summaryrefslogtreecommitdiffstats
path: root/debian/samba.NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'debian/samba.NEWS')
-rw-r--r--debian/samba.NEWS179
1 files changed, 179 insertions, 0 deletions
diff --git a/debian/samba.NEWS b/debian/samba.NEWS
new file mode 100644
index 0000000..5f4c14f
--- /dev/null
+++ b/debian/samba.NEWS
@@ -0,0 +1,179 @@
+samba (2:4.6.5+dfsg-5) unstable; urgency=medium
+
+ The samba service has been removed. Use the individual services instead:
+
+ * nmbd
+ * smbd
+ * samba-ad-dc
+
+ -- Mathieu Parent <sathieu@debian.org> Tue, 18 Jul 2017 22:52:05 +0200
+
+samba (2:4.4.1+dfsg-1) experimental; urgency=medium
+
+ This Samba security addresses both Denial of Service and Man in
+ the Middle vulnerabilities.
+
+ Both of these changes implement new smb.conf options and a number
+ of stricter behaviours to prevent Man in the Middle attacks on our
+ network services, as a client and as a server.
+
+ Between these changes, compatibility with a large number of older
+ software versions has been lost in the default configuration.
+
+ See the release notes in WHATNEW.txt for more information.
+
+
+ Here are some additional hints how to work around the new stricter default behaviors:
+
+ * As an AD DC server, only Windows 2000 and Samba 3.6 and above as
+ a domain member are supported out of the box. Other smb file
+ servers as domain members are also fine out of the box.
+
+ * As an AD DC server, with default setting of "ldap server require
+ strong auth", LDAP clients connecting over ldaps:// or START_TLS
+ will be allowed to perform simple LDAP bind only.
+
+ The preferred configuration for LDAP clients is to use SASL
+ GSSAPI directly over ldap:// without using ldaps:// or
+ START_TLS.
+
+ To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
+ NTLMSSP) sign/seal protection must be used by the client and
+ server should be configured with "ldap server require strong
+ auth = allow_sasl_over_tls".
+
+ Consult OpenLDAP documentation how to set sign/seal protection
+ in ldap.conf.
+
+ For SSSD client configured with "id_provider = ad" or
+ "id_provider = ldap" with "auth_provider = krb5", see
+ sssd-ldap(5) manual for details on TLS session handling.
+
+ * As a File Server, compatibility with the Linux Kernel cifs
+ client depends on which configuration options are selected, please
+ use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+ * As a file or printer client and as a domain member, out of the
+ box compatibility with Samba less than 4.0 and other SMB/CIFS
+ servers, depends on support for SMB signing or SMB2 on the
+ server, which is often disabled or absent. You may need to
+ adjust the "client ipc signing" to "no" in these cases.
+
+ * In case of an upgrade from versions before 4.2.0, you might run
+ into problems as a domain member. The out of the box compatibility
+ with Samba 3.x domain controllers requires NETLOGON features only
+ available in Samba 3.2 and above.
+
+ However, all of these can be worked around by setting smb.conf
+ options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
+ https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
+ wiki for details, workarounds and suggested security-improving
+ changes to these and other software packages.
+
+
+ Suggested further improvements after patching:
+
+ It is recommended that administrators set these additional options,
+ if compatible with their network environment:
+
+ server signing = mandatory
+ ntlm auth = no
+
+ Without "server signing = mandatory", Man in the Middle attacks
+ are still possible against our file server and
+ classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+ Samba's AD DC.) Note that this has heavy impact on the file server
+ performance, so you need to decide between performance and
+ security. These Man in the Middle attacks for smb file servers are
+ well known for decades.
+
+ Without "ntlm auth = no", there may still be clients not using
+ NTLMv2, and these observed passwords may be brute-forced easily using
+ cloud-computing resources or rainbow tables.
+
+ -- Andrew Bartlett <abartlet+debian@catalyst.net.nz> Tue, 12 Apr 2016 16:18:57 +1200
+
+samba (2:4.0.10+dfsg-3) unstable; urgency=low
+
+ The SWAT package is no longer available.
+
+ Upstream support for SWAT (Samba Web Administration Tool) was removed in
+ samba 4.1.0. As a result, swat is no longer shipped in the Debian Samba
+ packages. Unfortunately, there is currently no replacement.
+
+ Details why SWAT has been removed upstream can be found on the
+ samba-technical mailing list:
+
+ https://lists.samba.org/archive/samba-technical/2013-February/090572.html
+
+ -- Ivo De Decker <ivo.dedecker@ugent.be> Tue, 22 Oct 2013 07:52:54 +0200
+
+samba (2:3.4.0-1) unstable; urgency=low
+
+ Default passdb backend changed in samba 3.4.0 and above
+
+ Beginning with samba 3.4.0, the default setting for "passdb
+ backend" changed from "smbpasswd" to "tdbsam".
+
+ If your smb.conf file does not have an explicit mention of
+ "passdb backend" when upgrading from pre-3.4.0 versions of
+ samba, it is likely that users will no longer be able to
+ authenticate.
+
+ As a consequence of all this, if you're upgrading from lenny
+ and have no setting of "passdb backend" in smb.conf, you MUST
+ add "passdb backend = smbpasswd" in order to keep your samba
+ server's behaviour.
+
+ As Debian packages of samba explicitly set "passdb backend = tdbsam"
+ by default since etch, very few users should need to modify their
+ settings.
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 07 Jul 2009 20:42:19 +0200
+
+samba (3.0.27a-2) unstable; urgency=low
+
+ Weak authentication methods are disabled by default
+
+ Beginning with this version, plaintext authentication is disabled for
+ clients and lanman authentication is disabled for both clients and
+ servers. Lanman authentication is not needed for Windows
+ NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
+ 95/98/ME clients (or servers) you may need to set lanman auth (or client
+ lanman auth) to yes in your smb.conf.
+
+ The "lanman auth = no" setting will also cause lanman password hashes to
+ be deleted from smbpasswd and prevent new ones from being written, so
+ that these can't be subjected to brute-force password attacks. This
+ means that re-enabling lanman auth after it has been disabled is more
+ difficult; it is therefore advisable that you re-enable the option as
+ soon as possible if you think you will need to support Win9x clients.
+
+ Client support for plaintext passwords is not needed for recent Windows
+ servers, and in fact this behavior change makes the Samba client behave
+ in a manner consistent with all Windows clients later than Windows 98.
+ However, if you need to connect to a Samba server that does not have
+ encrypted password support enabled, or to another server that does not
+ support NTLM authentication, you will need to set
+ "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 24 Nov 2007 00:23:37 -0800
+
+samba (3.0.26a-2) unstable; urgency=low
+
+ Default printing system has changed from BSD to CUPS
+
+ Previous versions of this package were configured to use BSD lpr as the
+ default printing system. With this version of Samba, the default has
+ been changed to CUPS for consistency with the current default printer
+ handling in the rest of the system.
+
+ If you wish to continue using the BSD printing interface from Samba, you
+ will need to set "printing = bsd" manually in /etc/samba/smb.conf. If
+ you wish to use CUPS printing but have previously set any of the
+ "print command", "lpq command", or "lprm command" options in smb.conf,
+ you will want to remove these settings from your config. Otherwise, if
+ you have the cupsys package installed, Samba should begin to use it
+ automatically with no action on your part.
+
+ -- Steve Langasek <vorlon@debian.org> Wed, 14 Nov 2007 17:19:36 -0800