pdb_ldapsam.
BUG 9646: Make SMB2_GETINFO multi-volume aware.
BUG 9633: Recursive mget should continue on EPERM.
BUG 9656: Work around FreeBSD's getaddrinfo() underscore issue.
BUG 9696: Remove incomplete samba_dnsupdate IPv6 link-local address check.
BUG 9697: Handle EMSGSIZE on UNIX domain sockets.
BUG 7825: Fix GNU ld version detection with old gcc releases.
BUG 9039: Never try to map global SAM name.
BUG 9701: Fix vfs_catia and update documentation.
BUG 9695: Backport tevent changes to bring library to version 0.9.18.
BUG 9727: Fix NULL pointer dereference.
BUG 9736: Change to smbd/dir.c code gives significant performance increases on large directory listings.
BUG 9557: Fix build on AIX.
BUG 9625: Reauth-capable client fails to access shares on Windows member.
BUG 9695: Backport tevent changes to bring library to version 0.9.18.
BUG 9706: Parameter is incorrect on Android.
BUG 9664: Fix correct linking of libreplace with cmdline-credentials.
BUG 9683: Fix several resource (fd) leaks.
BUG 9685: Fix a memory leak in spoolss rpc server.
BUG 9686: Fix a possible buffer overrun in pdb_smbpasswd.
BUG 9687: Fix several possible null pointer dereferences.
BUG 9723: Add a tool to migrate latin1 printing tdbs to registry.
BUG 9735: Fix Winbind separator in upn to username conversion.
BUG 9758: Don't leak the epm_Map policy handle.
BUG 9674: Samba denies owner Read Control when there is a DENY entry while W2K08 does not.
BUG 9689: Make sure that domain joins work correctly when the DC disallows NTLM auth.
BUG 9704: Fix nss_winbind name on FreeBSD.
BUG 9747: Make sure that we only propogate the INHERITED flag when we are allowed to.

New in Samba 4.0.4 (Mar 20, 2013)

New in Samba 4.0.3 (Feb 6, 2013)

MAJOR ENHANCEMENTS:
check_password_quality: Handle non-ASCII characters properly (bug #9105).
Fix ACL problem with delegation of privileges and deletion of accounts over LDAP interface (bug #8909).
Fix 'smbd' panic triggered by unlink after open (bug #9571).
smbd: Fix memleak in the async echo handler (bug #9549).
CHANGES SINCE 4.0.2:
Michael Adam :
BUG 9568: Document the command line options in dbwrap_tool(1).
Jeremy Allison :
BUG 9196: defer_open is triggered multiple times on the same request.
BUG 9518: conn->:share_access appears not be be reset between users.
BUG 9550: sigprocmask does not work on FreeBSD to stop further signals in a signal handler.
BUG 9572: Fix file corruption during SMB1 read by Mac OSX 10.8.2 clients.
BUG 9586: smbd[29175]: disk_free: sys_popen() failed" message logged in /var/log/message many times.
BUG 9587: Archive flag is always set on directories.
BUG 9588: ACLs are not inherited to directories for DFS shares.
Andrew Bartlett :
BUG 8909: Fix ACL problem with delegation of privileges and deletion of accounts over LDAP interface.
BUG 9461: FSMO seize of naming role fails: NT_STATUS_IO_TIMEOUT.
BUG 9564: Fix compilation of Solaris ACL module.
BUG 9581: gensec: Allow login without a PAC by default.
BUG 9596: Linked attribute handling should be by GUID.
BUG 9598: Use pid,task_id as cluster_id in process_single just like process_prefork.
BUG 9609: ldb: Ensure to decrement the transaction_active whenever we delete a transaction.
BUG 9609: Add 'ldbdump' tool.
BUG 9609: ldb: Remove no-longer-existing ltdb_unpack_data_free from ldb_tdb.h.
BUG 9609: ldb: Change ltdb_unpack_data to take an ldb_context.
BUG 9610: dsdb: Make secrets_tdb_sync cope with -H secrets.ldb.
Björn Baumbach :
BUG 9512: wafsamba: Use additional xml catalog file.
BUG 9517: samba_dnsupdate: Set KRB5_CONFIG for nsupdate command.
BUG 9552: smb.conf(5): Update list of available protocols.
BUG 9568: Add dbwrap_tool.1 manual page.
BUG 9569: ntlm_auth(1): Fix format and make examples visible.
Ira Cooper :
BUG 9575: Duplicate flags defined in the winbindd protocol.
Gönther Deschner :
BUG 9474: Downgrade v4 printer driver requests to v3.
BUG 9595: s3-winbind: Fix the build of idmap_ldap.
David Disseldorp :
BUG 9378: Add extra attributes for AD printer publishing.
Stephen Gallagher :
BUG 9609: ldb: Move doxygen comments for ldb_connect to the right place.
Volker Lendecke :
BUG 9541: Make use of posix_openpt.
BUG 9544: Fix build of vfs_commit and plug in async pwrite support.
BUG 9546: Fix aio_suspend detection on FreeBSD.
BUG 9548: Correctly detect O_DIRECT.
BUG 9549: smbd: Fix memleak in the async echo handler.
Stefan Metzmacher :
BUG 8909: Fix ACL problem with delegation of privileges and deletion of accounts over LDAP interface.
BUG 9105: check_password_quality: Handle non-ASCII characters properly.
BUG 9481: samba_upgradeprovision: fix the nTSecurityDescriptor on more containers.
BUG 9499: s3:smb2_negprot: set the 'remote_proto' value.
BUG 9508: s4:drsuapi: Make sure we report the meta data from the cycle start.
BUG 9540: terminate the irpc_servers_byname() result with server_id_set_disconnected().
BUG 9598: Fix timeouts of some IRPC calls.
BUG 9609: Fix a warning by converting from TDB_DATA to struct ldb_val.
Matthieu Patou :
BUG 8909: Add documentation.
BUG 9565: Adding additional Samba 4.0 DC to W2k8 srv AD domain (in win200 functional level) produces dbcheck errors.
Arvid Requate :
BUG 9555: s4-resolve: Fix parsing of IPv6/AAAA in dns_lookup.
Rusty Russell :
BUG 9609: tdb: Add '-e' option to tdbdump (and document it).
BUG 9609: tdb: 'tdbdump' should log errors, and fail in that case.
BUG 9609: tdb: Add tdb_rescue() to allow an emergency best-effort dump.
Samba-JP oota :
BUG 9528: Remove superfluous bracket in samba.8.xml.
BUG 9530: Fix typo in vfs_tsmsm.8.xml.
Andreas Schneider :
BUG 9574: Fix a possible null pointer dereference in spoolss.
Karolin Seeger :
BUG 9591: Correct meta data in ldb manpages.
Pavel Shilovsky :
BUG 9571: Fix 'smbd' panic triggered by unlink after open.
Andrew Tridgell :
BUG 9609: ldb: Fix callers for ldb_pack_data() and ldb_unpack_data().
BUG 9609: ldb: move ldb_pack.c into common.
Jelmer Vernooij :
BUG 9503: waf assumes that pythonX.Y-config is a Python script.

New in Samba 4.0.2 (Jan 31, 2013)

New in Samba 4.0.1 (Jan 15, 2013)

New in Samba 4.0.0 (Dec 12, 2012)

Active Directory services:
Samba 4.0 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.
Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.
When running an AD DC, you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are co-coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.
File Services:
Samba 4.0.0 ships with two distinct file servers. We now use the file server from the Samba 3.x series 'smbd' for all file serving by default.
Samba 4.0 also ships with the 'NTVFS' file server. This file server is what was used prior to the beta2 release of Samba 4.0, and is tuned to match the requirements of an AD domain controller. We continue to support this, not only to provide continuity to installations that have deployed it as part of an AD DC, but also as a running example of the NT-FSA architecture we expect to move smbd to in the longer term.
For pure file server work, the binaries users would expect from that series (smbd, nmbd, winbindd, smbpasswd) continue to be available.
DNS:
As DNS is an integral part of Active Directory, we also provide two DNS solutions, a simple internal DNS server for 'out of the box' configurations and a more elaborate BIND plugin using the BIND DLZ mechanism in versions 9.8 and 9.9. During the provision, you can select which backend to use. With the internal backend, your DNS server is good to go. If you chose the BIND_DLZ backend, a configuration file will be generated for bind to make it use this plugin, as well as a file explaining how to set up bind.
NTP:
To provide accurate timestamps to Windows clients, we integrate with the NTP project to provide secured NTP replies. To use you need to start ntpd and configure it with the 'restrict ... ms-sntp' and ntpsigndsocket options.
Python Scripting Interface:
A new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba's internals, and many tools and internal workings of the DC code is now implemented in python.

New in Samba 3.6.10 (Dec 11, 2012)

New in Samba 3.6.9 (Dec 5, 2012)

New in Samba 4.0.0 RC6 (Dec 5, 2012)

New in Samba 3.6.6 (Jun 26, 2012)

New in Samba 4.0.0 Alpha 20 (May 7, 2012)

New in Samba 3.6.5 (May 7, 2012)

New in Samba 3.6.4 (May 7, 2012)

New in Samba 3.6.3 (Jan 30, 2012)

New in Samba 3.6.2 (Jan 26, 2012)

BUG 8528: Fix SEGFAULT from net registry export on not zero terminated REG_SZ values.
BUG 8541: readlink() on Linux clients fails if the symlink target is outside of the share.
BUG 8542: smbclient posix_open command fails to return correct info on open file.
BUG 8548: winbind_samlogon_retry_loop ignores logon_parameters flags.
BUG 8561: Password change settings not fully observed.
BUG 8562: Fix double free error in talloc.
BUG 8614: Ensure we correctly calculate reply credits over all returned SMB2 replies.
BUG 8631: POSIX ACE x permission becomes rx following mapping to and from a DACL.
BUG 8636: When returning an ACL without SECINFO_DACL requested, we still set SEC_DESC_DACL_PRESENT in the type field.
BUG 8644: vfs_acl_xattr and vfs_acl_tdb modules can fail to add inheritable entries on a directory with no stored ACL.
BUG 8663: Fix deleting a symlink if the symlink target is outside of
the share.
BUG 8664: Fix renaming a symlink if the symlink target is outside of the share.
BUG 8673: Fix NT ACL issue.
BUG 8674: Fix buffer overflow issue with AES encryption in samba traffic analyzer.
BUG 8679: recvfile code path using splice() on Linux leaves data in the pipe on short write.
BUG 8687: Fix typo in 'net memberships' usage.
BUG 8710: Fix major leak with SMB2 in connections.tdb.
Fix a crash bug in the spoolss code.
Add new contributing FAQ announcing acceptance of corporate (C).
BUG 8444: Add an allocation pool to idmap_autorid.
BUG 8585: Increase a debug level.
BUG 8623: Fix crash bug when trying to browse Samba printers.
BUG 8580: Enable inotify if sys or kernel inotify is available.
BUG 8618: Fix migrate printer code.
BUG 8528: Fix SEGFAULT from net registry export on not zero terminated REG_SZ values.
BUG 7465: Remove pointless use_memory_krb5_ccache.
BUG 8176: Fix perl path.
BUG 8591: Fix marshalling of samr_ChangePasswordUser3.
BUG 8692: libads: Fix malloc/talloc mismatch in ads_keytab_verify_ticket().
BUG 4942: DeletePrinterDriverEx deletes files in use.
BUG 8575: Add systemd service files.
BUG 8606: Fix intermittent print job failures caused by character conversion errors.
BUG 8697: Make DeletePrinterDriverEx remove printer driver files.
BUG 8531: Make DSO_EXPORTS_CMD more portable.
BUG 8616: Allow to set TCP_NODELAYACK socket option on AIX.
BUG 8652: Document the "ignore system acls" option of vfs_acl_xattr and vfs_acl_tdb vfs modules.
BUG 8419: Make VFS op "streaminfo" stackable.
BUG 8371: Make Winbind receive user/group information.
BUG 8639: Fix the vfs_commit module.
BUG 8686: Packet validation checks can be done before length validation causing uninitialized memory read.
BUG 5326: Fix cli_write_and_x() against OS/2 print shares.
BUG 8357: Grant credits in async interim responses (SMB2).
BUG 8560: Make SMB2 handle compound request headers in the same way as Windows.
BUG 8573: Fix alignment in the non-extended-security negprot.
BUG 8586: libsmb: Only align unicode pipe_name.
BUG 8579: smb2_flush: Don't send uninitialized memory.
BUG 8592: Don't limit the number of open dptrs for SMB2.
BUG 8593: Fix a crash bug in cldap_socket_recv_dgram().
BUG 8684: Try ctdbd_init_connection() as root.
BUG 563: Fix 'smbclient tar' for files greater than 8GB on BE machines.
BUG 8600: Make cldap work over IPv6.
BUG 8674: Fix buffer overflow issue with AES encryption in samba traffic analyzer.
BUG 8550: Fix setting the machine account password.
BUG 8575: Add systemd service files.
BUG 8608: Winbind: Don't fail on users without a uid.
BUG 8628: libsmb: Don't duplicate Kerberos service tickets.
BUG 8643: Add an update function for Winbind cache.
BUG 8678: Fix Winbind segfault if we can't map the last user.
BUG 7705: Fix some RHEL packaging issues.
BUG 8607: Improve configure.in so it can be used outside the Samba source tree.
BUG 8525: Fix bug with sys_fseek() wrapper on *BSD / OS X).
BUG 8384: Fix Windows XP clients crashing smbd process every once in a while.

New in Samba 3.6.1 (Oct 21, 2011)

BUG 8368: Fix the fallback to the deprecated spelling idmap:script.
BUG 7509: smb_acl_to_posix: ACL is invalid for set (Invalid argument).
BUG 8229: Fix 'widelinks' regression.
BUG 8370: Fix vfs_chown_fsp.
BUG 8412: Fix "saving as" of MS Office 2007 (Word) documents on Samba shares with SMB2.
BUG 8422: Fix infinite loop in ACL module code.
BUG 8429: Compound SMB2 requests on an IPC connection can corrupt the reply stream.
BUG 8443: Be smarter about setting default permissions when a ACL_USER_OBJ isn't given.
BUG 8453: Fix smbclient segfaults when dialect option -m is used for legacy dialects.
BUG 8458: IE9 on Windows 7 cannot download files to samba 3.5.11 share.
BUG 8473: smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
BUG 8474: SMB2 create doesn't cope with an Apple client using NULL blob in create.
BUG 8476: Samba asserts when SMB2 client breaks the crediting rules.
BUG 8477: Map to guest can return uninitialized blob of data.
BUG 8493: DFS breaks zip file extracting unless "follow symlinks = no" set.
BUG 8494: Remove "experimental" label on VFS ACL modules.
BUG 8507: smbd doesn't correctly honor the "force create mode" bits from a cifsfs create.
BUG 8509: Read-only handles on SAMR allow SAMR_DOMAIN_ACCESS_CREATE_USER.
BUG 8521: Winbind cache timeout expiry test was reversed.
BUG 8428: Fix wrong reply to DHnC (durable handle reconnect).
BUG 8518: SMB2 create call returns incorrect file allocation size.
BUG 8364: Fix the build of gpfs.c on RHEL 6.0 with gpfs 3.4.0-4.
BUG 7551: Return error of cli_push when 'put - /some/file' is used.
BUG 8395: Optimize serverid_exists() for Solaris.
BUG 8442: NFSv4 DENY ACLs always include SYNCHRONIZE flag - blocking renames.
BUG 8401: registry/reg_format.c must include includes.h.
BUG 7465: Fix 'net ads join -k' when KRB5CCNAME is not set.
BUG 8480: acl_xattr can free an invalid pointer if no blob is loaded.
BUG 8520: Fix SMB2 SMB2_OP_GETINFO and SMB2_OP_IOCTL parsing requirements.
BUG 8455: Fix uninitialized memory problem in group_sids_to_info3.
BUG 8256: Add man vfs_aio_fork.
BUG 8363: Fix build of vfs_prealloc on SLES8.
BUG 8515: Disallow "." in can_set_delete_on_close().
BUG 7864: Fix usage of cli_errstr().
BUG 8334: smb2: smbd logs "Invalid SMB packet: first request: 0x0008" and crashes.
BUG 8338: Add a fallback for missing open&x support in MAC OS/X Lion.
BUG 8360: OS/2 sends an unexpected write&x/read&x chain.
BUG 8385: Fix smbclient access to NT4 shares.
BUG 8409: Fix a Winbind race leading to 100% CPU load.
BUG 8420: Fix 'getent group' if trusted domains are not reachable.
BUG 8433: Fix segfault in iconv.c.
BUG 8455: Samba PDC is looking up only primary user group.
BUG 8365: Fix warning messages on Freebsd 4.6.2.
BUG 8407: SMB2 server can return requests out-of-order when processing a compound request.
BUG 8452: Check the wct of the incoming SMBnegprot responses.
BUG 8473: smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
BUG 8476: Don't call smbd_terminate_connection in smb2_validate_message_id().
BUG 8503: SMB2_OP_CANCEL requests don't have to be signed.
BUG 8520: Fix SMB2 SMB2_OP_GETINFO and SMB2_OP_IOCTL parsing requirements.
BUG 8390: Fix the build of vfs_aixacl2.c.
BUG 8236: Empty notify servername.
BUG 8351: While migrating forms, don't fail if the form already exists.
BUG 8384: Fix smbd crashes triggered by Windows XP clients.

New in Samba 3.6.0 (Aug 10, 2011)

SMB2 support:
SMB2 support in 3.6.0 is fully functional (with one omission), and can be enabled by setting: max protocol = SMB2 in the [global] section of your smb.conf and re-starting Samba. All features should work over SMB2 except the modification of user quotas using the Windows quota management tools.
As this is the first release containing what we consider to be a fully featured SMB2 protocol, we are not enabling this by default, but encourage users to enable SMB2 and test it. Once we have enough confirmation from Samba users and OEMs that SMB2 support is stable in wide user testing we will enable SMB2 by default in a future Samba release.
Internal Winbind passdb changes:
Winbind has been changed to use the internal samr and lsa rpc pipe to get local user and group information instead of calling passdb functions. The reason is to use more of our infrastructure and test this infrastructure by using it. With this approach more code in Winbind is shared.
New Spoolss code:
The spoolss and the old RAP printing code have been completely overhauled and refactored.
All calls from lanman/printing code has been changed to go through the spoolss RPC interfaces, this allows us to keep all checks in one place and avoid special cases in the main printing code.
Printing code has been therefore confined within the spoolss code.
All the printing code, including the spoolss RPC interfaces has been changed to use the winreg RPC interfaces to store all data.
All data has been migrated from custom, arbitrary TDB files to the registry interface. This transition allow us to present correct data to windows client accessing the server registry through the winreg RPC interfaces to query for printer data. Data is served out from a real registry implementation and therefore arguably 100% forward compatible.
Migration code from the previous TDB files formats is provided. This code is automatically invoked the first time the new code is run on the server. Although manual migration is also available using the 'net printer migrate' command.
These changes not only make all the spoolss code much more closer to "the spec", it also greatly improves our internal testing of both spoolss and winreg interfaces, and reduces overall code duplication.
As part of this work, new tests have been also added to increase coverage.
This code will also allow, in future, an easy transition to split out the spooling functions into a separate daemon for those OEMs that do not need printing functionality in their appliances, reducing the code footprint.
ID Mapping Changes:
The id mapping configuration has been a source of much grief in the past. For this release, id mapping has been rewritten yet again with the goal of making the configuration more simple and more coherent while keeping the needed flexibility and even adding to the flexibility in some respects.
The major change that implies the configuration simplifications is at the heart of the id mapping system: The separation of the "idmap alloc system" that is responsible for the unix id counters in the tdb, tdb2 and ldap idmap backends from the id mapping code itself has been removed.
The sids_to_unixids operation is now atomic and encapsulates (if needed) the action of allocating a unix id for a mapping that is to be created.
Consequently all idmap alloc configuration parameters have vanished and it is hence now also not possible any more to specify an idmap alloc backend different from the idmap backend. Each idmap backend uses its own idmap unixid creation mechanism transparently.
As a consequence of the id mapping changes, the methods that are used for storing and deleting id mappings have been removed from the winbindd API. The "net idmap dump/restore" commands have been rewritten to not speak through winbindd any more but directly act on the databases.
This is currently available for the tdb and tdb2 backends, the implementation for ldap still missing.
The allocate_id functionality is preserved for the unix id creator of the default idmap configuration is also used as the source of unix ids for the group mapping database and for the posix attributes in a ldapsam:editposix setup.
As part of the changes, the default idmap configuration has been changed to be more coherent with the per-domain configuration.
The parameters "idmap uid", "idmap gid" and "idmap range" are now deprecated in favour of the systematic "idmap config * : range" and "idmap config * : backend" parameters. The reason for this change is that the old options only provided an incomplete and hence deceiving backwards compatibility, which was a source of many problems with upgrades. By introducing this change in configuration, it should be brought to the conciousness of the users that even the simple id mapping is not working exactly as in Samba 3.0 versions any more.
Endpoint Mapper:
As Microsoft is more and more relying on endpoint mapper and we didn't have a complete implementation we decided to create an instance for Samba. The endpoint mapper is like a DNS server but for ports. If you want to talk to a certain RPC service over TCP/IP, you just ask the endpoint mapper on which port it is running. Then you can connect to the service and make sure that it is running.
The code is deactivated by default, because it needs more testing and it doesn't scale yet. If you want to enable and test the endpoint mapper you can set "rpc_server:epmapper = daemon" in the smb.conf file.
Internal restructuring:
Ongoing internal restructuring for better separation of internal subsystem to achieve a faster build, smaller binaries and cleaner dependencies for the samba3 waf build.
SMB Traffic Analyzer:
Added the new SMB Traffic Analyzer (SMBTA) VFS module protocol 2 featuring encryption, multiple arguments, and easier parseability. A new tool 'smbta-util' has been created to control the encryption behaviour of SMBTA. For compatibility, SMBTA by default operates on version 1.
There are programs consuming the data that the module sends.

New in Samba 3.5.11 (Aug 4, 2011)

New in Samba 3.5.10 (Jul 27, 2011)

New in Samba 3.5.9 (Jun 15, 2011)

BUG 6911: Kerberos authentication from Vista to Samba fails when security blob size is greater than 16 kB.
BUG 7080: Quota only shown when logged as root.
BUG 7528: Fix Solaris with NIS autohome.
BUG 7987: ACL can get lost when files are being renamed.
BUG 7996: sgid bit lost on folder rename.
BUG 8040: Fix 'smbclient' segfaults when a Cyrillic netbios name or workgroup is configured.
BUG 8072: Fix panic in create_file_acl_common.
BUG 8038: Fix is_myname_or_ipaddr() to be robust against strange DNS setups.
BUG 8083: "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module.
BUG 8088: Fix segfault in rpccli_samr_chng_pswd_auth_crap if any input blobs are null.
BUG 8111: CIFS VFS: Fix unexpected error on SMB posix open.
BUG 8157: Fix parsing CUPS printcap files in std_pcap_cache_reload().
BUG 8163: Fix our asn.1 parser to handle negative numbers.
BUG 8211: "inherit owner = yes" doesn't interact correctly with "inherit permissions = yes".
BUG 8008: Fix a segfault in the krb5 locator plugin.
BUG 8012: Use getgrset() instead of initgroups() + getgroups() when getgrouplist() is not defined.
BUG 8031: Convert gpfs:sharemodes and gpfs:leases parameters from a global setting to a per share setting.
BUG 7893: Don't ever ask for machine$ principals as a target.
BUG 8074: Fix debug message.
BUG 6966: Respect "allow trusted domains = no" in Winbind.
BUG 8047: Fix mdns registration if "interfaces=" is used.
BUG 7993: Make sure we don't crash when publishing a single printer.
BUG 8085: Fix incorrect timeout handling in ncacn_ip_tcp client code.
BUG 8132: Fix filling printers location field when using CUPS.
BUG 7836: Make newly added printers visible to clients.
BUG 7994: Use printcap IDL for IPC.
BUG 7825: Fix GNU ld version detection with old gcc releases.
BUG 8033: Add explicit configure option whether to enable dmapi support or not.
BUG 8099: setpwent() actually does endpwent() on FreeBSD.
BUG 8009: Fix getting username in 'net rap session'.
BUG 8011: Fix memory corruption in shadow_copy2.
BUG 8016: Fix gpfs_get_xattr.
BUG 8042: File creation on OS/X.
BUG 8054: Winbind cache stores/retrieves wrong sizes for 16-bit ints.
BUG 8066: Fix wrong output in 'smbget'.
BUG 8087: Fix wbcChangeUserPasswordEx in RESPONSE mode.
BUG 8010: Fix inode generation so nautilus can count total dir size correctly.
BUG 6364: Pull realm from supplied username on libnet join.
BUG 8166: Don't lockout users when offline.
BUG 7383: Normalize IPv4 mapped IPv6 addresses in both directions.
BUG 8034: SEC_STD_DELETE is always granted to the owner of a file.
BUG 8055: Can't see Parts of DFS CIFS share.
BUG 7610: winbindd_cache.tdb grows too large when scaled.
BUG 6762: Fix ctdb on gpfs error with MS Office.

New in Samba 3.5.8 (Mar 7, 2011)

New in Samba 3.5.7 (Mar 1, 2011)

New in Samba 3.5.5 (Sep 16, 2010)

New in Samba 3.5.4 (Jun 23, 2010)

New in Samba 3.5.3 (May 19, 2010)

New in Samba 3.5.2 (Apr 7, 2010)

BUG 7231: Fix automatic building of vfs_tsmsm if gpfs and dmapi are present.
BUG 7232: Fix race conditions in CTDB persistent transactions.
BUG 7313: Make 'net conf addshare' atomic.
BUG 7314: Eliminate race condition in creating/scanning sorted subkeys in the registry backend.
BUG 7075: Fix bug in vfs_scannedonly rmdir implementation.
BUG 7159: Fix handling of bad server data returns in client rpc_transport.
BUG 7234: Symlink delete fails but incorrectly reports success to client.
BUG 7255: Fix "printer admin" functionality.
BUG 7283: Fix smbd segfault if using vfs_acl_tdb.
BUG 7297: Fix smbd crashes with CUPS printers and no [printers] share defined.
BUG 7310: Fix DOS attribute inconsistency with MS Office.
BUG 7290: Fix core dump in 'ntlm_auth' with "gss-spnego" helper.
BUG 6727: Fix several printing issues.
BUG 7237: Fix smbd segfaults in _netr_SamLogon for clients sending null domain.
BUG 7256: Fix value-needed calculation in_spoolss_EnumPrinterData().
BUG 7258: Fix _winreg_QueryValue crash bugs and implement Windows behavior.
BUG 7203: Fix 'net share' command.
BUG 7269: Fix job management commands for CUPS queues.
BUG 6853: Fix race condition in mount.cifs that allows user to replace mountpoint with a symlink.
BUG 5198: Fix parsing of the gecos field.
BUG 7202: Fix access by multi-threaded applications.
BUG 7212: Fix returning of group members with 'getent group'.
BUG 7216: Fix the build of net_afs.c with --fake-kaserver=yes.
BUG 7229: Fix a NULL pointer dereference in smbd.
BUG 7232: Fix race conditions in CTDB persistent transactions.
BUG 7254: Fix an uninitialized variable read in smbd.
BUG 7278: Fix a memleak in Winbind.
BUG 6814: Fix valgrind warning.
BUG 7170: Never mark external domains as internal in Winbind.
BUG 7225: Make Winbind logs more verbose for troubleshooting.
BUG 7251: Fix smbd segfault in "waiting for connections" message.
BUG 7295: Fix Winbind reconnection to it's own domain.
BUG 7316: Winbind possibly segfaults when trying a trusted domain without inbound trust.
BUG 1206: Fix segfault if hide files or veto files has no ".AppleDouble".
BUG 7204: Fix DN parsing name was always null.
BUG 7312: Many disconnecting clients render clustered Samba unusuable for some time.
BUG 7206: Signals are processed twice in child.

New in Samba 3.5.1 (Mar 9, 2010)

New in Samba 3.5.0 (Mar 1, 2010)

New in Samba 3.4.6 (Feb 24, 2010)

New in Samba 3.5.0 RC3 (Feb 23, 2010)

New in Samba 3.5.0 RC2 (Jan 27, 2010)

New in Samba 3.4.5 (Jan 19, 2010)

New in Samba 4.0.0 Alpha 11 (Jan 11, 2010)

New in Samba 3.4.4 (Jan 7, 2010)

New in Samba 4.0.0 Alpha 9 (Dec 1, 2009)

New in Samba 3.4.3 (Oct 31, 2009)

Jeremy Allison :
BUG 6529: Offline files conflict with Vista and Office 2003.
BUG 6726: SIVAL should have been an SVAL.
BUG 6769: Fix symlink unlink.
BUG 6774: smbd crashes if "aio write behind" is set.
BUG 6776: Fix core dump caused by running overlapping Byte Lock test.
BUG 6781: Fix renaming subfolders in Explorer view.
BUG 6793: Fix Winbind crash with "INTERNAL ERROR: Signal 6".
BUG 6796: Deleting an event context on shutdown can cause smbd to crash.
BUG 6828: Fix infinite timeout when byte lock held outside of Samba.
BUG 6829: Fix displaying of multibyte characters in smbclient.
Günther Deschner :
BUG 6711: Fix trust relationships to windows 2008 (2008 r2).
BUG 6815: Fix Windows 2008 R2 SPNEGO negTokenTarg parsing failure.
Olaf Flebbe :
BUG 6772: Allow outstanding_aio_calls to be decremented.
BUG 6804: Fix hpux compiler issue.
BUG 6805: Correctly handle aio_error() and errno.
Björn Jacke :
BUG 6704: Fix syntax error in avahi configure test.
BUG 6728: BSD needs sys/sysctl.h included to build properly.
BUG 6824: Fix avahi activation.
QNX doesn't know uint - replace with uint_t.
Andrew Klosterman :
BUG 6690: Fix wrong error check in profile.
Marc Aurele La France :
BUG 6707: Fix an occasional segfault in config file parsing.
Jeff Layton :
BUG 6810: Add support for finding alternate credcaches to cifs.upcall.
Volker Lendecke :
BUG 6606: Fix file corruption using smbclient with NT4 server.
BUG 6703: Allow smbstatus as non-root.
BUG 6731: Fix reading beyond the end of a named stream in xattr_streams.
BUG 6765: Add a "hidden" parameter "share:fake_fscaps".
BUG 6793: Fix segfault in winbindd_pam_auth.
BUG 6797: Fix a memleak in libwbclient.
BUG 6807: Fix a segfault in "net rpc trustdom list" for long domain names.
Fix an uninitialized variable.
Only ever handle one event after a select call.
Derrell Lipman :
BUG 6532: Fix domain enumeration if master browser has space in name.
Stefan Metzmacher :
BUG 6711: Fix trust relationships to windows 2008 (2008 r2).
Buchan Milne :
BUG 6791: Fix linking order in cifs.upcall.
Lars Müller :
BUG 6710: Adjust regex to match variable names including underscores.
Conditional install of the cifs.upcall man page.
Shirish Pargaonkar :
BUG 4675: mount.cifs: Do not attempt to update /etc/mtab if it is a symbolic link.
Karolin Seeger :
Fix warning occuring when building the manpages.
Simo Sorce :
BUG 6764: Fix timeval calculation.
Bo Yang :
BUG 6735: Don't overwrite password in pam_winbind, subsequent pam modules might use the old password and new password.
BUG 6811: Fix reference to freed memory in pam_winbind.
BUG 6826: Don't fail authentication when one or some group of require-membership-of is invalid.
BUG 6840: Fix crash in pam_winbind.

New in Samba 3.4.2 (Oct 1, 2009)

New in Samba 3.4.1 (Sep 9, 2009)

New in Samba 3.4.0 (Jul 11, 2009)

New in Samba 3.3.6 (Jul 3, 2009)

New in Samba 3.4.0 RC1 (Jun 19, 2009)

New in Samba 3.3.5 (Jun 16, 2009)

New in Samba 3.4.0 Pre 1 (Apr 30, 2009)

New in Samba 3.3.4 (Apr 29, 2009)

New in Samba 3.3.3 (Apr 2, 2009)

BUG 6195: Don't let smbd child processes panic.
Add backend_requires_messaging() method to libsmbconf.
Add methods is_writeable() and wrapper smbconf_is_writeable() to libsmbconf.
Fall back to file backend when no valid backend was found.
Fix a memleak in dbwrap_rbt.
Provide transaction_start|commit|cancel fns for the registry tdb.
Speed up "net conf drop".
Speed up "net conf import".
Add transactions to the libsmbconf API.
Reduce memory usage of "net conf import".
Registry cleanup.
Fix handling of SAMBA_VERSION_VENDOR_PATCH.
Fix build of pam_winbind.so with static linking.
Tidy up some convert_string_internal error cases.
BUG 6186: Fix map readonly.
BUG 6195: Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly.
BUG 6196: Unable to serve files with colons to Linux CIFS/VFS client.
BUG 6224: nmbd waits 5 minutes at startup before checking if it needs to run elections.
Allow DFS client paths to work when POSIX pathnames have been selected.
Try and fix the build farm RAW-STREAMS errors.
Ensure files starting with multiple dots are hidden.
BUG 6102: NetQueryDisplayInformation could return wrong information.
BUG 6193: Avoid messing with sync_context in libnet_samsync_delta().
Fix notify_printer_status_byname.
Fix Coverity IDs 722, 762, 774, 775, 776.
Fix build on old Heimdal based systems.
Fix compile warning.
Use parentheses in if condition to make negation clear.
Add dirsort module.
BUG 6147: Fix detection of the GNU ld version.
BUG 6097: Fix smbd segfault.
BUG 6130: Don't crash in winbindd_rpc lookup_groupmem() on unmapped members.
BUG 6139: Add missing whitespace in mount.cifs error message.
Fix a malloc/talloc mismatch when cli_initialise() fails.
Fix a valgrind error.
Speed up "net conf list".
Add sorted subkey cache.
Use StrCaseCmp in the dirsort module.
Document the dirsort module.
Fix the build on HP/UX.
Disable dns_sd by default.
Add avahi detection to configure.
Add event avahi binding.
Use avahi to register _smb._tcp in smbd.
Fix two memleaks in the encryption code.
Fix a scary "fill_share_mode_lock failed" message.
BUG 6228: Fix SMBC_open_ctx failure due to path resolve failure doesn't set errno.
Don't use reserved words in smbconftort.
Fix smb signing for fragmented trans/trans2/nttrans requests.
Parse_packet can return NULL which is then dereferenced in match_mailslot_name.
Format the header check for netinet/ip.h more nicely.
Fix detection of netinet/ip.h on FreeBSD.
Missing break in conversion function prevents tdb password database update.

New in Samba 3.3.2 (Mar 12, 2009)

New in Samba 3.3.1 (Feb 24, 2009)

New in Samba 3.3.0 (Jan 27, 2009)

New in Samba 3.2.7 (Jan 5, 2009)

New in Samba 3.3.0 RC2 (Dec 28, 2008)

New in Samba 4.0.0 Alpha 5 (Dec 28, 2008)

New in Samba 3.2.6 (Dec 28, 2008)

New in Samba 4.0.0 Alpha 4 (Aug 8, 2008)

Major bug fixes included in Samba 3.2.1 are:
Race condition in Winbind leading to a crash.
Regression in Winbindd offline mode.
Flushing of smb.conf when creating a new share using SWAT.
Setting of ACEs in setups with "dos filemode = yes".
Michael Adam
BUG 5608: Fix link creation for libtalloc.so.1 (and friends) on Solaris 8.
BUG 5594: Fix "make test" by adding and using a new testparm switch "--skip-logic-checks".
Fix creation of libaddns.a, libsmbclient.a and libsharemodes.a.
Update the section about net conf in the net(8) manpage.
Improve processing of registry shares.
Fix listing of registry shares with testparm.
Fix several build issues.
Jeremy Allison
BUG 5578: Fix error from strlcat.
BUG 5613: Fix flushing of smb.conf when creating a new share using SWAT.
Ensure consistent use of pdb_get_nt_passwd instead of pdb_get_lanman_passwd.
Remove worrying warning message when safe_strcpy tries to copy a pseaudo interface name that's too long.
Canonicalize servername in the printer functions to remove leading '' characters.
Fix option processing in smbcacls - add POPT_COMMON_CONNECTION.
Fix bug creating files using DOS clients with mixed case files.
Fix uninitialized variable.
Yannick Bergeron
Fix compile error on AIX 6.1
Jim Brown
Fix SGI compiler warnings.
Guenther Deschner
BUG 5616: Fix session keys also in rpccli_netr_LogonSamLogonEx wrapper.
BUG 5570: Fix bogus error message during AD domain join.
Fix trusted domain handling in Winbindd.
Fix build warning.
SATOH Fumiyasu
BUG 5202: Fix setting of ACEs for users/groups with write access in setups with 'dos filemode = yes'.
Re-activate 'acl group control' parameter and make it only apply to owning group.
Volodymyr Khomenko
Make ntimes function more like POSIX and allow NULL arg.
Volker Lendecke
BUG 5512: Fix alignment problems on sparc.
BUG 5616: Fix share connections in setups with "server signing = mandatory" or SMB signing set on the client side.
Fix a race condition in Winbind leading to a crash.
Fix a segfault in base64_encode_data_blob.
Fix some uninitialized variable references via ndr_print.
Fix error message if trying to join with a non-privileged user.
Fix setups using "include = registry" without [global] settings in the registry.
Fix "net sam rights" on domain member servers.
Add documentation for the vfs streams modules.
Herb Lewis
Cleanup some duplicate code by passing the password to the wbinfo_auth* functions.
Allow SID with 0 in subauthority to be converted properly.
Zach Loafman
Set sin[6]_family instead of ss_family in in[6]_addr_to_sockaddr_storage.
Fix realpath() check so that it doesn't generate a core() when it fails.
Jim McDonough
Fix overwriting of winbind logfiles.
Lars Mueller
Fix "vfs_full_audit.c: name table not in sync with vfs.h" panic.
Darshan Purandare
Add broadcasting of the debug message to all winbindd children.
Karolin Seeger
BUG 5635: Fix updating of printer queues.
Andreas Schneider
Release still reachable memory if the smbclient context is freed.
Remove trailing withespace from wbinfo -m which breaks gdm auth.
Simo Sorce
BUG 5540: Fix "set primary group script" user option substitution.
Fix regression in Winbindd offline mode.
Bo Yang
Allow authentication and memory credential refresh after password change from gdm/xdm.
Allow %u parameters for print job username.