Software 42481 Published by

Samba 4.19.0 has been released. Samba is the standard Windows interoperability suite of programs for Linux and Unix.

Samba 4.19.0 Available for Download

This is the first stable release of the Samba 4.19 release series. Please read the release notes carefully before upgrading.



Migrated smbget to use common command line parser

The smbget utility implemented its own command line parsing logic. After
discovering an issue we decided to migrate it to use the common command line
parser. This has some advantages as you get all the feature it provides like
Kerberos authentication. The downside is that breaks the options interface.
The support for smbgetrc has been removed. You can use an authentication
if needed, this is documented in the manpage.

Please check the smbget manpage or --help output.

gpupdate changes

The libgpo.get_gpo_list function has been deprecated in favor of
an implementation written in python. The new function can be imported via
`import`. The python implementation connects to Active Directory
using the SamDB module, instead of ADS (which is what libgpo uses).

Improved winbind logging and a new tool for parsing the winbind logs

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
trace header fields 'traceid' and 'depth'.  Field 'traceid' allows to
track the
trace records belonging to the same request.  Field 'depth' allows to
track the
request nesting level. A new tool samba-log-parser is added for better log

AD database prepared to FL 2016 standards for new domains

While Samba still provides only Functional Level 2008R2 by default,
Samba as an AD DC will now, in provision ensure that the blank
database is already prepared for Functional Level 2016, with AD Schema

This preparation is of the default objects in the database, adding
containers for Authentication Policies, Authentication Silos and AD
claims in particular.  These DB objects must be updated to allow
operation of the new features found in higher functional levels.

Kerberos Claims, Authentication Silos and NTLM authentication policies

An initial, partial implementation of Active Directory Functional
Level 2012, 2012R2 and 2016 is available in this release.

In particular Samba will issue Active Directory "Claims" in the PAC,
for member servers that support these, and honour in-directory
configuration for Authentication Policies and Authentication Silos.

The primary limitation is that while Samba can read and write claims
in the directory, and populate the PAC, Samba does not yet use them
for access control decisions.

While we continue to develop these features, existing domains can
test the feature by selecting the functional level in provision or
raising the DC functional level by setting

 ad dc functional level = 2016

in the smb.conf

The smb.conf file on each DC must have 'ad dc functional level = 2016'
set to have the partially complete feature available.  This will also,
at first startup, update the server's own AD entry with the configured
functional level.

For new domains, add these parameters to 'samba-tool provision'

--option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level
indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after
updating the smb.conf and restarting Samba run
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016

Improved KDC Auditing

As part of the auditing required to allow successful deployment of
Authentication Policies and Authentication Silos, our KDC now provides
Samba-style JSON audit logging of all issued Kerberos tickets,
including if they would fail a policy that is not yet enforced.
Additionally most failures are audited, (after the initial
pre-validation of the request).

Kerberos Armoring (FAST) Support for Windows clients

In domains where the domain controller functional level is set, as
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
via GPO, use FAST to protect user passwords between (in particular) a
workstation and the KDC on the AD DC.  This is a significant security
improvement, as weak passwords in an AS-REQ are no longer available
for offline attack.

Claims compression in the AD PAC

Samba as an AD DC will compress "AD claims" using the same compression
algorithm as Microsoft Windows.

Resource SID compression in the AD PAC

Samba as an AD DC will now correctly populate the various PAC group
membership buffers, splitting global and local groups correctly.

Additionally, Samba marshals Resource SIDs, being local groups in the
member server's own domain, to only consume a header and 4 bytes per
group in the PAC, not a full-length SID worth of space each.  This is
known as "Resource SID compression".

Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal

Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD
support since Samba 4.17.  Samba 4.19 brings this feature to the
default Heimdal KDC.

Samba 4.17 added to samba-tool delegation the 'add-principal' and
'del-principal' subcommands in order to manage RBCD, and the database
changes made by these tools are now honoured by the Heimdal KDC once
Samba is upgraded.

Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the
Asserted Identity [1] SID into the PAC for constrained delegation.


New samba-tool support for silos, claims, sites and subnets.

samba-tool can now list, show, add and manipulate Authentication Silos
(silos) and Active Directory Authentication Claims (claims).

samba-tool can now list and show Active Directory sites and subnets.

A new Object Relational Model (ORM) based architecture, similar to
that used with Django, has been built to make adding new samba-tool
subcommands simpler and more consistent, with JSON output available
standard on these new commands.

Updated GnuTLS requirement / in-tree cryptography removal

Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.

This has allowed Samba to remove all of our in-tree cryptography,
except that found in our Heimdal import.  Samba's runtime cryptography
needs are now all provided by GnuTLS.

(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
the Linux getrandom())

We also use Python's cryptography module for our testing.

The use of well known cryptography libraries makes Samba easier for
end-users to validate and deploy, and for distributors to ship. This
is the end of a very long journey for Samba.

Updated Heimdal import

Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
this vendored copy, included in our release remains as close as
possible to the current upstream code.

Revocation support in Heimdal KDC for PKINIT certificates

Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.

This list is reloaded each time the file changes, so no further action
other than replacing the file is required.  The additional krb5.conf
option is:

    pkinit_revoke = FILE:/path/to/crl.pem

Information on the "Smart Card login" feature as a whole is at:

Protocol level testsuite for (Smart Card Logon) PKINIT

Previously Samba's PKINIT support in the KDC was tested by use of
shell scripts around the client tools of MIT or Heimdal Kerberos.
Samba's independently written python testsuite has been extended to
validate KDC behaviour for PKINIT.

Require encrypted connection to modify unicodePwd on the AD DC

Setting the password on an AD account on should never be attempted
over a plaintext or signed-only LDAP connection.  If the unicodePwd
(or userPassword) attribute is modified without encryption (as seen by
Samba), the request will be rejected.  This is to encourage the
administrator to use an encrypted connection in the future.

NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
the LDAP request will be regarded as plaintext.

Samba AD TLS Certificates can be reloaded

The TLS certificates used for Samba's AD DC LDAP server were
previously only read on startup, and this meant that when then expired
it was required to restart Samba, disrupting service to other users.

 smbcontrol ldap_server reload-certs

This will now allow these certificates to be reloaded 'on the fly'


smb.conf changes

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  winbind debug traceid                   Add traceid     No
  directory name cache size               Removed


o  MikeLiu []
   * BUG 15453: File doesn't show when user doesn't have permission if
     aio_pthread is loaded.

o  Martin Schwenke []
   * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ≥


o  Martin Schwenke []
   * BUG 15460: Logging to stdout/stderr with
     to syslog.

o  Joseph Sutton []
   * BUG 15458: ‘samba-tool domain level raise’ fails unless given a URL.


o  Jeremy Allison []
   * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
   * BUG 15430: missing return in reply_exit_done().
   * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized

o  Andrew Bartlett []
   * BUG 15401: Avoid infinite loop in initial user sync with Azure AD
     when synchronising a large Samba AD domain.
   * BUG 15407: Samba replication logs show (null) DN.

o  Stefan Metzmacher []
   * BUG 15346: 2-3min delays at reconnect with
     bad message_id 2.

o  Martin Schwenke []
   * BUG 15438: CID 1539212 causes real issue when output contains only

o  Joseph Sutton []
   * BUG 15452: KDC encodes INT64 claims incorrectly.

o  Jones Syue []
   * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().


o  Andrew Bartlett []
   * BUG 9959: Windows client join fails if a second container
CN=System exists

o  Noel Power []
   * BUG 15435: regression DFS not working with widelinks = true.

o  Arvid Requate []
   * BUG 9959: Windows client join fails if a second container
CN=System exists

o  Joseph Sutton []
   * BUG 15443: Heimdal fails to build on 32-bit FreeBSD.

o  Jones Syue []
   * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.


Reporting bugs & Development Discussion

Please discuss this release on the samba-technical mailing list or by
joining the matrix room, or
#samba-technical IRC channel on

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded

The release notes are available online at:

Our Code, Our Bugs, Our Responsibility.

                        The Samba Team