Samba 4.21.6 Available for Download

                   ==============================
                   Release Notes for Samba 4.21.6
                           June 03, 2025
                   ==============================


This is the latest stable release of the Samba 4.21 release series.
It contains the fix for the security-relevant bug CVE-2025-0620:

    smbd doesn't pick up group membership changes
    when re-authenticating an expired SMB session:
    https://www.samba.org/samba/security/CVE-2025-0620.html


Description of CVE-2025-0620
-----------------------------

    With Kerberos authentication, SMB sessions typically have an
    associated lifetime, requiring re-authentication by the
    client when the session expires. As part of the
    re-authentication, Samba receives the current group
    membership information and is expected to reflect this
    change in further SMB request processing.

    For historical reasons, Samba maintains a cache of
    associations between a user's impersonation information and
    connected shares. A recent change in this cache caused Samba
    to not reflect group membership changes from session
    re-authentication when processing further SMB requests.

    As a result, when an administrator removes a user from a
    particular group in Active Directory, this change will not
    become effective unless the user disconnects from the server
    and establishes a new connection.
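
The stale-cache effect described above, as a simplified C model added here for illustration (it is not Samba source code). All struct and function names are hypothetical, and matching cache entries on the session id alone is an assumption made to reproduce the effect; the real cache layout is not described on this page.

```c
/* Simplified model; hypothetical names, not Samba source code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct token { uint32_t gids[4]; size_t ngids; };   /* group membership */
struct session {
    uint64_t id;          /* unchanged by re-authentication */
    uint64_t auth_gen;    /* bumped on every (re-)authentication */
    struct token tok;     /* membership from the latest authentication */
};
struct cache_entry {      /* token captured when the share was first used */
    bool valid;
    uint64_t session_id, auth_gen;
    struct token tok;
};

static bool token_has_gid(const struct token *t, uint32_t gid) {
    for (size_t i = 0; i < t->ngids; i++)
        if (t->gids[i] == gid) return true;
    return false;
}

/* Re-authentication installs the fresh membership on the session. */
static void session_reauth(struct session *s, struct token fresh) {
    s->tok = fresh;
    s->auth_gen++;
}

/* check_gen == false: a hit is decided by session id alone, so the cached
 * token outlives re-authentication (the stale behaviour).
 * check_gen == true: the generation must match too, so the entry is rebuilt. */
static const struct token *cache_lookup(struct cache_entry *c,
                                        const struct session *s, bool check_gen) {
    bool hit = c->valid && c->session_id == s->id &&
               (!check_gen || c->auth_gen == s->auth_gen);
    if (!hit)
        *c = (struct cache_entry){ true, s->id, s->auth_gen, s->tok };
    return &c->tok;
}

/* Constructed scenario: gid 500 is removed before the session re-authenticates.
 * Returns whether a later request is still processed with gid 500. */
static bool removed_gid_still_effective(bool check_gen) {
    struct session s = { .id = 1, .auth_gen = 1, .tok = { {100, 500}, 2 } };
    struct cache_entry c = { 0 };
    cache_lookup(&c, &s, check_gen);                  /* first share access */
    session_reauth(&s, (struct token){ {100}, 1 });   /* session expired */
    return token_has_gid(cache_lookup(&c, &s, check_gen), 500);
}
```

In the model, the removed group stays effective on the existing connection until the cache entry is tied to the re-authentication, which matches the administrator-visible symptom above.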


Changes since 4.21.5
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
   * BUG 15829: samba-tool gpo backup creates entity backups it can't read.
   * BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
     prepended 0's.

o  Ralph Boehme <slow@samba.org>
   * BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership
     changes when re-authenticating an expired SMB session.
   * BUG 15767: Deadlock between two smbd processes.

o  Pavel Filipenský <pfilipensky@samba.org>
   * BUG 15727: net ad join fails with "Failed to join domain: failed to create
     kerberos keytab".

o  Andreas Hasenack <andreas.hasenack@canonical.com>
   * BUG 15774: Running "gpo manage motd set" twice fails with backtrace.

o  Volker Lendecke <vl@samba.org>
   * BUG 15841: Wide link issue in samba 4.22.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15767: Deadlock between two smbd processes.
   * BUG 15851: dcerpcd not able to bind to listening port.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
     level beyond share root.

o  Martin Schwenke <mschwenke@ddn.com>
   * BUG 15858: CTDB does not put nodes running NFS into grace on graceful
     shutdown.