1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Release Notes Archive</title>
11 <h2>Samba 3.0.2 Available for Download</h2>
15 This is the latest stable release of Samba. This is the version
16 that all production Samba servers should be running for all
19 <em>Security Announcement:</em> It has been confirmed that
20 previous versions of Samba 3.0 are susceptible to a password
21 initialization bug that could grant an attacker unauthorized
22 access to a user account created by the mksmbpasswd.sh shell
25 The Common Vulnerabilities and Exposures project (cve.mitre.org)
26 has assigned the name CAN-2004-0082 to this issue.
28 Samba administrators not wishing to upgrade to the current
29 version should download the 3.0.2 release, build the pdbedit
32 root# pdbedit-3.0.2 --force-initialized-passwords
34 This will disable all accounts not possessing a valid password
35 (e.g. the password field has been set a string of X's).
37 Samba servers running 3.0.2 are not vulnerable to this bug
38 regardless of whether or not pdbedit has been used to sanitize
41 Additionally, some of the more visible bugs in 3.0.1 addressed
42 in the 3.0.2 release include:
44 o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
45 o Logging onto a Samba domain from Windows XP clients.
46 o Problems with the %U and %u smb.conf variables in relation
47 to Windows 9x/ME clients.
48 o Kerberos failures due to an invalid in memory keytab
50 o Updates to the ntlm_auth tool.
51 o Fixes for various SMB signing errors.
52 o Better separation of WINS and DNS queries for domain
54 o Issues with nss_winbind FreeBSD and Solaris.
55 o Several crash bugs in smbd and winbindd.
56 o Output formatting fixes for smbclient for better
57 compatibility with scripts based on the 2.2 version.
59 The source code can be downloaded from :
61 <a href="http://download.samba.org/samba/ftp/">http://download.samba.org/samba/ftp/</a>
63 The uncompressed tarball and patch file have been signed
64 using GnuPG. The Samba public key is available at
66 <a href="http://download.samba.org/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
68 Binary packages are available at
70 <a href="http://download.samba.org/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
72 A simplified version of the CVS log of updates since 3.0.1
73 can be found in the the download directory under the name
74 <a href="/samba/ftp/ChangeLog-3.0.1-3.0.2">ChangeLog-3.0.1-3.0.2</a>.
76 Please file any bugs you find in this release at
78 <a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>
80 As always, all bugs are our responsibility.
86 #######################################################################
87 =============================
88 Release Notes for Samba 3.0.2
90 =============================
92 This is the latest stable release of Samba. This is the version
93 that all production Samba servers should be running for all current
96 It has been confirmed that previous versions of Samba 3.0 are
97 susceptible to a password initialization bug that could grant an
98 attacker unauthorized access to a user account created by the
99 mksmbpasswd.sh shell script.
101 The Common Vulnerabilities and Exposures project (cve.mitre.org)
102 has assigned the name CAN-2004-0082 to this issue.
104 Samba administrators not wishing to upgrade to the current
105 version should download the 3.0.2 release, build the pdbedit
108 root# pdbedit-3.0.2 --force-initialized-passwords
110 This will disable all accounts not possessing a valid password
111 (e.g. the password field has been set a string of X's).
113 Samba servers running 3.0.2 are not vulnerable to this bug
114 regardless of whether or not pdbedit has been used to sanitize
117 Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
120 o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
121 o Logging onto a Samba domain from Windows XP clients.
122 o Problems with the %U and %u smb.conf variables in relation to
123 Windows 9x/ME clients.
124 o Kerberos failures due to an invalid in memory keytab detection
126 o Updates to the ntlm_auth tool.
127 o Fixes for various SMB signing errors.
128 o Better separation of WINS and DNS queries for domain controllers.
129 o Issues with nss_winbind FreeBSD and Solaris.
130 o Several crash bugs in smbd and winbindd.
131 o Output formatting fixes for smbclient for better compatibility
132 with scripts based on the 2.2 version.
135 ######################################################################
144 Parameter Name Action
145 -------------- ------
146 ldap replication sleep New
147 read size removed (unused)
148 source environment removed (unused)
154 Please refer to the CVS log for the SAMBA_3_0 branch for complete
155 details. The list of changes per contributor are as follows:
157 o Jeremy Allison <jra@samba.org>
158 * Revert change that broke Exchange clear text samlogons.
159 * Fix gcc 3.4 warning in MS-DFS code.
160 * Tidy up of NTLMSSP code.
161 * Fixes for SMB signing errors
162 * BUG 815: Workaround NT4 bug to support plaintext
163 password logins and UNICODE.
164 * Fix SMB signing bug when copying large files.
165 * Correct error logic in mkdir_internals() (caused a panic
166 when combined with --enable-developer).
169 o Petri Asikainen <paca@sci.fi>
170 * BUG 330, 387:Fix single valued attribute updates when
171 working with Novell NDS.
174 o Andrew Bartlet <abartlet@samba.org>
175 * Correctly handle per-pipe NTLMSSP inside a NULL session.
176 * Fix segfault in gencache
177 * Fix early free() of encrypted_session_key.
178 * Change DC lookup routines to more carefully separate
179 DNS names (realms) from NetBIOS domain names.
180 * Add new sid_to_dn() function for internal winbindd use.
181 * Refactor cli_ds_enum_domain_trusts().
182 * BUG 707: Implement range retrieval of ADS attributes (based
183 on work from Volker <vl@samba.org> and Guenther Deschner
185 * Automatically initialize the signing engine if a session key
187 * BUG 916: Do not perform a + -> ' ' substitution for squid URL
188 encoded strings, only form input in SWAT.
189 * Resets the NTLMSSP state for new negotiate packets.
190 * Add 2-byte alignments in net_samlogon() queries to parse
191 odd-length plain text passwords.
192 * Allow Windows groups with no members in winbindd.
193 * Allow normal authentication in the absence of a server
194 generated session key.
195 * More optimizations for looking up UNIX group lists.
196 * Clean up error codes and return values for pam_winbindd
197 and winbindd PAM interface.
198 * Fix string return values in ntlm_auth tool.
199 * Fix segfault when 'security = ads' but no realm is defined.
200 * BUG 722: Allow winbindd to map machine accounts to uids.
201 * More cleanups for winbindd's find_our_domain().
202 * More clearly detect whether a domain controller is an NT4
203 or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
204 * Increase separation between DNS queries for hosts and queries
205 for AD domain controllers.
206 * Include additional NT_STATUS to PAM error mappings.
209 o Justin Baugh <justin.baugh@request.com>
210 * BUG 948: Implement missing functions required for FreeBSD
214 o Alexander Bokovoy <ab@samba.org>
215 * BUG 922: Make sure enable fast path for strlower_m() and
219 o Luca Bolcioni <Luca.Bolcioni@yacme.com>
220 * Fix crash when using 'security = server' and 'encrypt
221 passwords = no' by always initializing the session key.
224 o Dmitry Butskoj <buc@odusz.elektra.ru>
225 * Fix for special files being hidden from admins.
228 o Gerald (Jerry) Carter <jerry@samba.org>
229 * Fix bug in the lanman session key generation. Caused
230 "decode_pw: incorrect password length" error messages.
231 * Save the right case for the located user name in
232 fill_sam_account(). Fixes %U/%u expansion for win9x clients.
233 * BUG 897: Add well known rid for pre win2k compatible access
235 * BUG 887: Correct typo in delete user script example.
236 * Use short lived TALLOC_CTX* for allocating printer objects
237 from the print handle cache.
238 * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
239 * Fix several warnings reported by the SUN Forte C compiler.
240 * Fully control DNS queries for AD DC's using 'name resolve order'.
241 * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
242 * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
243 * BUG 936: fix bind credentials for schannel binds in smbd.
244 * BUG 446: Fix output of smbclient for better compatibility
245 with scripts based on the 2.2 version (including Amanda).
246 * BUG 891, 949: Fedora packaging fixes.
247 * Fix bug that caused rpcclient to incorrectly retrieve
248 the SID for a server (this causing all calls that required
249 this information to fail).
250 * BUG 977: Don't create a homes share for a user if a static
251 share already exists by the same name.
252 * Removed unused smb.conf options.
253 * Set the disable flag for template accounts created by
255 * Disable any account has no passwords and does not have the
256 ACB_PWNOTREQ bit set.
259 o Guenther Deschner <gd@suse.com>
260 * Install smbwrapper.so should be put into the $(libdir)
262 * Add the capability to specify the new user password
263 for "net ads password" on the command line.
264 * Correctly detect AFS headers on SuSE.
267 o James Flemer <jflemer@uvm.edu>
268 * Fix AIX compile bug by linking HAVE_ATTR_LIST to
269 HAVE_SYS_ATTRIBUTES_H.
272 o Luke Howard <lukeh@PADL.COM>
273 * Fix segfault in session setup reply caused by a early free().
276 o Stoian Ivanov <sdr@bultra.com>
277 * Implement grepable output for smbclient -L.
280 o LaMont Jones <lamont@debian.org>
281 * BUG 225328 (Debian): Correct false failure LFS test that resulted
282 in _GNU_SOURCE not being defined (thus resulting in strndup()
286 o Volker Lendecke <vl@samba.org>
287 * BUG 583: Ensure that user names always contain the short
288 version of the domain name.
289 * Fix our parsing of the LDAP uri.
290 * Don't show the 'afs username map' in the SWAT basic view.
291 * Fix SMB signing issues in relation to failed NTLMSSP logins.
292 * BUG 924: Fix return codes in smbtorture harness.
293 * Always lower-case usernames before handing it to AFS code.
294 * Add a German translation for SWAT.
295 * Fix a segfaults in winbindd.
296 * Fix the user's domain passed to register_vuid() from
297 reply_spnego_kerberos().
298 * Add NSS example code in nss_winbind to convert UNIX
299 id's <-> Windows SIDs.
300 * Display more descriptive error messages for login via 'net'.
301 * Fix compiler warning in the net tool.
302 * Fix length bug when decoding base64 strings.
303 * Ensure we don't call getpwnam() inside a loop that is iterating
304 over users with getpwent(). This broke on glibc 2.3.2.
307 o Herb Lewis <herb@samba.org>
308 * Fix bit rot in psec.
311 o Jianliang Lu <j.lu@tiesse.com>
312 * Ensure we delete the group mapping before calling the delete
314 * Define well known RID for managing the "Power Users" group.
315 * BUG 381: check builtin (not local) group SID when updating
317 * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
321 o John Klinger <john.klinger@lmco.com>
322 * Implement initgroups() call in nss_winbind on Solaris.
325 o Jim McDonough <jmcd@us.ibm.com>
326 * Fix regression in net rpc join caused by recent changes
327 to cli_lsa_query_info_policy().
328 * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
332 o MORIYAMA Masayuki <moriyama@miraclelinux.com>
333 * BUG 570: Ensure that configure honors the LDFLAGS variable.
336 o Stefan Metzmacher <metze@samba.org>
337 * Implement LDAP rebind sleep patch.
338 * Revert to 2.2 quota code because of so many broken quota files
340 * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
341 XFS_USER_QUOTA -> USRQUOTA
342 XFS_GROUP_QUOTA -> GRPQUOTA
343 * Fix disk_free calculation with group quotas.
344 * Add debug class 'quota' and a lot of DEBUG()'s
346 * Fix sys_chown() when no chown() is present.
347 * Add SIGABRT to fault handling in order to catch got a
348 backtrace if an error occurs the OpenLDAP client libs.
352 * Allow an existing LDAP machine account to be re-used when
353 joining an AD domain.
356 o James Peach <jpeach@sgi.com>
357 * BUG 889: Change smbd to use pread/pwrite on platforms that
358 support these calls. Can lead to a significant speed increase.
361 o Tim Potter <tpot@samba.org>
362 * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
363 * BUG 924: Fix typo in RW2 torture test.
366 o Richard Sharpe <shape@samba.org>
367 * Small fixes to torture.c to cleanup the error handling
371 o J. Tournier <jerome.tournier@IDEALX.com>
372 * Small fixes for the smbldap-tool scripts.
375 o Jelmer Vernooij <jelmer@samba.org>
376 * Put functions for generating SQL queries in pdb_sql.c
377 * Add pgSQL backend (based on patch by Hamish Friedlander)
378 * BUG 908: Fix -s option to smbcontrol.
379 * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
380 * Fix for libnss_wins on IRIX platforms.
381 * Fix swatdir for --with-fhs.
386 ----------------------
388 Parameter Name Action
389 -------------- ------
390 hide local users Removed
391 mangled map Deprecated
392 mangled stack Removed
393 passwd chat timeout New
399 o Change the interface for init_unistr2 to not take a length
400 but a flags field. We were assuming that
401 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
402 o Allow d_printf() to handle strings with escaped quotation
403 marks since the msg file includes the escape character (bug 489).
404 o Fix bad html table row termination in SWAT wizard code (bug 413).
405 o Fix to parse the level-2 strings.
406 o Fix for "valid users = %S" in [homes]. Fix read/write
408 o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
409 This is the same way AC_CHECK_LIB works (bug 508).
410 o Testparm output fixes for clarity.
411 o Fix broken wins hook functionality -- i18n bug (bug 528).
412 o Take care of condition where DOS and NT error codes must differ.
413 o Default to using only built-in charsets when a working iconv
414 implementation cannot be located.
415 o Wrap internals of sys_setgroups() so the sys_XX() call can
416 be done unconditionally (bug 550).
417 o Remove duplicate smbspool link on SWAT's front page (bug 541).
418 o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
419 --enable-debug=[yes|no] works correctly.
420 o Allow ^C to interrupt smbpasswd if using our getpass
421 (e.g. smbpasswd command).
422 o Support signing only on RPC's (bug 167).
423 o Correct bug that prevented Excel 2000 clients from opening
424 files marked as read-only.
425 o Portability fix bugs 546 - 549).
426 o Explicitly initialize the value of AR for vendor makes that don't
427 do this (e.g. HPUX 11). (bug 552).
428 o More i18n fixes for SWAT (bug 413).
429 o Change the cwd before the postexec script to ensure that a
431 o Correct double free that caused winbindd to crash when a DC
432 is rebooted (bug 437).
433 o Fix incorrect mode sum (bug 562).
434 o Canonicalize SMB_INFO_ALLOCATION in the same was as
435 SMB_FS_FULL_SIZE_INFORMATION (bug 564).
436 o Add script to generate *msg files.
437 o Add Dutch SWAT translation file.
438 o Make sure to call get_user_groups() with the full winbindd
439 name for a user if he/she has one (bug 406).
440 o Fix up error code returns from Samba4 tester. Ensure invalid
441 paths are validated the same way.
442 o Allow Samba3 to pass the Samba4 RAW-READ tests.
443 o Refuse to configure if --with-expsam=$BACKEND was used but no
444 libraries were found for $BACKEND.
445 o Move sysquotas autoconf tests to a separate file.
446 o Match W2K w.r.t. writelock and writeclose. Samba4 torture
448 o Make sure that the files that contain the static_init_$subsystem;
449 macro get recompiled after configure by removing the object
451 o Ensure canceling a blocking lock returns the correct error
453 o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
454 o Updated Japanese welcome file in SWAT.
455 o Fix to nt-time <-> unix-time functions reversible.
456 o Ensure that winbindd uses the the escaped DN when querying
458 o Fix portability issues when compiling (bug 505, 550)
459 o Compile fix for tdbbackup when Samba needs to override
460 non-C99 compliant implementations of snprintf().
461 o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
462 o Make sure we break out of samsync loop on error.
463 o Ensure error code path doesn't free unmalloc()'d memory
465 o Add configure test for krb5_keytab_entry keyblock vs key
468 o Modified testparm so that all output so all debug output goes
469 to stderr, and all file processing goes to stdout.
470 o Fix error return code for BUFFER_TOO_SMALL in smbcacls
472 o Fix "NULL dest in safe_strcpy()" log message by ensuring that
473 we have a devmode before copying a string to the devicename.
474 o Support mapping REALM.COM\user to a local user account (without
475 running winbindd) for compatibility with 2.2.x release.
476 o Ensure we don't use mmap() on blacklisted systems.
477 o fixed a number of bugs and memory leaks in the AIX
479 o Call initgroups() in SWAT before becomming the user so that
480 secondary group permissions can be used when writing to
482 o Fix signing problems when reverse connecting back to a
483 client for printer notify
484 o Fix signing problems caused by a miss-sequence bug.
485 o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
486 Fixes NEXUS tools running on Win9x clients (bug 64).
487 o Don't leave the domain field uninitialized in cli_lsa.c if some
488 SID could not be mapped.
489 o Fix segfault in mount.cifs helper when there is no options
490 specified during mount.
491 o Change the \n after the password prompt to go to tty instead
493 o Stop net -P from prompting for machine account password (bug 451).
494 o Change in behavior to Not only change the effective uid but also
495 the real uid when becoming unprivileged.
496 o Cope with Exchange 5.5 cleartext pop password auth.
497 o New files for support of initshutdown pipe. Win2k doesn't
498 respond properly to all requests on the winreg pipe, so we need
499 to handle this new pipe (bug 534).
500 o Added more va_copy() checks in configure.in.
501 o Include fixes for libsmbclient build problems.
502 o Missing UNIX -> DOS codepage conversion in lanman.c.
503 o Allow DFMS-S filenames can now have arbitrary case (bug 667).
504 o Parameterize the listen backlog in smbd and make it larger by
505 default. A backlog of 5 is way too small these days.
506 o Check for an invalid fid before dereferencing the fsp pointer
508 o Remove invalid memory frees and return codes in pdb_ldap.c.
509 o Prompt for password when invoking --set-auth-user and no
511 o Bind the nmbd sending socket to the 'socket address'.
512 o Re-order link command for smbd, rpcclient and smbpasswd to ensure
513 $LDFLAGS occurs before any library specification (bug 661).
514 o Fix large number of printf() calls for 64-bit size_t.
515 o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
516 keyblock in the krb5 structs.
517 o Remove #include <compat.h> in hopes to avoid problems with
519 o Correct winbindd build problems on HP-UX 11.
520 o Lowercase netgroups lookups (bug 703).
521 o Use the actual size of the buffer in strftime instead of a made
522 up value which just happens to be less than sizeof(fstring).
524 o Add ldaplibs to pdbedit link line (bug 651).
525 o Fix crash bug in smbclient completion (bug 659).
526 o Fix packet length for browse list reply (bug 771).
527 o Fix coredump in cli_get_backup_list().
528 o Make sure that we expand %N (bug 612).
529 o Allow rpcclient adddriver command to specify printer driver
531 o Compile tdbdump by default.
532 o Apply patches to fix iconv detection for FreeBSD.
533 o Do not allow the 'guest account' to be added to a passdb backend
534 using smbpasswd or pdbedit (bug 624).
535 o Save LDFLAGS during iconv detection (bug 57).
536 o Run krb5 logins through the username map if the winbindd
537 lookup fails (bug 698).
538 o Add const for lp_set_name_resolve_order() to avoid compiler
540 o Add support for the %i macro in smb.conf to stand in for the for
541 the local IP address to which a client connected.
542 o Allow winbindd to match local accounts to domain SID when
543 'winbind trusted domains only = yes' (bug 680).
544 o Remove code in idmap_ldap that searches the user suffix and group
545 suffix. It's not needed and provides inconsistent functionality
546 from the tdb backend.
547 o Patch to handle munged dial string for Windows 200 TSE.
548 o Correct the "smbldap_open: cannot access when not root error"
549 messages when looking up group information (bug 281).
550 o Skip over the winbind separator when looking up a user.
551 This fixes the bug that prevented local users from
552 matching an AD user when not running winbindd (bug 698).
553 o Fix a problem with configure on *BSD systems. Make sure
554 we add -liconv etc to LDFLAGS.
555 o Fix core dump bug when "security = server" and the authentication
557 o Correct crash bug due to an empty munged dial string.
558 o Show files locked by a specific user (smbstatus -u 'user')
560 o Fix bug preventing print jobs from display in the queue
561 monitor used by Windows NT and later clients (bug 660).
562 o Fix several reported problems with point-n-print from
563 Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
564 reply (bug 338, 527 & 643).
565 o Fix a handful of potential memory leaks in the LDAP code used
566 by ldapsam[_compat] and the LDAP idmap backend.
567 o Fix for pdbedit error code returns (bug 763).
568 o Make sure we only enumerate group mapping entries (not
569 /etc/group) even when doing local aliases.
570 o Relax check on the pipe name in a dce/rpc bind response to work
571 around issues with establishing trusts to a Windows 2003 domain.
572 o Ensure we mangle names ending in '.' in hash2 mangling method.
573 o Correct parsing issues with munged dial string.
574 o Fix bugs in quota support for XFS.
575 o Add a cleaner method for applications that need to provide
576 name->SID mappings to do this via NSS rather than having to
577 know the winbindd pipe protocol.
578 o Adds a variant of the winbindd_getgroups() call called
579 winbindd_getusersids() that provides direct SID->SIDs listing of
580 a users supplementary groups. This is enough to allow non-Samba
581 applications to do ACL checking.
582 o Make sure we don't append the 'ldap suffix' when writing out the
583 'ldap XXX suffix' values in SWAT (bug 328).
584 o Fix renames across file systems.
585 o Ensure that items in a list of strings containing whitespace are
586 written out surrounded by single quotes. This means that both
587 double and single quotes are now used to surround strings in
589 o Enable SWAT to correctly determine if winbindd is running (bug
591 o Include WWW-Authenticate field in 401 response for bad auth
593 o Add support for NTLM2 (NTLMv2 session security).
594 o Add support for variable-length session keys.
595 o More privilege fixes for group enumeration in LDAP (bug 281).
596 o Use the dns name (or IP) as the originating client name when
597 using CUPS (bug 467).
598 o Fix various SMB signing bugs.
599 o Fix ACL propagation on a DFS root (bug 263).
600 o Disable NTLM2 for RPC pipes.
601 o Allow the client to specify the NTLM2 flags got NTLMSSP
603 o Change the name of the job passed off to cups from "Test Page"
604 to "smbprn.00000033 Test Page" so that we can get the smb
605 jobid back. This allow users to delete jobs with cups printing
606 backend (partial work on bug 770).
607 o Fix build of winbindd with static pdb modules.
608 o Retrieve the correct ACL group bits if the file has an ACL
610 o Implement "net rpc group members": Get members of a domain group
611 in human-readable format.
612 o Add MacOSX (Darwin) specific charset module code.
613 o Use samr_dispinfo(level == 1) for enumerating domain users so we
614 can include the full name in gecos field (bug 587).
615 o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
616 o Implement 'net rpc group list [global|local|builtin]*' for a
617 select listing of the respective user databases.
618 o Don't automatically set NT status code flag unless client tells
620 o Add 'net status [sessions|shares] [parseable]'.
621 o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
623 o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
625 o Fix inverted logic in hosts allow/deny checks caused by
626 s/strcmp/strequal/ (bug 846).
627 o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
628 o Fix typo in 'hash' mangling algorithm.
629 o Support munged dial for ldapsam (bug 800).
630 o Fix process_incoming_data() to return the number of bytes handled
631 this call whether we have a complete PDU or not; fixes bug
632 with multiple PDU request rpc's broken over SMBwriteX calls
634 o Fix incorrect smb flags2 for connections to pre-NT servers
635 (causes smbclient to fail to OS2 for example) (bug 821).
636 o Update version string in smbldap-tools Makefile to 0.8.2.
637 o Correct a problem with "net rpc vampire" mis-parsing the
638 alias member info reply.
639 o Ensure the ${libdir} is created by the installclientlib script.
640 o Fix detection of Windows 2003 client architecture in the smb.conf
642 o Ensure that smbd calls the add user script for a missing UNIX
643 user on kerberos auth call (bug 445).
644 o Fix bugs in hosts allow/deny when using a mismatched
645 network/netmask pair.
646 o Protect alloc_sub_basic() from crashing when the source string
647 is NULL (partial work on bug 687).
648 o Fix spinlocks on IRIX.
649 o Corrected some bad destination paths when running "configure
651 o Add packaging files for Fedora Core 1.
652 o Correct bug in SWAT install script for non-english languages.
653 o Support character set ISO-8859-1 internally (bug 558).
654 o Fixed more LDAP access errors when looking up group mappings
656 o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
657 resolution to fail on local files on on domain members
659 o Fix uninitialized variable in passdb.c.
660 o Fix formal parameter type in get_static() in nsswitch/wins.c.
661 o Fix problem mounting directories when mount.cifs is installed
662 with the setuid bit on.
663 o Fix bug that prevent --mandir from overriding the defaults
664 given in the --with-fhs macro.
665 o Fix bug in in-memory Kerberos keytab detection routines
670 ######################################################################
672 =======================================
673 The original 3.0.0 release notes follow
674 =======================================
680 1) Active Directory support. Samba 3.0 is now able to
681 join a ADS realm as a member server and authenticate
682 users using LDAP/Kerberos.
684 2) Unicode support. Samba will now negotiate UNICODE on the wire
685 and internally there is now a much better infrastructure for
686 multi-byte and UNICODE character sets.
688 3) New authentication system. The internal authentication system
689 has been almost completely rewritten. Most of the changes are
690 internal, but the new auth system is also very configurable.
692 4) New default filename mangling system.
694 5) A new "net" command has been added. It is somewhat similar to
695 the "net" command in windows. Eventually we plan to replace
696 numerous other utilities (such as smbpasswd) with subcommands
699 6) Samba now negotiates NT-style status32 codes on the wire. This
700 improves error handling a lot.
702 7) Better Windows 2000/XP/2003 printing support including publishing
703 printer attributes in active directory.
705 8) New loadable module support for passdb backends and character
708 9) New default dual-daemon winbindd support for better performance.
710 10) Support for migrating from a Windows NT 4.0 domain to a Samba
711 domain and maintaining user, group and domain SIDs.
713 11) Support for establishing trust relationships with Windows NT 4.0
716 12) Initial support for a distributed Winbind architecture using
717 an LDAP directory for storing SID to uid/gid mappings.
719 13) Major updates to the Samba documentation tree.
721 14) Full support for client and server SMB signing to ensure
722 compatibility with default Windows 2003 security settings.
724 15) Improvement of ACL mapping features based on code donated by
728 Plus lots of other improvements!
731 Additional Documentation
732 ------------------------
734 Please refer to Samba documentation tree (included in the docs/
735 subdirectory) for extensive explanations of installing, configuring
736 and maintaining Samba 3.0 servers and clients. It is advised to
737 begin with the Samba-HOWTO-Collection for overviews and specific
738 tasks (the current book is up to approximately 400 pages) and to
739 refer to the various man pages for information on individual options.
741 We are very glad to be able to include the second edition of
742 "Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
743 (O'Reilly & Associates) in this release. The book is available
744 on-line at http://samba.org/samba/docs/ and is included with
745 the Samba Web Administration Tool (SWAT). Thanks to the authors and
746 publisher for making "Using Samba" under the GNU Free Documentation
750 ######################################################################
751 Upgrading from a previous Samba 3.0 beta
752 ########################################
754 Beginning with Samba 3.0.0beta3, the RID allocation functions
755 have been moved into winbindd. Previously these were handled
756 by each passdb backend. This means that winbindd must be running
757 to automatically allocate RIDs for users and/or groups. Otherwise,
758 smbd will use the 2.2 algorithm for generating new RIDs.
760 If you are using 'passdb backend = tdbsam' with a previous Samba
761 3.0 beta release (or possibly alpha), it may be necessary to
762 move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
763 to winbindd_idmap.tdb. To do this:
765 1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
767 2) build tdbtool by executing 'make tdbtool' in the source/tdb/
769 3) run: (note that 'tdb>' is the tool's prompt for input)
771 root# ./tdbtool /usr/local/samba/private/passdb.tdb
772 tdb> show RID_COUNTER
776 [000] 0A 52 00 00 .R.
778 tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
782 If you are using 'passdb backend = ldapsam', it will be necessary to
783 store idmap entries in the LDAP directory as well (i.e. idmap backend
784 = ldap). Refer to the 'net idmap' command for more information on
785 migrating SID<->UNIX id mappings from one backend to another.
787 If the RID_COUNTER record does not exist, then these instructions are
788 unneccessary and the new RID_COUNTER record will be correctly generated
793 ########################
794 Upgrading from Samba 2.2
795 ########################
797 This section is provided to help administrators understand the details
798 involved with upgrading a Samba 2.2 server to Samba 3.0.
804 Many of the options to the GNU autoconf script have been modified
805 in the 3.0 release. The most noticeable are:
807 * removal of --with-tdbsam (is now included by default; see section
808 on passdb backends and authentication for more details)
810 * --with-ldapsam is now on used to provided backward compatible
811 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
812 backend and authentication section for more details
814 * inclusion of non-standard passdb modules may be enabled using
815 --with-expsam. This includes an XML backend and a mysql backend.
817 * removal of --with-msdfs (is now enabled by default)
819 * removal of --with-ssl (no longer supported)
821 * --with-utmp now defaults to 'yes' on supported systems
823 * --with-sendfile-support is now enabled by default on supported
830 This section contains a brief listing of changes to smb.conf options
831 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
832 complete descriptions of new or modified parameters.
834 Removed Parameters (order alphabetically):
837 * alternate permissions
840 * code page directory
844 * force unknown acl user
850 * printer driver file
851 * printer driver location
861 New Parameters (new parameters have been grouped by function):
865 * abort shutdown script
868 User and Group Account Management
869 ---------------------------------
872 * add user to group script
873 * algorithmic rid base
874 * delete group script
875 * delete user from group script
877 * set primary group script
883 * passwd chat timeout
894 * paranoid server security
904 * hide unwriteable files
906 * kernel change notify
916 * max reported print jobs
918 UNICODE and Character Sets
919 --------------------------
925 SID to uid/gid Mappings
926 -----------------------
930 * winbind enable local accounts
931 * winbind trusted domains only
932 * template primary group
933 * enable rid algorithm
940 * ldap machine suffix
942 * ldap replication sleep
945 General Configuration
946 ---------------------
950 Modified Parameters (changes in behavior):
952 * encrypt passwords (enabled by default)
953 * mangling method (set to 'hash2' by default)
956 * restrict anonymous (integer value)
957 * security (new 'ads' value)
958 * strict locking (enabled by default)
959 * unix extensions (enabled by default)
960 * winbind cache time (increased to 5 minutes)
961 * winbind uid (deprecated in favor of 'idmap uid')
962 * winbind gid (deprecated in favor of 'idmap gid')
968 This section contains brief descriptions of any new databases
969 introduced in Samba 3.0. Please remember to backup your existing
970 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
971 upgrade databases as they are opened (if necessary), but downgrading
972 from 3.0 to 2.2 is an unsupported path.
974 Name Description Backup?
975 ---- ----------- -------
976 account_policy User policy settings yes
977 gencache Generic caching db no
978 group_mapping Mapping table from Windows yes
979 groups/SID to unix groups
980 winbindd_idmap ID map table from SIDS to UNIX yes
982 namecache Name resolution cache entries no
983 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
984 returned as part of a successful
985 net_sam_logon request
986 printing/*.tdb Cached output from 'lpq no
987 command' created on a per print
989 registry Read-only samba registry skeleton no
990 that provides support for exporting
991 various db tables via the winreg RPCs
997 The following issues are known changes in behavior between Samba 2.2 and
998 Samba 3.0 that may affect certain installations of Samba.
1000 1) When operating as a member of a Windows domain, Samba 2.2 would
1001 map any users authenticated by the remote DC to the 'guest account'
1002 if a uid could not be obtained via the getpwnam() call. Samba 3.0
1003 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
1004 current work around to re-establish the 2.2 behavior.
1006 2) When adding machines to a Samba 2.2 controlled domain, the
1007 'add user script' was used to create the UNIX identity of the
1008 machine trust account. Samba 3.0 introduces a new 'add machine
1009 script' that must be specified for this purpose. Samba 3.0 will
1010 not fall back to using the 'add user script' in the absence of
1011 an 'add machine script'
1014 ######################################################################
1015 Passdb Backends and Authentication
1016 ##################################
1018 There have been a few new changes that Samba administrators should be
1019 aware of when moving to Samba 3.0.
1021 1) encrypted passwords have been enabled by default in order to
1022 inter-operate better with out-of-the-box Windows client
1023 installations. This does mean that either (a) a samba account
1024 must be created for each user, or (b) 'encrypt passwords = no'
1025 must be explicitly defined in smb.conf.
1027 2) Inclusion of new 'security = ads' option for integration
1028 with an Active Directory domain using the native Windows
1029 Kerberos 5 and LDAP protocols.
1031 MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
1032 type which is neccessary for servers on which the
1033 administrator password has not been changed, or kerberos-enabled
1034 SMB connections to servers that require Kerberos SMB signing.
1035 Besides this one difference, either MIT or Heimdal Kerberos
1036 distributions are usable by Samba 3.0.
1039 Samba 3.0 also includes the possibility of setting up chains
1040 of authentication methods (auth methods) and account storage
1041 backends (passdb backend). Please refer to the smb.conf(5)
1042 man page for details. While both parameters assume sane default
1043 values, it is likely that you will need to understand what the
1044 values actually mean in order to ensure Samba operates correctly.
1046 The recommended passdb backends at this time are
1048 * smbpasswd - 2.2 compatible flat file format
1049 * tdbsam - attribute rich database intended as an smbpasswd
1050 replacement for stand alone servers
1051 * ldapsam - attribute rich account storage and retrieval
1052 backend utilizing an LDAP directory.
1053 * ldapsam_compat - a 2.2 backward compatible LDAP account
1056 Certain functions of the smbpasswd(8) tool have been split between the
1057 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
1058 utility. See the respective man pages for details.
1061 ######################################################################
1065 This section outlines the new features affecting Samba / LDAP
1071 A new object class (sambaSamAccount) has been introduced to replace
1072 the old sambaAccount. This change aids us in the renaming of
1073 attributes to prevent clashes with attributes from other vendors.
1074 There is a conversion script (examples/LDAP/convertSambaAccount) to
1075 modify and LDIF file to the new schema.
1079 $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
1080 $ convertSambaAccount --sid=<Domain SID> \
1081 --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
1082 --changetype=[modify|add]
1084 The <DOM SID> can be obtained by running 'net getlocalsid
1085 <DOMAINNAME>' on the Samba PDC as root. The changetype determines
1086 the format of the generated LDIF output--either create new entries
1087 or modify existing entries.
1089 The old sambaAccount schema may still be used by specifying the
1090 "ldapsam_compat" passdb backend. However, the sambaAccount and
1091 associated attributes have been moved to the historical section of
1092 the schema file and must be uncommented before use if needed.
1093 The 2.2 object class declaration for a sambaAccount has not changed
1094 in the 3.0 samba.schema file.
1096 Other new object classes and their uses include:
1098 * sambaDomain - domain information used to allocate rids
1099 for users and groups as necessary. The attributes are added
1100 in 'ldap suffix' directory entry automatically if
1101 an idmap uid/gid range has been set and the 'ldapsam'
1102 passdb backend has been selected.
1104 * sambaGroupMapping - an object representing the
1105 relationship between a posixGroup and a Windows
1106 group/SID. These entries are stored in the 'ldap
1107 group suffix' and managed by the 'net groupmap' command.
1109 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
1110 automatically and contains the next available 'idmap uid' and
1113 * sambaIdmapEntry - object storing a mapping between a
1114 SID and a UNIX uid/gid. These objects are created by the
1115 idmap_ldap module as needed.
1117 * sambaSidEntry - object representing a SID alone, as a Structural
1118 class on which to build the sambaIdmapEntry.
1121 New Suffix for Searching
1122 ------------------------
1124 The following new smb.conf parameters have been added to aid in directing
1125 certain LDAP queries when 'passdb backend = ldapsam://...' has been
1128 * ldap suffix - used to search for user and computer accounts
1129 * ldap user suffix - used to store user accounts
1130 * ldap machine suffix - used to store machine trust accounts
1131 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
1132 * ldap idmap suffix - location of sambaIdmapEntry objects
1134 If an 'ldap suffix' is defined, it will be appended to all of the
1135 remaining sub-suffix parameters. In this case, the order of the suffix
1136 listings in smb.conf is important. Always place the 'ldap suffix' first
1139 Due to a limitation in Samba's smb.conf parsing, you should not surround
1140 the DN's with quotation marks.
1146 Samba 3.0 supports an ldap backend for the idmap subsystem. The
1147 following options would inform Samba that the idmap table should be
1148 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
1153 idmap backend = ldap:ldap://onterose/
1154 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
1155 idmap uid = 40000-50000
1156 idmap gid = 40000-50000
1158 This configuration allows winbind installations on multiple servers to
1159 share a uid/gid number space, thus avoiding the interoperability problems
1160 with NFS that were present in Samba 2.2.
1164 ######################################################################
1165 Trust Relationships and a Samba Domain
1166 ######################################
1168 Samba 3.0.0beta2 is able to utilize winbindd as the means of
1169 allocating uids and gids to trusted users and groups. More
1170 information regarding Samba's support for establishing trust
1171 relationships can be found in the Samba-HOWTO-Collection included
1172 in the docs/ directory of this release.
1174 First create your Samba PDC and ensure that everything is
1175 working correctly before moving on the trusts.
1177 To establish Samba as the trusting domain (named SAMBA) from a Windows NT
1178 4.0 domain named WINDOWS:
1180 1) create the trust account for SAMBA in "User Manager for Domains"
1181 2) connect the trust from the Samba domain using
1182 'net rpc trustdom establish GLASS'
1184 To create a trustlationship with SAMBA as the trusted domain:
1186 1) create the initial trust account for GLASS using
1187 'smbpasswd -a -i GLASS'. You may need to create a UNIX
1188 account for GLASS$ prior to this step (depending on your
1189 local configuration).
1190 2) connect the trust from a WINDOWS DC using "User Manager
1193 Now join winbindd on the Samba PDC to the SAMBA domain using
1194 the normal steps for adding a Samba server to an NT4 domain:
1195 (note that smbd & nmbd must be running at this point)
1197 root# net rpc join -U root
1198 Password: <enter root password from smbpasswd file here>
1200 Start winbindd and test the join with 'wbinfo -t'.
1202 Now test the trust relationship by connecting to the SAMBA DC
1203 (e.g. POGO) as a user from the WINDOWS domain:
1205 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
1208 Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
1210 $ smbclient //crystal/netlogon -U root -W WINDOWS
1213 ######################################################################
1217 Beginning with Samba3.0.0beta3, winbindd has been given new account
1218 manage functionality equivalent to the 'add user script' family of
1219 smb.conf parameters. The idmap design has also been changed to
1220 centralize control of foreign SID lookups and matching to UNIX
1224 Brief Description of Changes
1225 ----------------------------
1227 1) The sid_to_uid() family of functions (smbd/uid.c) have been
1228 reverted to the 2.2.x design. This means that when resolving a
1229 SID to a UID or similar mapping:
1231 a) First consult winbindd
1232 b) perform a local lookup only if winbindd fails to
1233 return a successful answer
1235 There are some variations to this, but these two rules generally
1238 2) All idmap lookups have been moved into winbindd. This means that
1239 a server must run winbindd (and support NSS) in order to achieve
1240 any mappings of SID to dynamically allocated UNIX ids. This was
1241 a conscious design choice.
1243 3) New functions have been added to winbindd to emulate the 'add user
1244 script' family of smbd functions without requiring that external
1245 scripts be defined. This functionality is controlled by the 'winbind
1246 enable local accounts' smb.conf parameter (enabled by default).
1248 However, this account management functionality is only supported
1249 in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
1250 must be shared among multiple Samba servers (such as a PDC and BDCs),
1251 it will be necessary to define your own 'add user script', et. al.
1252 programs that place the accounts/groups in some form of directory
1253 such as NIS or LDAP. This requirement was deemed beyond the scope
1254 of winbind's account management functions. Solutions for
1255 distributing UNIX system information have been deployed and tested
1256 for many years. We saw no need to reinvent the wheel.
1258 4) A member of a Samba controlled domain running winbindd is now able
1259 to map domain users directly onto existing UNIX accounts while still
1260 automatically creating accounts for trusted users and groups. This
1261 behavior is controlled by the 'winbind trusted domains only' smb.conf
1262 parameter (disabled by default to provide 2.2.x winbind behavior).
1264 5) Group mapping support is wrapped in the local_XX_to_XX() functions
1265 in smbd/uid.c. The reason that group mappings are not included
1266 in winbindd is because the purpose of Samba's group map is to
1267 match any Windows SID with an existing UNIX group. These UNIX
1268 groups can be created by winbindd (see next section), but the
1269 SID<->gid mapping is retreived by smbd, not winbindd.
1275 * security = server running winbindd to allocate accounts on demand
1277 * Samba PDC running winbindd to handle the automatic creation of UNIX
1278 identities for machine trust accounts
1280 * Automtically creating UNIX user and groups when migrating a Windows NT
1281 4.0 PDC to a Samba PDC. Winbindd must be running when executing
1282 'net rpc vampire' for this to work.
1285 ######################################################################
1289 * There are several bugs currently logged against the 3.0 codebase
1290 that affect the use of NT 4.0 GUI domain management tools when run
1291 against a Samba 3.0 PDC. This bugs should be released in an early
1294 Please refer to https://bugzilla.samba.org/ for a current list of bugs
1295 filed against the Samba 3.0 codebase.
1298 ######################################################################
1299 Reporting bugs & Development Discussion
1300 #######################################
1302 Please discuss this release on the samba-technical mailing list or by
1303 joining the #samba-technical IRC channel on irc.freenode.net.
1305 If you do report problems then please try to send high quality
1306 feedback. If you don't provide vital information to help us track down
1307 the problem then you will probably be ignored.
1309 A new bugzilla installation has been established to help support the
1310 Samba 3.0 community of users. This server, located at
1311 https://bugzilla.samba.org/, has replaced the older jitterbug server
1312 previously located at http://bugs.samba.org/.