samba (2:4.2.10+dfsg-0+deb8u1) jessie-security; urgency=high

    This Samba security release moves Samba from Samba 4.1 to 4.2 in
    Debian jessie.  This addresses both Denial of Service and Man in
    the Middle vulnerabilities.

    This change was required as the scale of the patches did not
    permit a backport to Samba 4.1.

    Both of these changes implement a number of stricter behaviours
    to prevent Man in the Middle attacks on our network services, as a
    client and as a server.

    Between these changes, compatibility with a large number of older
    software versions has been lost in the default configuration.

    As an AD DC server, only Windows 2000 and Samba 3.6 and above as a
    domain member is supported out-of-the box.

    Specifically compatibility with the sssd client depends on the
    options selected (the ad or krb5 identity providers should work).

    Also as an AD DC, use of ldaps:// from ldbsearch or OpenLDAP's
    ldapsearch is not compatible with NTLMSSP or Kerberos, it is now
    only useful for simple binds.  This applies unless the 'ldap
    server require strong auth' option is modified to a less secure
    setting of 'allow_sasl_over_tls'.  Instead, use ldap:// and allow
    NTLMSSP/Kerberos to provide the sign/seal protection (on by
    default for Samba clients, and required by the server in this release).

    As a File Server, compatibility with the Linux Kernel cifs client
    depends on which configuration options are selected, please use
    sec=krb5(i) or sec=ntlmssp(i), not sec=ntlmv2.

    As a file or printer client and as a domain member, out of the box
    compatibility with Samba less than 4.0 and other SMB/CIFS servers,
    depends on support for SMB signing or SMB2 on the server, which is
    often disabled or absent.

    Additionally, as a domain member, out the the box compatibility
    for Samba 3.x domain controllers requires NETLOGON features only
    in Samba 3.2 and above.

    However, all of these can be worked around by setting smb.conf
    options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
    https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
    wiki for details, workarounds and suggested security-improving
    changes to these and other software packages.

    Finally, two important configuration options should be considered,
    that we were unable to silently change defaults for:
    - smb signing = required
    - ntlm auth = no

    Without smb signing = required, Man in the Middle attacks are
    still possible against our file server and classic/NT4-like/Samba3
    Domain controller.  (It is now enforced on our AD DC.)

    Without 'ntlm auth = no', there may still be clients not using
    NTLMv2, and these observed passwords may be brute-forced easily
    using cloud-computing resources or rainbow tables. 

 -- Andrew Bartlett <abartlet+debian@catalyst.net.nz>  Tue, 12 Apr 2016 16:18:57 +1200

samba (2:4.0.10+dfsg-3) unstable; urgency=low

    The SWAT package is no longer available.

    Upstream support for SWAT (Samba Web Administration Tool) was removed in
    samba 4.1.0. As a result, swat is no longer shipped in the Debian Samba
    packages. Unfortunately, there is currently no replacement.

    Details why SWAT has been removed upstream can be found on the
    samba-technical mailing list:

    https://lists.samba.org/archive/samba-technical/2013-February/090572.html

 -- Ivo De Decker <ivo.dedecker@ugent.be>  Tue, 22 Oct 2013 07:52:54 +0200

samba (2:3.6.5-2) unstable; urgency=low

    NSS modules have been split out from libpam-winbind to
    libnss-winbind.
    
    If Recommends: installs are disabled on your system you may need
    to manually install the libnss-winbind package after upgrading
    from former versions of winbind (for instance from squeeze) or
    from former versions of libpam-winbind.

 -- Christian Perrier <bubulle@debian.org>  Mon, 07 May 2012 22:16:32 +0200

samba (2:3.5.11~dfsg-3) unstable; urgency=low

    PAM modules and NSS modules have been split out from the winbind
    package into libpam-winbind.
    
    If Recommends: installs are disabled on your system you may need
    to manually install the libpam-winbind package after upgrading
    from former versions of winbind (for instance from squeeze)

 -- Steve Langasek <vorlon@debian.org>  Fri, 21 Oct 2011 20:00:13 +0000

samba (2:3.4.0-1) unstable; urgency=low

    Default passdb backend changed in samba 3.4.0 and above
  
    Beginning with samba 3.4.0, the default setting for "passdb
    backend" changed from "smbpasswd" to "tdbsam".
    
    If your smb.conf file does not have an explicit mention of
    "passdb backend" when upgrading from pre-3.4.0 versions of
    samba, it is likely that users will no longer be able to
    authenticate.
    
    As a consequence of all this, if you're upgrading from lenny
    and have no setting of "passdb backend" in smb.conf, you MUST
    add "passdb backend = smbpasswd" in order to keep your samba
    server's behaviour.
    
    As Debian packages of samba explicitly set "passdb backend = tdbsam"
    by default since etch, very few users should need to modify their
    settings.

 -- Christian Perrier <bubulle@debian.org>  Tue, 07 Jul 2009 20:42:19 +0200

samba (3.0.27a-2) unstable; urgency=low

    Weak authentication methods are disabled by default

    Beginning with this version, plaintext authentication is disabled for
    clients and lanman authentication is disabled for both clients and
    servers.  Lanman authentication is not needed for Windows
    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
    95/98/ME clients (or servers) you may need to set lanman auth (or client
    lanman auth) to yes in your smb.conf.

    The "lanman auth = no" setting will also cause lanman password hashes to
    be deleted from smbpasswd and prevent new ones from being written, so
    that these can't be subjected to brute-force password attacks.  This
    means that re-enabling lanman auth after it has been disabled is more
    difficult; it is therefore advisable that you re-enable the option as
    soon as possible if you think you will need to support Win9x clients.

    Client support for plaintext passwords is not needed for recent Windows
    servers, and in fact this behavior change makes the Samba client behave
    in a manner consistent with all Windows clients later than Windows 98.
    However, if you need to connect to a Samba server that does not have
    encrypted password support enabled, or to another server that does not
    support NTLM authentication, you will need to set
    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.

 -- Steve Langasek <vorlon@debian.org>  Sat, 24 Nov 2007 00:23:37 -0800

samba (3.0.26a-2) unstable; urgency=low

    Default printing system has changed from BSD to CUPS

    Previous versions of this package were configured to use BSD lpr as the
    default printing system.  With this version of Samba, the default has
    been changed to CUPS for consistency with the current default printer
    handling in the rest of the system.

    If you wish to continue using the BSD printing interface from Samba, you
    will need to set "printing = bsd" manually in /etc/samba/smb.conf.  If
    you wish to use CUPS printing but have previously set any of the
    "print command", "lpq command", or "lprm command" options in smb.conf,
    you will want to remove these settings from your config.  Otherwise, if
    you have the cupsys package installed, Samba should begin to use it
    automatically with no action on your part.

 -- Steve Langasek <vorlon@debian.org>  Wed, 14 Nov 2007 17:19:36 -0800
