mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
fe43107ff1
(This used to be commit 737b3a5a92
)
1567 lines
58 KiB
Plaintext
1567 lines
58 KiB
Plaintext
=================================
|
|
Release Notes for Samba 3.0.3pre1
|
|
XXXXXX XX, 2004
|
|
=================================
|
|
|
|
This is a preview release of the Samba 3.0.3 code base and is
|
|
provided for testing only. This release is *not* intended for
|
|
production servers. Use at your own risk.
|
|
|
|
There have been several bug fixes since the 3.0.2a release that
|
|
we feel are important to make available to the Samba community
|
|
for wider testings. See the "Changes" section for details on
|
|
exact updates.
|
|
|
|
Common bugs fixed in this preview release include:
|
|
|
|
o <FILL THIS IN>
|
|
|
|
|
|
######################################################################
|
|
Changes
|
|
#######
|
|
Changes since 3.0.2a
|
|
--------------------
|
|
smb.conf changes
|
|
----------------
|
|
|
|
Parameter Name Action
|
|
-------------- ------
|
|
only user Deprecated
|
|
use cracklib New
|
|
|
|
|
|
Please refer to the CVS log for the SAMBA_3_0 branch for complete
|
|
details. The list of changes per contributor are as follows:
|
|
|
|
|
|
commits
|
|
-------
|
|
o Jeremy Allison <jra@samba.org>
|
|
* Ensure that Kerberos mutex is always properly unlocked.
|
|
* Removed Heimdal "in-memory keytab" support.
|
|
* Fixup the 'multiple-vuids' bugs in our server code.
|
|
* Correct return code from lsa_lookup_sids() on unmapped
|
|
sids (based on work by vlendecke).
|
|
* Fix the "too many fcntl locks" scalability problem
|
|
raised by tridge.
|
|
* Fixup correct (as per W2K3) returns for lookupsids
|
|
as well as lookupnames.
|
|
* Fixups for delete-on-close semantics as per Win2k3 behavior.
|
|
* Make SMB_FILE_ACCESS_INFORMATION call work correctly.
|
|
* Fix "unable to initialize" bug when smbd hasn't been run with
|
|
new system and a user is being added via pdbedit/smbpasswd.
|
|
* Added NTrename SMB (0xA5).
|
|
* Fixup correct timeout values for blocking lock timeouts.
|
|
* Fix various bugs reported by 'gentest'.
|
|
* More locking fixes in the case where we own the lock.
|
|
* Fix up regression in IS_NAME_VALID and renames.
|
|
* Don't set allocation size on directories.
|
|
* Return correct error code on fail if file exists and target
|
|
is a directory.
|
|
* Added client "hardlink" commant to test doing NT rename with
|
|
hard links. Added hardlink_internals() code - UNIX extensions
|
|
now use this as well.
|
|
* Use a common function to parse all pathnames from the wire for
|
|
much closer emulation of Win2k3 error return codes.
|
|
* More fixes for internal multibyte string handling.
|
|
|
|
|
|
o Timur Bakeyev <timur@com.bat.ru>
|
|
* BUG 1144: only set --with-fhs when the argumenet is 'yes'
|
|
|
|
|
|
o Andrew Bartlet <abartlet@samba.org>
|
|
* Include support for linking with cracklib for enforcing
|
|
strong password changes.
|
|
* Add support for >14 character password changes from Windows
|
|
clients.
|
|
* Add 'admin set password' capability to 'net rpc'.
|
|
* Allow 'net rpc samdump' to work with any joined domain
|
|
regardless of smb.conf settings.
|
|
* Use an allocated buffer for count_chars.
|
|
* Add sanity checks for changes in the domain SID in an
|
|
LDAP DIT.
|
|
|
|
|
|
o Alexander Bokovoy <ab@samba.org>
|
|
|
|
|
|
o Gerald (Jerry) Carter <jerry@samba.org>
|
|
* Fix 'make installmodules' bug on True64.
|
|
* BUG 66: mark 'only user' deprecated.
|
|
* Remove corrupt tdb and shutdown (only for printing tdbs,
|
|
connections, sessionid & locking).
|
|
* decrement smbd counter in connections.tdb in smb_panic().
|
|
* RedHat specfile updates.
|
|
* Fix xattr.h build issue on Debian testing and SuSE 8.2.
|
|
* BUG 1147; bad pointer case in get_stored_queue_info()
|
|
causing seg fault.
|
|
* BUG 761: read the config file before initialized default
|
|
values for printing options; don't default to bsd printing
|
|
Linux.
|
|
* Allow the 'printing' parameter to be set on a per share basis.
|
|
* BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
|
|
* BUG 848: don't create winbind local users/groups that already
|
|
exist in the tdb.
|
|
* BUG 1080: fix declaration of SMB_BIG_UINT (broek compile on
|
|
LynxOS/ppc).
|
|
|
|
|
|
o Guenther Deschner <gd@suse.com>
|
|
* Remove hard coded attribute name in the ads ranged retrieval
|
|
code.
|
|
|
|
|
|
o Bostjan Golob <golob@gimb.org>
|
|
* BUG 1046: Fix getpwent_list() so that the username is not
|
|
overwritten by other fields.
|
|
|
|
|
|
o Steve French <sfrench@us.ibm.com>
|
|
* Update moun.cifs to version 1.1.
|
|
* Disable dev (MS_NODEV) on user mounts from cifs vfs.
|
|
* Fixes to minor security bug in the mount helper.
|
|
|
|
|
|
o SATOH Fumiyasu <fumiya@miraclelinux.com>
|
|
* BUG 1055; formatting fixes for 'net share'.
|
|
* BUG 692: correct truncation of share names and workgroup
|
|
names in smbclient.
|
|
|
|
|
|
o Chris Hertel <crh@samba.org>
|
|
* fix enumeration of shares 12 characters in length via
|
|
smbclient.
|
|
|
|
|
|
o John Klinger <john.klinger@lmco.com>
|
|
* Return NSS_SUCCESS once the max number of gids possible
|
|
has been found in initgroups() on Solaris.
|
|
|
|
|
|
o Volker Lendecke <vl@samba.org>
|
|
* Fix success message for net groupmap modify.
|
|
* Fix errors when enumerating members of groups in 'net rpc'.
|
|
* Match Windows behavior in samr_lookup_names() by returning
|
|
ALIAS(4) when you search in BUILTIN.
|
|
* Fix server SAMR code to be able to set alias info for
|
|
builtin as well.
|
|
* Fix duplication of logic when creating groups via smbd.
|
|
* Ensure that the HWM values are set correctly after running
|
|
'net idmap'.
|
|
* Add 'net rpc group add'.
|
|
* Implement 'net groupmap set' and 'net groupmap cleanup'.
|
|
* Add 'net rpc group [add|del]mem' for domain groups and aliases.
|
|
|
|
|
|
o Herb Lewis <herb@samba.org>
|
|
|
|
|
|
o Jianliang Lu <j.lu@tiesse.com>
|
|
* Enforce the 'user must change password at nmext login' flag.
|
|
* Decode meaning of 'fields present' flags (improves support
|
|
for usewrmgr.exe).
|
|
|
|
|
|
o L. Lucius <ib@digicron.com>.
|
|
* type fixes.
|
|
|
|
|
|
o Jim McDonough <jmcd@us.ibm.com>
|
|
* Add versioning support to tdbsam.
|
|
* Update the IBM Directory Server schema with the OpenLDAP
|
|
file.
|
|
* Various decoding fixes to improve usermgr.exe support.
|
|
* Fix statfs redeclaration of statfs struct on ppc
|
|
* Implement support for password lockout of Samba domain
|
|
controllers and standalone servers.
|
|
|
|
|
|
o Stefan Metzmacher <metze@samba.org>
|
|
|
|
|
|
o James Peach <jpeach@sgi.com>
|
|
* Correct check for printf() format when using the SGI MIPSPro
|
|
compiler.
|
|
* BUG 1038: support backtrace for 'panic action' on IRIX.
|
|
|
|
|
|
o Tim Potter <tpot@samba.org>
|
|
* Fix logic bug in tdb non-blocking lock routines when
|
|
errno == EAGAIN.
|
|
* BUG 1025: Include sys/acl.h in check for broken nisplus
|
|
include files.
|
|
* BUG 1066: s/printf/d_printf/g in SWAT.
|
|
* BUG 1098: rename internal msleep() function to fix build
|
|
problems on AIX.
|
|
* BUG 1112: Fix for writable printerdata problem in python bindings.
|
|
|
|
|
|
o Simo Source <idra@samba.org>
|
|
* Replace unknown_3 with fields_present in SAMR code.
|
|
|
|
|
|
o Richard Sharpe <rsharpe@samba.org>
|
|
* Add support to smbclient for multiple logins on the same
|
|
session (based on work by abartlet).
|
|
|
|
|
|
o Andrew Tridgell <tridge@samba.org>
|
|
* Rewrote the AIX UESS backend for winbindd.
|
|
* Fixed compilation with --enable-dmalloc.
|
|
|
|
|
|
o Jelmer Vernooij <jelmer@samba.org>
|
|
* Fix ETA Calculation when resuming downloads in smbget.
|
|
|
|
|
|
o TAKEDA yasuma <yasuma@miraclelinux.com>
|
|
* BUG 900: fix token processing in cmd_symlink, cmd_link,
|
|
cmd_chown, cmd_chmod smbclient functions.
|
|
|
|
|
|
o Shiro Yamada <shiro@miraclelinux.com>
|
|
* BUG 1129: install image files for SWAT.
|
|
|
|
|
|
Changes for older versions follow below:
|
|
|
|
--------------------------------------------------
|
|
|
|
==============================
|
|
Release Notes for Samba 3.0.2a
|
|
February 13, 2004
|
|
==============================
|
|
|
|
Samba 3.0.2a is a minor patch release for the 3.0.2 code base
|
|
to address, in particular, a problem when using pdbedit to
|
|
sanitize (--force-initialized-passwords) Samba's tdbsam
|
|
backend. This is the latest stable release of Samba. This
|
|
is the version that all production Samba servers should be
|
|
running for all current bug-fixes.
|
|
|
|
******************* Attention! Achtung! Kree! *********************
|
|
|
|
Beginning with Samba 3.0.2, passwords for accounts with a last
|
|
change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
|
|
ldapsam, etc...) of zero (0) will be regarded as uninitialized
|
|
strings. This will cause authentication to fail for such
|
|
accounts. If you have valid passwords that meet this criteria,
|
|
you must update the last change time to a non-zero value. If you
|
|
do not, then 'pdbedit --force-initialized-passwords' will disable
|
|
these accounts and reset the password hashes to a string of X's.
|
|
|
|
******************* Attention! Achtung! Kree! *********************
|
|
|
|
|
|
######################################################################
|
|
Changes
|
|
#######
|
|
|
|
Changes since 3.0.2
|
|
-------------------
|
|
|
|
commits
|
|
-------
|
|
|
|
Please refer to the CVS log for the SAMBA_3_0 branch for complete
|
|
details. The list of changes per contributor are as follows:
|
|
|
|
|
|
o Jeremy Allison <jra@samba.org>
|
|
* Added paranoia checks in parsing code.
|
|
|
|
|
|
o Andrew Bartlet <abartlet@samba.org>
|
|
* Ensure that changes to uninitialized passwords in ldapsam
|
|
are written to the DIT.
|
|
|
|
|
|
o Gerald (Jerry) Carter <jerry@samba.org>
|
|
* Fixed iterator in tdbsam.
|
|
* Fix bug that disabled accounts with a valid NT password
|
|
hash, but no LanMan hash.
|
|
|
|
|
|
o Steve French <sfrench@us.ibm.com>
|
|
* Added missing nosetuid and noexec options.
|
|
|
|
|
|
o Bostjan Golob <golob@gimb.org>
|
|
* BUG 1046: Don't overwrite usernames of entries returned
|
|
by getpwent_list().
|
|
|
|
|
|
o Sebastian Krahmer <krahmer@suse.de>
|
|
* Fixed potential crash bug in NTLMSSP parsing code.
|
|
|
|
|
|
o Tim Potter <tpot@samba.org>
|
|
* Fixed logic in tdb_brlock error checking.
|
|
|
|
|
|
o Urban Widmark <urban@teststation.com>
|
|
* Set nosuid,nodev flags in smbmnt by default.
|
|
|
|
|
|
--------------------------------------------------
|
|
|
|
=============================
|
|
Release Notes for Samba 3.0.2
|
|
February 9, 2004
|
|
=============================
|
|
|
|
It has been confirmed that previous versions of Samba 3.0 are
|
|
susceptible to a password initialization bug that could grant an
|
|
attacker unauthorized access to a user account created by the
|
|
mksmbpasswd.sh shell script.
|
|
|
|
The Common Vulnerabilities and Exposures project (cve.mitre.org)
|
|
has assigned the name CAN-2004-0082 to this issue.
|
|
|
|
Samba administrators not wishing to upgrade to the current
|
|
version should download the 3.0.2 release, build the pdbedit
|
|
tool, and run
|
|
|
|
root# pdbedit-3.0.2 --force-initialized-passwords
|
|
|
|
This will disable all accounts not possessing a valid password
|
|
(e.g. the password field has been set a string of X's).
|
|
|
|
Samba servers running 3.0.2 are not vulnerable to this bug
|
|
regardless of whether or not pdbedit has been used to sanitize
|
|
the passdb backend.
|
|
|
|
Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
|
|
release include:
|
|
|
|
o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
|
|
o Logging onto a Samba domain from Windows XP clients.
|
|
o Problems with the %U and %u smb.conf variables in relation to
|
|
Windows 9x/ME clients.
|
|
o Kerberos failures due to an invalid in memory keytab detection
|
|
test.
|
|
o Updates to the ntlm_auth tool.
|
|
o Fixes for various SMB signing errors.
|
|
o Better separation of WINS and DNS queries for domain controllers.
|
|
o Issues with nss_winbind FreeBSD and Solaris.
|
|
o Several crash bugs in smbd and winbindd.
|
|
o Output formatting fixes for smbclient for better compatibility
|
|
with scripts based on the 2.2 version.
|
|
|
|
|
|
Changes since 3.0.1
|
|
-------------------
|
|
|
|
smb.conf changes
|
|
----------------
|
|
|
|
Parameter Name Action
|
|
-------------- ------
|
|
ldap replication sleep New
|
|
read size removed (unused)
|
|
source environment removed (unused)
|
|
|
|
|
|
commits
|
|
-------
|
|
|
|
Please refer to the CVS log for the SAMBA_3_0 branch for complete
|
|
details. The list of changes per contributor are as follows:
|
|
|
|
o Jeremy Allison <jra@samba.org>
|
|
* Revert change that broke Exchange clear text samlogons.
|
|
* Fix gcc 3.4 warning in MS-DFS code.
|
|
* Tidy up of NTLMSSP code.
|
|
* Fixes for SMB signing errors
|
|
* BUG 815: Workaround NT4 bug to support plaintext
|
|
password logins and UNICODE.
|
|
* Fix SMB signing bug when copying large files.
|
|
* Correct error logic in mkdir_internals() (caused a panic
|
|
when combined with --enable-developer).
|
|
* BUG 830: Protect against crashes due to bad character
|
|
conversions.
|
|
|
|
|
|
o Petri Asikainen <paca@sci.fi>
|
|
* BUG 330, 387:Fix single valued attribute updates when
|
|
working with Novell NDS.
|
|
|
|
|
|
o Andrew Bartlet <abartlet@samba.org>
|
|
* Correctly handle per-pipe NTLMSSP inside a NULL session.
|
|
* Fix segfault in gencache
|
|
* Fix early free() of encrypted_session_key.
|
|
* Change DC lookup routines to more carefully separate
|
|
DNS names (realms) from NetBIOS domain names.
|
|
* Add new sid_to_dn() function for internal winbindd use.
|
|
* Refactor cli_ds_enum_domain_trusts().
|
|
* BUG 707: Implement range retrieval of ADS attributes (based
|
|
on work from Volker <vl@samba.org> and Guenther Deschner
|
|
<gd@suse.com>).
|
|
* Automatically initialize the signing engine if a session key
|
|
is available.
|
|
* BUG 916: Do not perform a + -> ' ' substitution for squid URL
|
|
encoded strings, only form input in SWAT.
|
|
* Resets the NTLMSSP state for new negotiate packets.
|
|
* Add 2-byte alignments in net_samlogon() queries to parse
|
|
odd-length plain text passwords.
|
|
* Allow Windows groups with no members in winbindd.
|
|
* Allow normal authentication in the absence of a server
|
|
generated session key.
|
|
* More optimizations for looking up UNIX group lists.
|
|
* Clean up error codes and return values for pam_winbindd
|
|
and winbindd PAM interface.
|
|
* Fix string return values in ntlm_auth tool.
|
|
* Fix segfault when 'security = ads' but no realm is defined.
|
|
* BUG 722: Allow winbindd to map machine accounts to uids.
|
|
* More cleanups for winbindd's find_our_domain().
|
|
* More clearly detect whether a domain controller is an NT4
|
|
or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
|
|
* Increase separation between DNS queries for hosts and queries
|
|
for AD domain controllers.
|
|
* Include additional NT_STATUS to PAM error mappings.
|
|
* Password initialization fixes.
|
|
|
|
|
|
o Justin Baugh <justin.baugh@request.com>
|
|
* BUG 948: Implement missing functions required for FreeBSD
|
|
nss_winbind support.
|
|
|
|
|
|
o Alexander Bokovoy <ab@samba.org>
|
|
* BUG 922: Make sure enable fast path for strlower_m() and
|
|
strupper_m().
|
|
|
|
|
|
o Luca Bolcioni <Luca.Bolcioni@yacme.com>
|
|
* Fix crash when using 'security = server' and 'encrypt
|
|
passwords = no' by always initializing the session key.
|
|
|
|
|
|
o Dmitry Butskoj <buc@odusz.elektra.ru>
|
|
* Fix for special files being hidden from admins.
|
|
|
|
|
|
o Gerald (Jerry) Carter <jerry@samba.org>
|
|
* Fix bug in the lanman session key generation. Caused
|
|
"decode_pw: incorrect password length" error messages.
|
|
* Save the right case for the located user name in
|
|
fill_sam_account(). Fixes %U/%u expansion for win9x clients.
|
|
* BUG 897: Add well known rid for pre win2k compatible access
|
|
group.
|
|
* BUG 887: Correct typo in delete user script example.
|
|
* Use short lived TALLOC_CTX* for allocating printer objects
|
|
from the print handle cache.
|
|
* BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
|
|
* Fix several warnings reported by the SUN Forte C compiler.
|
|
* Fully control DNS queries for AD DC's using 'name resolve order'.
|
|
* BUG 770: Send the SMBjobid for UNIX jobs back to the client.
|
|
* BUG 972: Fix segfault in cli_ds_getprimarydominfo().
|
|
* BUG 936: fix bind credentials for schannel binds in smbd.
|
|
* BUG 446: Fix output of smbclient for better compatibility
|
|
with scripts based on the 2.2 version (including Amanda).
|
|
* BUG 891, 949: Fedora packaging fixes.
|
|
* Fix bug that caused rpcclient to incorrectly retrieve
|
|
the SID for a server (this causing all calls that required
|
|
this information to fail).
|
|
* BUG 977: Don't create a homes share for a user if a static
|
|
share already exists by the same name.
|
|
* Removed unused smb.conf options.
|
|
* Password initialization fixes.
|
|
* Set the disable flag for template accounts created by
|
|
mksmbpasswd.sh.
|
|
* Disable any account has no passwords and does not have the
|
|
ACB_PWNOTREQ bit set.
|
|
|
|
|
|
o Guenther Deschner <gd@suse.com>
|
|
* Install smbwrapper.so should be put into the $(libdir)
|
|
and not $(bindir).
|
|
* Add the capability to specify the new user password
|
|
for "net ads password" on the command line.
|
|
* Correctly detect AFS headers on SuSE.
|
|
|
|
|
|
o James Flemer <jflemer@uvm.edu>
|
|
* Fix AIX compile bug by linking HAVE_ATTR_LIST to
|
|
HAVE_SYS_ATTRIBUTES_H.
|
|
|
|
|
|
o Luke Howard <lukeh@PADL.COM>
|
|
* Fix segfault in session setup reply caused by a early free().
|
|
|
|
|
|
o Stoian Ivanov <sdr@bultra.com>
|
|
* Implement grepable output for smbclient -L.
|
|
|
|
|
|
o LaMont Jones <lamont@debian.org>
|
|
* BUG 225328 (Debian): Correct false failure LFS test that resulted
|
|
in _GNU_SOURCE not being defined (thus resulting in strndup()
|
|
not being defined).
|
|
|
|
|
|
o Volker Lendecke <vl@samba.org>
|
|
* BUG 583: Ensure that user names always contain the short
|
|
version of the domain name.
|
|
* Fix our parsing of the LDAP uri.
|
|
* Don't show the 'afs username map' in the SWAT basic view.
|
|
* Fix SMB signing issues in relation to failed NTLMSSP logins.
|
|
* BUG 924: Fix return codes in smbtorture harness.
|
|
* Always lower-case usernames before handing it to AFS code.
|
|
* Add a German translation for SWAT.
|
|
* Fix a segfaults in winbindd.
|
|
* Fix the user's domain passed to register_vuid() from
|
|
reply_spnego_kerberos().
|
|
* Add NSS example code in nss_winbind to convert UNIX
|
|
id's <-> Windows SIDs.
|
|
* Display more descriptive error messages for login via 'net'.
|
|
* Fix compiler warning in the net tool.
|
|
* Fix length bug when decoding base64 strings.
|
|
* Ensure we don't call getpwnam() inside a loop that is iterating
|
|
over users with getpwent(). This broke on glibc 2.3.2.
|
|
|
|
|
|
o Herb Lewis <herb@samba.org>
|
|
* Fix bit rot in psec.
|
|
|
|
|
|
o Jianliang Lu <j.lu@tiesse.com>
|
|
* Ensure we delete the group mapping before calling the delete
|
|
group script.
|
|
* Define well known RID for managing the "Power Users" group.
|
|
* BUG 381: check builtin (not local) group SID when updating
|
|
group membership.
|
|
* BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
|
|
packet.
|
|
|
|
|
|
o John Klinger <john.klinger@lmco.com>
|
|
* Implement initgroups() call in nss_winbind on Solaris.
|
|
|
|
|
|
o Jim McDonough <jmcd@us.ibm.com>
|
|
* Fix regression in net rpc join caused by recent changes
|
|
to cli_lsa_query_info_policy().
|
|
* BUG 964: Fix crash bug in 'net rpc join' using a preexisting
|
|
machine account.
|
|
|
|
|
|
o MORIYAMA Masayuki <moriyama@miraclelinux.com>
|
|
* BUG 570: Ensure that configure honors the LDFLAGS variable.
|
|
|
|
|
|
o Stefan Metzmacher <metze@samba.org>
|
|
* Implement LDAP rebind sleep patch.
|
|
* Revert to 2.2 quota code because of so many broken quota files
|
|
out there.
|
|
* Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
|
|
XFS_USER_QUOTA -> USRQUOTA
|
|
XFS_GROUP_QUOTA -> GRPQUOTA
|
|
* Fix disk_free calculation with group quotas.
|
|
* Add debug class 'quota' and a lot of DEBUG()'s
|
|
to the quota code.
|
|
* Fix sys_chown() when no chown() is present.
|
|
* Add SIGABRT to fault handling in order to catch got a
|
|
backtrace if an error occurs the OpenLDAP client libs.
|
|
|
|
|
|
o <ndb@theghet.to>
|
|
* Allow an existing LDAP machine account to be re-used when
|
|
joining an AD domain.
|
|
|
|
|
|
o James Peach <jpeach@sgi.com>
|
|
* BUG 889: Change smbd to use pread/pwrite on platforms that
|
|
support these calls. Can lead to a significant speed increase.
|
|
|
|
|
|
o Tim Potter <tpot@samba.org>
|
|
* BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
|
|
* BUG 924: Fix typo in RW2 torture test.
|
|
|
|
|
|
o Richard Sharpe <shape@samba.org>
|
|
* Small fixes to torture.c to cleanup the error handling
|
|
and prevent crashes.
|
|
|
|
|
|
o J. Tournier <jerome.tournier@IDEALX.com>
|
|
* Small fixes for the smbldap-tool scripts.
|
|
|
|
|
|
o Andrew Tridgell <tridge@samba.org>
|
|
* Fix src len check in pull_usc2().
|
|
|
|
|
|
o Jelmer Vernooij <jelmer@samba.org>
|
|
* Put functions for generating SQL queries in pdb_sql.c
|
|
* Add pgSQL backend (based on patch by Hamish Friedlander)
|
|
* BUG 908: Fix -s option to smbcontrol.
|
|
* Add smbget utility - a wget-clone for the SMB/CIFS protocol.
|
|
* Fix for libnss_wins on IRIX platforms.
|
|
* Fix swatdir for --with-fhs.
|
|
|
|
|
|
--------------------------------------------------
|
|
|
|
=============================
|
|
Release Notes for Samba 3.0.1
|
|
December 15, 2003
|
|
=============================
|
|
|
|
Some of the more common bugs in 3.0.0 addressed in the release
|
|
include:
|
|
|
|
o Substitution problems with smb.conf variables.
|
|
o Errors in return codes which caused some applications
|
|
to fail to open files.
|
|
o General Protection Faults on Windows 2000/XP clients
|
|
using Samba point-n-print features.
|
|
o Several miscellaneous crash bugs.
|
|
o Access problems when enumerating group mappings are
|
|
stored in an LDAP Directory.
|
|
o Several common SWAT bugs when writing changes to
|
|
smb.conf.
|
|
o Internal inconsistencies when 'winbind use default
|
|
domain = yes'
|
|
|
|
|
|
|
|
Changes since 3.0.0
|
|
----------------------
|
|
|
|
Parameter Name Action
|
|
-------------- ------
|
|
hide local users Removed
|
|
mangled map Deprecated
|
|
mangled stack Removed
|
|
passwd chat timeout New
|
|
|
|
|
|
commits
|
|
-------
|
|
|
|
o Change the interface for init_unistr2 to not take a length
|
|
but a flags field. We were assuming that
|
|
2*strlen(mb_string) == length of ucs2-le string. (bug 480).
|
|
o Allow d_printf() to handle strings with escaped quotation
|
|
marks since the msg file includes the escape character (bug 489).
|
|
o Fix bad html table row termination in SWAT wizard code (bug 413).
|
|
o Fix to parse the level-2 strings.
|
|
o Fix for "valid users = %S" in [homes]. Fix read/write
|
|
list as well.
|
|
o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
|
|
This is the same way AC_CHECK_LIB works (bug 508).
|
|
o Testparm output fixes for clarity.
|
|
o Fix broken wins hook functionality -- i18n bug (bug 528).
|
|
o Take care of condition where DOS and NT error codes must differ.
|
|
o Default to using only built-in charsets when a working iconv
|
|
implementation cannot be located.
|
|
o Wrap internals of sys_setgroups() so the sys_XX() call can
|
|
be done unconditionally (bug 550).
|
|
o Remove duplicate smbspool link on SWAT's front page (bug 541).
|
|
o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
|
|
--enable-debug=[yes|no] works correctly.
|
|
o Allow ^C to interrupt smbpasswd if using our getpass
|
|
(e.g. smbpasswd command).
|
|
o Support signing only on RPC's (bug 167).
|
|
o Correct bug that prevented Excel 2000 clients from opening
|
|
files marked as read-only.
|
|
o Portability fix bugs 546 - 549).
|
|
o Explicitly initialize the value of AR for vendor makes that don't
|
|
do this (e.g. HPUX 11). (bug 552).
|
|
o More i18n fixes for SWAT (bug 413).
|
|
o Change the cwd before the postexec script to ensure that a
|
|
umount will succeed.
|
|
o Correct double free that caused winbindd to crash when a DC
|
|
is rebooted (bug 437).
|
|
o Fix incorrect mode sum (bug 562).
|
|
o Canonicalize SMB_INFO_ALLOCATION in the same was as
|
|
SMB_FS_FULL_SIZE_INFORMATION (bug 564).
|
|
o Add script to generate *msg files.
|
|
o Add Dutch SWAT translation file.
|
|
o Make sure to call get_user_groups() with the full winbindd
|
|
name for a user if he/she has one (bug 406).
|
|
o Fix up error code returns from Samba4 tester. Ensure invalid
|
|
paths are validated the same way.
|
|
o Allow Samba3 to pass the Samba4 RAW-READ tests.
|
|
o Refuse to configure if --with-expsam=$BACKEND was used but no
|
|
libraries were found for $BACKEND.
|
|
o Move sysquotas autoconf tests to a separate file.
|
|
o Match W2K w.r.t. writelock and writeclose. Samba4 torture
|
|
tester
|
|
o Make sure that the files that contain the static_init_$subsystem;
|
|
macro get recompiled after configure by removing the object
|
|
files.
|
|
o Ensure canceling a blocking lock returns the correct error
|
|
message.
|
|
o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
|
|
o Updated Japanese welcome file in SWAT.
|
|
o Fix to nt-time <-> unix-time functions reversible.
|
|
o Ensure that winbindd uses the the escaped DN when querying
|
|
an AD ldap server.
|
|
o Fix portability issues when compiling (bug 505, 550)
|
|
o Compile fix for tdbbackup when Samba needs to override
|
|
non-C99 compliant implementations of snprintf().
|
|
o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
|
|
o Make sure we break out of samsync loop on error.
|
|
o Ensure error code path doesn't free unmalloc()'d memory
|
|
(bug 628).
|
|
o Add configure test for krb5_keytab_entry keyblock vs key
|
|
member (bug 636).
|
|
o Fixed spinlocks.
|
|
o Modified testparm so that all output so all debug output goes
|
|
to stderr, and all file processing goes to stdout.
|
|
o Fix error return code for BUFFER_TOO_SMALL in smbcacls
|
|
and smbcquotas.
|
|
o Fix "NULL dest in safe_strcpy()" log message by ensuring that
|
|
we have a devmode before copying a string to the devicename.
|
|
o Support mapping REALM.COM\user to a local user account (without
|
|
running winbindd) for compatibility with 2.2.x release.
|
|
o Ensure we don't use mmap() on blacklisted systems.
|
|
o fixed a number of bugs and memory leaks in the AIX
|
|
winbindd shim
|
|
o Call initgroups() in SWAT before becomming the user so that
|
|
secondary group permissions can be used when writing to
|
|
smb.conf.
|
|
o Fix signing problems when reverse connecting back to a
|
|
client for printer notify
|
|
o Fix signing problems caused by a miss-sequence bug.
|
|
o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
|
|
Fixes NEXUS tools running on Win9x clients (bug 64).
|
|
o Don't leave the domain field uninitialized in cli_lsa.c if some
|
|
SID could not be mapped.
|
|
o Fix segfault in mount.cifs helper when there is no options
|
|
specified during mount.
|
|
o Change the \n after the password prompt to go to tty instead
|
|
of stdout (bug 668).
|
|
o Stop net -P from prompting for machine account password (bug 451).
|
|
o Change in behavior to Not only change the effective uid but also
|
|
the real uid when becoming unprivileged.
|
|
o Cope with Exchange 5.5 cleartext pop password auth.
|
|
o New files for support of initshutdown pipe. Win2k doesn't
|
|
respond properly to all requests on the winreg pipe, so we need
|
|
to handle this new pipe (bug 534).
|
|
o Added more va_copy() checks in configure.in.
|
|
o Include fixes for libsmbclient build problems.
|
|
o Missing UNIX -> DOS codepage conversion in lanman.c.
|
|
o Allow DFMS-S filenames can now have arbitrary case (bug 667).
|
|
o Parameterize the listen backlog in smbd and make it larger by
|
|
default. A backlog of 5 is way too small these days.
|
|
o Check for an invalid fid before dereferencing the fsp pointer
|
|
(bug 696).
|
|
o Remove invalid memory frees and return codes in pdb_ldap.c.
|
|
o Prompt for password when invoking --set-auth-user and no
|
|
password is given.
|
|
o Bind the nmbd sending socket to the 'socket address'.
|
|
o Re-order link command for smbd, rpcclient and smbpasswd to ensure
|
|
$LDFLAGS occurs before any library specification (bug 661).
|
|
o Fix large number of printf() calls for 64-bit size_t.
|
|
o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
|
|
keyblock in the krb5 structs.
|
|
o Remove #include <compat.h> in hopes to avoid problems with
|
|
apache header files.
|
|
o Correct winbindd build problems on HP-UX 11.
|
|
o Lowercase netgroups lookups (bug 703).
|
|
o Use the actual size of the buffer in strftime instead of a made
|
|
up value which just happens to be less than sizeof(fstring).
|
|
(bug 713).
|
|
o Add ldaplibs to pdbedit link line (bug 651).
|
|
o Fix crash bug in smbclient completion (bug 659).
|
|
o Fix packet length for browse list reply (bug 771).
|
|
o Fix coredump in cli_get_backup_list().
|
|
o Make sure that we expand %N (bug 612).
|
|
o Allow rpcclient adddriver command to specify printer driver
|
|
version (bug 514).
|
|
o Compile tdbdump by default.
|
|
o Apply patches to fix iconv detection for FreeBSD.
|
|
o Do not allow the 'guest account' to be added to a passdb backend
|
|
using smbpasswd or pdbedit (bug 624).
|
|
o Save LDFLAGS during iconv detection (bug 57).
|
|
o Run krb5 logins through the username map if the winbindd
|
|
lookup fails (bug 698).
|
|
o Add const for lp_set_name_resolve_order() to avoid compiler
|
|
warnings (bug 471).
|
|
o Add support for the %i macro in smb.conf to stand in for the for
|
|
the local IP address to which a client connected.
|
|
o Allow winbindd to match local accounts to domain SID when
|
|
'winbind trusted domains only = yes' (bug 680).
|
|
o Remove code in idmap_ldap that searches the user suffix and group
|
|
suffix. It's not needed and provides inconsistent functionality
|
|
from the tdb backend.
|
|
o Patch to handle munged dial string for Windows 2000 TSE.
|
|
Thanks to Gaz de France, Direction de la Recherche, Service
|
|
Informatique Métier for their supporting this work by Aurelien
|
|
Degrémont <adegremont@idealx.com>.
|
|
o Correct the "smbldap_open: cannot access when not root error"
|
|
messages when looking up group information (bug 281).
|
|
o Skip over the winbind separator when looking up a user.
|
|
This fixes the bug that prevented local users from
|
|
matching an AD user when not running winbindd (bug 698).
|
|
o Fix a problem with configure on *BSD systems. Make sure
|
|
we add -liconv etc to LDFLAGS.
|
|
o Fix core dump bug when "security = server" and the authentication
|
|
server goes away.
|
|
o Correct crash bug due to an empty munged dial string.
|
|
o Show files locked by a specific user (smbstatus -u 'user')
|
|
(bug 590).
|
|
o Fix bug preventing print jobs from display in the queue
|
|
monitor used by Windows NT and later clients (bug 660).
|
|
o Fix several reported problems with point-n-print from
|
|
Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
|
|
reply (bug 338, 527 & 643).
|
|
o Fix a handful of potential memory leaks in the LDAP code used
|
|
by ldapsam[_compat] and the LDAP idmap backend.
|
|
o Fix for pdbedit error code returns (bug 763).
|
|
o Make sure we only enumerate group mapping entries (not
|
|
/etc/group) even when doing local aliases.
|
|
o Relax check on the pipe name in a dce/rpc bind response to work
|
|
around issues with establishing trusts to a Windows 2003 domain.
|
|
o Ensure we mangle names ending in '.' in hash2 mangling method.
|
|
o Correct parsing issues with munged dial string.
|
|
o Fix bugs in quota support for XFS.
|
|
o Add a cleaner method for applications that need to provide
|
|
name->SID mappings to do this via NSS rather than having to
|
|
know the winbindd pipe protocol.
|
|
o Adds a variant of the winbindd_getgroups() call called
|
|
winbindd_getusersids() that provides direct SID->SIDs listing of
|
|
a users supplementary groups. This is enough to allow non-Samba
|
|
applications to do ACL checking.
|
|
o Make sure we don't append the 'ldap suffix' when writing out the
|
|
'ldap XXX suffix' values in SWAT (bug 328).
|
|
o Fix renames across file systems.
|
|
o Ensure that items in a list of strings containing whitespace are
|
|
written out surrounded by single quotes. This means that both
|
|
double and single quotes are now used to surround strings in
|
|
smb.conf (bug 481).
|
|
o Enable SWAT to correctly determine if winbindd is running (bug
|
|
398).
|
|
o Include WWW-Authenticate field in 401 response for bad auth
|
|
attempt (bug 629).
|
|
o Add support for NTLM2 (NTLMv2 session security).
|
|
o Add support for variable-length session keys.
|
|
o More privilege fixes for group enumeration in LDAP (bug 281).
|
|
o Use the dns name (or IP) as the originating client name when
|
|
using CUPS (bug 467).
|
|
o Fix various SMB signing bugs.
|
|
o Fix ACL propagation on a DFS root (bug 263).
|
|
o Disable NTLM2 for RPC pipes.
|
|
o Allow the client to specify the NTLM2 flags got NTLMSSP
|
|
authentication.
|
|
o Change the name of the job passed off to cups from "Test Page"
|
|
to "smbprn.00000033 Test Page" so that we can get the smb
|
|
jobid back. This allow users to delete jobs with cups printing
|
|
backend (partial work on bug 770).
|
|
o Fix build of winbindd with static pdb modules.
|
|
o Retrieve the correct ACL group bits if the file has an ACL
|
|
(bug 802).
|
|
o Implement "net rpc group members": Get members of a domain group
|
|
in human-readable format.
|
|
o Add MacOSX (Darwin) specific charset module code.
|
|
o Use samr_dispinfo(level == 1) for enumerating domain users so we
|
|
can include the full name in gecos field (bug 587).
|
|
o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
|
|
o Implement 'net rpc group list [global|local|builtin]*' for a
|
|
select listing of the respective user databases.
|
|
o Don't automatically set NT status code flag unless client tells
|
|
us it can cope.
|
|
o Add 'net status [sessions|shares] [parseable]'.
|
|
o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
|
|
bug 770).
|
|
o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
|
|
(bug 608).
|
|
o Fix inverted logic in hosts allow/deny checks caused by
|
|
s/strcmp/strequal/ (bug 846).
|
|
o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
|
|
o Fix typo in 'hash' mangling algorithm.
|
|
o Support munged dial for ldapsam (bug 800).
|
|
o Fix process_incoming_data() to return the number of bytes handled
|
|
this call whether we have a complete PDU or not; fixes bug
|
|
with multiple PDU request rpc's broken over SMBwriteX calls
|
|
each.
|
|
o Fix incorrect smb flags2 for connections to pre-NT servers
|
|
(causes smbclient to fail to OS2 for example) (bug 821).
|
|
o Update version string in smbldap-tools Makefile to 0.8.2.
|
|
o Correct a problem with "net rpc vampire" mis-parsing the
|
|
alias member info reply.
|
|
o Ensure the ${libdir} is created by the installclientlib script.
|
|
o Fix detection of Windows 2003 client architecture in the smb.conf
|
|
%a variable.
|
|
o Ensure that smbd calls the add user script for a missing UNIX
|
|
user on kerberos auth call (bug 445).
|
|
o Fix bugs in hosts allow/deny when using a mismatched
|
|
network/netmask pair.
|
|
o Protect alloc_sub_basic() from crashing when the source string
|
|
is NULL (partial work on bug 687).
|
|
o Fix spinlocks on IRIX.
|
|
o Corrected some bad destination paths when running "configure
|
|
--with-fhs".
|
|
o Add packaging files for Fedora Core 1.
|
|
o Correct bug in SWAT install script for non-english languages.
|
|
o Support character set ISO-8859-1 internally (bug 558).
|
|
o Fixed more LDAP access errors when looking up group mappings
|
|
(bug 281).
|
|
o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
|
|
resolution to fail on local files on on domain members
|
|
(bug 875).
|
|
o Fix uninitialized variable in passdb.c.
|
|
o Fix formal parameter type in get_static() in nsswitch/wins.c.
|
|
o Fix problem mounting directories when mount.cifs is installed
|
|
with the setuid bit on.
|
|
o Fix bug that prevent --mandir from overriding the defaults
|
|
given in the --with-fhs macro.
|
|
o Fix bug in in-memory Kerberos keytab detection routines
|
|
in configure.in
|
|
|
|
|
|
|
|
######################################################################
|
|
|
|
The original 3.0.0 release notes follow
|
|
=======================================
|
|
WHATS NEW IN Samba 3.0.0
|
|
September 24, 2003
|
|
=======================================
|
|
|
|
|
|
Major new features:
|
|
-------------------
|
|
|
|
1) Active Directory support. Samba 3.0 is now able to
|
|
join a ADS realm as a member server and authenticate
|
|
users using LDAP/Kerberos.
|
|
|
|
2) Unicode support. Samba will now negotiate UNICODE on the wire
|
|
and internally there is now a much better infrastructure for
|
|
multi-byte and UNICODE character sets.
|
|
|
|
3) New authentication system. The internal authentication system
|
|
has been almost completely rewritten. Most of the changes are
|
|
internal, but the new auth system is also very configurable.
|
|
|
|
4) New default filename mangling system.
|
|
|
|
5) A new "net" command has been added. It is somewhat similar to
|
|
the "net" command in windows. Eventually we plan to replace
|
|
numerous other utilities (such as smbpasswd) with subcommands
|
|
in "net".
|
|
|
|
6) Samba now negotiates NT-style status32 codes on the wire. This
|
|
improves error handling a lot.
|
|
|
|
7) Better Windows 2000/XP/2003 printing support including publishing
|
|
printer attributes in active directory.
|
|
|
|
8) New loadable module support for passdb backends and character
|
|
sets.
|
|
|
|
9) New default dual-daemon winbindd support for better performance.
|
|
|
|
10) Support for migrating from a Windows NT 4.0 domain to a Samba
|
|
domain and maintaining user, group and domain SIDs.
|
|
|
|
11) Support for establishing trust relationships with Windows NT 4.0
|
|
domain controllers.
|
|
|
|
12) Initial support for a distributed Winbind architecture using
|
|
an LDAP directory for storing SID to uid/gid mappings.
|
|
|
|
13) Major updates to the Samba documentation tree.
|
|
|
|
14) Full support for client and server SMB signing to ensure
|
|
compatibility with default Windows 2003 security settings.
|
|
|
|
15) Improvement of ACL mapping features based on code donated by
|
|
Andreas Grünbacher.
|
|
|
|
|
|
Plus lots of other improvements!
|
|
|
|
|
|
Additional Documentation
|
|
------------------------
|
|
|
|
Please refer to Samba documentation tree (included in the docs/
|
|
subdirectory) for extensive explanations of installing, configuring
|
|
and maintaining Samba 3.0 servers and clients. It is advised to
|
|
begin with the Samba-HOWTO-Collection for overviews and specific
|
|
tasks (the current book is up to approximately 400 pages) and to
|
|
refer to the various man pages for information on individual options.
|
|
|
|
We are very glad to be able to include the second edition of
|
|
"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
|
|
(O'Reilly & Associates) in this release. The book is available
|
|
on-line at http://samba.org/samba/docs/ and is included with
|
|
the Samba Web Administration Tool (SWAT). Thanks to the authors and
|
|
publisher for making "Using Samba" under the GNU Free Documentation
|
|
License.
|
|
|
|
|
|
######################################################################
|
|
Upgrading from a previous Samba 3.0 beta
|
|
########################################
|
|
|
|
Beginning with Samba 3.0.0beta3, the RID allocation functions
|
|
have been moved into winbindd. Previously these were handled
|
|
by each passdb backend. This means that winbindd must be running
|
|
to automatically allocate RIDs for users and/or groups. Otherwise,
|
|
smbd will use the 2.2 algorithm for generating new RIDs.
|
|
|
|
If you are using 'passdb backend = tdbsam' with a previous Samba
|
|
3.0 beta release (or possibly alpha), it may be necessary to
|
|
move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
|
|
to winbindd_idmap.tdb. To do this:
|
|
|
|
1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
|
|
once)
|
|
2) build tdbtool by executing 'make tdbtool' in the source/tdb/
|
|
directory
|
|
3) run: (note that 'tdb>' is the tool's prompt for input)
|
|
|
|
root# ./tdbtool /usr/local/samba/private/passdb.tdb
|
|
tdb> show RID_COUNTER
|
|
key 12 bytes
|
|
RID_COUNTER
|
|
data 4 bytes
|
|
[000] 0A 52 00 00 .R.
|
|
|
|
tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
|
|
....
|
|
record moved
|
|
|
|
If you are using 'passdb backend = ldapsam', it will be necessary to
|
|
store idmap entries in the LDAP directory as well (i.e. idmap backend
|
|
= ldap). Refer to the 'net idmap' command for more information on
|
|
migrating SID<->UNIX id mappings from one backend to another.
|
|
|
|
If the RID_COUNTER record does not exist, then these instructions are
|
|
unneccessary and the new RID_COUNTER record will be correctly generated
|
|
if needed.
|
|
|
|
|
|
|
|
########################
|
|
Upgrading from Samba 2.2
|
|
########################
|
|
|
|
This section is provided to help administrators understand the details
|
|
involved with upgrading a Samba 2.2 server to Samba 3.0.
|
|
|
|
|
|
Building
|
|
--------
|
|
|
|
Many of the options to the GNU autoconf script have been modified
|
|
in the 3.0 release. The most noticeable are:
|
|
|
|
* removal of --with-tdbsam (is now included by default; see section
|
|
on passdb backends and authentication for more details)
|
|
|
|
* --with-ldapsam is now on used to provided backward compatible
|
|
parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
|
|
backend and authentication section for more details
|
|
|
|
* inclusion of non-standard passdb modules may be enabled using
|
|
--with-expsam. This includes an XML backend and a mysql backend.
|
|
|
|
* removal of --with-msdfs (is now enabled by default)
|
|
|
|
* removal of --with-ssl (no longer supported)
|
|
|
|
* --with-utmp now defaults to 'yes' on supported systems
|
|
|
|
* --with-sendfile-support is now enabled by default on supported
|
|
systems
|
|
|
|
|
|
Parameters
|
|
----------
|
|
|
|
This section contains a brief listing of changes to smb.conf options
|
|
in the 3.0.0 release. Please refer to the smb.conf(5) man page for
|
|
complete descriptions of new or modified parameters.
|
|
|
|
Removed Parameters (order alphabetically):
|
|
|
|
* admin log
|
|
* alternate permissions
|
|
* character set
|
|
* client codepage
|
|
* code page directory
|
|
* coding system
|
|
* domain admin group
|
|
* domain guest group
|
|
* force unknown acl user
|
|
* hide local users
|
|
* mangled stack
|
|
* nt smb support
|
|
* postscript
|
|
* printer driver
|
|
* printer driver file
|
|
* printer driver location
|
|
* read size
|
|
* source environment
|
|
* status
|
|
* strip dot
|
|
* total print jobs
|
|
* use rhosts
|
|
* valid chars
|
|
* vfs options
|
|
|
|
New Parameters (new parameters have been grouped by function):
|
|
|
|
Remote management
|
|
-----------------
|
|
* abort shutdown script
|
|
* shutdown script
|
|
|
|
User and Group Account Management
|
|
---------------------------------
|
|
* add group script
|
|
* add machine script
|
|
* add user to group script
|
|
* algorithmic rid base
|
|
* delete group script
|
|
* delete user from group script
|
|
* passdb backend
|
|
* set primary group script
|
|
|
|
Authentication
|
|
--------------
|
|
* auth methods
|
|
* realm
|
|
* passwd chat timeout
|
|
|
|
Protocol Options
|
|
----------------
|
|
* client lanman auth
|
|
* client NTLMv2 auth
|
|
* client schannel
|
|
* client signing
|
|
* client use spnego
|
|
* disable netbios
|
|
* ntlm auth
|
|
* paranoid server security
|
|
* server schannel
|
|
* server signing
|
|
* smb ports
|
|
* use spnego
|
|
|
|
File Service
|
|
------------
|
|
* get quota command
|
|
* hide special files
|
|
* hide unwriteable files
|
|
* hostname lookups
|
|
* kernel change notify
|
|
* mangle prefix
|
|
* map acl inherit
|
|
* msdfs proxy
|
|
* set quota command
|
|
* use sendfile
|
|
* vfs objects
|
|
|
|
Printing
|
|
--------
|
|
* max reported print jobs
|
|
|
|
UNICODE and Character Sets
|
|
--------------------------
|
|
* display charset
|
|
* dos charset
|
|
* unicode
|
|
* unix charset
|
|
|
|
SID to uid/gid Mappings
|
|
-----------------------
|
|
* idmap backend
|
|
* idmap gid
|
|
* idmap uid
|
|
* winbind enable local accounts
|
|
* winbind trusted domains only
|
|
* template primary group
|
|
* enable rid algorithm
|
|
|
|
LDAP
|
|
----
|
|
* ldap delete dn
|
|
* ldap group suffix
|
|
* ldap idmap suffix
|
|
* ldap machine suffix
|
|
* ldap passwd sync
|
|
* ldap replication sleep
|
|
* ldap user suffix
|
|
|
|
General Configuration
|
|
---------------------
|
|
* preload modules
|
|
* private dir
|
|
|
|
Modified Parameters (changes in behavior):
|
|
|
|
* encrypt passwords (enabled by default)
|
|
* mangling method (set to 'hash2' by default)
|
|
* passwd chat
|
|
* passwd program
|
|
* restrict anonymous (integer value)
|
|
* security (new 'ads' value)
|
|
* strict locking (enabled by default)
|
|
* unix extensions (enabled by default)
|
|
* winbind cache time (increased to 5 minutes)
|
|
* winbind uid (deprecated in favor of 'idmap uid')
|
|
* winbind gid (deprecated in favor of 'idmap gid')
|
|
|
|
|
|
Databases
|
|
---------
|
|
|
|
This section contains brief descriptions of any new databases
|
|
introduced in Samba 3.0. Please remember to backup your existing
|
|
${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
|
|
upgrade databases as they are opened (if necessary), but downgrading
|
|
from 3.0 to 2.2 is an unsupported path.
|
|
|
|
Name Description Backup?
|
|
---- ----------- -------
|
|
account_policy User policy settings yes
|
|
gencache Generic caching db no
|
|
group_mapping Mapping table from Windows yes
|
|
groups/SID to unix groups
|
|
winbindd_idmap ID map table from SIDS to UNIX yes
|
|
uids/gids.
|
|
namecache Name resolution cache entries no
|
|
netsamlogon_cache Cache of NET_USER_INFO_3 structure no
|
|
returned as part of a successful
|
|
net_sam_logon request
|
|
printing/*.tdb Cached output from 'lpq no
|
|
command' created on a per print
|
|
service basis
|
|
registry Read-only samba registry skeleton no
|
|
that provides support for exporting
|
|
various db tables via the winreg RPCs
|
|
|
|
|
|
Changes in Behavior
|
|
-------------------
|
|
|
|
The following issues are known changes in behavior between Samba 2.2 and
|
|
Samba 3.0 that may affect certain installations of Samba.
|
|
|
|
1) When operating as a member of a Windows domain, Samba 2.2 would
|
|
map any users authenticated by the remote DC to the 'guest account'
|
|
if a uid could not be obtained via the getpwnam() call. Samba 3.0
|
|
rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
|
|
current work around to re-establish the 2.2 behavior.
|
|
|
|
2) When adding machines to a Samba 2.2 controlled domain, the
|
|
'add user script' was used to create the UNIX identity of the
|
|
machine trust account. Samba 3.0 introduces a new 'add machine
|
|
script' that must be specified for this purpose. Samba 3.0 will
|
|
not fall back to using the 'add user script' in the absence of
|
|
an 'add machine script'
|
|
|
|
|
|
######################################################################
|
|
Passdb Backends and Authentication
|
|
##################################
|
|
|
|
There have been a few new changes that Samba administrators should be
|
|
aware of when moving to Samba 3.0.
|
|
|
|
1) encrypted passwords have been enabled by default in order to
|
|
inter-operate better with out-of-the-box Windows client
|
|
installations. This does mean that either (a) a samba account
|
|
must be created for each user, or (b) 'encrypt passwords = no'
|
|
must be explicitly defined in smb.conf.
|
|
|
|
2) Inclusion of new 'security = ads' option for integration
|
|
with an Active Directory domain using the native Windows
|
|
Kerberos 5 and LDAP protocols.
|
|
|
|
MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
|
|
type which is neccessary for servers on which the
|
|
administrator password has not been changed, or kerberos-enabled
|
|
SMB connections to servers that require Kerberos SMB signing.
|
|
Besides this one difference, either MIT or Heimdal Kerberos
|
|
distributions are usable by Samba 3.0.
|
|
|
|
|
|
Samba 3.0 also includes the possibility of setting up chains
|
|
of authentication methods (auth methods) and account storage
|
|
backends (passdb backend). Please refer to the smb.conf(5)
|
|
man page for details. While both parameters assume sane default
|
|
values, it is likely that you will need to understand what the
|
|
values actually mean in order to ensure Samba operates correctly.
|
|
|
|
The recommended passdb backends at this time are
|
|
|
|
* smbpasswd - 2.2 compatible flat file format
|
|
* tdbsam - attribute rich database intended as an smbpasswd
|
|
replacement for stand alone servers
|
|
* ldapsam - attribute rich account storage and retrieval
|
|
backend utilizing an LDAP directory.
|
|
* ldapsam_compat - a 2.2 backward compatible LDAP account
|
|
backend
|
|
|
|
Certain functions of the smbpasswd(8) tool have been split between the
|
|
new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
|
|
utility. See the respective man pages for details.
|
|
|
|
|
|
######################################################################
|
|
LDAP
|
|
####
|
|
|
|
This section outlines the new features affecting Samba / LDAP
|
|
integration.
|
|
|
|
New Schema
|
|
----------
|
|
|
|
A new object class (sambaSamAccount) has been introduced to replace
|
|
the old sambaAccount. This change aids us in the renaming of
|
|
attributes to prevent clashes with attributes from other vendors.
|
|
There is a conversion script (examples/LDAP/convertSambaAccount) to
|
|
modify and LDIF file to the new schema.
|
|
|
|
Example:
|
|
|
|
$ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
|
|
$ convertSambaAccount --sid=<Domain SID> \
|
|
--input=sambaAcct.ldif --output=sambaSamAcct.ldif \
|
|
--changetype=[modify|add]
|
|
|
|
The <DOM SID> can be obtained by running 'net getlocalsid
|
|
<DOMAINNAME>' on the Samba PDC as root. The changetype determines
|
|
the format of the generated LDIF output--either create new entries
|
|
or modify existing entries.
|
|
|
|
The old sambaAccount schema may still be used by specifying the
|
|
"ldapsam_compat" passdb backend. However, the sambaAccount and
|
|
associated attributes have been moved to the historical section of
|
|
the schema file and must be uncommented before use if needed.
|
|
The 2.2 object class declaration for a sambaAccount has not changed
|
|
in the 3.0 samba.schema file.
|
|
|
|
Other new object classes and their uses include:
|
|
|
|
* sambaDomain - domain information used to allocate rids
|
|
for users and groups as necessary. The attributes are added
|
|
in 'ldap suffix' directory entry automatically if
|
|
an idmap uid/gid range has been set and the 'ldapsam'
|
|
passdb backend has been selected.
|
|
|
|
* sambaGroupMapping - an object representing the
|
|
relationship between a posixGroup and a Windows
|
|
group/SID. These entries are stored in the 'ldap
|
|
group suffix' and managed by the 'net groupmap' command.
|
|
|
|
* sambaUnixIdPool - created in the 'ldap idmap suffix' entry
|
|
automatically and contains the next available 'idmap uid' and
|
|
'idmap gid'
|
|
|
|
* sambaIdmapEntry - object storing a mapping between a
|
|
SID and a UNIX uid/gid. These objects are created by the
|
|
idmap_ldap module as needed.
|
|
|
|
* sambaSidEntry - object representing a SID alone, as a Structural
|
|
class on which to build the sambaIdmapEntry.
|
|
|
|
|
|
New Suffix for Searching
|
|
------------------------
|
|
|
|
The following new smb.conf parameters have been added to aid in directing
|
|
certain LDAP queries when 'passdb backend = ldapsam://...' has been
|
|
specified.
|
|
|
|
* ldap suffix - used to search for user and computer accounts
|
|
* ldap user suffix - used to store user accounts
|
|
* ldap machine suffix - used to store machine trust accounts
|
|
* ldap group suffix - location of posixGroup/sambaGroupMapping entries
|
|
* ldap idmap suffix - location of sambaIdmapEntry objects
|
|
|
|
If an 'ldap suffix' is defined, it will be appended to all of the
|
|
remaining sub-suffix parameters. In this case, the order of the suffix
|
|
listings in smb.conf is important. Always place the 'ldap suffix' first
|
|
in the list.
|
|
|
|
Due to a limitation in Samba's smb.conf parsing, you should not surround
|
|
the DN's with quotation marks.
|
|
|
|
|
|
IdMap LDAP support
|
|
------------------
|
|
|
|
Samba 3.0 supports an ldap backend for the idmap subsystem. The
|
|
following options would inform Samba that the idmap table should be
|
|
stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
|
|
dc=org" partition.
|
|
|
|
[global]
|
|
...
|
|
idmap backend = ldap:ldap://onterose/
|
|
ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
|
|
idmap uid = 40000-50000
|
|
idmap gid = 40000-50000
|
|
|
|
This configuration allows winbind installations on multiple servers to
|
|
share a uid/gid number space, thus avoiding the interoperability problems
|
|
with NFS that were present in Samba 2.2.
|
|
|
|
|
|
|
|
######################################################################
|
|
Trust Relationships and a Samba Domain
|
|
######################################
|
|
|
|
Samba 3.0.0beta2 is able to utilize winbindd as the means of
|
|
allocating uids and gids to trusted users and groups. More
|
|
information regarding Samba's support for establishing trust
|
|
relationships can be found in the Samba-HOWTO-Collection included
|
|
in the docs/ directory of this release.
|
|
|
|
First create your Samba PDC and ensure that everything is
|
|
working correctly before moving on the trusts.
|
|
|
|
To establish Samba as the trusting domain (named SAMBA) from a Windows NT
|
|
4.0 domain named WINDOWS:
|
|
|
|
1) create the trust account for SAMBA in "User Manager for Domains"
|
|
2) connect the trust from the Samba domain using
|
|
'net rpc trustdom establish GLASS'
|
|
|
|
To create a trustlationship with SAMBA as the trusted domain:
|
|
|
|
1) create the initial trust account for GLASS using
|
|
'smbpasswd -a -i GLASS'. You may need to create a UNIX
|
|
account for GLASS$ prior to this step (depending on your
|
|
local configuration).
|
|
2) connect the trust from a WINDOWS DC using "User Manager
|
|
for Domains"
|
|
|
|
Now join winbindd on the Samba PDC to the SAMBA domain using
|
|
the normal steps for adding a Samba server to an NT4 domain:
|
|
(note that smbd & nmbd must be running at this point)
|
|
|
|
root# net rpc join -U root
|
|
Password: <enter root password from smbpasswd file here>
|
|
|
|
Start winbindd and test the join with 'wbinfo -t'.
|
|
|
|
Now test the trust relationship by connecting to the SAMBA DC
|
|
(e.g. POGO) as a user from the WINDOWS domain:
|
|
|
|
$ smbclient //pogo/netlogon -U Administrator -W WINDOWS
|
|
Password:
|
|
|
|
Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
|
|
|
|
$ smbclient //crystal/netlogon -U root -W WINDOWS
|
|
Password:
|
|
|
|
######################################################################
|
|
Changes in Winbind
|
|
##################
|
|
|
|
Beginning with Samba3.0.0beta3, winbindd has been given new account
|
|
manage functionality equivalent to the 'add user script' family of
|
|
smb.conf parameters. The idmap design has also been changed to
|
|
centralize control of foreign SID lookups and matching to UNIX
|
|
uids and gids.
|
|
|
|
|
|
Brief Description of Changes
|
|
----------------------------
|
|
|
|
1) The sid_to_uid() family of functions (smbd/uid.c) have been
|
|
reverted to the 2.2.x design. This means that when resolving a
|
|
SID to a UID or similar mapping:
|
|
|
|
a) First consult winbindd
|
|
b) perform a local lookup only if winbindd fails to
|
|
return a successful answer
|
|
|
|
There are some variations to this, but these two rules generally
|
|
apply.
|
|
|
|
2) All idmap lookups have been moved into winbindd. This means that
|
|
a server must run winbindd (and support NSS) in order to achieve
|
|
any mappings of SID to dynamically allocated UNIX ids. This was
|
|
a conscious design choice.
|
|
|
|
3) New functions have been added to winbindd to emulate the 'add user
|
|
script' family of smbd functions without requiring that external
|
|
scripts be defined. This functionality is controlled by the 'winbind
|
|
enable local accounts' smb.conf parameter (enabled by default).
|
|
|
|
However, this account management functionality is only supported
|
|
in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
|
|
must be shared among multiple Samba servers (such as a PDC and BDCs),
|
|
it will be necessary to define your own 'add user script', et. al.
|
|
programs that place the accounts/groups in some form of directory
|
|
such as NIS or LDAP. This requirement was deemed beyond the scope
|
|
of winbind's account management functions. Solutions for
|
|
distributing UNIX system information have been deployed and tested
|
|
for many years. We saw no need to reinvent the wheel.
|
|
|
|
4) A member of a Samba controlled domain running winbindd is now able
|
|
to map domain users directly onto existing UNIX accounts while still
|
|
automatically creating accounts for trusted users and groups. This
|
|
behavior is controlled by the 'winbind trusted domains only' smb.conf
|
|
parameter (disabled by default to provide 2.2.x winbind behavior).
|
|
|
|
5) Group mapping support is wrapped in the local_XX_to_XX() functions
|
|
in smbd/uid.c. The reason that group mappings are not included
|
|
in winbindd is because the purpose of Samba's group map is to
|
|
match any Windows SID with an existing UNIX group. These UNIX
|
|
groups can be created by winbindd (see next section), but the
|
|
SID<->gid mapping is retreived by smbd, not winbindd.
|
|
|
|
|
|
Examples
|
|
--------
|
|
|
|
* security = server running winbindd to allocate accounts on demand
|
|
|
|
* Samba PDC running winbindd to handle the automatic creation of UNIX
|
|
identities for machine trust accounts
|
|
|
|
* Automtically creating UNIX user and groups when migrating a Windows NT
|
|
4.0 PDC to a Samba PDC. Winbindd must be running when executing
|
|
'net rpc vampire' for this to work.
|
|
|
|
|
|
######################################################################
|
|
Known Issues
|
|
############
|
|
|
|
* There are several bugs currently logged against the 3.0 codebase
|
|
that affect the use of NT 4.0 GUI domain management tools when run
|
|
against a Samba 3.0 PDC. This bugs should be released in an early
|
|
3.0.x release.
|
|
|
|
Please refer to https://bugzilla.samba.org/ for a current list of bugs
|
|
filed against the Samba 3.0 codebase.
|
|
|
|
|
|
######################################################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical IRC channel on irc.freenode.net.
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored.
|
|
|
|
A new bugzilla installation has been established to help support the
|
|
Samba 3.0 community of users. This server, located at
|
|
https://bugzilla.samba.org/, has replaced the older jitterbug server
|
|
previously located at http://bugs.samba.org/.
|
|
|