Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14748 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: normal Milestone: 11.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New minor version.

Change History (7)

comment:1 by Xi Ruoyao, 3 years ago

--enable-selftest now requires three Python 3 modules: iso8601, cryptography, and pyasn1.

cryptography needs Rust, I don't think we'll like it.

Maybe we should just disable selftest.

comment:2 by Douglas R. Reno, 3 years ago

Disabling selftest sounds good to me for now, but I would like to reintroduce it next time that we have a security update for Samba. The initial version of the ZeroLogon fixes were flawed, and the tests were the only way for me to tell. I'd also like to reintroduce it if we get something else in the book that needs cryptography and pyasn1. I'll update the text regarding running the test suite, and also will make sure that the dependencies have those listed.

comment:3 by Douglas R. Reno, 3 years ago

On the other hand, could we do something like bind and tell the user to install them with 'pip'?

comment:4 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:5 by Douglas R. Reno, 3 years ago

                   Release Notes for Samba 4.14.0
                          March 09, 2021

This is the first stable release of the Samba 4.14 release series.
Please read the release notes carefully before upgrading.

New GPG key

The GPG release key for Samba releases changed from:

pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
uid                 [  full  ] Samba Distribution Verification Key <>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]

Starting from Jan 21th 2021, all Samba releases will be signed with the new key.

See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.

A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.

Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.

Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.

Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.

However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.

As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.


The effort to modernize Samba's VFS interface has reached a major milestone with
the next release Samba 4.14.

For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit the <>.


Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.

Client Group Policy
This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.

To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.

Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.

Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.

Python 3.6 or later required

Samba's minimum runtime requirement for python was raised to Python
3.6 with samba 4.13.  Samba 4.14 raises this minimum version to Python
3.6 also to build Samba. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.

Miscellaneous samba-tool changes

The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.

Users, groups and contacts can now be renamed with the respective rename

Locked users can be unlocked with the new 'samba-tool user unlock' command.

The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).


* The NAT gateway and LVS features now uses the term "leader" to refer
  to the main node in a group through which traffic is routed and
  "follower" for other members of a group.  The command for
  determining the leader has changed to "ctdb natgw leader" (from
  "ctdb natgw master").  The configuration keyword for indicating that
  a node can not be the leader of a group has changed to
  "follower-only" (from "slave-only").  Identical changes were made
  for LVS.

* Remove "ctdb isnotrecmaster" command.  It isn't used by CTDB's
  scripts and can be checked by users with "ctdb pnn" and "ctdb

smb.conf changes

  Parameter Name                     Description                Default
  --------------                     -----------                -------
  smb encrypt                        Removed
  async dns timeout                  New                        10
  client smb encrypt                 New                        default
  honor change notify privilege      New                        No
  smbd force process locks           New                        No
  server smb encrypt                 New                        default


o  Trever L. Adams <>
   * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
     start-up failure.

o  Peter Eriksson <>
   * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error

o  Volker Lendecke <>
   * BUG 14636: g_lock: Fix uninitalized variable reads.


o  Jeremy Allison <>
   * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
     force a full reload of services.

o  Andrew Bartlett <>
   * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
     expired tombstones.

o  Ralph Boehme <>
   * BUG 14619: vfs: Restore platform specific POSIX sys_acl_set_file()
   * BUG 14620: Fix the build on AIX.
   * BUG 14629: smbd: Don't overwrite _mode if neither a msdfs symlink nor
     get_dosmode is requested.
   * BUG 14635: Fix printer driver upload.


o  Björn Jacke <>
   * BUG 14624: classicupgrade: Treat old never expires value right.

o  Stefan Metzmacher <>
   * BUG 13898: s3:pysmbd: fix fd leak in py_smbd_create_file().

o  Andreas Schneider <>
   * BUG 14625: Fix smbd share mode double free crash.

o  Paul Wise <>
   * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.


o  Jeremy Allison <>
   * BUG 13992: Fix SAMBA RPC share error.

o  Ralph Boehme <>
   * BUG 14602: "winbind:ignore domains" doesn't prevent user login from trusted
   * BUG 14617: smbd tries to delete files with wrong permissions (uses guest
     instead of user from force user =).

o  Stefan Metzmacher <>
   * BUG 14539: s3:idmap_hash: Reliably return ID_TYPE_BOTH.

o  Andreas Schneider <>
   * BUG 14627: s3:smbd: Fix invalid memory access in


comment:6 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r24365

comment:7 by Bruce Dubbs, 3 years ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.