- =================================
- Release Notes for Samba 3.0.3pre1
- March 19, 2004
- =================================
-
-This is a preview release of the Samba 3.0.3 code base and is
-provided for testing only. This release is *not* intended for
-production servers. Use at your own risk.
-
-There have been several bug fixes since the 3.0.2a release that
-we feel are important to make available to the Samba community
-for wider testings. See the "Changes" section for details on
-exact updates.
-
-Common bugs fixed in this preview release include:
-
- o Crash bugs and change notify issues in Samba's
- printing code.
- o Honoring secondary group membership on domain
- member servers.
- o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST
- flag.
-
-New features introduced in this preview release include:
+ =============================
+ Release Notes for Samba 3.0.6
+ Aug 19, 2004
+ =============================
- o Improved support for i18n character sets.
- o Support for account lockout policy based on
- bad password attempts.
- o Improved support for long password changes (>14
- characters) and strong password enforcement.
- o Continued work on support Windows aliases (i.e.
- nested groups).
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several issues fixes since
+the 3.0.4/5 release and new features have been added as well.
+See the "Changes" section for details on exact updates.
+
+Common bugs fixed in 3.0.6 include:
+
+ o Schannel failure in winbindd.
+ o Numerous memory leaks.
+ o Incompatibilities between the 'write list' and 'force user'
+ smb.conf options.
+ o Premature optimization of the open_directory() internal
+ function that broke tools such as the ArcServe backup
+ agent, Macromedia HomeSite, and Robocopy.
+ o Corrupt workgroup names in nmbd's browse.dat.
+ o Sharing violation errors commonly seen when opening
+ when serving Microsoft Office documents from a Samba
+ file share.
+ o Browsing problems caused by an apostrophe (') in the
+ computer's description field.
+ o Problems creating special file types from UNIX CIFS
+ clients and enabling 'unix extensions'.
+ o Fix stalls in smbd caused by inaccessible LDAP servers.
+ o Remove various memory leaks.
+ o Fix issues in the password lockout feature.
+
+New features introduced in this release include:
+
+ O Support symlinks created by CIFS clients which
+ can be followed on the server.
+ o Using a cups server other than localhost.
+ o Maintaining the service principal entry in the system
+ keytab for integration with other kerberized services.
+ Please refer to the 'use kerberos keytab' entry in
+ smb.conf(5). When using the heimdal kerberos libraries,
+ you must also specify the following in /etc/krb5.conf:
+ [libdefaults]
+ default_keytab_name = FILE:/etc/krb5.keytab
+ o Support for maintaining individual printer names
+ stored separately from the printer's sharename.
+ o Support for maintaining user password history.
+ o Support for honoring the logon times for user in a
+ Samba domain.
+
+--------------------------------------------
+unix extensions = yes (default) and symlinks
+--------------------------------------------
+
+Beginning with Samba 3.0.6pre1 (formerly known as 3.0.5pre1),
+clients supporting the UNIX extensions to the CIFS protocol
+can create symlinks to absolute paths which will be **followed**
+by the server. This functionality has been requested in order
+to correctly support certain applications when the user's home
+directory is mounted using some type of CIFS client (e.g. the
+cifsvfs in the Linux 2.6 kernel).
+
+If this behavior is not acceptable for your production environment
+you can set 'wide links = no' in the specific share declaration in
+the server's smb.conf. Be aware that disabling wide link support
+out of a share in Samba may impact the server's performance due
+to the fact that smbd will now have to check each path additional
+times before traversing it.
+
+------------------------
+Password History Support
+------------------------
+
+The new password history feature allows smbd to check the new
+password in password change requests against a list of the user's
+previous passwords. The number of previous passwords to save can
+be set using pdbedit (4 in this example):
+ root# pdbedit -P "password history" -C 4
+When using the ldapsam passdb backend, it is vital to secure the
+following attributes from access by non-administrative users:
+
+ * sambaNTPassword
+ * sambaLMPassword
+ * sambaPasswordHistory
+
+You should refer to your directory server's documentation on how
+to implement this restriction.
+
######################################################################
Changes
#######
+
+Changes since 3.0.6rc2
+----------------------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure we return the same ACL revision on the wire that
+ W2K3 does.
+ * BUG 1578: Hardcode replacement for invalid characters as '_'
+ (based on fix from Alexander E. Patrakov <patrakov@ums.usu.ru>).
+ * Fix hashed password history for LDAP backends.
+ * Enforce logon hours restrictions if confiogured (based on code
+ from Richard Renard <rrenard@idealx.com>).
+ * BUG 1606: Force smbd to disable sendfile with DOS clients
+ and ensure that the chained header is filled in for ...&X
+ commands.
+ * BUG 1602: Fix access to shares when all symlink support
+ has been disabled.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Tighten the cache consistency with the ntprinters.tdb entry
+ an the in memory cache associated with open printer handles.
+ * Make sure that register_messages_flags() doesn't overwrite
+ the originally registered flags.
+
+
+o Guenther Deschner <gd@sernet.de>
+ * Correct infinite loop in pam_winbind's verification of
+ group membership in the 'other sids' field in the user_info3
+ struct.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * prevent infinite recusion in reopen_logs() when expanding
+ the smb.conf variable %I.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Improved NT->AFS ACL mapping VFS module.
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * Mandrake packaging fixes.
+
+
+o Lars Mueller <lmuelle@suse.de>
+ * Fix compiler warnings in the kerberos client code.
+
+
+o James Peach <jpeach@sgi.com>
+ * Prevent smbd from attempting to use sendfile at all if it is
+ not supported by the server's OS.
+ * Allow SWAT to search for index.html when serving html files
+ in a directory.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * BUG 1474: Fix build of --with-expsam stuff on Solaris.
+
+
+Changes since 3.0.5
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups server New
+ defer sharing violations New
+ force unknown acl user New
+ ldap timeout New
+ printcap cache time New
+ use kerberos keytab New
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Correct path parsing bug that broke DeletePrinterDriverEx().
+ * Fix bugs in check_path_syntax() caught by asserts.
+ * Internal change - rearrange internal global case setting
+ variables to a per connection basis.
+ * BUG 1345: Fix premature optimization in unix_convert().
+ * Allow clients to truncate a locked file.
+ * BUG 1319: Always check to see if a user as write access
+ to a share, even when 'force user' is set.
+ * Fix specific case of open that doesn't cause oplock break,
+ or share mode check.
+ * Correct sid type is WKN_GROUP, not alias. Added some
+ more known types (inspired by patch from Jianliang Lu).
+ * Allow creation of absolute symlink paths via CIFS clients.
+ * Fix charset bug in when invoking send_mailslot().
+ * When using widelinks = no, use realpath to canonicalize
+ the connection path on connection create for the user.
+ * Enhance stat open code.
+ * Fix unix extensions mknod code path.
+ * Allow unix domain socket creation via unix extensions.
+ * Auto disable the 'store dos attribute' parameter if the
+ underlying filesystem doesn't support EAs.
+ * Implement deferred open code to fix a bug with Excel files
+ on Samba shares.
+ * BUG 1427: Catch bad path errors at the right point. Ensure
+ all our pathname parsing is consistent.
+ * Fix SMB signing error introduced by the new deferred open
+ code.
+ * Change default setting for case sensitivity to "auto". (see
+ commit message -- r1154 -- for details).
+ * Add new remote client arch -- CIFSFS.
+ * Allow smbd to maintain the service principal entry in the
+ system keytab file (based on patch Dan Perry <dperry@pppl.gov>,
+ Guenther Deschner, et. al.).
+ * Fix longstanding memleak bug with logfile name.
+ * Fix incorrect type in printer publishing (struct uuid,
+ not UUID_FLAT).
+ * Heimdal compile fixes after introduction of the new ketyab
+ feature.
+ * Ensure we check attributes correctly on rename request.
+ * Ensure we defer a sharing violation on rename correctly.
+ * BUG 607: Ensure we remove DNS and DNSFAIL records immediately
+ on timeout.
+ * Fix bogus error message when using "mangling method = hash"
+ rather than hash2.
+ * Turn on sendfile by default for non-Win9x clients.
+ * Handle non-io opens that cause oplock breaks correctly.
+ * Ensure ldap replication sleep time is not more than 5 seconds.
+ * Add support for storing a user's password history.
+ LDAP portion of the code was based on a patch from
+ Jianliang Lu <j.lu@tiesse.com>.
+ * Correct memory leaks found in the password change code.
+ * Fix support for the mknod command with the Linux CIFS client.
+ * Remove support for passing the new password to smbpasswd
+ on the command line without using the -s option.
+ * Ensure home directory service number is correctly reused
+ (inspired by patches from Michael Collin Nielsen
+ <michael@hum.aau.dk>).
+ * Fix to stop printing accounts from resetting the bas
+ password and account lockout flags.
+ * If a account was locked out by an admin (and has a bad
+ password count of zero) leave it locked out until an admin
+ unlocks it (but log a message).
+
+
+o Tom Alsberg <alsbergt@cs.huji.ac.il>
+ * Allow pdbedit to export a single user from a passdb backend.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix parsing bug in GetDomPwInfo().
+ * Fix segfault in 'ntlm_auth --diagnostics'.
+ * Re-enable code to allow sid_to_gid() to perform a group
+ mapping lookup before checking with winbindd.
+ * Fix memory leak in the trans2 signing code.
+ * Allow more flexible GSS-SPENGO client and server operation
+ in ntlm_auth.
+ * Improve smbd's internal random number generation.
+ * Fix a few outstanding long password changes in smbd.
+ * Fix LANMAN2 session setup code.
+
+
+o Eric Boehm <boehm@nortelnetworks.com>
+ BUG 703: Final touches on netgroup case lookups.
+
+
+o Jerome Borsboom <j.borsboom@erasmusmc.nl>
+ * Ensure error status codes don't get overwritten in
+ lsa_lookup_sids() server code.
+ * Correct bug that caused smbd to overwrite certain error
+ codes when returning up the call stack.
+ * Ensure the correct sid type returned for builtin sids.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fix a few bugs in the Fedora Packaging files.
+ * Fix for setting the called name to by our IP if the
+ called name was *SMBSERVER and *SMBSERV. Fixes issue
+ with connecting to printers via \\ip.ad.dr.ess\printer
+ UNC path.
+ * BUG 1315: fix for schannel client connections to servers
+ when we haven't specifically negotiated AUTH_PIPE_SEAL.
+ * Allow PrinterDriverData valuenames with embedded backslashes
+ (Fixes bug with one of the Konica Fiery drivers).
+ * Fixed string length miscalculation in netbios names that
+ resulted in corrupt workgroup names in browse.dat.
+ * When running smbd as a daemon, launch child smbd to update
+ the lpq cache listing in the background.
+ * Allow printers "Printers..." folder to be renamed to a string
+ other than the share name.
+ * Allow winbindd to use domain trust account passwords when
+ running on a Samba DC to establish an schannel to remote
+ domains.
+ * Fix bad merge and ensure that we always use tdb_open_log()
+ instead of tdb_open_ex() (the former call enforce the 'use
+ mmap' parameter).
+ * BUG 1221: revert old change that used single and double
+ quotes as delimeters in next_token(), and change
+ print_parameter() to print out parm values surrounded by
+ double quotes (instead of single quotes).
+ * Prevent home directories added during the SMBsesssetup&X from
+ being removed as unused services.
+ * Invalidate the print object cache for open printer handles when
+ smbd receives a message that an attribute on a given printer
+ has been changed.
+ * Cause the configure script to exit if --enable-cups[=yes] is
+ defined and the system does not have the cups devel files
+ installed.
+ * BUG 1297: Prevent map_username() from being called twice
+ during logon.
+ * Ensure that we use the userPrincipalName AD attribute
+ value for LDAP SASL binds.
+ * Ensure we remove the tdb entry when deleting a job that
+ is being spooled.
+ * BUG 1520: Work around bug in Windows XP SP2 RC2 where the
+ client sends a FindNextPrintChangeNotify() request without
+ previously sending a FindFirstPrintChangeNotify(). Return
+ the same error code as Windows 2000 SP4.
+ * BUG 1516: Manually declare ldap_open_with_timeout() to
+ workaround compiler errors on IRIX (or other systems without
+ LDAP headers).
+ * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from
+ 3.0.5.
+ * Corrected syntax error in the OID for sambaUnixIdPool,
+ sambaSidEntry, & sambaIdmapEntry object classes.
+
+
+o Fabien Chevalier <fabien.chevalier@supelec.fr>
+ * Debian BUG 252591: Ensure that the return value from the
+ number of available interfaces is initialized in case no
+ interfaces are actually available.
+
+
+o Guenther Deschner <gd@sernet.de>
+ * Implement 'rpcclient setprintername'.
+ * Add local groups to the user's NT_TOKEN since they are
+ actually supported now.
+ * Heimdal compile fixes after introduction of the new keytab
+ feature.
+ * Correctly honor the info level parameter in 'rpcclient
+ enumprinters'.
+ * Reintroduce 'force unknown acl user' parameter. When getting a
+ security descriptor for a file, if the owner sid is not known,
+ the owner uid is set to the current uid. Same for group sid.
+ * Ensure that REG_SZ values in the SetPrinterData actually
+ get written in UNICODE strings rather than ASCII.
+ * Ensure that the last kerberos error return is not invalid.
+ * Display share ACL entries from rpcclient.
+
+
+o Fabian Franz <FabianFranz@gmx.de>
+ * Support specifying a port in the device URL passed to smbspool.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Handle -S and user mount parms in mount.cifs.
+ * Fix user unmount of shares mount with suid mount.cifs.
+
+
+o Bjoern Jacke <bj@sernet.de>
+ * Install libsmbclient into $(LIBDIR), not into hard coded
+ ${prefix}/lib. This helps amd64 systems with /lib and /lib64
+ and an explicit configure --libdir setting.
+
+
+o <kawasa_r@itg.hitachi.co.jp>
+ * Correct more memory leaks and initialization bugs.
+ * Fix bug that prevented core dumps from being generated
+ even if you tried.
+ * Connect to the winbind pipe in non-blocking mode to
+ prevent processes from hanging.
+ * Memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix crash bug in libsmbclient.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Added vfs_full_audit module.
+ * Add vfs_afsacl.c which can display & set AFS acls via
+ the NT security editor.
+ * Fix crash bug caused by trying to Base64 encode a NULL string.
+ * Fix DOS error code bug in reply_chkpath().
+ * Correct misunderstanding of the max_size field in
+ cli_samr_enum_als_groups; it is more like an account_control
+ field with individual bits what to retrieve.
+ * Implement 'net rpc group rename' -- rename domain groups.
+ * Implement the 'cups server' option. This makes it possible
+ to have virtual smbd's connect to different cups daemons.
+ * Paranoia fixes when adding local aliases to a user's NT_TOKEN.
+ * Fix sid_to_gid() calls in winbindd to prevent loops.
+ * Ensure that local_sid_to_gid() sets the type of the group on
+ return.
+ * Make sure that the clients are given back the IP address to
+ which they connected in the case of a multi-homed host. Only
+ affects strings the spoolss printing replies.
+ * Fix the bad password lockout. This has not worked as pdb_ldap.c
+ did not ask for the modifyTimestamp attribute, so it could
+ not find it. Try not to regress by not putting that attrib
+ in the main list but append it manually for the relevant searches.
+ * Fix two memleaks in login_cache.c.
+ * fixes memory bloat when unmarshalling strings.
+ * Fix compile errors using gcc 3.2 on SuSE 8.2.
+ * Fix the build for systems without kerberos headers.
+ * Allow winbindd to handle authentication requests only when
+ started without either an 'idmap uid' or 'idmap gid' range.
+ * Fix the build for systems without ldap headers.
+ * Fix interaction between share security descriptor and the
+ 'read only' smb.conf option.
+ * Fix bug that caused _samr_lookupsids() with more than 32 (
+ MAX_REF_DOMAINS) SIDs to fail.
+ * Allow the 'idmap backend' parameter to accept a list of
+ LDAP servers for failover purposes.
+ * Revert code in smbd to remove a tdb when it has become
+ corrupted.
+ * Add paranoid checks when mapping SIDs to a uid/gid to
+ ensure that the type is correct.
+ * Initial work on getting client support for sending mailslot
+ datagrams.
+ * Add 'ldap timeout' parameter.
+ * Dont always uppercase 'afs username map'.
+ * Expand aliases for getusersids as well.
+
+
+o Herb Lewis <herb@samba.org>
+ * Add the acls debug class.
+ * Fix logic bug in netbios name truncate routine.
+ * Fix smbd crash caused by smbtorture IOCTL test.
+ * Fix errno tromping before calling iconv to reset the
+ conversion state.
+ * need to leave empty dacl so we can remove last ACE.
+
+
+o Jianliang Lu <Jianliang.Lu@getronics.com>
+ * Fix to stop smbd hanging on missing group member in
+ get_memberuids().
+ * Make sure Samba returns the correct group types.
+ * Reset the bad password count password counts upon a successful login.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1279: SMBjobid fix for Samba print servers running on
+ Big-Endian platforms.
+
+
+o Joe Meadows <jameadows@webopolis.com>
+ * Add optional timeout parameter to ldap open calls.
+ * Allow get_dc_list() to check the negative cache.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 1385: Don't use non-consts in a structure initialization.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * fix a configure logic bug for linux/XFS quotas when
+ using --with-sys-quotas.
+ * Use quota debug class in quota code.
+ * print out the SVN revision by configure,
+
+
+o Lars Mueller <lmuelle@suse.de>
+ * BUG 1279: Added 'printcap cache time' parameter.
+ * Fix afs related build issues on SuSE.
+
+
+o James Peach <jpeach@sgi.com>
+ * More iconv detection fixes for IRIX.
+ * Compile fixed for systems that do not have C99/UNIX98 compliant
+ vsnprintf by default.
+
+
+o Dan Peterson
+ * Implement NFS quota support on FreeBSD.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 1360: Use -Bsymbolic when creating shared libraries to
+ avoid conflicts with identical symbols in the global namespace
+ when loading libnss_wins.so.
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Save the current password as it is being changed into the
+ password history list.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix error return codes on some lock messages.
+ * BUG 1178: Make the libsmbclient routines callable
+ by C++ programs.
+ * BUG 1333: Make sure we return an error code when
+ things go wrong.
+ * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when
+ share mode locking requests fail.
+
+
+o Simo Source <idra@samba.org>
+ * Update Debian stable & unstable packaging.
+ * Tidy up parametric options in testparm output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add sigchild handling to winbindd to restart the child
+ daemon if necessary.
+
+
+o Tom Shaw <tomisfaraway@gmail.com>
+ * Use winbindd_fill_pwent() consistently.
+
+
+o Nick Thompson <nickthompson@agere.com>
+ * Protect smbd against broken filesystems which return zero
+ blocksize.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fixed bug in handling of timeout in socket connections.
+
+
+o Nick Wellnhofer <wellnhofer@aevum.de>
+ * Prevent lp_interfaces() list from being corrupted. Fixes
+ bug where nmbd would lose the list of network interfaces
+ on the system and consequently shutdown.
+
+
+o James Wilkinson <jwilk@alumni.cse.ucsc.edu>
+ * Fix ntlm_auth memory leaks.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Additional NT status to unix error mappings.
+ * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't
+ get duplicate symbol errors.
+ * Return an error when the last command read from stdin
+ fails in smbclient.
+ * Prepare for better error checking in tar.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.5
+ July 20, 2004
+ =============================
+
+Please note that Samba 3.0.5 is identical to Samba 3.0.4 with
+the exception of correcting the two security issues outlined
+below.
+
+######################## SECURITY RELEASE ########################
+
+Summary: Multiple Potential Buffer Overruns in Samba 3.0.x
+CVE ID: CAN-2004-0600, CAN-2004-0686
+ (http://cve.mitre.org/)
+
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes.
+
+It has been confirmed that versions of Samba 3 prior to v3.0.4
+are vulnerable to two potential buffer overruns. The individual
+details are given below.
+
+-------------
+CAN-2004-0600
+-------------
+
+Affected Versions: Samba 3.0.2 and later
+
+The internal routine used by the Samba Web Administration
+Tool (SWAT v3.0.2 and later) to decode the base64 data
+during HTTP basic authentication is subject to a buffer
+overrun caused by an invalid base64 character. It is
+recommended that all Samba v3.0.2 or later installations
+running SWAT either (a) upgrade to v3.0.5, or (b) disable
+the swat administration service as a temporary workaround.
+
+This same code is used internally to decode the
+sambaMungedDial attribute value when using the ldapsam
+passdb backend. While we do not believe that the base64
+decoding routines used by the ldapsam passdb backend can
+be exploited, sites using an LDAP directory service with
+Samba are strongly encouraged to verify that the DIT only
+allows write access to sambaSamAccount attributes by a
+sufficiently authorized user.
+
+The Samba Team would like to heartily thank Evgeny Demidov
+for analyzing and reporting this bug.
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 3.0.0 and later
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Please be aware
+that the default setting for this parameter is 'mangling method
+= hash2' and therefore not vulnerable.
+
+Affected Samba 3 installations can avoid this possible security
+bug by using the default hash2 mangling method. Server
+installations requiring the hash mangling method are encouraged
+to upgrade to Samba 3.0.5.
+
+
+##################################################################
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.4
+ May 8, 2004
+ =============================
+
+Common bugs fixed in Samba 3.0.4 include:
+
+ o Password changing after applying the patch described in
+ the Microsoft KB828741 article to Windows clients.
+ o Crashes in smbd.
+ o Managing print jobs via Windows on Big-Endian servers.
+ o Several memory leaks in winbindd and smbd.
+ o Compile issues on AIX and *BSD.
+
+Changes since 3.0.3
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix path processing for DeletePrinterDriverEx().
+ * BUG 1303: Fix for Microsoft hotfix MS04-011 password change
+ breakage.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix alignment bug in GetDomPwInfo().
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix utime[s]() issues in smbwrapper on systems
+ that can boot both the 2.4 and 2.6 Linux kernels.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fedora packaging fixes.
+ * BUG 1302: Fix seg fault by not trying to optimize a list of
+ invalid gids using the wrong array size.
+ * BUG 1309: fix seg fault caused by trying to strdup(NULL)
+ seen when 'security = share'.
+ * Fix problems when using IBM's compiler on AIX.
+ * Link Developer's Guide, Example Guide, and multi-page HOWTO
+ into SWAT's welcome page.
+ * BUG 1293: fix double free in printer publishing code.
+
+
+o Wim Delvaux <wim.delvaux@adaptiveplanet.com>
+ * Fix for handling timeouts in socket connections.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * BUG 483: patch from to fix password hash creation in SWAT.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Close the open NT pipes before the tdis.
+ * Fix AFS related build issues.
+ * Handle error conditions when base64 encoding a blob of 0 bytes.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added 'acls' debug class.
+
+o kawasa_r@itg.hitachi.co.jp
+ * Multiple variable initialization and memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix string length bug in libsmbclient that caused KDE's
+ Konqueror to crash.
+ * BUG 429: More libsmbclient fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1007, 1279: Store the print job using a little-endian key.
+
+
+o Eric Mertens
+ o Compile fix for OpenBSD (ENOTSUP not supported).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Correct bug in disks quota views from explorer.
+
+
+o Tim Potter <tpot@samba.org>
+ BUG 1305: Correct debug output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix incorrect error code mapping.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Add additional NT_STATUS errorm mappings.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
Changes since 3.0.2a
--------------------
smb.conf changes
Parameter Name Action
-------------- ------
+ cups options New
+ ea support New
only user Deprecated
- use cracklib New
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details. The list of changes per contributor are as follows:
-
-
commits
-------
no '\' as second byte (based on work by ab@samba.org.
* Fix the "dfs self-referrals as anonymous user" problem
(based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
o Timur Bakeyev <timur@com.bat.ru>
* BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
-
o Craig Barratt <cbarratt@users.sourceforge.net>
* BUG 389: Allow multiple exclude arguments with smbclient
tar -Xr options (better support for Amanda backup client).
-o Andrew Bartlet <abartlet@samba.org>
+o Andrew Bartlett <abartlet@samba.org>
* Include support for linking with cracklib for enforcing strong
password changes.
* Add support for >14 character password changes from Windows
LDAP DIT.
* Implement python unit tests for Samba's multibyte string
support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
-
+
o Alexander Bokovoy <ab@samba.org>
* Fix incorrect size calculation of the directory name
in recycle.so.
* Fix problems with very long filenames in both smbd and smbclient
caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
-o Gerald (Jerry) Carter <jerry@samba.org>
- * Fix 'make installmodules' bug on True64.
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
* BUG 66: mark 'only user' deprecated.
* Remove corrupt tdb and shutdown (only for printing tdbs,
connections, sessionid & locking).
the username map.
* Fix client rpc binds for ASU derived servers (pc netlink,
etc...).
-
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
o Robert Dahlem <Robert.Dahlem@gmx.net>
* BUG 1048: Don't return short names when when 'mangled names = no'
overwritten by other fields.
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
o Steve French <sfrench@us.ibm.com>
* Update mount.cifs to version 1.1.
* Disable dev (MS_NODEV) on user mounts from cifs vfs.
* Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
o SATOH Fumiyasu <fumiya@miraclelinux.com>
* Patch from to internally count characters correctly.
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
o Chris Hertel <crh@samba.org>
* fix enumeration of shares 12 characters in length via
smbclient.
+
o Ulrich Holeschak <ulrich@holeschak.de>
* BUG 932: fix local password change using pam_smbpass
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
o John Klinger <john.klinger@lmco.com>
* Return NSS_SUCCESS once the max number of gids possible
has been found in initgroups() on Solaris.
* Fix wb_delgrpmem (wbinfo -o).
* As a DC we should not reply to lsalookupnames on DCNAME\\user.
* Fix sambaUserWorkstations on a Samba DC.
-
-
-o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
- * Bug fixes and enhancements to libsmbclient library.
-
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
o Herb Lewis <herb@samba.org>
* Fix typo for tag in proto file.
* Add missing #ifdef HAVE_BICONV stuff.
* Truncate Samba's netbios name at the first '.' (not
right to left).
-
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
o Jianliang Lu <j.lu@tiesse.com>
* Enforce the 'user must change password at next login' flag.
* Decode meaning of 'fields present' flags (improves support
for usrmgr.exe).
-
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
o L. Lucius <ib@digicron.com>.
* type fixes.
controllers and standalone servers.
* Get MungedDial attribute actually working with full TS
strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
* BUG 768: Accept profileing arg to IRIX init script.
* BUG 748: Relax arg parsing to sambalp script (IRIX).
* BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
o Tim Potter <tpot@samba.org>
* BUG 1112: Fix for writable printerdata problem in python bindings.
* BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
* BUG 1155: enclose use of fchown() with guards.
-
-
-o Simo Source <idra@samba.org>
- * Replace unknown_3 with fields_present in SAMR code.
- * More length checks in strlcat().
+ * Relicense tdb python module as LGPL.
o Richard Sharpe <rsharpe@samba.org>
* Add support to smbclient for multiple logins on the same
session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Source <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
o Andrew Tridgell <tridge@samba.org>
* Rewrote the AIX UESS backend for winbindd.
* Fixed compilation with --enable-dmalloc.
-
-
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
o Jelmer Vernooij <jelmer@samba.org>
* Fix ETA Calculation when resuming downloads in smbget.
* Add -O (for writing downloaded files to standard out)
based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+ * Fix syntax error in example mysql table
-
+
o TAKEDA yasuma <yasuma@miraclelinux.com>
* BUG 900: fix token processing in cmd_symlink, cmd_link,
cmd_chown, cmd_chmod smbclient functions.
-o Shiro Yamada <shiro@miraclelinux.com>
- * BUG 1129: install image files for SWAT.
-
-
-Changes for older versions follow below:
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
- --------------------------------------------------
+
+ --------------------------------------------------
==============================
Release Notes for Samba 3.0.2a
******************* Attention! Achtung! Kree! *********************
-######################################################################
-Changes
-#######
-
Changes since 3.0.2
-------------------
* Added paranoia checks in parsing code.
-o Andrew Bartlet <abartlet@samba.org>
+o Andrew Bartlett <abartlet@samba.org>
* Ensure that changes to uninitialized passwords in ldapsam
are written to the DIT.
working with Novell NDS.
-o Andrew Bartlet <abartlet@samba.org>
+o Andrew Bartlett <abartlet@samba.org>
* Correctly handle per-pipe NTLMSSP inside a NULL session.
* Fix segfault in gencache
* Fix early free() of encrypted_session_key.
* BUG 924: Fix typo in RW2 torture test.
-o Richard Sharpe <shape@samba.org>
+o Richard Sharpe <rsharpe@samba.org>
* Small fixes to torture.c to cleanup the error handling
and prevent crashes.