Version 2.0.5a of Samba contains three security bugfixes for
problems in previous versions of Samba found by Olaf Kirch of
Caldera Systems (www.caldera.com). The Samba Team would like to
publicly thank Olaf for his help in doing a security review of our
code and finding these bugs.
The three bugs are one potentially exploitable buffer overrun
bug (although no current exploits are known) in smbd and two denial
of service bugs in nmbd. By default the smbd bug was not
exploitable as shipped (the problem parameter was disabled by
default) but instructions on protecting any version of Samba prior
to 2.0.5 are included below.
All these bugs have been fixed in Samba 2.0.5 and 2.0.5a.
If using any version of Samba prior to 2.0.5 the administrator
*MUST NOT* enable the "message command" parameter in smb.conf, and
*MUST* remove any "message command" that is listed in any existing
smb.conf file. No known instances of this attack being exploited
have been reported.
All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
denial of service attack causing nmbd to either crash or to go into
an infinite loop. No known instances of this attack being exploited
have been reported.
New/Changed parameters in 2.0.5 and 2.0.5a.
There are 5 new parameters in the smb.conf file.
force security mode
directory security mask
force directory secruty mode
The first 4 parameters are used to control the UNIX permissions
bits that an NT client is allowed to modify. These parameters are
now used instead of the older "create" parameters that were used in
2.0.4 to allow an administrator to separate the two functions.
Use of these new parameters is described in the smb.conf man
page, and also in the documents :
The fifth new parameter is described in the following
Level II oplocks
Samba 2.0.5 now implements level2 oplocks. As this is new code
this parameter is set to "off" by default. The benefit of level2
oplocks is to allow read-only file caching from multiple clients.
This is of great speed benefit to shares that are serving
application executable programs (.EXE's) that are usually not
written to. To learn more about using level 2 oplocks read the
parameter description in the smb.conf documentation or read the
Changes in 2.0.5a
1). Fix for smbd crash bug in string_sub(). smbd was
miscalculating memmove lengths on multiple '%' substitutions.
2). Fix for wildcard matching bug for old DOS programs running on
3). Fix for Windows NT client changing passwords against a Samba
server, intermittently failing.
4). Fix for PPP link being detected as primary interface if using
the same IP address as the primary.
5). Ensure smbmount is built with RPM build.
Changes in 2.0.5
1). smbmount for Linux systems has been re-written to use the
libsmb code and clientutil.c is no longer used with it.
2). A bug preventing directory opens using the NT SMB calls has
3). A related bug causing a file structure leak when directory
opens were denied has been fixed.
4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
5). Prevent timestamps of 0 or -1 corrupting file timestamps.
6). Fix for unusual delays when browsing shares using Windows 2000
- fix added by Matt.
7). Fix for smbpassword reading problems on Sparc Linux was
8). Fix for compiling with SSL library.
9). smbclient fix for crash when doing CR/LF conversion.
10). smbclient now reports short read errors.
11). smbclient now uses remote server workgroup to list servers by
12). smbclient now has -b option to change transmit/send buffer
13). smbclient fix for corrupting files when issuing multiple
outstanding read requests.
14). Printing bug where Linux was using SYSV printing by default
fixed. Linux now set to be BSD printing by default.
15). Change for Linux to use SYSV shared memory by default.
16). Fix for using IP_TOS options on some systems.
17). Fix for some systems that complained about static struct
passwd buffers being modified.
18). Range checking applied to all string substitutions.
Theoretically not a bug, but much more rebust now.
19). Level II oplocks implemented.
20). Fix for Win2K client printing added.
21). Always allow loopback (127.0.0.1) connects unless specifically
22). Patch for FreeBSD interface detection code from Archie Cobbs
23). Return correct status from smbrun.
24). snprintf fixes for floating point numbers.
25). Force directories to always have zero size.
26). Fix for "force group" and "force user" options. "force user"
now always uses primary group of user as well. Force group now
enhanced with '+' semantics (see smb.conf man page for
27). Wildcard matching fix to get closer to WinNT semantics for
28). Potential crash bug fixed in wildcard matching code. This bug
could also cause smbd to sometimes not see exact file matches.
29). Read/write for sockets changed to use revc/send to allow
30). Oplocks added to client library.
31). Several purify fixes in IPC code.
32). nmbd crash bug in processing strange NetBIOS names fixed.
33). nmbd loop bug in processing strange NetBIOS names fixed.
34). Paranoia fixes to processing of incoming WinPopup messages in
35). Share mode code now auto initialised.
36). Detect dead processes in IPC lock code.
37). Explicit -V version switch added to command line
38). WORKGROUP(1b) name processing with no WINS server fixed.
39). Win2k client detection code added by Matt.
40). Fix to allow really short changenotify times to be
41). Fix for NT delete finding the wrong file from Tine Smukavec
42). SWAT fix to prevent stderr messages from breaking the Web
43). testparm fixes to check more parameter conflicts.
44). Relative paths not fetched via SWAT in CGI scripts.
45). SWAT remote password change - remote host name not treated as
a password field any more.
Changes in 2.0.4b
A bug with MS-Word 97 saving files with zero UNIX permissions
was fixed. Even though a workaround is available (set force create
mode = 644 on the share) Word is such an important application that
a point fix was neccessary.
Changes in 2.0.4a
The text and html versions of NT_Security were missing from the
shipping tarball. Also a compile bug for platforms that don't have
usleep was fixed.
Changes in 2.0.4
There are 5 new parameters and one modified parameter in the
1). Fix for 8 character password problem when using HPUX and
2). --with-pam option added to ./configure.
3). Client fixes for memory leak and display of 64 bit values.
4). Fixes for -E and -s option with smbclient.
5). smbclient now allows -L //server or -L \\server
6). smbtar fix for display of 64 bit values.
7). Endian independence added to DCE/RPC code.
8). DCE/RPC marshalling/unmarshalling code re-written to provide
overflow reporting and sign and seal support.
9). Bind NAK reply packet added to DCE/RPC code, used to correctly
refuse bind requests (prevents NT system event log messages).
10). Mapping of UNIX permissions into NT ACL's for get and set
11). DCE/RPC enumeration of numbers of shares made dynamic. Samba
now has no limit on the number of exported shares seen.
12). Fix to speed up random number seed generation on /dev/urandom
13). Several memory fixes added by running Purify on the code.
14). Read from client error messages improved.
15). Fixed endianness used in UNICODE strings.
16). Cope with ERRORmoredata in an RPC pipe client call.
17). Check for malformed responses in nmbd register name.
18). NT Encrypted password changing from the NT password dialog box
now fully implmented.
19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
20). Allow file to be pseudo-openend in order to read security
21). Improve filename mangling to reduce chance of collisions.
22). Added code to prevent granting of oplocks when a file is under
23). Added tunable wait time before sending an oplock break request
to a client if the client caused the break request. Helps with
clients not responding to oplock breaks.
24). Always respond negatively to queued local oplock break
messages before shutdown. This can prevent "freezes" on an oplock
25). Allow admin to restrict logons to correct domain when in
domain level security.
26). Added "restrict anonymous" patch from Andy
(email@example.com) to prevent parameter substitution
problems with anonymous connections.
27). Fix SMBseek where seeking to a negative number sets the offset
28). Fixed problem with mode getting corrupted in trans2 request
(setting to zero means please ignore it).
29). Correctly become the authenticated user on an authenticated
DCE/RPC pipe request.
30). Correctly reset debug level in nmbd if someone set it on the
31). Added more checking into testparm
32). NetBench simulator added to smbtorture by Andrew.
33). Fixed NIS+ option compile (was broken in 2.0.3).
34). Recursive smbclient directory listing fix. Patch from E. Jay
Bugfixes added since 2.0.2
1). --with-ssl configure now include ssl include directory. Fix
from Richard Sharpe.
2). Patch for configure for glibc2.1 support (large files
3). Several bugfixes for smbclient tar mode from Bob Boehmer
(firstname.lastname@example.org) to fix smbclient aborting problems when
restoring tar files.
4). Some automount fixes for smbmount.
5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
root. As no-one has given us root access to such a server this
cannot be tested fully, but should work.
6). Crash bug fix in debug code where *real* uid rather than
*effective* uid was being checked before attempting to rotate log
files. This fix should help a *lot* of people who were reporting
smbd aborting in the middle of a copy operation.
7). SIGALRM bugfix to ensure infinate file locks time out.
8). New code to implement NT ACL reporting for cacls.exe
9). UDP loopback socket rebind fix for Solaris.
10). Ensure all UNICODE strings are correctly in little-endian
11). smbpasswd file locking fix.
12). Fixes for strncpy problems with glibc2.1.
13). Ensure smbd correctly reports major and minor version number
and server type when queried via NT rpc calls.
14). Bugfix for short mangled names not being pulled off the
mangled stack correctly.
15). Fix for mapping of rwx bits being incorrectly overwritten when
16). Fix for returning multiple PDU packets in NT rpc code. Should
allow multiple shares to be returned correctly).
17). Improved mapping of NT open access requests into UNIX open
18). Fix for copying files from an NTFS volume that contain
multiple data forks. Added 'magic' error code NT needs.
19). Fixed crash bug when primary NT authentication server is down,
rolls over to secondaries correctly now.
20). Fixed timeout processing to be timer based. Now will always
occur even if smbd is under load.
21). Fixed signed/unsigned problem in quotas code.
22). Fixed bug where setting the password of a completely fresh
user would end up setting the account disabled flag.
23). Improved user logon messages to help admins having trouble
with user authentication.
Bugfixes added since 2.0.1
Note that due to a critical signal handling bug in 2.0.1, this
release has been removed and replaced immediately with 2.0.2. The
Samba Team would like to apologise for any problem this may have
1). Fixed smbd looping on SIGCLD problem. This was caused by a
missing break statement in a critical piece of code.
Bugfixes added since 2.0.0
1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
2). Autoconf changes to help HPUX configure correctly.
3). Autoconf changes to allow lock directory to be set.
4). Client fix to allow port to be set.
5). clitar fix to send debug messages to stderr.
6). smbmount race condition fix.
7). Fix for bug where trying to browse large numbers of shares
generated an error from an NT client.
8). Wrapper for setgroups for SunOS 4.x
9). Fix for directory deleting failing from multiuser NT.
10). Fix for crash bug if bitmap was full.
11). Fix for Linux genrand where /dev/random could cause clients to
timeout on connect if the entropy pool was empty.
12). The default PASSWD_CHAT may now be overridden in local.h
13). HPUX printing fixes for default programs.
14). Reverted (erroneous) code in MACHINE.SID generation that was
setting the sid to 0x21 - should be *decimal* 21.
15). Fix for printing to remote machine under SVR4.
16). Fix for chgpasswd wait being interrupted with EINTR.
17). Fix for disk free routine. NT and Win98 now correctly show
greater than 2GB disks.
18). Fix for crash bug in stat cache statistics printing.
19). Fix for filenames ending in .~xx.
20). Fix for access check code wait being interrupted with
21). Fix for password changes from "invalid password" to a valid
one setting the account disabled bit.
22). Fix for smbd crash bug in SMBreadraw cache prime code.
23). Fix for overly zealous lock range overflow reporting.
24). Fix for large disk disk free reporting (NT SMB code).
25). Fix for NT failing to truncate files correctly.
26). Fix for smbd crash bug with SMBcancel calls.
7). Additional -T flag to nmblookup to do reverse DNS on
28). SWAT fix to start/stop smbd/nmbd correctly.
Major changes in Samba 2.0
This is a MAJOR new release of Samba, the UNIX based SMB/CIFS
file and print server for Windows systems.
There have been many changes in Samba since the last major
release, 1.9.18. These have mainly been in the areas of performance
and SMB protocol correctness. In addition, a Web based GUI
interface for configuring Samba has been added.
In addition, Samba has been re-written to help portability to
other POSIX-based systems, based on the GNU autoconf tool.
There are many major changes in Samba for version 2.0. Here are
some of them:
Samba has been benchmarked on high-end UNIX hardware as
out-performing all other SMB/CIFS servers using the Ziff-Davis
NetBench benchmark. Many changes to the code to optimise high-end
performance have been made.
Samba now supports the Windows NT specific SMB requests. This means
that on platforms that are capable Samba now presents a 64 bit view
of the filesystem to Windows NT clients and is capable of handling
very large files.
Samba is now self-configuring using GNU autoconf, removing the need
for people installing Samba to have to hand configure Makefiles, as
was needed in previous versions.
You now configure Samba by running "./configure" then "make".
See docs/textdocs/UNIX_INSTALL.txt for details.
4). Web based GUI configuration
Samba now comes with SWAT, a web based GUI config system. See the
swat man page for details on how to set it up.
5). Cross protocol data integrity
An open function interface has been defined to allow "opportunistic
locks" (oplocks for short) granted by Samba to be seen by other
UNIX processes. This allows complete cross protocol (NFS and SMB)
data integrety using Samba with platforms that support this
6). Domain client capability
Samba is now capable of using a Windows NT PDC for user
authentication in exactly the same way that a Windows NT
workstation does, i.e. it can be a member of a Domain. See
docs/textdocs/DOMAIN_MEMBER.txt for details.
7). Documentation Updates
All the reference parts of the Samba documentation (the manual
pages) have been updated and converted to a document format that
allows automatic generation of HTML, SGML, and text formats. These
documents now ship as standard in HTML and manpage format.
NOTE - Some important option defaults changed
Several parameters have changed their default values. The most
important of these is that the default security mode is now user
level security rather than share level security.
This (incompatible) change was made to ease new Samba installs
as user level security is easier to use for Windows 95/98 and
Windows NT clients.
If you have no "security=" line in the [global] section of your
current smb.conf and you update to Samba 2.0 you will need to add
the line :
to get exactly the same behaviour with Samba 2.0 as you did with
previous versions of Samba.
********END IMPORTANT NOTE*************
In addition, Samba now defaults to case sensitivity options that
match a Windows NT server precisely, that is, case insensitive but
The default format of the smbpasswd file has also been changed
for this release, although the new tools will read and write the
old format, for backwards compatibility.
NOTE - Primary Domain Controller Functionality
This version of Samba contains code that correctly implements
the undocumented Primary Domain Controller authentication
protocols. However, there is much more to being a Primary Domain
Controller than serving Windows NT logon requests.
A useful version of a Primary Domain Controller contains many
remote procedure calls to do things like enumerate users, groups,
and security information, only some of which Samba currently
implements. In addition, there are outstanding (known) bugs with
using Samba as a PDC in this release that the Samba Team are
actively working on. For this reason we have chosen not to
advertise and actively support Primary Domain Controller
functionality with this release.
This work is being done in the CVS (developer) versions of
Samba, development of which continues at a fast pace. If you are
interested in participating in or helping with this development
please join the Samba-NTDOM mailing list. Details on joining are
available at :
Details on obtaining CVS (developer) versions of Samba are
If you think you have found a bug please email a report to :
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.