- samba-ad-dc-libs packages are missing a DLZ plugin for bind 9.20;
(bso#15790); (bsc#1249058).
- Update to 4.23.4
* Samba 4.22 breaks Time Machine; (bso#15926).
* mdssvc doesn't support $time.iso dates before 1970;
(bso#15947).
* Fix winbind cache consistency; (bso#15963).
* Assert failed: (dirfd != -1) || (smb_fname->base_name[0] ==
'/') in vfswrap_openat; (bso#15897).
* ctdb can crash with inconsistent cluster lock configuration;
(bso#15950).
* samba-bgqd: rework man page; (bso#15809).
* samba-bgqd can't find [printers] share; (bso#15936).
* Winbind can hang forever in gssapi if there are network
issues; (bso#15955).
* libldb requires linking libreplace on Linux; (bso#15961).
- Update to 4.23.3
* Spotlight search restriction for shares incomplete and
default search searches in too many attributes; (bso#15927).
* Searching for numbers doesn't work with Spotlight;
(bso#15930).
* rpcd_mdssvc may crash because name mangling is not
initialized; (bso#15931).
* Only increment lease epoch if a lease was granted;
(bso#15933).
* vfs_recycle does not update mtime; (bso#15940).
* samba-log-parser fails with UnicodeDecodeError: 'utf-8' codec
can't decode byte; (bso#15943).
* Crash in ctdbd on failed updateip; (bso#15935).
OBS-URL: https://build.opensuse.org/request/show/1323093
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=712
- Update [printers] location to /var/samba/spool; (bsc#1249179).
- Update to 4.22.6
* macOS Finder client DFS broken on 4.22.0; (bso#15843).
* Samba 4.22 breaks Time Machine; (bso#15926).
* Spotlight search restriction for shares incomplete and
default search searches in too many attributes; (bso#15927).
* rpcd_mdssvc may crash because name mangling is not
initialized; (bso#15931).
* Only increment lease epoch if a lease was granted;
(bso#15933).
* samba-4.21 fails to join AD when multiple DCs are returned;
(bso#15905).
* 'net ads group' failed to list domain groups; (bso#15900).
* vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev
for fsync_send; (bso#15919).
* CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set;
(bso#15921).
OBS-URL: https://build.opensuse.org/request/show/1318733
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=711
- Disable timeouts for smb.service so that possibly slow running
ExecStartPre script 'update-samba-security-profile' doesn't
cause service start to fail due to timeouts;(bsc#1249181).
- Ensure semanage is pulled in as a requirement when samba in
installed when selinux security access mechanism that is used;
(bsc#1249180).
- don't attempt to label paths that don't exist, also remove
unecessary evaluation of semange & restorecon cmds;(bsc#1249179).
- Update to 4.22.4
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0; (bso#14981).
* getpwuid does not shift to new DC when current DC is down;
(bso#15844).
* Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName-; (bso#15876).
* Unresponsive second DC can cause idmapping failure when using
idmap_ad-; (bso#15881).
* kinit command is failing with Missing cache Error;
(bso#15840).
* Figuring out the DC name from IP address fails and breaks
fork_domain_child(); (bso#15891).
* vfs_streams_depot fstatat broken; (bso#15816).
* Delayed leader broadcast can block ctdb forever; (bso#15892).
* Apparently there is a conflict between shadow_copy2 module
and virusfilter (action quarantine); (bso#15663).
* Fix handling of empty GPO link; (bso#15877).
* SMB ACL inheritance doesn't work for files created;
OBS-URL: https://build.opensuse.org/request/show/1309646
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=708
- Update to 4.22.2
* (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick
up group membership changes when re-authenticating an expired
SMB session; (bso#15707); (bsc#1244136).
* Profile sync fails due to Directory Leases; (bso#15861).
* net ad join fails with "Failed to join domain: failed to
create kerberos keytab"; (bso#15727).
* dcerpcd not able to bind to listening port; (bso#15851).
* vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root; (bso#15819).
* CTDB does not put nodes running NFS into grace on graceful
shutdown; (bso#15858).
OBS-URL: https://build.opensuse.org/request/show/1284043
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=704
- Update and rename update-apparmor-samba-profile script to
update-samba-security-profile. It additionally now caters
for selinux (if selinux is used); (bsc#1241391);
- Update smb.conf to enable SMB3 unix extensions
- Update to 4.22.1
* Running "gpo manage motd set" twice fails with backtrace;
(bso#15774).
* samba-tool gpo backup creates entity backups it can't read;
(bso#15829).
* gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's; (bso#15839).
* Deadlock between two smbd processes; (bso#15767).
* Subnet based interfaces definition not listening on all
covered IP addresses; (bso#15823).
* PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0; (bso#15836).
* net ad join fails with "Failed to join domain: failed to
create kerberos keytab"; (bso#15727).
* Enable support for cephfs case insensitive behavior;
(bso#15822).
* Remove of file or directory not possible with vfs_acl_tdb;
(bso#15791).
* Wide link issue in samba 4.22; (bso#15841).
* NT_STATUS_INVALID_PARAMETER: Can't create folders on share of
an exfat file system; (bso#15845).
* Lease code is not endian-safe; (bso#15849).
* vfs_ceph_new module does not work with other modules for
snapshot management; (bso#15818).
OBS-URL: https://build.opensuse.org/request/show/1278591
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=703
Please stage together with talloc, tdb and tevent.
- Update to 4.22.0
* SMB3 Directory Leases are supported. By default, SMB3 Directory
Leases are enabled on non-clustered Samba and disabled on
clustered Samba, based on the "clustering" option.
* Netlogon Ping over LDAP and LDAPS
* Experimental Himmelblaud Authentication in Samba
* The "nmbd proxy logon" feature was removed.
* fruit:posix_rename option of the vfs_fruit VFS module that
could be used to enable POSIX directory rename behaviour for
OS X clients has been removed as it could result in severe
problems for Windows clients.
OBS-URL: https://build.opensuse.org/request/show/1254187
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/samba?expand=0&rev=317
- Remove nscd build dependency and usage in RPM scriptlets;
(bsc#1237296);
- Update to 4.21.4
* Increasing slowness of sharesec performance with high number
of registry shares; (bso#15780).
* winbindd shows memleak in kerberos_decode_pac; (bso#15782).
* Creation of GPOs applicable to more than one group is
impossible with Samba 4.20.0 and later; (bso#15738).
* Replace `crypt` module in
python/samba/netcmd/user/readpasswords/common.py;
(bso#15756).
* vfs_gpfs silently garbles timestamps > year 2106;
(bso#15151).
* Spotlight search results don't show file size and creation
date; (bso#15796).
* General improvements for vfs_ceph_new module; (bso#15703).
* net offlinejoin not working correctly; (bso#15777).
* net ads create/join/winbind producing unix dysfunctional
keytabs; (bso#15759).
* Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
security tab; (bso#14213).
* The values from hresult_errstr_const and hresult_errstr are
reversed in 4.20 and 4.21; (bso#15769).
* Kerberos referral tickets are generated for principals in our
domain if we have a trust to a top level domain; (bso#15778).
* NETLOGON_NTLMV2_ENABLED is missing in the SamLogon*
user_flags field; (bso#15783).
* Regression: stack-use-after-return in crypt_as_best_we_can();
(bso#15784).
OBS-URL: https://build.opensuse.org/request/show/1250469
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=701
- Update to 4.21.3
* More possible replication loops against Azure AD;
(bso#15701).
* Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease;
(bso#15697).
* vfs crossrename seems not work correctly; (bso#15724).
* After 'machine password timeout' /etc/krb5.keytab is not
updated; (bso#6750).
* Memory leak wbcCtxLookupSid; (bso#15771).
* Fix heap-user-after-free with association groups;
(bso#15765).
* Segfault in vfs_btrfs; (bso#15758).
* Avoid event failure race when disabling an event script;
(bso#15755).
OBS-URL: https://build.opensuse.org/request/show/1238025
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=700
- Update shipped /etc/samba/smb.conf to point to smb.conf
man page;(bsc#1233880).
- Update to 4.21.2
* smbd fails to correctly check sharemode against OVERWRITE
dispositions; (bso#15732).
* Panic in close_directory; (bso#15754).
* winexe no longer works with samba 4.21; (bso#15752).
* protocol error - Unclear debug message "pad length mismatch"
for invalid bind packet; (bso#14356).
* NetrGetLogonCapabilities QueryLevel 2 needs to be
implemented; (bso#15425).
* gss_accept_sec_context() from Heimdal does not imply
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
* winbindd should call process_set_title() for locator child;
(bso#15749).
* Update CTDB to track all TCP connections to public IP
addresses; (bso#15320).
- Update shipped /etc/samba/smb.conf to point to smb.conf
man page;(bsc#1233880).
- Update to 4.21.2
* smbd fails to correctly check sharemode against OVERWRITE
dispositions; (bso#15732).
* Panic in close_directory; (bso#15754).
* winexe no longer works with samba 4.21; (bso#15752).
* protocol error - Unclear debug message "pad length mismatch"
for invalid bind packet; (bso#14356).
* NetrGetLogonCapabilities QueryLevel 2 needs to be
implemented; (bso#15425).
OBS-URL: https://build.opensuse.org/request/show/1231967
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=699
- Adjust spec to split out rpcd_* binaries into a separate
sub package; (bsc#1231414).
- Update to 4.21.1
* DH reconnect error handling can lead to stale sharemode
entries; (bso#15624).
* "inherit permissions = yes" triggers assert() in vfs_default
when creating a stream; (bso#15695).
* Samba 4.21.0 broke FreeIPA domain member integration;
(bso#15715).
* Missing conversion for msDS-UserTGTLifetime, msDS-
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
tool domain auth policy modify"; (bso#15692).
* irpc_destructor may crash during shutdown; (bso#15280).
* Durable handle is not granted when a previous OPEN exists
with NoOplock; (bso#15649).
* Durable handle is granted but reconnect fails; (bso#15651).
* Disconnected durable handles with RH lease should not be
purged by a new non conflicting open; (bso#15708).
* net ads testjoin and other commands use the wrong secrets.tdb
in a cluster; (bso#15714).
* 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
rfc 8009 etypes are used; (bso#15726).
* VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
(bso#15730).
* Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
* Cannot build libldb lmdb backend on a build without AD DC;
(bso#15721).
* Consistent log level for sighup handler; (bso#15706).
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=697
- Support needed packaging changes required update to samba-4.21.0
Update samba.spec, baselibs.conf to deliver libldb packages.
- Package ceph_new VFS module.
- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
(bso#15699); (bsc#1229684).
- Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse; (bso#15702).
- Update to 4.21.0
* Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
truncated; (bso#15699).
* Bad variable definition for ParseTuple causing test failure
for Smb3UnixTests.test_create_context_reparse; (bso#15702).
* Add new vfs_ceph module (based on low level API);
(bso#15686).
* samba-tool can not load the default configuration file;
(bso#15698).
* Crash when readlinkat fails; (bso#15700).
* Can't add/delete special keys to keytab for nfs, cifs, http
etc; (bso#15689).
* Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients; (bso#15696).
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
* ldb_version.h is missing from ldb public library;
(bso#15690).
OBS-URL: https://build.opensuse.org/request/show/1206056
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=696
- Fix a crash when joining offline and 'kerberos method' includes
keytab; (bsc#1228732).
- Update to 4.20.4
* --version-* options are still not ergonomic, and they reject
tilde characters; (bso#15673).
- Update to 4.20.3
* Running samba-bgqd a a standalone systemd service does not
work; (bso#15683).
* When claims enabled with heimdal kerberos, unable to log on
to a Windows computer when user account need to change their
own password; (bso#15655).
* Invalid client warning about command line passwords;
(bso#15671).
* Version string is truncated in manpages; (bso#15672).
* cmdline_burn does not always burn secrets; (bso#15674).
* Samba does not parse SDDL found in defaultSecurityDescriptor
in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
* The images don\'t build after the git security release and
CentOS 8 Stream is EOL; (bso#15660).
* Fix clock skew error message and memory cache clock skew
recovery; (bso#15676).
* Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual; (bso#15603).
* s4:ldap_server: does not support tls channel bindings for
sasl binds; (bso#15621).
* CTDB socket output queues may suffer unbounded delays under
some special conditions; (bso#15678).
OBS-URL: https://build.opensuse.org/request/show/1194082
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=695
- Update to 4.20.1
* dns update debug message is too noisy; (bso#15630);
* Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
* Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
* Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
* http library doesn't support 'chunked transfer encoding'; (bso#15611);
* Provide a systemd service file for the background queue daemon; (bso#15600);
- Update to 4.20.0
New features:
* samba-tool user getpassword / syncpasswords ;rounds= change
* Group Managed service account client-side features
* New Windows Search Protocol Client
* Allow 'smbcacls' to save/restore DACLs to file
* Samba-tool extensions for AD Claims, Authentication Policies and Silos
* AD DC support for Authentication Silos and Authentication Policies
* Conditional ACEs and Resource Attribute ACEs
* Service Witness Protocol [MS-SWN]
Removed features:
* Get locally logged on users from utmp
Fixed bugs:
* Avoid null-dereference with bad claims; (bso#15606);
* ndr_pull_security_ace can leave resource attribute ACE coda
claim struct undefined; (bso#15613);
* fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close(); (bso#15527);
* set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
openat() EACCES; (bso#15583);
* libgpo: Segfault in python bindings; (bso#15599);
* Samba AD is missing some authentication policy tests;
(bso#15607);
OBS-URL: https://build.opensuse.org/request/show/1177473
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/samba?expand=0&rev=305
- Update to 4.19.5
* Windows 2016 fails to restore previous version of a file from
a shadow_copy2 snapshot; (bso#13688).
* Symlinks on AIX are broken in 4.19 (and a few version before
that); (bso#15549).
* Fake directory create times has no effect; (bso#12421).
* ctime mixed up with mtime by smbd; (bso#15550).
* samba-gpupdate --rsop fails if machine is not in a site;
(bso#15548).
* gpupdate: The root cert import when NDES is not available is
broken; (bso#15557).
* samba-gpupdate should print a useful message if cepces-submit
can't be found; (bso#15552).
* samba-gpupdate logging doesn't work; (bso#15558).
* smbpasswd reset permissions only if not 0600; (bso#15555).
OBS-URL: https://build.opensuse.org/request/show/1149633
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=689
