Bug 2077468 - Rebase Samba to the latest 4.16.x release
Summary: Rebase Samba to the latest 4.16.x release
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Andreas Schneider
QA Contact: Denis Karpelevich
Marc Muehlfeld
Depends On: 2077482 2077484 2077485
Reported: 2022-04-21 12:49 UTC by Pavel Filipensky
Modified: 2022-11-08 12:26 UTC (History)

Fixed In Version: samba-4.16.1-0.el8
Doc Type: Enhancement
Doc Text:
.`samba` rebased to version 4.16.1
The `samba` packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:

* By default, the `smbd` process automatically starts the new `samba-dcerpcd` process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires `samba-dcerpcd` to use DCERPC. If you disable the `rpc start on demand helpers` setting in the `[global]` section in the `/etc/samba/smb.conf` file, you must create a `systemd` service unit to run `samba-dcerpcd` in standalone mode.
* The Cluster Trivial Database (CTDB) `recovery master` role has been renamed to `leader`. As a result, the following `ctdb` sub-commands have been renamed:
** `recmaster` to `leader`
** `setrecmasterrole` to `setleaderrole`
* The CTDB `recovery lock` configuration has been renamed to `cluster lock`.
* CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.

Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the `smbd`, `nmbd`, or `winbind` services start, Samba automatically updates its `tdb` database files. Note that Red Hat does not support downgrading `tdb` database files.

After updating Samba, verify the `/etc/samba/smb.conf` file using the `testparm` utility.

For further information about notable changes, read the link:https://www.samba.org/samba/history/samba-4.16.0.html[upstream release notes] before updating.
Clone Of:
Last Closed: 2022-11-08 10:45:48 UTC
Type: Bug
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-119520 0 None None None 2022-04-21 12:57:44 UTC
Red Hat Issue Tracker SSSD-4577 0 None None None 2022-04-25 07:43:48 UTC
Red Hat Product Errata RHBA-2022:7698 0 None None None 2022-11-08 10:46:39 UTC

Description Pavel Filipensky 2022-04-21 12:49:12 UTC
Description of problem:
Rebase Samba to the latest 4.16 release.


New samba-dcerpcd binary to provide DCERPC in the member server setup

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support

Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
implementation.  This snapshot has now been updated and will closely
match what will be released as Heimdal 8.0 shortly.

This is a major update, previously we used a snapshot of Heimdal from
2011, and brings important new Kerberos security features such as
Kerberos request armoring, known as FAST.  This tunnels ticket
requests and replies that might be encrypted with a weak password
inside a wrapper built with a stronger password, say from a machine

In Heimdal and MIT modes Samba's KDC now supports FAST, for the
support of non-Windows clients.

Windows clients will not use this feature however, as they do not
attempt to do so against a server not advertising domain Functional
Level 2012.  Samba users are of course free to modify how Samba
advertises itself, but use with Windows clients is not supported "out
of the box".

Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
the FAST protocol.  A future version will align this more closely with
Microsoft AD behaviour.

If FAST needs to be disabled on your Samba KDC, set

 kdc enable fast = no

in the smb.conf.

The Samba project wishes to thank the numerous developers who have put
in a massive effort to make this possible over many years.  In
particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
Isaac Boukris and Andrew Bartlett.  Samba's developers in turn thank
their employers and in turn their customers who have supported this
effort over many years.

Certificate Auto Enrollment

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend

The internal DNS server of Samba forwards queries for non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.

CTDB changes

* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:


  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing it with "really excellent".

* CTDB now uses leader broadcasts and an associated timeout to
  determine if an election is required

  The leader broadcast timeout can be configured via new configuration

    [cluster] -> leader timeout

  This specifies the number of seconds without leader broadcasts
  before a node calls an election.  The default is 5.


Older SMB1 protocol SMBCopy command removed

SMB is a nearly 30-year-old protocol, and some protocol commands,
while supported in all versions, have not seen widespread use.

One of those is SMBCopy, a feature for a server-side copy of a file.
This feature has been so unmaintained that Samba has no testsuite for

The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
in the NT LAN Manager dialect.

Therefore it has been removed from the Samba smbd server.

We do note that a fully supported and tested server-side copy is
present in SMB2, and can be accessed with "scopy" subcommand in

SMB1 server-side wildcard expansion removed

Server-side wildcard expansion is another feature that sounds useful,
but is also rarely used and has become problematic - imposing extra
work on the server (both in terms of code and CPU time).

In actual OS design, wildcard expansion is handled in the local shell,
not at the remote server using SMB wildcard syntax (which is not shell

In Samba 4.16 the ability to process file name wildcards in requests
using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
command number 0x6) has been removed.

SMB1 protocol has been deprecated, particularly older dialects

We take this opportunity to remind that we have deprecated and
disabled by default, but not removed, the whole SMB1 protocol since
Samba 4.11.  If needed for security purposes or code maintenance we
will continue to remove older protocol commands and dialects that are
unused or have been replaced in more modern SMB1 versions.

We specifically deprecate the older dialects older than "NT LM 0.12"
(also known as "NT LANMAN 1.0" and "NT1").

Please note that "NT LM 0.12" is the dialect used by software as old
as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
to DOS and similar era clients.

We do reassure that 'simple' operation of older clients than
these (e.g. DOS) will, while untested, continue for the near future; our
purpose is not to cripple use of Samba in unique situations, but to
reduce the maintenance burden.

Eventually SMB1 as a whole will be removed, but no broader change is
announced for 4.16.

In the rare case where the above changes cause incompatibilities,
users requiring support for these features will need to use older
versions of Samba.

No longer using Linux mandatory locks for sharemodes

smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
was broken for a long time, and is planned to be removed with Linux 5.15. This
Samba release removes the usage of mandatory locks for sharemodes and the
"kernel share modes" config parameter is changed to default to "no". The Samba
VFS interface is kept, so that file-system specific VFS modules can still use
private calls for enforcing sharemodes.

smb.conf changes

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  kernel share modes                      New default     No
  dns forwarder                           Changed
  rpc_daemon                              Removed
  rpc_server                              Removed
  rpc start on demand helpers             Added           true


o  Andrew Bartlett <abartlet>
   * BUG 15000: Memory leak in FAST cookie handling.

o  Elia Geretto <elia.f.geretto>
   * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
     in SMBC_server_internal.

o  Stefan Metzmacher <metze>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
   * BUG 14641: Crash of winbind on RODC.
   * BUG 15001: LDAP simple binds should honour "old password allowed period".
   * BUG 15002: S4U2Self requests don't work against servers without FAST
   * BUG 15003: wbinfo -a doesn't work reliable with upn names.
   * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and
     without FAST.
   * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>

o  Garming Sam <garming.nz>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded

o  Andreas Schneider <asn>
   * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single

o  Joseph Sutton <josephsutton.nz>
   * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>


o  Jeremy Allison <jra>
   * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
     objects with same lease key.

o  Jule Anger <janger>
   * BUG 14999: Listing shares with smbstatus no longer works.

o  Douglas Bagnall <douglas.bagnall.nz>
   * BUG 14996: Fix ldap simple bind with TLS auditing.

o  Andrew Bartlett <abartlet>
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.

o  Volker Lendecke <vl>
   * BUG 14989: Fix a use-after-free in SMB1 server.

o  Stefan Metzmacher <metze>
   * BUG 14865: Uncached logon on RODC always fails once.
   * BUG 14984: Changing the machine password against an RODC likely destroys
     the domain join.
   * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
     ldb_message *msg argument.
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.

o  Joseph Sutton <josephsutton.nz>
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.


o  Samuel Cabrero <scabrero>
   * BUG 14979: Problem when winbind renews Kerberos.

o  Björn Jacke <bj>
   * BUG 13631: DFS fix for AIX broken.
   * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
   * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.

o  Andreas Schneider <asn>
   * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
     id range only once.

o  Martin Schwenke <martin>
   * BUG 14958: CTDB can get stuck in election and recovery.


o  Jeremy Allison <jra>
   * BUG 14169: Renaming file on DFS root fails with
   * BUG 14938: NT error code is not set when overwriting a file during rename
     in libsmbclient.

o  Ralph Boehme <slow>
   * BUG 14674: net ads info shows LDAP Server: depending on contacted

o  Pavel Filipenský <pfilipen>
   * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.

o  Volker Lendecke <vl>
   * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
     during strcpy in tdbsam_getsampwnam.
   * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp.

o  Stefan Metzmacher <metze>
   * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
     gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.

o  Andreas Schneider <asn>
   * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side


o  Jeremy Allison <jra>
   * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
     outside target of a symlink exists.

o  Ralph Boehme <slow>
   * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
   * BUG 14961: install elasticsearch_mappings.json

o  FeRD (Frank Dana) <ferdnyc>
   * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings
     without NotifyAccess=all.

o  Stefan Metzmacher <metze>
   * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly
     rollup patch.
   * BUG 14956: ndr_push_string() adds implicit termination for
     STR_NOTERM|REMAINING empty strings.

o  Joseph Sutton <josephsutton.nz>
   * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict



Comment 6 errata-xmlrpc 2022-11-08 10:45:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (samba bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

