From f77939c65cc4ae4e0bb9504f700b50d6601bd031 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 19 Jan 2005 16:09:59 +0000 Subject: [PATCH] r4846: do not keep outdated files here. the updated file is in the Release branch and in the official tarballs --- WHATSNEW.txt | 2504 -------------------------------------------------- 1 file changed, 2504 deletions(-) delete mode 100644 WHATSNEW.txt diff --git a/WHATSNEW.txt b/WHATSNEW.txt deleted file mode 100644 index 28696843b61..00000000000 --- a/WHATSNEW.txt +++ /dev/null @@ -1,2504 +0,0 @@ - ============================= - Release Notes for Samba 3.0.6 - Aug 19, 2004 - ============================= - -This is the latest stable release of Samba. This is the version -that production Samba servers should be running for all -current bug-fixes. There have been several issues fixes since -the 3.0.4/5 release and new features have been added as well. -See the "Changes" section for details on exact updates. - -Common bugs fixed in 3.0.6 include: - - o Schannel failure in winbindd. - o Numerous memory leaks. - o Incompatibilities between the 'write list' and 'force user' - smb.conf options. - o Premature optimization of the open_directory() internal - function that broke tools such as the ArcServe backup - agent, Macromedia HomeSite, and Robocopy. - o Corrupt workgroup names in nmbd's browse.dat. - o Sharing violation errors commonly seen when opening - when serving Microsoft Office documents from a Samba - file share. - o Browsing problems caused by an apostrophe (') in the - computer's description field. - o Problems creating special file types from UNIX CIFS - clients and enabling 'unix extensions'. - o Fix stalls in smbd caused by inaccessible LDAP servers. - o Remove various memory leaks. - o Fix issues in the password lockout feature. - -New features introduced in this release include: - - O Support symlinks created by CIFS clients which - can be followed on the server. - o Using a cups server other than localhost. - o Maintaining the service principal entry in the system - keytab for integration with other kerberized services. - Please refer to the 'use kerberos keytab' entry in - smb.conf(5). When using the heimdal kerberos libraries, - you must also specify the following in /etc/krb5.conf: - [libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab - o Support for maintaining individual printer names - stored separately from the printer's sharename. - o Support for maintaining user password history. - o Support for honoring the logon times for user in a - Samba domain. - --------------------------------------------- -unix extensions = yes (default) and symlinks --------------------------------------------- - -Beginning with Samba 3.0.6pre1 (formerly known as 3.0.5pre1), -clients supporting the UNIX extensions to the CIFS protocol -can create symlinks to absolute paths which will be **followed** -by the server. This functionality has been requested in order -to correctly support certain applications when the user's home -directory is mounted using some type of CIFS client (e.g. the -cifsvfs in the Linux 2.6 kernel). - -If this behavior is not acceptable for your production environment -you can set 'wide links = no' in the specific share declaration in -the server's smb.conf. Be aware that disabling wide link support -out of a share in Samba may impact the server's performance due -to the fact that smbd will now have to check each path additional -times before traversing it. - ------------------------- -Password History Support ------------------------- - -The new password history feature allows smbd to check the new -password in password change requests against a list of the user's -previous passwords. The number of previous passwords to save can -be set using pdbedit (4 in this example): - - root# pdbedit -P "password history" -C 4 - -When using the ldapsam passdb backend, it is vital to secure the -following attributes from access by non-administrative users: - - * sambaNTPassword - * sambaLMPassword - * sambaPasswordHistory - -You should refer to your directory server's documentation on how -to implement this restriction. - - -###################################################################### -Changes -####### - -Changes since 3.0.6rc2 ----------------------- - -o Jeremy Allison - * Ensure we return the same ACL revision on the wire that - W2K3 does. - * BUG 1578: Hardcode replacement for invalid characters as '_' - (based on fix from Alexander E. Patrakov ). - * Fix hashed password history for LDAP backends. - * Enforce logon hours restrictions if confiogured (based on code - from Richard Renard ). - * BUG 1606: Force smbd to disable sendfile with DOS clients - and ensure that the chained header is filled in for ...&X - commands. - * BUG 1602: Fix access to shares when all symlink support - has been disabled. - - -o Gerald (Jerry) Carter - * Tighten the cache consistency with the ntprinters.tdb entry - an the in memory cache associated with open printer handles. - * Make sure that register_messages_flags() doesn't overwrite - the originally registered flags. - - -o Guenther Deschner - * Correct infinite loop in pam_winbind's verification of - group membership in the 'other sids' field in the user_info3 - struct. - - -o Steve French - * prevent infinite recusion in reopen_logs() when expanding - the smb.conf variable %I. - - -o Volker Lendecke - * Improved NT->AFS ACL mapping VFS module. - - -o Buchan Milne - * Mandrake packaging fixes. - - -o Lars Mueller - * Fix compiler warnings in the kerberos client code. - - -o James Peach - * Prevent smbd from attempting to use sendfile at all if it is - not supported by the server's OS. - * Allow SWAT to search for index.html when serving html files - in a directory. - - -o Jelmer Vernooij - * BUG 1474: Fix build of --with-expsam stuff on Solaris. - - -Changes since 3.0.5 -------------------- - -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - cups server New - defer sharing violations New - force unknown acl user New - ldap timeout New - printcap cache time New - use kerberos keytab New - -commits -------- -o Jeremy Allison - * Correct path parsing bug that broke DeletePrinterDriverEx(). - * Fix bugs in check_path_syntax() caught by asserts. - * Internal change - rearrange internal global case setting - variables to a per connection basis. - * BUG 1345: Fix premature optimization in unix_convert(). - * Allow clients to truncate a locked file. - * BUG 1319: Always check to see if a user as write access - to a share, even when 'force user' is set. - * Fix specific case of open that doesn't cause oplock break, - or share mode check. - * Correct sid type is WKN_GROUP, not alias. Added some - more known types (inspired by patch from Jianliang Lu). - * Allow creation of absolute symlink paths via CIFS clients. - * Fix charset bug in when invoking send_mailslot(). - * When using widelinks = no, use realpath to canonicalize - the connection path on connection create for the user. - * Enhance stat open code. - * Fix unix extensions mknod code path. - * Allow unix domain socket creation via unix extensions. - * Auto disable the 'store dos attribute' parameter if the - underlying filesystem doesn't support EAs. - * Implement deferred open code to fix a bug with Excel files - on Samba shares. - * BUG 1427: Catch bad path errors at the right point. Ensure - all our pathname parsing is consistent. - * Fix SMB signing error introduced by the new deferred open - code. - * Change default setting for case sensitivity to "auto". (see - commit message -- r1154 -- for details). - * Add new remote client arch -- CIFSFS. - * Allow smbd to maintain the service principal entry in the - system keytab file (based on patch Dan Perry , - Guenther Deschner, et. al.). - * Fix longstanding memleak bug with logfile name. - * Fix incorrect type in printer publishing (struct uuid, - not UUID_FLAT). - * Heimdal compile fixes after introduction of the new ketyab - feature. - * Ensure we check attributes correctly on rename request. - * Ensure we defer a sharing violation on rename correctly. - * BUG 607: Ensure we remove DNS and DNSFAIL records immediately - on timeout. - * Fix bogus error message when using "mangling method = hash" - rather than hash2. - * Turn on sendfile by default for non-Win9x clients. - * Handle non-io opens that cause oplock breaks correctly. - * Ensure ldap replication sleep time is not more than 5 seconds. - * Add support for storing a user's password history. - LDAP portion of the code was based on a patch from - Jianliang Lu . - * Correct memory leaks found in the password change code. - * Fix support for the mknod command with the Linux CIFS client. - * Remove support for passing the new password to smbpasswd - on the command line without using the -s option. - * Ensure home directory service number is correctly reused - (inspired by patches from Michael Collin Nielsen - ). - * Fix to stop printing accounts from resetting the bas - password and account lockout flags. - * If a account was locked out by an admin (and has a bad - password count of zero) leave it locked out until an admin - unlocks it (but log a message). - - -o Tom Alsberg - * Allow pdbedit to export a single user from a passdb backend. - - -o Andrew Bartlett - * Fix parsing bug in GetDomPwInfo(). - * Fix segfault in 'ntlm_auth --diagnostics'. - * Re-enable code to allow sid_to_gid() to perform a group - mapping lookup before checking with winbindd. - * Fix memory leak in the trans2 signing code. - * Allow more flexible GSS-SPENGO client and server operation - in ntlm_auth. - * Improve smbd's internal random number generation. - * Fix a few outstanding long password changes in smbd. - * Fix LANMAN2 session setup code. - - -o Eric Boehm - BUG 703: Final touches on netgroup case lookups. - - -o Jerome Borsboom - * Ensure error status codes don't get overwritten in - lsa_lookup_sids() server code. - * Correct bug that caused smbd to overwrite certain error - codes when returning up the call stack. - * Ensure the correct sid type returned for builtin sids. - - -o Gerald Carter - * Fix a few bugs in the Fedora Packaging files. - * Fix for setting the called name to by our IP if the - called name was *SMBSERVER and *SMBSERV. Fixes issue - with connecting to printers via \\ip.ad.dr.ess\printer - UNC path. - * BUG 1315: fix for schannel client connections to servers - when we haven't specifically negotiated AUTH_PIPE_SEAL. - * Allow PrinterDriverData valuenames with embedded backslashes - (Fixes bug with one of the Konica Fiery drivers). - * Fixed string length miscalculation in netbios names that - resulted in corrupt workgroup names in browse.dat. - * When running smbd as a daemon, launch child smbd to update - the lpq cache listing in the background. - * Allow printers "Printers..." folder to be renamed to a string - other than the share name. - * Allow winbindd to use domain trust account passwords when - running on a Samba DC to establish an schannel to remote - domains. - * Fix bad merge and ensure that we always use tdb_open_log() - instead of tdb_open_ex() (the former call enforce the 'use - mmap' parameter). - * BUG 1221: revert old change that used single and double - quotes as delimeters in next_token(), and change - print_parameter() to print out parm values surrounded by - double quotes (instead of single quotes). - * Prevent home directories added during the SMBsesssetup&X from - being removed as unused services. - * Invalidate the print object cache for open printer handles when - smbd receives a message that an attribute on a given printer - has been changed. - * Cause the configure script to exit if --enable-cups[=yes] is - defined and the system does not have the cups devel files - installed. - * BUG 1297: Prevent map_username() from being called twice - during logon. - * Ensure that we use the userPrincipalName AD attribute - value for LDAP SASL binds. - * Ensure we remove the tdb entry when deleting a job that - is being spooled. - * BUG 1520: Work around bug in Windows XP SP2 RC2 where the - client sends a FindNextPrintChangeNotify() request without - previously sending a FindFirstPrintChangeNotify(). Return - the same error code as Windows 2000 SP4. - * BUG 1516: Manually declare ldap_open_with_timeout() to - workaround compiler errors on IRIX (or other systems without - LDAP headers). - * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from - 3.0.5. - * Corrected syntax error in the OID for sambaUnixIdPool, - sambaSidEntry, & sambaIdmapEntry object classes. - - -o Fabien Chevalier - * Debian BUG 252591: Ensure that the return value from the - number of available interfaces is initialized in case no - interfaces are actually available. - - -o Guenther Deschner - * Implement 'rpcclient setprintername'. - * Add local groups to the user's NT_TOKEN since they are - actually supported now. - * Heimdal compile fixes after introduction of the new keytab - feature. - * Correctly honor the info level parameter in 'rpcclient - enumprinters'. - * Reintroduce 'force unknown acl user' parameter. When getting a - security descriptor for a file, if the owner sid is not known, - the owner uid is set to the current uid. Same for group sid. - * Ensure that REG_SZ values in the SetPrinterData actually - get written in UNICODE strings rather than ASCII. - * Ensure that the last kerberos error return is not invalid. - * Display share ACL entries from rpcclient. - - -o Fabian Franz - * Support specifying a port in the device URL passed to smbspool. - - -o Steve French - * Handle -S and user mount parms in mount.cifs. - * Fix user unmount of shares mount with suid mount.cifs. - - -o Bjoern Jacke - * Install libsmbclient into $(LIBDIR), not into hard coded - ${prefix}/lib. This helps amd64 systems with /lib and /lib64 - and an explicit configure --libdir setting. - - -o - * Correct more memory leaks and initialization bugs. - * Fix bug that prevented core dumps from being generated - even if you tried. - * Connect to the winbind pipe in non-blocking mode to - prevent processes from hanging. - * Memory leak fixes. - - -o Stephan Kulow - * Fix crash bug in libsmbclient. - - -o Volker Lendecke - * Added vfs_full_audit module. - * Add vfs_afsacl.c which can display & set AFS acls via - the NT security editor. - * Fix crash bug caused by trying to Base64 encode a NULL string. - * Fix DOS error code bug in reply_chkpath(). - * Correct misunderstanding of the max_size field in - cli_samr_enum_als_groups; it is more like an account_control - field with individual bits what to retrieve. - * Implement 'net rpc group rename' -- rename domain groups. - * Implement the 'cups server' option. This makes it possible - to have virtual smbd's connect to different cups daemons. - * Paranoia fixes when adding local aliases to a user's NT_TOKEN. - * Fix sid_to_gid() calls in winbindd to prevent loops. - * Ensure that local_sid_to_gid() sets the type of the group on - return. - * Make sure that the clients are given back the IP address to - which they connected in the case of a multi-homed host. Only - affects strings the spoolss printing replies. - * Fix the bad password lockout. This has not worked as pdb_ldap.c - did not ask for the modifyTimestamp attribute, so it could - not find it. Try not to regress by not putting that attrib - in the main list but append it manually for the relevant searches. - * Fix two memleaks in login_cache.c. - * fixes memory bloat when unmarshalling strings. - * Fix compile errors using gcc 3.2 on SuSE 8.2. - * Fix the build for systems without kerberos headers. - * Allow winbindd to handle authentication requests only when - started without either an 'idmap uid' or 'idmap gid' range. - * Fix the build for systems without ldap headers. - * Fix interaction between share security descriptor and the - 'read only' smb.conf option. - * Fix bug that caused _samr_lookupsids() with more than 32 ( - MAX_REF_DOMAINS) SIDs to fail. - * Allow the 'idmap backend' parameter to accept a list of - LDAP servers for failover purposes. - * Revert code in smbd to remove a tdb when it has become - corrupted. - * Add paranoid checks when mapping SIDs to a uid/gid to - ensure that the type is correct. - * Initial work on getting client support for sending mailslot - datagrams. - * Add 'ldap timeout' parameter. - * Dont always uppercase 'afs username map'. - * Expand aliases for getusersids as well. - - -o Herb Lewis - * Add the acls debug class. - * Fix logic bug in netbios name truncate routine. - * Fix smbd crash caused by smbtorture IOCTL test. - * Fix errno tromping before calling iconv to reset the - conversion state. - * need to leave empty dacl so we can remove last ACE. - - -o Jianliang Lu - * Fix to stop smbd hanging on missing group member in - get_memberuids(). - * Make sure Samba returns the correct group types. - * Reset the bad password count password counts upon a successful login. - - -o Jim McDonough - * BUG 1279: SMBjobid fix for Samba print servers running on - Big-Endian platforms. - - -o Joe Meadows - * Add optional timeout parameter to ldap open calls. - * Allow get_dc_list() to check the negative cache. - - -o Jason Mader - * BUG 1385: Don't use non-consts in a structure initialization. - - -o Stefan Metzmacher - * fix a configure logic bug for linux/XFS quotas when - using --with-sys-quotas. - * Use quota debug class in quota code. - * print out the SVN revision by configure, - - -o Lars Mueller - * BUG 1279: Added 'printcap cache time' parameter. - * Fix afs related build issues on SuSE. - - -o James Peach - * More iconv detection fixes for IRIX. - * Compile fixed for systems that do not have C99/UNIX98 compliant - vsnprintf by default. - - -o Dan Peterson - * Implement NFS quota support on FreeBSD. - - -o Tim Potter - * BUG 1360: Use -Bsymbolic when creating shared libraries to - avoid conflicts with identical symbols in the global namespace - when loading libnss_wins.so. - - -o Richard Renard - * Save the current password as it is being changed into the - password history list. - - -o Richard Sharpe - * Fix error return codes on some lock messages. - * BUG 1178: Make the libsmbclient routines callable - by C++ programs. - * BUG 1333: Make sure we return an error code when - things go wrong. - * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when - share mode locking requests fail. - - -o Simo Sorce - * Update Debian stable & unstable packaging. - * Tidy up parametric options in testparm output. - - -o Richard Sharpe - * Add sigchild handling to winbindd to restart the child - daemon if necessary. - - -o Tom Shaw - * Use winbindd_fill_pwent() consistently. - - -o Nick Thompson - * Protect smbd against broken filesystems which return zero - blocksize. - - -o Andrew Tridgell - * Fixed bug in handling of timeout in socket connections. - - -o Nick Wellnhofer - * Prevent lp_interfaces() list from being corrupted. Fixes - bug where nmbd would lose the list of network interfaces - on the system and consequently shutdown. - - -o James Wilkinson - * Fix ntlm_auth memory leaks. - - -o Jelmer Vernooij - * Additional NT status to unix error mappings. - * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't - get duplicate symbol errors. - * Return an error when the last command read from stdin - fails in smbclient. - * Prepare for better error checking in tar. - - -Changes for older versions follow below: - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.5 - July 20, 2004 - ============================= - -Please note that Samba 3.0.5 is identical to Samba 3.0.4 with -the exception of correcting the two security issues outlined -below. - -######################## SECURITY RELEASE ######################## - -Summary: Multiple Potential Buffer Overruns in Samba 3.0.x -CVE ID: CAN-2004-0600, CAN-2004-0686 - (http://cve.mitre.org/) - - -This is the latest stable release of Samba. This is the version -that production Samba servers should be running for all current -bug-fixes. - -It has been confirmed that versions of Samba 3 prior to v3.0.4 -are vulnerable to two potential buffer overruns. The individual -details are given below. - -------------- -CAN-2004-0600 -------------- - -Affected Versions: Samba 3.0.2 and later - -The internal routine used by the Samba Web Administration -Tool (SWAT v3.0.2 and later) to decode the base64 data -during HTTP basic authentication is subject to a buffer -overrun caused by an invalid base64 character. It is -recommended that all Samba v3.0.2 or later installations -running SWAT either (a) upgrade to v3.0.5, or (b) disable -the swat administration service as a temporary workaround. - -This same code is used internally to decode the -sambaMungedDial attribute value when using the ldapsam -passdb backend. While we do not believe that the base64 -decoding routines used by the ldapsam passdb backend can -be exploited, sites using an LDAP directory service with -Samba are strongly encouraged to verify that the DIT only -allows write access to sambaSamAccount attributes by a -sufficiently authorized user. - -The Samba Team would like to heartily thank Evgeny Demidov -for analyzing and reporting this bug. - -------------- -CAN-2004-0686 -------------- - -Affected Versions: Samba 3.0.0 and later - -A buffer overrun has been located in the code used to support -the 'mangling method = hash' smb.conf option. Please be aware -that the default setting for this parameter is 'mangling method -= hash2' and therefore not vulnerable. - -Affected Samba 3 installations can avoid this possible security -bug by using the default hash2 mangling method. Server -installations requiring the hash mangling method are encouraged -to upgrade to Samba 3.0.5. - - -################################################################## - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.4 - May 8, 2004 - ============================= - -Common bugs fixed in Samba 3.0.4 include: - - o Password changing after applying the patch described in - the Microsoft KB828741 article to Windows clients. - o Crashes in smbd. - o Managing print jobs via Windows on Big-Endian servers. - o Several memory leaks in winbindd and smbd. - o Compile issues on AIX and *BSD. - -Changes since 3.0.3 --------------------- - -commits -------- - -o Jeremy Allison - * Fix path processing for DeletePrinterDriverEx(). - * BUG 1303: Fix for Microsoft hotfix MS04-011 password change - breakage. - - -o Andrew Bartlett - * Fix alignment bug in GetDomPwInfo(). - - -o Alexander Bokovoy - * Fix utime[s]() issues in smbwrapper on systems - that can boot both the 2.4 and 2.6 Linux kernels. - - -o Gerald Carter - * Fedora packaging fixes. - * BUG 1302: Fix seg fault by not trying to optimize a list of - invalid gids using the wrong array size. - * BUG 1309: fix seg fault caused by trying to strdup(NULL) - seen when 'security = share'. - * Fix problems when using IBM's compiler on AIX. - * Link Developer's Guide, Example Guide, and multi-page HOWTO - into SWAT's welcome page. - * BUG 1293: fix double free in printer publishing code. - - -o Wim Delvaux - * Fix for handling timeouts in socket connections. - - -o Michel Gravey - * BUG 483: patch from to fix password hash creation in SWAT. - - -o Volker Lendecke - * Close the open NT pipes before the tdis. - * Fix AFS related build issues. - * Handle error conditions when base64 encoding a blob of 0 bytes. - - -o Herb Lewis - * Added 'acls' debug class. - -o kawasa_r@itg.hitachi.co.jp - * Multiple variable initialization and memory leak fixes. - - -o Stephan Kulow - * Fix string length bug in libsmbclient that caused KDE's - Konqueror to crash. - * BUG 429: More libsmbclient fixes. - - -o Jim McDonough - * BUG 1007, 1279: Store the print job using a little-endian key. - - -o Eric Mertens - o Compile fix for OpenBSD (ENOTSUP not supported). - - -o Stefan Metzmacher - * Correct bug in disks quota views from explorer. - - -o Tim Potter - BUG 1305: Correct debug output. - - -o Richard Sharpe - * Fix incorrect error code mapping. - - -o Jelmer Vernooij - * Add additional NT_STATUS errorm mappings. - - -Changes for older versions follow below: - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.3 - April 29, 2004 - ============================= - - -Common bugs fixed in Samba 3.0.3 include: - - o Crash bugs and change notify issues in Samba's printing code. - o Honoring secondary group membership on domain member servers. - o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag. - o Substitution errors for %[UuGg] in smb.conf. - o winbindd crashes when using ADS security mode. - o SMB signing errors. - o Delays in winbindd startup caused by unnecessary - connections to trusted domain controllers. - o Various small memory leaks. - o Winbindd failing due to expired Kerberos tickets. - -New features introduced in Samba 3.0.3 include: - - o Improved support for i18n character sets. - o Support for account lockout policy based on - bad password attempts. - o Improved support for long password changes (>14 - characters) and strong password enforcement. - o Support for Windows aliases (i.e. nested groups). - o Experimental support for storing DOS attribute on files - and folders in Extended Attributes. - o Support for local nested groups via winbindd. - o Specifying options to be passed directly to the CUPS libraries. - -Please be aware that the Samba source code repository was -migrated from CVS to Subversion on April 4, 2004. Details on -accessing the Samba source tree via anonymous svn can be found -at http://svn.samba.org/samba/subversion.html. - - -Changes since 3.0.2a --------------------- -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - cups options New - ea support New - only user Deprecated - store dos attributes New - unicode Removed - winbind nested groups New - - -commits -------- - -o Jeremy Allison - * Ensure that Kerberos mutex is always properly unlocked. - * Removed Heimdal "in-memory keytab" support. - * Fixup the 'multiple-vuids' bugs in our server code. - * Correct return code from lsa_lookup_sids() on unmapped - sids (based on work by vl@samba.org). - * Fix the "too many fcntl locks" scalability problem - raised by tridge. - * Fixup correct (as per W2K3) returns for lookupsids - as well as lookupnames. - * Fixups for delete-on-close semantics as per Win2k3 behavior. - * Make SMB_FILE_ACCESS_INFORMATION call work correctly. - * Fix "unable to initialize" bug when smbd hasn't been run with - new system and a user is being added via pdbedit/smbpasswd. - * Added NTrename SMB (0xA5). - * Fixup correct timeout values for blocking lock timeouts. - * Fix various bugs reported by 'gentest'. - * More locking fixes in the case where we own the lock. - * Fix up regression in IS_NAME_VALID and renames. - * Don't set allocation size on directories. - * Return correct error code on fail if file exists and target - is a directory. - * Added client "hardlink" comment to test doing NT rename with - hard links. Added hardlink_internals() code - UNIX extensions - now use this as well. - * Use a common function to parse all pathnames from the wire for - much closer emulation of Win2k3 error return codes. - * Implement check_path_syntax() and rewrite string sub - functions for better multibyte support. - * Ensure msdfs referrals are multibyte safe. - * Allow msdfs symlink syntax to be more forgiving. - eg. sym_link -> msdfs://server/share/path/in/share - or sym_link -> msdfs:\\server\share\path\in\share. - * Cleanup multibyte netbios name support in nmbd ( based on patch - by MORIYAMA Masayuki ). - * Fix check_path_syntax() for multibyte encodings which have - no '\' as second byte (based on work by ab@samba.org. - * Fix the "dfs self-referrals as anonymous user" problem - (based on patch from vl@samba.org). - * BUG 1064: Ensure truncate attribute checking is done correctly - on "hidden" dot files. - * Fix bug in anonymous dfs self-referrals again. - * Fix get/set of EA's in client library - * Added support for OS/2 EA's in smbd server. - * Added 'ea support' parameter to smb.conf. - * Added 'store dos attributes' parameter to smb.conf. - * Fix wildcard identical rename. - * Fix reply_ctemp - make compatible with w2k3. - * Fix wildcard unlink. - * Fix wildcard src with wildcard dest renames. - * BUG 1139: Fix based on suggestion by jdev@panix.com. - swap lookups for user and group - group will do an - algorithmic lookup if it fails, user won't. - * Make EA's lookups case independent. - * Fix SETPATHINFO in 'unix extensions' support. - * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for - the UNIX info levels, and the short case preserve names. - - -o Timur Bakeyev - * BUG 1144: only set --with-fhs when the argument is 'yes' - * BUG 1152: Allow python modules to build despite libraries added - to LDFLAGS instead of LDPATH. - * BUG 1141: Fix nss*.so names on FreeBSD 5.x. - - -o Craig Barratt - * BUG 389: Allow multiple exclude arguments with smbclient - tar -Xr options (better support for Amanda backup client). - - -o Andrew Bartlett - * Include support for linking with cracklib for enforcing strong - password changes. - * Add support for >14 character password changes from Windows - clients. - * Add 'admin set password' capability to 'net rpc'. - * Allow 'net rpc samdump' to work with any joined domain - regardless of smb.conf settings. - * Use an allocated buffer for count_chars. - * Add sanity checks for changes in the domain SID in an - LDAP DIT. - * Implement python unit tests for Samba's multibyte string - support. - * Remove 'unicode' smb.conf option. - * BUG 1138: Fix support for 'optional' SMB signing and other - signing bugs. - * BUG 169: Fix NTLMv2-only behavior. - * Ensure 'net' honors the 'netbios name' in the smb.conf by - default. - * Support SMB signing on connections using only the LANMAN - password and generate the correct the 'session key' for these - connections. - * Implement --required-membership-of=, an ntlm_auth option - that restricts all authentication to members of this particular - group. - * Improve our fall back code for password changes. - * Only send the ntlm_auth 'ntlm-server-1' helper client a '.' - after the server had said something (such as an error). - * Add 'ntlm-server-1' helper protocol to ntlm_auth. - - -o Alexander Bokovoy - * Fix incorrect size calculation of the directory name - in recycle.so. - * Fix problems with very long filenames in both smbd and smbclient - caused by truncating paths during character conversions. - * Fix smbfs problem with Tree Disconnect issued before smbfs - starts its work. - - -o Gerald Carter - * BUG 850: Fix 'make installmodules' bug on True64. - * BUG 66: mark 'only user' deprecated. - * Remove corrupt tdb and shutdown (only for printing tdbs, - connections, sessionid & locking). - * decrement smbd counter in connections.tdb in smb_panic(). - * RedHat specfile updates. - * Fix xattr.h build issue on Debian testing and SuSE 8.2. - * BUG 1147; bad pointer case in get_stored_queue_info() - causing seg fault. - * BUG 761: read the config file before initialized default - values for printing options; don't default to bsd printing - Linux. - * Allow the 'printing' parameter to be set on a per share basis. - * BUG 503: RedHat/Fedora packaging fixes regarding logrotate. - * BUG 848: don't create winbind local users/groups that already - exist in the tdb. - * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on - LynxOS/ppc). - * BUG 488: fix the 'show client in col 1' button and correctly - enumerate active connections. - * BUG 1007 (partial): Fix abort in smbd caused by byte ordering - problem when storing the updating pid for the lpq cache. - * BUG 1007 (partial): Fix print change notify bugs. - * BUG 1165, 1126: Fix bug with secondary groups (security = ads) - and winbind use default domain = yes. Also ensures that - * BUG 1151: Ensure that winbindd users are passed through - the username map. - * Fix client rpc binds for ASU derived servers (pc netlink, - etc...). - * BUG 417, 1128: Ensure that the current_user_info is set - consistently so that %[UuGg] is expanded correctly. - * BUG 1195: Fix crash in winbindd when the ADS server is - unavailable. - * BUG 1185: Set reconnect time to be the same as the - 'winbind cache time'. - * Ensure that we return the sec_desc in smb_io_printer_info_2. - * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL. - * BUG 1095: Honor the '-l' option in smbclient. - * BUG 1023: surround get_group_from_gid() with become_unbecome_root() - block. - * Ensure server schannel uses the auth level requested by the - client. - * Removed --with-cracklib option due to potential crash issue. - * Fix -lcrypto linking problem with wbinfo. - * BUG 761: allow printing parameter to set defaults on a per - share basis. - * Add 'cups options' parameter to allow raw printing without - changing /etc/cups/cupsd.conf. - * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and - winbindd. - * BUG 1246: Fix typo in Fedora /etc/init.d/winbind. - * BUG 1288: resolve any machine netbios name (0x00) and not just - servers (0x20). - * BUG 1199: Fix potential symlink issue in - examples/printing/smbprint. - - -o Robert Dahlem - * BUG 1048: Don't return short names when when 'mangled names = no' - - -o Guenther Deschner - * Remove hard coded attribute name in the ads ranged retrieval - code. - * Add --with-libdir and --with-mandir to autoconf script. - - -o Bostjan Golob - * BUG 1046: Fix getpwent_list() so that the username is not - overwritten by other fields. - - -o Landon Fuller - * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) - to fix user/group enumeration on systems whose libc does not - call setgrent() before trying to enumerate users (i.e. - FreeBSD 5.2). - - -o Steve French - * Update mount.cifs to version 1.1. - * Disable dev (MS_NODEV) on user mounts from cifs vfs. - * Fixes to minor security bug in the mount helper. - * Fix credential file mounting for cifs vfs. - * Fix free of incremented pointer in cifsvfs mount helper. - * Fix path canonicalization of the mount target path and help - text display in the cifs mount helper. - * Add missing guest mount option for mount.cifs. - - -o SATOH Fumiyasu - * BUG 1055; formatting fixes for 'net share'. - * BUG 692: correct truncation of share names and workgroup - names in smbclient. - * BUG 1088: use strchr_m() for query_host (smbclient -L). - * Patch from to internally count characters correctly. - - -o Paul Green - * Update VOS _POSIX_C_SOURCE macro to 200112L. - * Fix bug in configure.ion by moving the first use of - AC_CHECK_HEADERS so it is always executed. - * Fix configure.in to only use $BLDSHARED to select whether to - build static or shared libraries. - - -o Pat Haywarrd - * Make the session_users list dynamic (max of 128K). - - -o Cal Heldenbrand - * Fix for for 'pam_smbpass migrate' functionality. - - -o Chris Hertel - * fix enumeration of shares 12 characters in length via - smbclient. - - -o Ulrich Holeschak - * BUG 932: fix local password change using pam_smbpass - - -o Krischan Jodies - * Implement 'net rpc group delete' - - -o John Klinger - * Return NSS_SUCCESS once the max number of gids possible - has been found in initgroups() on Solaris. - * BUG 1182: Re-enable the -n 'no cache' option for winbindd. - - -o Volker Lendecke - * Fix success message for net groupmap modify. - * Fix errors when enumerating members of groups in 'net rpc'. - * Match Windows behavior in samr_lookup_names() by returning - ALIAS(4) when you search in BUILTIN. - * Fix server SAMR code to be able to set alias info for - builtin as well. - * Fix duplication of logic when creating groups via smbd. - * Ensure that the HWM values are set correctly after running - 'net idmap'. - * Add 'net rpc group add'. - * Implement 'net groupmap set' and 'net groupmap cleanup'. - * Add 'net rpc group [add|del]mem' for domain groups and aliases. - * Fix wb_delgrpmem (wbinfo -o). - * As a DC we should not reply to lsalookupnames on DCNAME\\user. - * Fix sambaUserWorkstations on a Samba DC. - * Implement wbinfo -k: Have winbind generate an AFS token after - authenticating the user. - * Add expand_msdfs VFS module for providing referrals based on the - the client's IP address. - * Implement client side NETLOGON GetDCName function. - * Fix caching of name->sid lookups. - * Add support in winbindd for expanding nested local groups. - * Fix memleak in winbindd. - * Fix msdfs proxy. - * Don't list domain groups from BUILTIN. - * Fix memleak in policy handle utility functions. - * Decrease winbindd startup time by only contacting trusted - domains as necessary. - * Allow winbindd to ask the DC for its domain for a trusted - DC. - * Fix Netscape DS schema based on comments from - . - * Correct case where adding a domain user to a XP local group - did a lsalookupname on the user without domain prefix, and - failed. - * Fix segfault in winbindd caused by 'wbinfo -a'. - - -o Herb Lewis - * Fix typo for tag in proto file. - * Add missing #ifdef HAVE_BICONV stuff. - * Truncate Samba's netbios name at the first '.' (not - right to left). - - -o Derrell Lipman - * Bug fixes and enhancements to libsmbclient library. - - -o Jianliang Lu - * Enforce the 'user must change password at next login' flag. - * Decode meaning of 'fields present' flags (improves support - for usrmgr.exe). - * NTLMv2 fixes. - * Don't force an upper case domain name in the ntlmssp code. - - -o L. Lucius . - * type fixes. - - -o Jim McDonough - * Add versioning support to tdbsam. - * Update the IBM Directory Server schema with the OpenLDAP - file. - * Various decoding fixes to improve usrmgr.exe support. - * Fix statfs redeclaration of statfs struct on ppc - * Implement support for password lockout of Samba domain - controllers and standalone servers. - * Get MungedDial attribute actually working with full TS - strings in it for pdb_ldap. - * BUG 1208 (partial): Improvements for working with expired krb5 - tickets in winbindd. - * Use timegm, or our already existing replacement instead of - timezone (spotted by Andrzej Tobola ). - * Remove modifyTimestamp from list of our attributes. - * Fix lsalookupnames to check for domain users as well as local - users. - * Merge struct uuid replacement for GUID from trunk. - * BUG 1208: Finish support for handling expired tickets in - winbindd (in conjunction with Guenther Deschner ). - - -o Stefan Metzmacher - * Implement new VERSION schema based on subversion revision - numbers. - * Add shadow_copy vfs module. - * Fix segault in login_cache support. - - -o Heinrich Mislik - o BUG 979 -- Fix quota display on AIX. - - -o James Peach - * Correct check for printf() format when using the SGI MIPSPro - compiler. - * BUG 1038: support backtrace for 'panic action' on IRIX. - * BUG 768: Accept profileing arg to IRIX init script. - * BUG 748: Relax arg parsing to sambalp script (IRIX). - * BUG 758: Fix pdma build. - * Search IRIX ABI paths for libiconv. Based on initial fix from - Jason Mader. - - -o Kurt Pfeifle - * Add example shell script for migrating drivers and printers - from a Windows print server to a Samba print server using - smbclient/rpcclient (examples/printing/VamireDriversFunctions). - - -o Tim Potter - * Fix logic bug in tdb non-blocking lock routines when - errno == EAGAIN. - * BUG 1025: Include sys/acl.h in check for broken nisplus - include files. - * BUG 1066: s/printf/d_printf/g in SWAT. - * BUG 1098: rename internal msleep() function to fix build - problems on AIX. - * BUG 1112: Fix for writable printerdata problem in python bindings. - * BUG 1154: Remove reference to in tdbdump.c. - * BUG 1155: enclose use of fchown() with guards. - * Relicense tdb python module as LGPL. - - -o Richard Sharpe - * Add support to smbclient for multiple logins on the same - session (based on work by abartlet@samba.org). - * Correct blocking condition in smbd's use of accept() on IRIX. - * Add support for printing out the MAC address on nmblookup. - - -o Simo Sorce - * Replace unknown_3 with fields_present in SAMR code. - * More length checks in strlcat(). - - -o Andrew Tridgell - * Rewrote the AIX UESS backend for winbindd. - * Fixed compilation with --enable-dmalloc. - * Change tdb license to LGPL (see source/tdb/tdb.c). - * Force winbindd to use schannel in clients connections to - DC's if possible. - - -o Jelmer Vernooij - * Fix ETA Calculation when resuming downloads in smbget. - * Add -O (for writing downloaded files to standard out) - based on patch by Bas van Sisseren . - * Fix syntax error in example mysql table - - -o TAKEDA yasuma - * BUG 900: fix token processing in cmd_symlink, cmd_link, - cmd_chown, cmd_chmod smbclient functions. - - -o Shiro Yamada - * BUG 1129: install image files for SWAT. - - - -------------------------------------------------- - - ============================== - Release Notes for Samba 3.0.2a - February 13, 2004 - ============================== - -Samba 3.0.2a is a minor patch release for the 3.0.2 code base -to address, in particular, a problem when using pdbedit to -sanitize (--force-initialized-passwords) Samba's tdbsam -backend. This is the latest stable release of Samba. This -is the version that all production Samba servers should be -running for all current bug-fixes. - -******************* Attention! Achtung! Kree! ********************* - -Beginning with Samba 3.0.2, passwords for accounts with a last -change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in -ldapsam, etc...) of zero (0) will be regarded as uninitialized -strings. This will cause authentication to fail for such -accounts. If you have valid passwords that meet this criteria, -you must update the last change time to a non-zero value. If you -do not, then 'pdbedit --force-initialized-passwords' will disable -these accounts and reset the password hashes to a string of X's. - -******************* Attention! Achtung! Kree! ********************* - - -Changes since 3.0.2 -------------------- - -commits -------- - -Please refer to the CVS log for the SAMBA_3_0 branch for complete -details. The list of changes per contributor are as follows: - - -o Jeremy Allison - * Added paranoia checks in parsing code. - - -o Andrew Bartlett - * Ensure that changes to uninitialized passwords in ldapsam - are written to the DIT. - - -o Gerald (Jerry) Carter - * Fixed iterator in tdbsam. - * Fix bug that disabled accounts with a valid NT password - hash, but no LanMan hash. - - -o Steve French - * Added missing nosetuid and noexec options. - - -o Bostjan Golob - * BUG 1046: Don't overwrite usernames of entries returned - by getpwent_list(). - - -o Sebastian Krahmer - * Fixed potential crash bug in NTLMSSP parsing code. - - -o Tim Potter - * Fixed logic in tdb_brlock error checking. - - -o Urban Widmark - * Set nosuid,nodev flags in smbmnt by default. - - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.2 - February 9, 2004 - ============================= - -It has been confirmed that previous versions of Samba 3.0 are -susceptible to a password initialization bug that could grant an -attacker unauthorized access to a user account created by the -mksmbpasswd.sh shell script. - -The Common Vulnerabilities and Exposures project (cve.mitre.org) -has assigned the name CAN-2004-0082 to this issue. - -Samba administrators not wishing to upgrade to the current -version should download the 3.0.2 release, build the pdbedit -tool, and run - - root# pdbedit-3.0.2 --force-initialized-passwords - -This will disable all accounts not possessing a valid password -(e.g. the password field has been set a string of X's). - -Samba servers running 3.0.2 are not vulnerable to this bug -regardless of whether or not pdbedit has been used to sanitize -the passdb backend. - -Some of the more visible bugs in 3.0.1 addressed in the 3.0.2 -release include: - - o Joining a Samba domain from Pre-SP2 Windows 2000 clients. - o Logging onto a Samba domain from Windows XP clients. - o Problems with the %U and %u smb.conf variables in relation to - Windows 9x/ME clients. - o Kerberos failures due to an invalid in memory keytab detection - test. - o Updates to the ntlm_auth tool. - o Fixes for various SMB signing errors. - o Better separation of WINS and DNS queries for domain controllers. - o Issues with nss_winbind FreeBSD and Solaris. - o Several crash bugs in smbd and winbindd. - o Output formatting fixes for smbclient for better compatibility - with scripts based on the 2.2 version. - - -Changes since 3.0.1 -------------------- - -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - ldap replication sleep New - read size removed (unused) - source environment removed (unused) - - -commits -------- - -Please refer to the CVS log for the SAMBA_3_0 branch for complete -details. The list of changes per contributor are as follows: - -o Jeremy Allison - * Revert change that broke Exchange clear text samlogons. - * Fix gcc 3.4 warning in MS-DFS code. - * Tidy up of NTLMSSP code. - * Fixes for SMB signing errors - * BUG 815: Workaround NT4 bug to support plaintext - password logins and UNICODE. - * Fix SMB signing bug when copying large files. - * Correct error logic in mkdir_internals() (caused a panic - when combined with --enable-developer). - * BUG 830: Protect against crashes due to bad character - conversions. - - -o Petri Asikainen - * BUG 330, 387:Fix single valued attribute updates when - working with Novell NDS. - - -o Andrew Bartlett - * Correctly handle per-pipe NTLMSSP inside a NULL session. - * Fix segfault in gencache - * Fix early free() of encrypted_session_key. - * Change DC lookup routines to more carefully separate - DNS names (realms) from NetBIOS domain names. - * Add new sid_to_dn() function for internal winbindd use. - * Refactor cli_ds_enum_domain_trusts(). - * BUG 707: Implement range retrieval of ADS attributes (based - on work from Volker and Guenther Deschner - ). - * Automatically initialize the signing engine if a session key - is available. - * BUG 916: Do not perform a + -> ' ' substitution for squid URL - encoded strings, only form input in SWAT. - * Resets the NTLMSSP state for new negotiate packets. - * Add 2-byte alignments in net_samlogon() queries to parse - odd-length plain text passwords. - * Allow Windows groups with no members in winbindd. - * Allow normal authentication in the absence of a server - generated session key. - * More optimizations for looking up UNIX group lists. - * Clean up error codes and return values for pam_winbindd - and winbindd PAM interface. - * Fix string return values in ntlm_auth tool. - * Fix segfault when 'security = ads' but no realm is defined. - * BUG 722: Allow winbindd to map machine accounts to uids. - * More cleanups for winbindd's find_our_domain(). - * More clearly detect whether a domain controller is an NT4 - or mixed-mode AD DC (additional bug fixes by jerry & jmcd). - * Increase separation between DNS queries for hosts and queries - for AD domain controllers. - * Include additional NT_STATUS to PAM error mappings. - * Password initialization fixes. - - -o Justin Baugh - * BUG 948: Implement missing functions required for FreeBSD - nss_winbind support. - - -o Alexander Bokovoy - * BUG 922: Make sure enable fast path for strlower_m() and - strupper_m(). - - -o Luca Bolcioni - * Fix crash when using 'security = server' and 'encrypt - passwords = no' by always initializing the session key. - - -o Dmitry Butskoj - * Fix for special files being hidden from admins. - - -o Gerald (Jerry) Carter - * Fix bug in the lanman session key generation. Caused - "decode_pw: incorrect password length" error messages. - * Save the right case for the located user name in - fill_sam_account(). Fixes %U/%u expansion for win9x clients. - * BUG 897: Add well known rid for pre win2k compatible access - group. - * BUG 887: Correct typo in delete user script example. - * Use short lived TALLOC_CTX* for allocating printer objects - from the print handle cache. - * BUG 912: Fix check for HAVE_MEMORY_KEYTAB. - * Fix several warnings reported by the SUN Forte C compiler. - * Fully control DNS queries for AD DC's using 'name resolve order'. - * BUG 770: Send the SMBjobid for UNIX jobs back to the client. - * BUG 972: Fix segfault in cli_ds_getprimarydominfo(). - * BUG 936: fix bind credentials for schannel binds in smbd. - * BUG 446: Fix output of smbclient for better compatibility - with scripts based on the 2.2 version (including Amanda). - * BUG 891, 949: Fedora packaging fixes. - * Fix bug that caused rpcclient to incorrectly retrieve - the SID for a server (this causing all calls that required - this information to fail). - * BUG 977: Don't create a homes share for a user if a static - share already exists by the same name. - * Removed unused smb.conf options. - * Password initialization fixes. - * Set the disable flag for template accounts created by - mksmbpasswd.sh. - * Disable any account has no passwords and does not have the - ACB_PWNOTREQ bit set. - - -o Guenther Deschner - * Install smbwrapper.so should be put into the $(libdir) - and not $(bindir). - * Add the capability to specify the new user password - for "net ads password" on the command line. - * Correctly detect AFS headers on SuSE. - - -o James Flemer - * Fix AIX compile bug by linking HAVE_ATTR_LIST to - HAVE_SYS_ATTRIBUTES_H. - - -o Luke Howard - * Fix segfault in session setup reply caused by a early free(). - - -o Stoian Ivanov - * Implement grepable output for smbclient -L. - - -o LaMont Jones - * BUG 225328 (Debian): Correct false failure LFS test that resulted - in _GNU_SOURCE not being defined (thus resulting in strndup() - not being defined). - - -o Volker Lendecke - * BUG 583: Ensure that user names always contain the short - version of the domain name. - * Fix our parsing of the LDAP uri. - * Don't show the 'afs username map' in the SWAT basic view. - * Fix SMB signing issues in relation to failed NTLMSSP logins. - * BUG 924: Fix return codes in smbtorture harness. - * Always lower-case usernames before handing it to AFS code. - * Add a German translation for SWAT. - * Fix a segfaults in winbindd. - * Fix the user's domain passed to register_vuid() from - reply_spnego_kerberos(). - * Add NSS example code in nss_winbind to convert UNIX - id's <-> Windows SIDs. - * Display more descriptive error messages for login via 'net'. - * Fix compiler warning in the net tool. - * Fix length bug when decoding base64 strings. - * Ensure we don't call getpwnam() inside a loop that is iterating - over users with getpwent(). This broke on glibc 2.3.2. - - -o Herb Lewis - * Fix bit rot in psec. - - -o Jianliang Lu - * Ensure we delete the group mapping before calling the delete - group script. - * Define well known RID for managing the "Power Users" group. - * BUG 381: check builtin (not local) group SID when updating - group membership. - * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement - packet. - - -o John Klinger - * Implement initgroups() call in nss_winbind on Solaris. - - -o Jim McDonough - * Fix regression in net rpc join caused by recent changes - to cli_lsa_query_info_policy(). - * BUG 964: Fix crash bug in 'net rpc join' using a preexisting - machine account. - - -o MORIYAMA Masayuki - * BUG 570: Ensure that configure honors the LDFLAGS variable. - - -o Stefan Metzmacher - * Implement LDAP rebind sleep patch. - * Revert to 2.2 quota code because of so many broken quota files - out there. - * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS - XFS_USER_QUOTA -> USRQUOTA - XFS_GROUP_QUOTA -> GRPQUOTA - * Fix disk_free calculation with group quotas. - * Add debug class 'quota' and a lot of DEBUG()'s - to the quota code. - * Fix sys_chown() when no chown() is present. - * Add SIGABRT to fault handling in order to catch got a - backtrace if an error occurs the OpenLDAP client libs. - - -o - * Allow an existing LDAP machine account to be re-used when - joining an AD domain. - - -o James Peach - * BUG 889: Change smbd to use pread/pwrite on platforms that - support these calls. Can lead to a significant speed increase. - - -o Tim Potter - * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles. - * BUG 924: Fix typo in RW2 torture test. - - -o Richard Sharpe - * Small fixes to torture.c to cleanup the error handling - and prevent crashes. - - -o J. Tournier - * Small fixes for the smbldap-tool scripts. - - -o Andrew Tridgell - * Fix src len check in pull_usc2(). - - -o Jelmer Vernooij - * Put functions for generating SQL queries in pdb_sql.c - * Add pgSQL backend (based on patch by Hamish Friedlander) - * BUG 908: Fix -s option to smbcontrol. - * Add smbget utility - a wget-clone for the SMB/CIFS protocol. - * Fix for libnss_wins on IRIX platforms. - * Fix swatdir for --with-fhs. - - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.1 - December 15, 2003 - ============================= - -Some of the more common bugs in 3.0.0 addressed in the release -include: - - o Substitution problems with smb.conf variables. - o Errors in return codes which caused some applications - to fail to open files. - o General Protection Faults on Windows 2000/XP clients - using Samba point-n-print features. - o Several miscellaneous crash bugs. - o Access problems when enumerating group mappings are - stored in an LDAP Directory. - o Several common SWAT bugs when writing changes to - smb.conf. - o Internal inconsistencies when 'winbind use default - domain = yes' - - - -Changes since 3.0.0 ----------------------- - - Parameter Name Action - -------------- ------ - hide local users Removed - mangled map Deprecated - mangled stack Removed - passwd chat timeout New - - -commits -------- - -o Change the interface for init_unistr2 to not take a length - but a flags field. We were assuming that - 2*strlen(mb_string) == length of ucs2-le string. (bug 480). -o Allow d_printf() to handle strings with escaped quotation - marks since the msg file includes the escape character (bug 489). -o Fix bad html table row termination in SWAT wizard code (bug 413). -o Fix to parse the level-2 strings. -o Fix for "valid users = %S" in [homes]. Fix read/write - list as well. -o Change AC_CHECK_LIB_EXT to prepend libraries instead of append. - This is the same way AC_CHECK_LIB works (bug 508). -o Testparm output fixes for clarity. -o Fix broken wins hook functionality -- i18n bug (bug 528). -o Take care of condition where DOS and NT error codes must differ. -o Default to using only built-in charsets when a working iconv - implementation cannot be located. -o Wrap internals of sys_setgroups() so the sys_XX() call can - be done unconditionally (bug 550). -o Remove duplicate smbspool link on SWAT's front page (bug 541). -o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that - --enable-debug=[yes|no] works correctly. -o Allow ^C to interrupt smbpasswd if using our getpass - (e.g. smbpasswd command). -o Support signing only on RPC's (bug 167). -o Correct bug that prevented Excel 2000 clients from opening - files marked as read-only. -o Portability fix bugs 546 - 549). -o Explicitly initialize the value of AR for vendor makes that don't - do this (e.g. HPUX 11). (bug 552). -o More i18n fixes for SWAT (bug 413). -o Change the cwd before the postexec script to ensure that a - umount will succeed. -o Correct double free that caused winbindd to crash when a DC - is rebooted (bug 437). -o Fix incorrect mode sum (bug 562). -o Canonicalize SMB_INFO_ALLOCATION in the same was as - SMB_FS_FULL_SIZE_INFORMATION (bug 564). -o Add script to generate *msg files. -o Add Dutch SWAT translation file. -o Make sure to call get_user_groups() with the full winbindd - name for a user if he/she has one (bug 406). -o Fix up error code returns from Samba4 tester. Ensure invalid - paths are validated the same way. -o Allow Samba3 to pass the Samba4 RAW-READ tests. -o Refuse to configure if --with-expsam=$BACKEND was used but no - libraries were found for $BACKEND. -o Move sysquotas autoconf tests to a separate file. -o Match W2K w.r.t. writelock and writeclose. Samba4 torture - tester -o Make sure that the files that contain the static_init_$subsystem; - macro get recompiled after configure by removing the object - files. -o Ensure canceling a blocking lock returns the correct error - message. -o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. -o Updated Japanese welcome file in SWAT. -o Fix to nt-time <-> unix-time functions reversible. -o Ensure that winbindd uses the the escaped DN when querying - an AD ldap server. -o Fix portability issues when compiling (bug 505, 550) -o Compile fix for tdbbackup when Samba needs to override - non-C99 compliant implementations of snprintf(). -o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). -o Make sure we break out of samsync loop on error. -o Ensure error code path doesn't free unmalloc()'d memory - (bug 628). -o Add configure test for krb5_keytab_entry keyblock vs key - member (bug 636). -o Fixed spinlocks. -o Modified testparm so that all output so all debug output goes - to stderr, and all file processing goes to stdout. -o Fix error return code for BUFFER_TOO_SMALL in smbcacls - and smbcquotas. -o Fix "NULL dest in safe_strcpy()" log message by ensuring that - we have a devmode before copying a string to the devicename. -o Support mapping REALM.COM\user to a local user account (without - running winbindd) for compatibility with 2.2.x release. -o Ensure we don't use mmap() on blacklisted systems. -o fixed a number of bugs and memory leaks in the AIX - winbindd shim -o Call initgroups() in SWAT before becomming the user so that - secondary group permissions can be used when writing to - smb.conf. -o Fix signing problems when reverse connecting back to a - client for printer notify -o Fix signing problems caused by a miss-sequence bug. -o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. - Fixes NEXUS tools running on Win9x clients (bug 64). -o Don't leave the domain field uninitialized in cli_lsa.c if some - SID could not be mapped. -o Fix segfault in mount.cifs helper when there is no options - specified during mount. -o Change the \n after the password prompt to go to tty instead - of stdout (bug 668). -o Stop net -P from prompting for machine account password (bug 451). -o Change in behavior to Not only change the effective uid but also - the real uid when becoming unprivileged. -o Cope with Exchange 5.5 cleartext pop password auth. -o New files for support of initshutdown pipe. Win2k doesn't - respond properly to all requests on the winreg pipe, so we need - to handle this new pipe (bug 534). -o Added more va_copy() checks in configure.in. -o Include fixes for libsmbclient build problems. -o Missing UNIX -> DOS codepage conversion in lanman.c. -o Allow DFMS-S filenames can now have arbitrary case (bug 667). -o Parameterize the listen backlog in smbd and make it larger by - default. A backlog of 5 is way too small these days. -o Check for an invalid fid before dereferencing the fsp pointer - (bug 696). -o Remove invalid memory frees and return codes in pdb_ldap.c. -o Prompt for password when invoking --set-auth-user and no - password is given. -o Bind the nmbd sending socket to the 'socket address'. -o Re-order link command for smbd, rpcclient and smbpasswd to ensure - $LDFLAGS occurs before any library specification (bug 661). -o Fix large number of printf() calls for 64-bit size_t. -o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the - keyblock in the krb5 structs. -o Remove #include in hopes to avoid problems with - apache header files. -o Correct winbindd build problems on HP-UX 11. -o Lowercase netgroups lookups (bug 703). -o Use the actual size of the buffer in strftime instead of a made - up value which just happens to be less than sizeof(fstring). - (bug 713). -o Add ldaplibs to pdbedit link line (bug 651). -o Fix crash bug in smbclient completion (bug 659). -o Fix packet length for browse list reply (bug 771). -o Fix coredump in cli_get_backup_list(). -o Make sure that we expand %N (bug 612). -o Allow rpcclient adddriver command to specify printer driver - version (bug 514). -o Compile tdbdump by default. -o Apply patches to fix iconv detection for FreeBSD. -o Do not allow the 'guest account' to be added to a passdb backend - using smbpasswd or pdbedit (bug 624). -o Save LDFLAGS during iconv detection (bug 57). -o Run krb5 logins through the username map if the winbindd - lookup fails (bug 698). -o Add const for lp_set_name_resolve_order() to avoid compiler - warnings (bug 471). -o Add support for the %i macro in smb.conf to stand in for the for - the local IP address to which a client connected. -o Allow winbindd to match local accounts to domain SID when - 'winbind trusted domains only = yes' (bug 680). -o Remove code in idmap_ldap that searches the user suffix and group - suffix. It's not needed and provides inconsistent functionality - from the tdb backend. -o Patch to handle munged dial string for Windows 2000 TSE. - Thanks to Gaz de France, Direction de la Recherche, Service - Informatique Métier for their supporting this work by Aurelien - Degrémont . -o Correct the "smbldap_open: cannot access when not root error" - messages when looking up group information (bug 281). -o Skip over the winbind separator when looking up a user. - This fixes the bug that prevented local users from - matching an AD user when not running winbindd (bug 698). -o Fix a problem with configure on *BSD systems. Make sure - we add -liconv etc to LDFLAGS. -o Fix core dump bug when "security = server" and the authentication - server goes away. -o Correct crash bug due to an empty munged dial string. -o Show files locked by a specific user (smbstatus -u 'user') - (bug 590). -o Fix bug preventing print jobs from display in the queue - monitor used by Windows NT and later clients (bug 660). -o Fix several reported problems with point-n-print from - Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() - reply (bug 338, 527 & 643). -o Fix a handful of potential memory leaks in the LDAP code used - by ldapsam[_compat] and the LDAP idmap backend. -o Fix for pdbedit error code returns (bug 763). -o Make sure we only enumerate group mapping entries (not - /etc/group) even when doing local aliases. -o Relax check on the pipe name in a dce/rpc bind response to work - around issues with establishing trusts to a Windows 2003 domain. -o Ensure we mangle names ending in '.' in hash2 mangling method. -o Correct parsing issues with munged dial string. -o Fix bugs in quota support for XFS. -o Add a cleaner method for applications that need to provide - name->SID mappings to do this via NSS rather than having to - know the winbindd pipe protocol. -o Adds a variant of the winbindd_getgroups() call called - winbindd_getusersids() that provides direct SID->SIDs listing of - a users supplementary groups. This is enough to allow non-Samba - applications to do ACL checking. -o Make sure we don't append the 'ldap suffix' when writing out the - 'ldap XXX suffix' values in SWAT (bug 328). -o Fix renames across file systems. -o Ensure that items in a list of strings containing whitespace are - written out surrounded by single quotes. This means that both - double and single quotes are now used to surround strings in - smb.conf (bug 481). -o Enable SWAT to correctly determine if winbindd is running (bug - 398). -o Include WWW-Authenticate field in 401 response for bad auth - attempt (bug 629). -o Add support for NTLM2 (NTLMv2 session security). -o Add support for variable-length session keys. -o More privilege fixes for group enumeration in LDAP (bug 281). -o Use the dns name (or IP) as the originating client name when - using CUPS (bug 467). -o Fix various SMB signing bugs. -o Fix ACL propagation on a DFS root (bug 263). -o Disable NTLM2 for RPC pipes. -o Allow the client to specify the NTLM2 flags got NTLMSSP - authentication. -o Change the name of the job passed off to cups from "Test Page" - to "smbprn.00000033 Test Page" so that we can get the smb - jobid back. This allow users to delete jobs with cups printing - backend (partial work on bug 770). -o Fix build of winbindd with static pdb modules. -o Retrieve the correct ACL group bits if the file has an ACL - (bug 802). -o Implement "net rpc group members": Get members of a domain group - in human-readable format. -o Add MacOSX (Darwin) specific charset module code. -o Use samr_dispinfo(level == 1) for enumerating domain users so we - can include the full name in gecos field (bug 587). -o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797). -o Implement 'net rpc group list [global|local|builtin]*' for a - select listing of the respective user databases. -o Don't automatically set NT status code flag unless client tells - us it can cope. -o Add 'net status [sessions|shares] [parseable]'. -o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of - bug 770). -o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs - (bug 608). -o Fix inverted logic in hosts allow/deny checks caused by - s/strcmp/strequal/ (bug 846). -o Implement correct version SamrRemoveSidForeignDomain() (bug 252). -o Fix typo in 'hash' mangling algorithm. -o Support munged dial for ldapsam (bug 800). -o Fix process_incoming_data() to return the number of bytes handled - this call whether we have a complete PDU or not; fixes bug - with multiple PDU request rpc's broken over SMBwriteX calls - each. -o Fix incorrect smb flags2 for connections to pre-NT servers - (causes smbclient to fail to OS2 for example) (bug 821). -o Update version string in smbldap-tools Makefile to 0.8.2. -o Correct a problem with "net rpc vampire" mis-parsing the - alias member info reply. -o Ensure the ${libdir} is created by the installclientlib script. -o Fix detection of Windows 2003 client architecture in the smb.conf - %a variable. -o Ensure that smbd calls the add user script for a missing UNIX - user on kerberos auth call (bug 445). -o Fix bugs in hosts allow/deny when using a mismatched - network/netmask pair. -o Protect alloc_sub_basic() from crashing when the source string - is NULL (partial work on bug 687). -o Fix spinlocks on IRIX. -o Corrected some bad destination paths when running "configure - --with-fhs". -o Add packaging files for Fedora Core 1. -o Correct bug in SWAT install script for non-english languages. -o Support character set ISO-8859-1 internally (bug 558). -o Fixed more LDAP access errors when looking up group mappings - (bug 281). -o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID - resolution to fail on local files on on domain members - (bug 875). -o Fix uninitialized variable in passdb.c. -o Fix formal parameter type in get_static() in nsswitch/wins.c. -o Fix problem mounting directories when mount.cifs is installed - with the setuid bit on. -o Fix bug that prevent --mandir from overriding the defaults - given in the --with-fhs macro. -o Fix bug in in-memory Kerberos keytab detection routines - in configure.in - - - -###################################################################### - - The original 3.0.0 release notes follow - ======================================= - WHATS NEW IN Samba 3.0.0 - September 24, 2003 - ======================================= - - -Major new features: -------------------- - -1) Active Directory support. Samba 3.0 is now able to - join a ADS realm as a member server and authenticate - users using LDAP/Kerberos. - -2) Unicode support. Samba will now negotiate UNICODE on the wire - and internally there is now a much better infrastructure for - multi-byte and UNICODE character sets. - -3) New authentication system. The internal authentication system - has been almost completely rewritten. Most of the changes are - internal, but the new auth system is also very configurable. - -4) New default filename mangling system. - -5) A new "net" command has been added. It is somewhat similar to - the "net" command in windows. Eventually we plan to replace - numerous other utilities (such as smbpasswd) with subcommands - in "net". - -6) Samba now negotiates NT-style status32 codes on the wire. This - improves error handling a lot. - -7) Better Windows 2000/XP/2003 printing support including publishing - printer attributes in active directory. - -8) New loadable module support for passdb backends and character - sets. - -9) New default dual-daemon winbindd support for better performance. - -10) Support for migrating from a Windows NT 4.0 domain to a Samba - domain and maintaining user, group and domain SIDs. - -11) Support for establishing trust relationships with Windows NT 4.0 - domain controllers. - -12) Initial support for a distributed Winbind architecture using - an LDAP directory for storing SID to uid/gid mappings. - -13) Major updates to the Samba documentation tree. - -14) Full support for client and server SMB signing to ensure - compatibility with default Windows 2003 security settings. - -15) Improvement of ACL mapping features based on code donated by - Andreas Grünbacher. - - -Plus lots of other improvements! - - -Additional Documentation ------------------------- - -Please refer to Samba documentation tree (included in the docs/ -subdirectory) for extensive explanations of installing, configuring -and maintaining Samba 3.0 servers and clients. It is advised to -begin with the Samba-HOWTO-Collection for overviews and specific -tasks (the current book is up to approximately 400 pages) and to -refer to the various man pages for information on individual options. - -We are very glad to be able to include the second edition of -"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown -(O'Reilly & Associates) in this release. The book is available -on-line at http://samba.org/samba/docs/ and is included with -the Samba Web Administration Tool (SWAT). Thanks to the authors and -publisher for making "Using Samba" under the GNU Free Documentation -License. - - -###################################################################### -Upgrading from a previous Samba 3.0 beta -######################################## - -Beginning with Samba 3.0.0beta3, the RID allocation functions -have been moved into winbindd. Previously these were handled -by each passdb backend. This means that winbindd must be running -to automatically allocate RIDs for users and/or groups. Otherwise, -smbd will use the 2.2 algorithm for generating new RIDs. - -If you are using 'passdb backend = tdbsam' with a previous Samba -3.0 beta release (or possibly alpha), it may be necessary to -move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb -to winbindd_idmap.tdb. To do this: - -1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least - once) -2) build tdbtool by executing 'make tdbtool' in the source/tdb/ - directory -3) run: (note that 'tdb>' is the tool's prompt for input) - - root# ./tdbtool /usr/local/samba/private/passdb.tdb - tdb> show RID_COUNTER - key 12 bytes - RID_COUNTER - data 4 bytes - [000] 0A 52 00 00 .R. - - tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb - .... - record moved - -If you are using 'passdb backend = ldapsam', it will be necessary to -store idmap entries in the LDAP directory as well (i.e. idmap backend -= ldap). Refer to the 'net idmap' command for more information on -migrating SID<->UNIX id mappings from one backend to another. - -If the RID_COUNTER record does not exist, then these instructions are -unneccessary and the new RID_COUNTER record will be correctly generated -if needed. - - - -######################## -Upgrading from Samba 2.2 -######################## - -This section is provided to help administrators understand the details -involved with upgrading a Samba 2.2 server to Samba 3.0. - - -Building --------- - -Many of the options to the GNU autoconf script have been modified -in the 3.0 release. The most noticeable are: - - * removal of --with-tdbsam (is now included by default; see section - on passdb backends and authentication for more details) - - * --with-ldapsam is now on used to provided backward compatible - parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb - backend and authentication section for more details - - * inclusion of non-standard passdb modules may be enabled using - --with-expsam. This includes an XML backend and a mysql backend. - - * removal of --with-msdfs (is now enabled by default) - - * removal of --with-ssl (no longer supported) - - * --with-utmp now defaults to 'yes' on supported systems - - * --with-sendfile-support is now enabled by default on supported - systems - - -Parameters ----------- - -This section contains a brief listing of changes to smb.conf options -in the 3.0.0 release. Please refer to the smb.conf(5) man page for -complete descriptions of new or modified parameters. - -Removed Parameters (order alphabetically): - - * admin log - * alternate permissions - * character set - * client codepage - * code page directory - * coding system - * domain admin group - * domain guest group - * force unknown acl user - * hide local users - * mangled stack - * nt smb support - * postscript - * printer driver - * printer driver file - * printer driver location - * read size - * source environment - * status - * strip dot - * total print jobs - * use rhosts - * valid chars - * vfs options - -New Parameters (new parameters have been grouped by function): - - Remote management - ----------------- - * abort shutdown script - * shutdown script - - User and Group Account Management - --------------------------------- - * add group script - * add machine script - * add user to group script - * algorithmic rid base - * delete group script - * delete user from group script - * passdb backend - * set primary group script - - Authentication - -------------- - * auth methods - * realm - * passwd chat timeout - - Protocol Options - ---------------- - * client lanman auth - * client NTLMv2 auth - * client schannel - * client signing - * client use spnego - * disable netbios - * ntlm auth - * paranoid server security - * server schannel - * server signing - * smb ports - * use spnego - - File Service - ------------ - * get quota command - * hide special files - * hide unwriteable files - * hostname lookups - * kernel change notify - * mangle prefix - * map acl inherit - * msdfs proxy - * set quota command - * use sendfile - * vfs objects - - Printing - -------- - * max reported print jobs - - UNICODE and Character Sets - -------------------------- - * display charset - * dos charset - * unicode - * unix charset - - SID to uid/gid Mappings - ----------------------- - * idmap backend - * idmap gid - * idmap uid - * winbind enable local accounts - * winbind trusted domains only - * template primary group - * enable rid algorithm - - LDAP - ---- - * ldap delete dn - * ldap group suffix - * ldap idmap suffix - * ldap machine suffix - * ldap passwd sync - * ldap replication sleep - * ldap user suffix - - General Configuration - --------------------- - * preload modules - * private dir - -Modified Parameters (changes in behavior): - - * encrypt passwords (enabled by default) - * mangling method (set to 'hash2' by default) - * passwd chat - * passwd program - * restrict anonymous (integer value) - * security (new 'ads' value) - * strict locking (enabled by default) - * unix extensions (enabled by default) - * winbind cache time (increased to 5 minutes) - * winbind uid (deprecated in favor of 'idmap uid') - * winbind gid (deprecated in favor of 'idmap gid') - - -Databases ---------- - -This section contains brief descriptions of any new databases -introduced in Samba 3.0. Please remember to backup your existing -${lock directory}/*tdb before upgrading to Samba 3.0. Samba will -upgrade databases as they are opened (if necessary), but downgrading -from 3.0 to 2.2 is an unsupported path. - -Name Description Backup? ----- ----------- ------- -account_policy User policy settings yes -gencache Generic caching db no -group_mapping Mapping table from Windows yes - groups/SID to unix groups -winbindd_idmap ID map table from SIDS to UNIX yes - uids/gids. -namecache Name resolution cache entries no -netsamlogon_cache Cache of NET_USER_INFO_3 structure no - returned as part of a successful - net_sam_logon request -printing/*.tdb Cached output from 'lpq no - command' created on a per print - service basis -registry Read-only samba registry skeleton no - that provides support for exporting - various db tables via the winreg RPCs - - -Changes in Behavior -------------------- - -The following issues are known changes in behavior between Samba 2.2 and -Samba 3.0 that may affect certain installations of Samba. - - 1) When operating as a member of a Windows domain, Samba 2.2 would - map any users authenticated by the remote DC to the 'guest account' - if a uid could not be obtained via the getpwnam() call. Samba 3.0 - rejects the connection as NT_STATUS_LOGON_FAILURE. There is no - current work around to re-establish the 2.2 behavior. - - 2) When adding machines to a Samba 2.2 controlled domain, the - 'add user script' was used to create the UNIX identity of the - machine trust account. Samba 3.0 introduces a new 'add machine - script' that must be specified for this purpose. Samba 3.0 will - not fall back to using the 'add user script' in the absence of - an 'add machine script' - - -###################################################################### -Passdb Backends and Authentication -################################## - -There have been a few new changes that Samba administrators should be -aware of when moving to Samba 3.0. - - 1) encrypted passwords have been enabled by default in order to - inter-operate better with out-of-the-box Windows client - installations. This does mean that either (a) a samba account - must be created for each user, or (b) 'encrypt passwords = no' - must be explicitly defined in smb.conf. - - 2) Inclusion of new 'security = ads' option for integration - with an Active Directory domain using the native Windows - Kerberos 5 and LDAP protocols. - - MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption - type which is neccessary for servers on which the - administrator password has not been changed, or kerberos-enabled - SMB connections to servers that require Kerberos SMB signing. - Besides this one difference, either MIT or Heimdal Kerberos - distributions are usable by Samba 3.0. - - -Samba 3.0 also includes the possibility of setting up chains -of authentication methods (auth methods) and account storage -backends (passdb backend). Please refer to the smb.conf(5) -man page for details. While both parameters assume sane default -values, it is likely that you will need to understand what the -values actually mean in order to ensure Samba operates correctly. - -The recommended passdb backends at this time are - - * smbpasswd - 2.2 compatible flat file format - * tdbsam - attribute rich database intended as an smbpasswd - replacement for stand alone servers - * ldapsam - attribute rich account storage and retrieval - backend utilizing an LDAP directory. - * ldapsam_compat - a 2.2 backward compatible LDAP account - backend - -Certain functions of the smbpasswd(8) tool have been split between the -new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) -utility. See the respective man pages for details. - - -###################################################################### -LDAP -#### - -This section outlines the new features affecting Samba / LDAP -integration. - -New Schema ----------- - -A new object class (sambaSamAccount) has been introduced to replace -the old sambaAccount. This change aids us in the renaming of -attributes to prevent clashes with attributes from other vendors. -There is a conversion script (examples/LDAP/convertSambaAccount) to -modify and LDIF file to the new schema. - -Example: - - $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif - $ convertSambaAccount --sid= \ - --input=sambaAcct.ldif --output=sambaSamAcct.ldif \ - --changetype=[modify|add] - -The can be obtained by running 'net getlocalsid -' on the Samba PDC as root. The changetype determines -the format of the generated LDIF output--either create new entries -or modify existing entries. - -The old sambaAccount schema may still be used by specifying the -"ldapsam_compat" passdb backend. However, the sambaAccount and -associated attributes have been moved to the historical section of -the schema file and must be uncommented before use if needed. -The 2.2 object class declaration for a sambaAccount has not changed -in the 3.0 samba.schema file. - -Other new object classes and their uses include: - - * sambaDomain - domain information used to allocate rids - for users and groups as necessary. The attributes are added - in 'ldap suffix' directory entry automatically if - an idmap uid/gid range has been set and the 'ldapsam' - passdb backend has been selected. - - * sambaGroupMapping - an object representing the - relationship between a posixGroup and a Windows - group/SID. These entries are stored in the 'ldap - group suffix' and managed by the 'net groupmap' command. - - * sambaUnixIdPool - created in the 'ldap idmap suffix' entry - automatically and contains the next available 'idmap uid' and - 'idmap gid' - - * sambaIdmapEntry - object storing a mapping between a - SID and a UNIX uid/gid. These objects are created by the - idmap_ldap module as needed. - - * sambaSidEntry - object representing a SID alone, as a Structural - class on which to build the sambaIdmapEntry. - - -New Suffix for Searching ------------------------- - -The following new smb.conf parameters have been added to aid in directing -certain LDAP queries when 'passdb backend = ldapsam://...' has been -specified. - - * ldap suffix - used to search for user and computer accounts - * ldap user suffix - used to store user accounts - * ldap machine suffix - used to store machine trust accounts - * ldap group suffix - location of posixGroup/sambaGroupMapping entries - * ldap idmap suffix - location of sambaIdmapEntry objects - -If an 'ldap suffix' is defined, it will be appended to all of the -remaining sub-suffix parameters. In this case, the order of the suffix -listings in smb.conf is important. Always place the 'ldap suffix' first -in the list. - -Due to a limitation in Samba's smb.conf parsing, you should not surround -the DN's with quotation marks. - - -IdMap LDAP support ------------------- - -Samba 3.0 supports an ldap backend for the idmap subsystem. The -following options would inform Samba that the idmap table should be -stored on the directory server onterose in the "ou=idmap,dc=plainjoe, -dc=org" partition. - - [global] - ... - idmap backend = ldap:ldap://onterose/ - ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org - idmap uid = 40000-50000 - idmap gid = 40000-50000 - -This configuration allows winbind installations on multiple servers to -share a uid/gid number space, thus avoiding the interoperability problems -with NFS that were present in Samba 2.2. - - - -###################################################################### -Trust Relationships and a Samba Domain -###################################### - -Samba 3.0.0beta2 is able to utilize winbindd as the means of -allocating uids and gids to trusted users and groups. More -information regarding Samba's support for establishing trust -relationships can be found in the Samba-HOWTO-Collection included -in the docs/ directory of this release. - -First create your Samba PDC and ensure that everything is -working correctly before moving on the trusts. - -To establish Samba as the trusting domain (named SAMBA) from a Windows NT -4.0 domain named WINDOWS: - - 1) create the trust account for SAMBA in "User Manager for Domains" - 2) connect the trust from the Samba domain using - 'net rpc trustdom establish GLASS' - -To create a trustlationship with SAMBA as the trusted domain: - - 1) create the initial trust account for GLASS using - 'smbpasswd -a -i GLASS'. You may need to create a UNIX - account for GLASS$ prior to this step (depending on your - local configuration). - 2) connect the trust from a WINDOWS DC using "User Manager - for Domains" - -Now join winbindd on the Samba PDC to the SAMBA domain using -the normal steps for adding a Samba server to an NT4 domain: -(note that smbd & nmbd must be running at this point) - - root# net rpc join -U root - Password: - -Start winbindd and test the join with 'wbinfo -t'. - -Now test the trust relationship by connecting to the SAMBA DC -(e.g. POGO) as a user from the WINDOWS domain: - - $ smbclient //pogo/netlogon -U Administrator -W WINDOWS - Password: - -Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: - - $ smbclient //crystal/netlogon -U root -W WINDOWS - Password: - -###################################################################### -Changes in Winbind -################## - -Beginning with Samba3.0.0beta3, winbindd has been given new account -manage functionality equivalent to the 'add user script' family of -smb.conf parameters. The idmap design has also been changed to -centralize control of foreign SID lookups and matching to UNIX -uids and gids. - - -Brief Description of Changes ----------------------------- - -1) The sid_to_uid() family of functions (smbd/uid.c) have been - reverted to the 2.2.x design. This means that when resolving a - SID to a UID or similar mapping: - - a) First consult winbindd - b) perform a local lookup only if winbindd fails to - return a successful answer - - There are some variations to this, but these two rules generally - apply. - -2) All idmap lookups have been moved into winbindd. This means that - a server must run winbindd (and support NSS) in order to achieve - any mappings of SID to dynamically allocated UNIX ids. This was - a conscious design choice. - -3) New functions have been added to winbindd to emulate the 'add user - script' family of smbd functions without requiring that external - scripts be defined. This functionality is controlled by the 'winbind - enable local accounts' smb.conf parameter (enabled by default). - - However, this account management functionality is only supported - in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts - must be shared among multiple Samba servers (such as a PDC and BDCs), - it will be necessary to define your own 'add user script', et. al. - programs that place the accounts/groups in some form of directory - such as NIS or LDAP. This requirement was deemed beyond the scope - of winbind's account management functions. Solutions for - distributing UNIX system information have been deployed and tested - for many years. We saw no need to reinvent the wheel. - -4) A member of a Samba controlled domain running winbindd is now able - to map domain users directly onto existing UNIX accounts while still - automatically creating accounts for trusted users and groups. This - behavior is controlled by the 'winbind trusted domains only' smb.conf - parameter (disabled by default to provide 2.2.x winbind behavior). - -5) Group mapping support is wrapped in the local_XX_to_XX() functions - in smbd/uid.c. The reason that group mappings are not included - in winbindd is because the purpose of Samba's group map is to - match any Windows SID with an existing UNIX group. These UNIX - groups can be created by winbindd (see next section), but the - SID<->gid mapping is retreived by smbd, not winbindd. - - -Examples --------- - -* security = server running winbindd to allocate accounts on demand - -* Samba PDC running winbindd to handle the automatic creation of UNIX - identities for machine trust accounts - -* Automtically creating UNIX user and groups when migrating a Windows NT - 4.0 PDC to a Samba PDC. Winbindd must be running when executing - 'net rpc vampire' for this to work. - - -###################################################################### -Known Issues -############ - -* There are several bugs currently logged against the 3.0 codebase - that affect the use of NT 4.0 GUI domain management tools when run - against a Samba 3.0 PDC. This bugs should be released in an early - 3.0.x release. - -Please refer to https://bugzilla.samba.org/ for a current list of bugs -filed against the Samba 3.0 codebase. - - -###################################################################### -Reporting bugs & Development Discussion -####################################### - -Please discuss this release on the samba-technical mailing list or by -joining the #samba-technical IRC channel on irc.freenode.net. - -If you do report problems then please try to send high quality -feedback. If you don't provide vital information to help us track down -the problem then you will probably be ignored. - -A new bugzilla installation has been established to help support the -Samba 3.0 community of users. This server, located at -https://bugzilla.samba.org/, has replaced the older jitterbug server -previously located at http://bugs.samba.org/. -