- =================================
- Release Notes for Samba 3.0.3pre1
- XXXXXX XX, 2004
- =================================
+ =================================
+ Release Notes for Samba 3.2.0pre3
+ Apr 25, 2008
+ =================================
+
+This is the third preview release of Samba 3.2.0. This is *not*
+intended for production environments and is designed for testing
+purposes only. Please report any defects via the Samba bug reporting
+system at https://bugzilla.samba.org/.
+
+Please be aware that Samba is now distributed under the version 3
+of the new GNU General Public License. You may refer to the COPYING
+file that accompanies these release notes for further licensing details.
+
+Major enhancements in Samba 3.2.0 include:
+
+ File Serving:
+ o Use of IDL generated parsing layer for several DCE/RPC
+ interfaces.
+ o Removal of the 1024 byte limit on pathnames and 256 byte limit on
+ filename components to honor the MAX_PATH setting from the host OS.
+ o Introduction of a registry based configuration system.
+ o Improved CIFS Unix Extensions support.
+ o Experimental support for file serving clusters.
+ o Support for IPv6 in the server, and client tools and libraries.
+ o Support for storing alternate data streams in xattrs.
+ o Encrypted SMB transport in client tools and libraries, and server.
+ o Support for Vista clients authenticating via Kerberos.
+
+ Winbind and Active Directory Integration:
+ o Full support for Windows 2003 cross-forest, transitive trusts
+ and one-way domain trusts.
+ o Support for userPrincipalName logons via pam_winbind and NSS
+ lookups.
+ o Expansion of nested domain groups via NSS calls.
+ o Support for Active Directory LDAP Signing policy.
+ o New LGPL Winbind client library (libwbclient.so).
+ o Support for establishing interdomain trust relationships with
+ Windows 2008.
+
+ Joining:
+ o New NetApi library for domain join related queries (libnetapi.so)
+ and example GTK+ Domain join gui.
+ o New client and server support for remotely joining and unjoining
+ Domains.
+ o Support for joining into Windows 2008 domains.
+
+ Users & Groups:
+ o New ldb backend for local group mapping tables
+ o Raised level of security defaults for authentication operations.
+ o New NetApi library for user account related queries.
+
+
+ Documentation:
+ o Inclusion of an HTML version of the 3rd edition of "Using Samba"
+ from O'Reilly Publishing.
+
+
+Now Licensed under the GNU GPLv3
+================================
+
+The Samba Team has adopted the Version 3 of the GNU General Public
+License for the 3.2 and later releases. The GPLv3 is the updated
+version of the GPLv2 license under which Samba is currently
+distributed. It has been updated to improve compatibility with other
+licenses and to make it easier to adopt internationally, and is an
+improved version of the license to better suit the needs of Free
+Software in the 21st Century.
+
+The original announcement is available on-line at
+
+ http://news.samba.org/announcements/samba_gplv3/
+
+
+New Security Defaults for Authentication
+========================================
+
+Support for LanMan passwords is now disabled in both client and server
+applications. Additionally, clear text authentication requests are
+disabled by default in client utilities such as smbclient and all
+libsmbclient based applications. This will affect connection both
+to and from hosts running DOS, Windows 9x/ME, and OS/2. Please refer
+to the "Changes" section for details on the exact parameters that were
+updated.
+
+
+Registry Configuration Backend
+==============================
+
+Samba is now able to use a registry based configuration backed to
+supplement smb.conf settings. This feature may be enabled by setting
+"config backend = registry" in the [global] section of smb.conf for a
+registry only configuration, or by specifying "include = registry" to
+include global options from registry for a mixed setup.
+
+The new parameter "registry shares = yes" in the [global] section of
+smb.conf can be used to activate share definitions from registry.
+These shares are loaded on demand by the server. Registry shares are
+automatically activated by the global registry options above.
+
+The configuration stored in registry can be conveniently managed using
+the "net conf" command.
+
+More information may be obtained from the smb.conf(5) and net(8) man
+pages.
+
+
+Removed Features
+================
+
+Both the Python bindings and the libmsrpc shared library have been
+removed from the tree due to lack of an official maintainer.
+
+As smbfs is no longer supported in current kernel versions, smbmount has
+been removed in this Samba version. Please use cifs (mount.cifs) instead.
+See examples/scripts/mount/mount.smbfs as an example for a wrapper which
+calls mount.cifs instead of smbmount/mount.smbfs.
+
+
+Modified API for libsmbclient
+==============================================================================
+
+Maintaining ABI compatibility for libsmbclient has become increasingly
+difficult to accomplish, while also keeping the code organization such that it
+is easily readable. Towards the goal of maintaining ABI compatibility and
+also keeping the code easy to maintain and enhance, the API has been enhanced.
+In particular, the fields in the SMBCCTX context structure are no longer
+intended to be read/write by the user, and are marked as deprecated. An
+application that previously accessed the members of the SMBCCTX context
+structure will now encounter warnings if recompiled. This is intentional, to
+encourage implementation of the small changes required for the new interface.
+The number of changes is expected to be quite small for the vast majority of
+applications, and no changes need be made for many applications. The changes
+required for KDE (konqueror) to conform to the new interface, for example, are
+only four lines in only one file.
-This is a preview release of the Samba 3.0.3 code base and is
-provided for testing only. This release is *not* intended for
-production servers. Use at your own risk.
+Instead of the application manually changing or reading values in the context
+structure, there are now setter and getter functions for each configurable
+member in that structure. Similarly, the smbc_option_get() and
+smbc_option_set() functions are deprecated in favor of the setter/getter
+interface. The setters and getters are all documented in libsmbclient.h
+under these comment blocks:
-There have been several bug fixes since the 3.0.2a release that
-we feel are important to make available to the Samba community
-for wider testings. See the "Changes" section for details on
-exact updates.
+ Getters and setters for CONFIGURATION
+ Getters and setters for OPTIONS
+ Getters and setters for FUNCTIONS
+ Callable functions for files
+ Callable functions for directories
+ Callable functions applicable to both files and directories
-Common bugs fixed in this preview release include:
+Example changes that may be required to eliminate "deprecated" warnings:
- o <FILL THIS IN>
+ /* Set the debug level */
+ context->debug = 99;
+changes to:
+ smbc_setDebug(context, 99);
+ /* Specify the authentication callback function */
+ context->callbacks.auth_fn = auth_smbc_get_data;
+changes to:
+ smbc_setFunctionAuthData(context, auth_smbc_get_data);
-######################################################################
-Changes
-#######
-Changes since 3.0.2a
---------------------
-smb.conf changes
-----------------
-
- Parameter Name Action
- -------------- ------
- only user Deprecated
- use cracklib New
-
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details. The list of changes per contributor are as follows:
-
-
-commits
--------
-o Jeremy Allison <jra@samba.org>
- * Ensure that Kerberos mutex is always properly unlocked.
- * Removed Heimdal "in-memory keytab" support.
- * Fixup the 'multiple-vuids' bugs in our server code.
- * Correct return code from lsa_lookup_sids() on unmapped
- sids (based on work by vlendecke).
- * Fix the "too many fcntl locks" scalability problem
- raised by tridge.
- * Fixup correct (as per W2K3) returns for lookupsids
- as well as lookupnames.
- * Fixups for delete-on-close semantics as per Win2k3 behavior.
- * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
- * Fix "unable to initialize" bug when smbd hasn't been run with
- new system and a user is being added via pdbedit/smbpasswd.
- * Added NTrename SMB (0xA5).
- * Fixup correct timeout values for blocking lock timeouts.
- * Fix various bugs reported by 'gentest'.
- * More locking fixes in the case where we own the lock.
- * Fix up regression in IS_NAME_VALID and renames.
- * Don't set allocation size on directories.
- * Return correct error code on fail if file exists and target
- is a directory.
- * Added client "hardlink" commant to test doing NT rename with
- hard links. Added hardlink_internals() code - UNIX extensions
- now use this as well.
- * Use a common function to parse all pathnames from the wire for
- much closer emulation of Win2k3 error return codes.
- * More fixes for internal multibyte string handling.
-
-
-o Timur Bakeyev <timur@com.bat.ru>
- * BUG 1144: only set --with-fhs when the argumenet is 'yes'
-
-
-o Andrew Bartlet <abartlet@samba.org>
- * Include support for linking with cracklib for enforcing
- strong password changes.
- * Add support for >14 character password changes from Windows
- clients.
- * Add 'admin set password' capability to 'net rpc'.
- * Allow 'net rpc samdump' to work with any joined domain
- regardless of smb.conf settings.
- * Use an allocated buffer for count_chars.
- * Add sanity checks for changes in the domain SID in an
- LDAP DIT.
-
-
-o Alexander Bokovoy <ab@samba.org>
-
-
-o Gerald (Jerry) Carter <jerry@samba.org>
- * Fix 'make installmodules' bug on True64.
- * BUG 66: mark 'only user' deprecated.
- * Remove corrupt tdb and shutdown (only for printing tdbs,
- connections, sessionid & locking).
- * decrement smbd counter in connections.tdb in smb_panic().
- * RedHat specfile updates.
- * Fix xattr.h build issue on Debian testing and SuSE 8.2.
- * BUG 1147; bad pointer case in get_stored_queue_info()
- causing seg fault.
- * BUG 761: read the config file before initialized default
- values for printing options; don't default to bsd printing
- Linux.
- * Allow the 'printing' parameter to be set on a per share basis.
- * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
- * BUG 848: don't create winbind local users/groups that already
- exist in the tdb.
- * BUG 1080: fix declaration of SMB_BIG_UINT (broek compile on
- LynxOS/ppc).
-
-
-o Guenther Deschner <gd@suse.com>
- * Remove hard coded attribute name in the ads ranged retrieval
- code.
-
-
-o Bostjan Golob <golob@gimb.org>
- * BUG 1046: Fix getpwent_list() so that the username is not
- overwritten by other fields.
-
-
-o Steve French <sfrench@us.ibm.com>
- * Update moun.cifs to version 1.1.
- * Disable dev (MS_NODEV) on user mounts from cifs vfs.
- * Fixes to minor security bug in the mount helper.
-
-
-o SATOH Fumiyasu <fumiya@miraclelinux.com>
- * BUG 1055; formatting fixes for 'net share'.
- * BUG 692: correct truncation of share names and workgroup
- names in smbclient.
-
-
-o Chris Hertel <crh@samba.org>
- * fix enumeration of shares 12 characters in length via
- smbclient.
-
-
-o John Klinger <john.klinger@lmco.com>
- * Return NSS_SUCCESS once the max number of gids possible
- has been found in initgroups() on Solaris.
-
-
-o Volker Lendecke <vl@samba.org>
- * Fix success message for net groupmap modify.
- * Fix errors when enumerating members of groups in 'net rpc'.
- * Match Windows behavior in samr_lookup_names() by returning
- ALIAS(4) when you search in BUILTIN.
- * Fix server SAMR code to be able to set alias info for
- builtin as well.
- * Fix duplication of logic when creating groups via smbd.
- * Ensure that the HWM values are set correctly after running
- 'net idmap'.
- * Add 'net rpc group add'.
- * Implement 'net groupmap set' and 'net groupmap cleanup'.
- * Add 'net rpc group [add|del]mem' for domain groups and aliases.
-
-
-o Herb Lewis <herb@samba.org>
-
+ /* Specify the new-style authentication callback with context parameter */
+ smbc_option_set("auth_function", auth_smbc_get_data_with_ctx);
+changes to:
+ smbc_setFunctionAuthDataWithContext(context, auth_smbc_get_data_with_ctx);
-o Jianliang Lu <j.lu@tiesse.com>
- * Enforce the 'user must change password at nmext login' flag.
- * Decode meaning of 'fields present' flags (improves support
- for usewrmgr.exe).
+ /* Set kerberos flags */
+ context->flags = (SMB_CTX_FLAG_USE_KERBEROS |
+ SMB_CTX_FLAG_FALLBACK_AFTER_KERBEROS);
+changes to:
+ smbc_setOptionUseKerberos(context, 1);
+ smbc_setOptionFallbackAfterKerberos(context, 1);
-o L. Lucius <ib@digicron.com>.
- * type fixes.
-
-
-o Jim McDonough <jmcd@us.ibm.com>
- * Add versioning support to tdbsam.
- * Update the IBM Directory Server schema with the OpenLDAP
- file.
- * Various decoding fixes to improve usermgr.exe support.
- * Fix statfs redeclaration of statfs struct on ppc
- * Implement support for password lockout of Samba domain
- controllers and standalone servers.
-
-
-o Stefan Metzmacher <metze@samba.org>
-
-
-o James Peach <jpeach@sgi.com>
- * Correct check for printf() format when using the SGI MIPSPro
- compiler.
- * BUG 1038: support backtrace for 'panic action' on IRIX.
-
-
-o Tim Potter <tpot@samba.org>
- * Fix logic bug in tdb non-blocking lock routines when
- errno == EAGAIN.
- * BUG 1025: Include sys/acl.h in check for broken nisplus
- include files.
- * BUG 1066: s/printf/d_printf/g in SWAT.
- * BUG 1098: rename internal msleep() function to fix build
- problems on AIX.
- * BUG 1112: Fix for writable printerdata problem in python bindings.
-
-
-o Simo Source <idra@samba.org>
- * Replace unknown_3 with fields_present in SAMR code.
-
-
-o Richard Sharpe <rsharpe@samba.org>
- * Add support to smbclient for multiple logins on the same
- session (based on work by abartlet).
-
-
-o Andrew Tridgell <tridge@samba.org>
- * Rewrote the AIX UESS backend for winbindd.
- * Fixed compilation with --enable-dmalloc.
-
-
-o Jelmer Vernooij <jelmer@samba.org>
- * Fix ETA Calculation when resuming downloads in smbget.
-
-
-o TAKEDA yasuma <yasuma@miraclelinux.com>
- * BUG 900: fix token processing in cmd_symlink, cmd_link,
- cmd_chown, cmd_chmod smbclient functions.
-
-
-o Shiro Yamada <shiro@miraclelinux.com>
- * BUG 1129: install image files for SWAT.
-
-
-Changes for older versions follow below:
-
- --------------------------------------------------
-
- ==============================
- Release Notes for Samba 3.0.2a
- February 13, 2004
- ==============================
-
-Samba 3.0.2a is a minor patch release for the 3.0.2 code base
-to address, in particular, a problem when using pdbedit to
-sanitize (--force-initialized-passwords) Samba's tdbsam
-backend. This is the latest stable release of Samba. This
-is the version that all production Samba servers should be
-running for all current bug-fixes.
-
-******************* Attention! Achtung! Kree! *********************
-
-Beginning with Samba 3.0.2, passwords for accounts with a last
-change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
-ldapsam, etc...) of zero (0) will be regarded as uninitialized
-strings. This will cause authentication to fail for such
-accounts. If you have valid passwords that meet this criteria,
-you must update the last change time to a non-zero value. If you
-do not, then 'pdbedit --force-initialized-passwords' will disable
-these accounts and reset the password hashes to a string of X's.
-
-******************* Attention! Achtung! Kree! *********************
######################################################################
Changes
#######
-Changes since 3.0.2
--------------------
-
-commits
--------
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details. The list of changes per contributor are as follows:
-
-
-o Jeremy Allison <jra@samba.org>
- * Added paranoia checks in parsing code.
-
-
-o Andrew Bartlet <abartlet@samba.org>
- * Ensure that changes to uninitialized passwords in ldapsam
- are written to the DIT.
-
-
-o Gerald (Jerry) Carter <jerry@samba.org>
- * Fixed iterator in tdbsam.
- * Fix bug that disabled accounts with a valid NT password
- hash, but no LanMan hash.
-
-
-o Steve French <sfrench@us.ibm.com>
- * Added missing nosetuid and noexec options.
-
-
-o Bostjan Golob <golob@gimb.org>
- * BUG 1046: Don't overwrite usernames of entries returned
- by getpwent_list().
-
-
-o Sebastian Krahmer <krahmer@suse.de>
- * Fixed potential crash bug in NTLMSSP parsing code.
-
-
-o Tim Potter <tpot@samba.org>
- * Fixed logic in tdb_brlock error checking.
-
-
-o Urban Widmark <urban@teststation.com>
- * Set nosuid,nodev flags in smbmnt by default.
-
-
- --------------------------------------------------
-
- =============================
- Release Notes for Samba 3.0.2
- February 9, 2004
- =============================
-
-It has been confirmed that previous versions of Samba 3.0 are
-susceptible to a password initialization bug that could grant an
-attacker unauthorized access to a user account created by the
-mksmbpasswd.sh shell script.
-
-The Common Vulnerabilities and Exposures project (cve.mitre.org)
-has assigned the name CAN-2004-0082 to this issue.
-
-Samba administrators not wishing to upgrade to the current
-version should download the 3.0.2 release, build the pdbedit
-tool, and run
-
- root# pdbedit-3.0.2 --force-initialized-passwords
-
-This will disable all accounts not possessing a valid password
-(e.g. the password field has been set a string of X's).
-
-Samba servers running 3.0.2 are not vulnerable to this bug
-regardless of whether or not pdbedit has been used to sanitize
-the passdb backend.
-
-Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
-release include:
-
- o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
- o Logging onto a Samba domain from Windows XP clients.
- o Problems with the %U and %u smb.conf variables in relation to
- Windows 9x/ME clients.
- o Kerberos failures due to an invalid in memory keytab detection
- test.
- o Updates to the ntlm_auth tool.
- o Fixes for various SMB signing errors.
- o Better separation of WINS and DNS queries for domain controllers.
- o Issues with nss_winbind FreeBSD and Solaris.
- o Several crash bugs in smbd and winbindd.
- o Output formatting fixes for smbclient for better compatibility
- with scripts based on the 2.2 version.
-
-
-Changes since 3.0.1
--------------------
-
smb.conf changes
----------------
- Parameter Name Action
- -------------- ------
- ldap replication sleep New
- read size removed (unused)
- source environment removed (unused)
+ Parameter Name Description Default
+ -------------- ----------- -------
+ administrative share New No
+ client lanman auth Changed Default No
+ client ldap sasl wrapping New plain
+ client plaintext auth Changed Default No
+ clustering New No
+ cluster addresses New ""
+ config backend New file
+ ctdb socket New ""
+ debug class New No
+ lanman auth Changed Default No
+ ldap debug level New 0
+ ldap debug threshold New 10
+ mangle map Removed
+ min receive file size New 0
+ open files database hashsize Removed
+ read bmpx Removed
+ registry shares New No
+ winbind expand groups New 1
+ winbind rpc only New No
+
+ New special meaning of "include = registry".
+
+
+Changes since 3.2.0pre2:
+-----------------------
+
+
+o Michael Adam <obnox@samba.org>
+ * Fix session setup with security = share.
+ * Fix segfault in testparm.
+ * Fix several Makefile issues.
+ * Fix build of bin/net on Solaris.
+ * Reformat the parm table of loadparm to use named initializers.
+ * Fix %I macro expansion for IPv4 mapped IPv6 addresses.
+ * Convert registry.tdb to use dbwrap and fix memleaks.
+ * Several make test fixes and improvements.
+ * Several libreplace extensions and fixes (portet from v4-0-test).
+ * Rename libnet_conf to libsmbconf and introduce backend abstraction layer.
+ * Add text backend to libsmbconf, based on params.c.
+ * Fix handling of includes in registry libsmbconf backend.
+ * Fix net conf import by reading from text backend.
+ * Add a "net registry" command to locally access the registry.
+ * Add getvalue subcommand to "net rpc registry".
+ * Add testsuites for libsmbconf and "net registry".
+ * Fix Coverity IDs 517, 536, 545.
+ * Remove unneeded REGISTRY_HOOKS layer from reghook cache
+ to allow plugging one backend to multiple keys more easily.
+ * Add smbconf_init dispatcher taking source strings like "backend:path"
+ * Fix handling of dangling parameters (without share) in libsmbconf.
+ * Introduce special meaning of "include = registry" to complement
+ the registry-only configuration of "config backend = registry".
+ * Enhance error propagation by making several registry functions
+ return WERROR.
+ * Fix loading of registry shares in smbd by fixing the token.
+ * Fix a segfault in tdb_wrap_log().
-commits
--------
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details. The list of changes per contributor are as follows:
-
o Jeremy Allison <jra@samba.org>
- * Revert change that broke Exchange clear text samlogons.
- * Fix gcc 3.4 warning in MS-DFS code.
- * Tidy up of NTLMSSP code.
- * Fixes for SMB signing errors
- * BUG 815: Workaround NT4 bug to support plaintext
- password logins and UNICODE.
- * Fix SMB signing bug when copying large files.
- * Correct error logic in mkdir_internals() (caused a panic
- when combined with --enable-developer).
- * BUG 830: Protect against crashes due to bad character
- conversions.
-
-
-o Petri Asikainen <paca@sci.fi>
- * BUG 330, 387:Fix single valued attribute updates when
- working with Novell NDS.
-
-
-o Andrew Bartlet <abartlet@samba.org>
- * Correctly handle per-pipe NTLMSSP inside a NULL session.
- * Fix segfault in gencache
- * Fix early free() of encrypted_session_key.
- * Change DC lookup routines to more carefully separate
- DNS names (realms) from NetBIOS domain names.
- * Add new sid_to_dn() function for internal winbindd use.
- * Refactor cli_ds_enum_domain_trusts().
- * BUG 707: Implement range retrieval of ADS attributes (based
- on work from Volker <vl@samba.org> and Guenther Deschner
- <gd@suse.com>).
- * Automatically initialize the signing engine if a session key
- is available.
- * BUG 916: Do not perform a + -> ' ' substitution for squid URL
- encoded strings, only form input in SWAT.
- * Resets the NTLMSSP state for new negotiate packets.
- * Add 2-byte alignments in net_samlogon() queries to parse
- odd-length plain text passwords.
- * Allow Windows groups with no members in winbindd.
- * Allow normal authentication in the absence of a server
- generated session key.
- * More optimizations for looking up UNIX group lists.
- * Clean up error codes and return values for pam_winbindd
- and winbindd PAM interface.
- * Fix string return values in ntlm_auth tool.
- * Fix segfault when 'security = ads' but no realm is defined.
- * BUG 722: Allow winbindd to map machine accounts to uids.
- * More cleanups for winbindd's find_our_domain().
- * More clearly detect whether a domain controller is an NT4
- or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
- * Increase separation between DNS queries for hosts and queries
- for AD domain controllers.
- * Include additional NT_STATUS to PAM error mappings.
- * Password initialization fixes.
-
-
-o Justin Baugh <justin.baugh@request.com>
- * BUG 948: Implement missing functions required for FreeBSD
- nss_winbind support.
-
-
-o Alexander Bokovoy <ab@samba.org>
- * BUG 922: Make sure enable fast path for strlower_m() and
- strupper_m().
-
-
-o Luca Bolcioni <Luca.Bolcioni@yacme.com>
- * Fix crash when using 'security = server' and 'encrypt
- passwords = no' by always initializing the session key.
-
-
-o Dmitry Butskoj <buc@odusz.elektra.ru>
- * Fix for special files being hidden from admins.
-
-
-o Gerald (Jerry) Carter <jerry@samba.org>
- * Fix bug in the lanman session key generation. Caused
- "decode_pw: incorrect password length" error messages.
- * Save the right case for the located user name in
- fill_sam_account(). Fixes %U/%u expansion for win9x clients.
- * BUG 897: Add well known rid for pre win2k compatible access
- group.
- * BUG 887: Correct typo in delete user script example.
- * Use short lived TALLOC_CTX* for allocating printer objects
- from the print handle cache.
- * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
- * Fix several warnings reported by the SUN Forte C compiler.
- * Fully control DNS queries for AD DC's using 'name resolve order'.
- * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
- * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
- * BUG 936: fix bind credentials for schannel binds in smbd.
- * BUG 446: Fix output of smbclient for better compatibility
- with scripts based on the 2.2 version (including Amanda).
- * BUG 891, 949: Fedora packaging fixes.
- * Fix bug that caused rpcclient to incorrectly retrieve
- the SID for a server (this causing all calls that required
- this information to fail).
- * BUG 977: Don't create a homes share for a user if a static
- share already exists by the same name.
- * Removed unused smb.conf options.
- * Password initialization fixes.
- * Set the disable flag for template accounts created by
- mksmbpasswd.sh.
- * Disable any account has no passwords and does not have the
- ACB_PWNOTREQ bit set.
-
-
-o Guenther Deschner <gd@suse.com>
- * Install smbwrapper.so should be put into the $(libdir)
- and not $(bindir).
- * Add the capability to specify the new user password
- for "net ads password" on the command line.
- * Correctly detect AFS headers on SuSE.
-
-
-o James Flemer <jflemer@uvm.edu>
- * Fix AIX compile bug by linking HAVE_ATTR_LIST to
- HAVE_SYS_ATTRIBUTES_H.
-
-
-o Luke Howard <lukeh@PADL.COM>
- * Fix segfault in session setup reply caused by a early free().
-
-
-o Stoian Ivanov <sdr@bultra.com>
- * Implement grepable output for smbclient -L.
-
-
-o LaMont Jones <lamont@debian.org>
- * BUG 225328 (Debian): Correct false failure LFS test that resulted
- in _GNU_SOURCE not being defined (thus resulting in strndup()
- not being defined).
-
-
-o Volker Lendecke <vl@samba.org>
- * BUG 583: Ensure that user names always contain the short
- version of the domain name.
- * Fix our parsing of the LDAP uri.
- * Don't show the 'afs username map' in the SWAT basic view.
- * Fix SMB signing issues in relation to failed NTLMSSP logins.
- * BUG 924: Fix return codes in smbtorture harness.
- * Always lower-case usernames before handing it to AFS code.
- * Add a German translation for SWAT.
- * Fix a segfaults in winbindd.
- * Fix the user's domain passed to register_vuid() from
- reply_spnego_kerberos().
- * Add NSS example code in nss_winbind to convert UNIX
- id's <-> Windows SIDs.
- * Display more descriptive error messages for login via 'net'.
- * Fix compiler warning in the net tool.
- * Fix length bug when decoding base64 strings.
- * Ensure we don't call getpwnam() inside a loop that is iterating
- over users with getpwent(). This broke on glibc 2.3.2.
-
+ * BUG 5311: Fix IPv6 issue with hosts allow/deny settings.
+ * BUG 5372: Fix client timeouts in large CUPS installations.
+ * Fix problem with nmbd not waiting until interfaces come up.
+ * Fix S3 to pass the test_raw_oplock_exclusive3 test.
+ * Fix MSDFS bug breaking MS clients in some cases by ensuring
+ the target host is ourselves.
+ * Rewrite the wrap checks to deal with gcc 4.x optimisations.
-o Herb Lewis <herb@samba.org>
- * Fix bit rot in psec.
+o Kai Blin <kai@samba.org>
+ * BUG 4235: Prevent ntlm_auth from sending BH responses without a message.
+ * Fix one BH message.
-o Jianliang Lu <j.lu@tiesse.com>
- * Ensure we delete the group mapping before calling the delete
- group script.
- * Define well known RID for managing the "Power Users" group.
- * BUG 381: check builtin (not local) group SID when updating
- group membership.
- * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
- packet.
-
-o John Klinger <john.klinger@lmco.com>
- * Implement initgroups() call in nss_winbind on Solaris.
-
-
-o Jim McDonough <jmcd@us.ibm.com>
- * Fix regression in net rpc join caused by recent changes
- to cli_lsa_query_info_policy().
- * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
- machine account.
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix libtdb some to move back towards allowing out of tree builds.
+ * Ignore port when pulling IP addr from struct sockaddr_storage..
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix build of pam_smbpass.
+ * Fix lp_load with an empty registry and "config backend = registry".
+ * Fix build targets for bin/net.
+ * Fix _dssetup_DsRoleGetPrimaryDomainInformation().
+ * Fix the build of cifs.spnego.
+ * Migration of the SRVSVC client and server DCE/RPC code to IDL
+ based structures and autogenerated code
+ * Fix Kerberos session setup with Vista SP1 (ignore PAC type 12)
+ * Fix support for vampire of lockout policies and
+ for storing dialin/terminal server settings.
+ * Fix remote join/unjoin server implementation.
+ * BUG 5328: Fix netlogon credential chain with Windows 2008
+ (this also fixes joining Windows 2008 with rpc methods).
+ * Various fixes for establishing and validating interdomain trust
+ relationships with Windows 2008.
+ * Use IDL for storing domain controller information in dsgetdcname.
+ * Re-arranged internal structure of libnetapi.
+ * Add support for domain\dcname syntax in libnetjoin.
+ * Add support for browsing/joining OUs in netdomjoin-gui.
+ * Add various new calls to libnetapi.
+
+
+o Björn Jacke <bj@sernet.de>
+ * Add AC_TRY_RUN_STRICT support for Sun Studio compiler.
-o MORIYAMA Masayuki <moriyama@miraclelinux.com>
- * BUG 570: Ensure that configure honors the LDFLAGS variable.
+o Volker Lendecke <vl@samba.org>
+ * Add support for async SMB requests.
+ * Add transactions to the dbwrap API.
+ * Add "net idmap aclmapset".
+ * Change default bufsize to 512k.
+ * Fix Coverity IDs 473, 481, 506, 507, 525, 526, 527, 528, 529, 530, 537,
+ 538, 547, 548, 551, 552, 553, 554, 555, 557, 558, 559, 563, 564, 567.
+ ... and half a ton more
+ * Fix some warnings in the tsmsm module.
+ * Fix warnings.
+ * BUG 4901: Fix "ldap passwd sync = only".
+ * BUG 5334: Fix download of empty files using smbclient.
+ * BUG 5307: Fix notify changes.
+ * BUG 5317: Fix debug output in domain_client_validate.
+ * BUG 5338: Fix format string issue in rpcclient.
+ * Convert account_pol.tdb and share_info.tdb to dbwrap.
+ * Protect group_mapping.tdb ops with transactions.
+ * BUG 5366: "passwd program" should work on Solaris 10 again now.
+ * A level 25 setuserinfo does change the pwdlastset, fixes XP joins.
+ * BUG 5350: A Samba DC trusting NT4 should do an anon session setup.
+ * BUG 5375: Fix a segfault with "security=share" and [in]valid users.
+ * Fix printing from DOS clients -- introduced by inbuf/outbuf rewrite.
+ * Fix wbinfo -a trusted\\user%password on a Samba DC with trusts.
+ * BUG 5341: Fix async smbclient get command on Solaris.
+ * Make winbind use NetSamLogonEx when possible.
+ * Merge fixes in the 3-0-ctdb cluster code.
+ * Fix a segfault in snprintf replacement code.
+ * Fix a regression for wbinfo --group-info if winbind separator is set
+
+
+o Derrell Lipman <derrell@samba.org>
+ * Check for NULL pointers before dereferencing them.
+ * Fix use of AuthDataWithContext capability.
o Stefan Metzmacher <metze@samba.org>
- * Implement LDAP rebind sleep patch.
- * Revert to 2.2 quota code because of so many broken quota files
- out there.
- * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
- XFS_USER_QUOTA -> USRQUOTA
- XFS_GROUP_QUOTA -> GRPQUOTA
- * Fix disk_free calculation with group quotas.
- * Add debug class 'quota' and a lot of DEBUG()'s
- to the quota code.
- * Fix sys_chown() when no chown() is present.
- * Add SIGABRT to fault handling in order to catch got a
- backtrace if an error occurs the OpenLDAP client libs.
-
-
-o <ndb@theghet.to>
- * Allow an existing LDAP machine account to be re-used when
- joining an AD domain.
-
-
-o James Peach <jpeach@sgi.com>
- * BUG 889: Change smbd to use pread/pwrite on platforms that
- support these calls. Can lead to a significant speed increase.
-
-
-o Tim Potter <tpot@samba.org>
- * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
- * BUG 924: Fix typo in RW2 torture test.
-
-
-o Richard Sharpe <shape@samba.org>
- * Small fixes to torture.c to cleanup the error handling
- and prevent crashes.
-
-
-o J. Tournier <jerome.tournier@IDEALX.com>
- * Small fixes for the smbldap-tool scripts.
+ * Add dbwrap_tdb2 backend, useful for cluster setups.
+ * Add more functions to libwbclient:
+ - wbcGetGroups()
+ - wbcInterfaceDetails()
+ - wbcListUsers()
+ - wbcListGroups()
+ - wbcLookupUserSids()
+ - wbcSetUidMapping()
+ - wbcSetGidMapping()
+ - wbcSetUidHwm()
+ - wbcSetGidHwm()
+ - wbcResolveWinsByName()
+ - wbcResolveWinsByIP()
+ - wbcCheckTrustCredentials()
+ * Let wbinfo use libwbclient where possible.
+ * Let net use only libwbclient to access winbindd.
+ * Make socket wrapper pcap support more portable.
+ * Some libreplace backports from v4-0-test.
+ * Store the write time in the locking.tdb,
+ so that smbd passes the BASE-DELAYWRITE test.
+ * Run RAW-SEARCH and BASE-DELAYWRITE by 'make test'.
+ * Let each process use its own connection to ctdb
+ in cluster mode.
+ * Add a reinit_after_fork() helper function to correct
+ reinitialize the same things in all cases.
+ * Fix a chicken and egg problem with "include = registry".
+
+
+o Karolin Seeger <kseeger@samba.org>
+ * Fix usage message for "net idmap dump".
o Andrew Tridgell <tridge@samba.org>
- * Fix src len check in pull_usc2().
-
-
-o Jelmer Vernooij <jelmer@samba.org>
- * Put functions for generating SQL queries in pdb_sql.c
- * Add pgSQL backend (based on patch by Hamish Friedlander)
- * BUG 908: Fix -s option to smbcontrol.
- * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
- * Fix for libnss_wins on IRIX platforms.
- * Fix swatdir for --with-fhs.
-
-
- --------------------------------------------------
-
- =============================
- Release Notes for Samba 3.0.1
- December 15, 2003
- =============================
-
-Some of the more common bugs in 3.0.0 addressed in the release
-include:
-
- o Substitution problems with smb.conf variables.
- o Errors in return codes which caused some applications
- to fail to open files.
- o General Protection Faults on Windows 2000/XP clients
- using Samba point-n-print features.
- o Several miscellaneous crash bugs.
- o Access problems when enumerating group mappings are
- stored in an LDAP Directory.
- o Several common SWAT bugs when writing changes to
- smb.conf.
- o Internal inconsistencies when 'winbind use default
- domain = yes'
-
-
-
-Changes since 3.0.0
-----------------------
-
- Parameter Name Action
- -------------- ------
- hide local users Removed
- mangled map Deprecated
- mangled stack Removed
- passwd chat timeout New
-
-
-commits
--------
-
-o Change the interface for init_unistr2 to not take a length
- but a flags field. We were assuming that
- 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
-o Allow d_printf() to handle strings with escaped quotation
- marks since the msg file includes the escape character (bug 489).
-o Fix bad html table row termination in SWAT wizard code (bug 413).
-o Fix to parse the level-2 strings.
-o Fix for "valid users = %S" in [homes]. Fix read/write
- list as well.
-o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
- This is the same way AC_CHECK_LIB works (bug 508).
-o Testparm output fixes for clarity.
-o Fix broken wins hook functionality -- i18n bug (bug 528).
-o Take care of condition where DOS and NT error codes must differ.
-o Default to using only built-in charsets when a working iconv
- implementation cannot be located.
-o Wrap internals of sys_setgroups() so the sys_XX() call can
- be done unconditionally (bug 550).
-o Remove duplicate smbspool link on SWAT's front page (bug 541).
-o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
- --enable-debug=[yes|no] works correctly.
-o Allow ^C to interrupt smbpasswd if using our getpass
- (e.g. smbpasswd command).
-o Support signing only on RPC's (bug 167).
-o Correct bug that prevented Excel 2000 clients from opening
- files marked as read-only.
-o Portability fix bugs 546 - 549).
-o Explicitly initialize the value of AR for vendor makes that don't
- do this (e.g. HPUX 11). (bug 552).
-o More i18n fixes for SWAT (bug 413).
-o Change the cwd before the postexec script to ensure that a
- umount will succeed.
-o Correct double free that caused winbindd to crash when a DC
- is rebooted (bug 437).
-o Fix incorrect mode sum (bug 562).
-o Canonicalize SMB_INFO_ALLOCATION in the same was as
- SMB_FS_FULL_SIZE_INFORMATION (bug 564).
-o Add script to generate *msg files.
-o Add Dutch SWAT translation file.
-o Make sure to call get_user_groups() with the full winbindd
- name for a user if he/she has one (bug 406).
-o Fix up error code returns from Samba4 tester. Ensure invalid
- paths are validated the same way.
-o Allow Samba3 to pass the Samba4 RAW-READ tests.
-o Refuse to configure if --with-expsam=$BACKEND was used but no
- libraries were found for $BACKEND.
-o Move sysquotas autoconf tests to a separate file.
-o Match W2K w.r.t. writelock and writeclose. Samba4 torture
- tester
-o Make sure that the files that contain the static_init_$subsystem;
- macro get recompiled after configure by removing the object
- files.
-o Ensure canceling a blocking lock returns the correct error
- message.
-o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
-o Updated Japanese welcome file in SWAT.
-o Fix to nt-time <-> unix-time functions reversible.
-o Ensure that winbindd uses the the escaped DN when querying
- an AD ldap server.
-o Fix portability issues when compiling (bug 505, 550)
-o Compile fix for tdbbackup when Samba needs to override
- non-C99 compliant implementations of snprintf().
-o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
-o Make sure we break out of samsync loop on error.
-o Ensure error code path doesn't free unmalloc()'d memory
- (bug 628).
-o Add configure test for krb5_keytab_entry keyblock vs key
- member (bug 636).
-o Fixed spinlocks.
-o Modified testparm so that all output so all debug output goes
- to stderr, and all file processing goes to stdout.
-o Fix error return code for BUFFER_TOO_SMALL in smbcacls
- and smbcquotas.
-o Fix "NULL dest in safe_strcpy()" log message by ensuring that
- we have a devmode before copying a string to the devicename.
-o Support mapping REALM.COM\user to a local user account (without
- running winbindd) for compatibility with 2.2.x release.
-o Ensure we don't use mmap() on blacklisted systems.
-o fixed a number of bugs and memory leaks in the AIX
- winbindd shim
-o Call initgroups() in SWAT before becomming the user so that
- secondary group permissions can be used when writing to
- smb.conf.
-o Fix signing problems when reverse connecting back to a
- client for printer notify
-o Fix signing problems caused by a miss-sequence bug.
-o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
- Fixes NEXUS tools running on Win9x clients (bug 64).
-o Don't leave the domain field uninitialized in cli_lsa.c if some
- SID could not be mapped.
-o Fix segfault in mount.cifs helper when there is no options
- specified during mount.
-o Change the \n after the password prompt to go to tty instead
- of stdout (bug 668).
-o Stop net -P from prompting for machine account password (bug 451).
-o Change in behavior to Not only change the effective uid but also
- the real uid when becoming unprivileged.
-o Cope with Exchange 5.5 cleartext pop password auth.
-o New files for support of initshutdown pipe. Win2k doesn't
- respond properly to all requests on the winreg pipe, so we need
- to handle this new pipe (bug 534).
-o Added more va_copy() checks in configure.in.
-o Include fixes for libsmbclient build problems.
-o Missing UNIX -> DOS codepage conversion in lanman.c.
-o Allow DFMS-S filenames can now have arbitrary case (bug 667).
-o Parameterize the listen backlog in smbd and make it larger by
- default. A backlog of 5 is way too small these days.
-o Check for an invalid fid before dereferencing the fsp pointer
- (bug 696).
-o Remove invalid memory frees and return codes in pdb_ldap.c.
-o Prompt for password when invoking --set-auth-user and no
- password is given.
-o Bind the nmbd sending socket to the 'socket address'.
-o Re-order link command for smbd, rpcclient and smbpasswd to ensure
- $LDFLAGS occurs before any library specification (bug 661).
-o Fix large number of printf() calls for 64-bit size_t.
-o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
- keyblock in the krb5 structs.
-o Remove #include <compat.h> in hopes to avoid problems with
- apache header files.
-o Correct winbindd build problems on HP-UX 11.
-o Lowercase netgroups lookups (bug 703).
-o Use the actual size of the buffer in strftime instead of a made
- up value which just happens to be less than sizeof(fstring).
- (bug 713).
-o Add ldaplibs to pdbedit link line (bug 651).
-o Fix crash bug in smbclient completion (bug 659).
-o Fix packet length for browse list reply (bug 771).
-o Fix coredump in cli_get_backup_list().
-o Make sure that we expand %N (bug 612).
-o Allow rpcclient adddriver command to specify printer driver
- version (bug 514).
-o Compile tdbdump by default.
-o Apply patches to fix iconv detection for FreeBSD.
-o Do not allow the 'guest account' to be added to a passdb backend
- using smbpasswd or pdbedit (bug 624).
-o Save LDFLAGS during iconv detection (bug 57).
-o Run krb5 logins through the username map if the winbindd
- lookup fails (bug 698).
-o Add const for lp_set_name_resolve_order() to avoid compiler
- warnings (bug 471).
-o Add support for the %i macro in smb.conf to stand in for the for
- the local IP address to which a client connected.
-o Allow winbindd to match local accounts to domain SID when
- 'winbind trusted domains only = yes' (bug 680).
-o Remove code in idmap_ldap that searches the user suffix and group
- suffix. It's not needed and provides inconsistent functionality
- from the tdb backend.
-o Patch to handle munged dial string for Windows 2000 TSE.
- Thanks to Gaz de France, Direction de la Recherche, Service
- Informatique Métier for their supporting this work by Aurelien
- Degrémont <adegremont@idealx.com>.
-o Correct the "smbldap_open: cannot access when not root error"
- messages when looking up group information (bug 281).
-o Skip over the winbind separator when looking up a user.
- This fixes the bug that prevented local users from
- matching an AD user when not running winbindd (bug 698).
-o Fix a problem with configure on *BSD systems. Make sure
- we add -liconv etc to LDFLAGS.
-o Fix core dump bug when "security = server" and the authentication
- server goes away.
-o Correct crash bug due to an empty munged dial string.
-o Show files locked by a specific user (smbstatus -u 'user')
- (bug 590).
-o Fix bug preventing print jobs from display in the queue
- monitor used by Windows NT and later clients (bug 660).
-o Fix several reported problems with point-n-print from
- Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
- reply (bug 338, 527 & 643).
-o Fix a handful of potential memory leaks in the LDAP code used
- by ldapsam[_compat] and the LDAP idmap backend.
-o Fix for pdbedit error code returns (bug 763).
-o Make sure we only enumerate group mapping entries (not
- /etc/group) even when doing local aliases.
-o Relax check on the pipe name in a dce/rpc bind response to work
- around issues with establishing trusts to a Windows 2003 domain.
-o Ensure we mangle names ending in '.' in hash2 mangling method.
-o Correct parsing issues with munged dial string.
-o Fix bugs in quota support for XFS.
-o Add a cleaner method for applications that need to provide
- name->SID mappings to do this via NSS rather than having to
- know the winbindd pipe protocol.
-o Adds a variant of the winbindd_getgroups() call called
- winbindd_getusersids() that provides direct SID->SIDs listing of
- a users supplementary groups. This is enough to allow non-Samba
- applications to do ACL checking.
-o Make sure we don't append the 'ldap suffix' when writing out the
- 'ldap XXX suffix' values in SWAT (bug 328).
-o Fix renames across file systems.
-o Ensure that items in a list of strings containing whitespace are
- written out surrounded by single quotes. This means that both
- double and single quotes are now used to surround strings in
- smb.conf (bug 481).
-o Enable SWAT to correctly determine if winbindd is running (bug
- 398).
-o Include WWW-Authenticate field in 401 response for bad auth
- attempt (bug 629).
-o Add support for NTLM2 (NTLMv2 session security).
-o Add support for variable-length session keys.
-o More privilege fixes for group enumeration in LDAP (bug 281).
-o Use the dns name (or IP) as the originating client name when
- using CUPS (bug 467).
-o Fix various SMB signing bugs.
-o Fix ACL propagation on a DFS root (bug 263).
-o Disable NTLM2 for RPC pipes.
-o Allow the client to specify the NTLM2 flags got NTLMSSP
- authentication.
-o Change the name of the job passed off to cups from "Test Page"
- to "smbprn.00000033 Test Page" so that we can get the smb
- jobid back. This allow users to delete jobs with cups printing
- backend (partial work on bug 770).
-o Fix build of winbindd with static pdb modules.
-o Retrieve the correct ACL group bits if the file has an ACL
- (bug 802).
-o Implement "net rpc group members": Get members of a domain group
- in human-readable format.
-o Add MacOSX (Darwin) specific charset module code.
-o Use samr_dispinfo(level == 1) for enumerating domain users so we
- can include the full name in gecos field (bug 587).
-o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
-o Implement 'net rpc group list [global|local|builtin]*' for a
- select listing of the respective user databases.
-o Don't automatically set NT status code flag unless client tells
- us it can cope.
-o Add 'net status [sessions|shares] [parseable]'.
-o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
- bug 770).
-o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
- (bug 608).
-o Fix inverted logic in hosts allow/deny checks caused by
- s/strcmp/strequal/ (bug 846).
-o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
-o Fix typo in 'hash' mangling algorithm.
-o Support munged dial for ldapsam (bug 800).
-o Fix process_incoming_data() to return the number of bytes handled
- this call whether we have a complete PDU or not; fixes bug
- with multiple PDU request rpc's broken over SMBwriteX calls
- each.
-o Fix incorrect smb flags2 for connections to pre-NT servers
- (causes smbclient to fail to OS2 for example) (bug 821).
-o Update version string in smbldap-tools Makefile to 0.8.2.
-o Correct a problem with "net rpc vampire" mis-parsing the
- alias member info reply.
-o Ensure the ${libdir} is created by the installclientlib script.
-o Fix detection of Windows 2003 client architecture in the smb.conf
- %a variable.
-o Ensure that smbd calls the add user script for a missing UNIX
- user on kerberos auth call (bug 445).
-o Fix bugs in hosts allow/deny when using a mismatched
- network/netmask pair.
-o Protect alloc_sub_basic() from crashing when the source string
- is NULL (partial work on bug 687).
-o Fix spinlocks on IRIX.
-o Corrected some bad destination paths when running "configure
- --with-fhs".
-o Add packaging files for Fedora Core 1.
-o Correct bug in SWAT install script for non-english languages.
-o Support character set ISO-8859-1 internally (bug 558).
-o Fixed more LDAP access errors when looking up group mappings
- (bug 281).
-o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
- resolution to fail on local files on on domain members
- (bug 875).
-o Fix uninitialized variable in passdb.c.
-o Fix formal parameter type in get_static() in nsswitch/wins.c.
-o Fix problem mounting directories when mount.cifs is installed
- with the setuid bit on.
-o Fix bug that prevent --mandir from overriding the defaults
- given in the --with-fhs macro.
-o Fix bug in in-memory Kerberos keytab detection routines
- in configure.in
+ * Suppress superfluous message.
+
+
+o Marc VanHeyningen <marc.vanheyningen@isilon.com>
+ * Coverity fixes.
+
+
+Changes since 3.2.0pre1:
+-----------------------
+
+o Michael Adam <obnox@samba.org>
+ * Add library for access to the registry configuration data.
+ * BUG 5023: Separate NFS4 and POSIX ACL code in file access checks.
+ * BUG 4308: Fix Excel save operation ACL bug.
+ * Refactor and consolidate logic for retrieving the machine
+ trust password information.
+ * VFS API cleanup (remove redundant parameter).
+ * BUG 4801: Correctly implement LSA lookup levels for LookupNames.
+ * Add new option "debug class" to control printing of the debug class.
+ in debug headers.
+ * Enable building of the zfsacl and notify_fam vfs modules.
+ * BUG 5083: Fix memleak in solarisacl module.
+ * BUG 5063: Fix build on RHEL5.
+ * New smb.conf parameter "config backend = registry" to enable registry
+ only configuration.
+ * Move "net conf" functionality into a separate module libnet_conf.c
+ * Restructure registry code, eliminating the dynamic overlay.
+ Make use of reg_api instead of backend code in most places.
+ * Add support for intercepting LDAP libraries' debug output and print
+ it in Samba's debugging system.
+ * Libreplace fixes.
+ * Build fixes.
+ * Initial support for using subsystems as shared libraries.
+ Use talloc, tdb, and libnetapi as shared libraries internally.
+o Jeremy Allison <jra@samba.org>
+ * Added support for IPv6 client and server connections.
+ * Add in the recvfile entry to the VFS layer.
+ * Removal of pstring data type.
+ * Remove unused utilities: smbctool and rpctorture.
+ * Fix service principal detection to match Windows Vista
+ (based on work from Andreas Schneider).
+ * Encrypted SMB transport in client tools and libraries, and server.
-######################################################################
-
- The original 3.0.0 release notes follow
- =======================================
- WHATS NEW IN Samba 3.0.0
- September 24, 2003
- =======================================
-
-
-Major new features:
--------------------
-
-1) Active Directory support. Samba 3.0 is now able to
- join a ADS realm as a member server and authenticate
- users using LDAP/Kerberos.
-
-2) Unicode support. Samba will now negotiate UNICODE on the wire
- and internally there is now a much better infrastructure for
- multi-byte and UNICODE character sets.
-
-3) New authentication system. The internal authentication system
- has been almost completely rewritten. Most of the changes are
- internal, but the new auth system is also very configurable.
-
-4) New default filename mangling system.
-5) A new "net" command has been added. It is somewhat similar to
- the "net" command in windows. Eventually we plan to replace
- numerous other utilities (such as smbpasswd) with subcommands
- in "net".
+o Kai Blin <kai@samba.org>
+ * Added support for an SMB_CONF_PATH environment variable
+ containing the path to smb.conf.
+ * Various fixes to ntlm_auth.
+ * make test now supports more extensive SPOOLSS testing using vlp.
+ * Correctly handle mixed-case hostnames in NTLMv2 authentication.
-6) Samba now negotiates NT-style status32 codes on the wire. This
- improves error handling a lot.
-7) Better Windows 2000/XP/2003 printing support including publishing
- printer attributes in active directory.
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Add Winbind client library.
+ * Decouple static linking between smbd and winbindd's client
+ interface.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Enhance client and server remote registry access.
+ * Add client calls for remotely joining a computer to a domain
+ (including calls from "net dom" command).
+ * Add libnetapi.so library for joining domains including
+ sample GTK+ app.
+ * Fixes for Vista SP1 Kerberos authdata handling to only pickup
+ the PAC.
+ * Various error code and error message fixes.
+ * Add initial draft of libnetconf to allow programmatic
+ configuration changes.
+ * Add libnet_join internal library for programmatically joining
+ and unjoining Domains.
+ * Add various fixes and new calls to libnetapi.so library.
+ * Various fixes for DsGetDcName and conversion to IDL based
+ structures.
+ * Fixes for pidl to correctly generate WERROR based client calls.
+ * Fixes for pidl to generate output that complies to coding
+ conventions.
+ * Various IDL fixes.
+ * Add ads_get_joinable_ous() to libads to get list of joinable ous.
+ * Add get_logon_hours_from_pdb() to comply with new IDL based
+ structures.
+ * Add debugging capabilities to dump AD connections to libads
+ (using ndr_print).
+ * Add "dump-domain-list" command for smbcontrol to retrieve better
+ debugging information out of winbindd.
+ * Migration of the entire client and server DCE/RPC code to IDL
+ based structures and autogenerated code for DSSETUP, LSA, SAMR
+ and NETLOGON.
+ * Started migration of client and server DCE/RPC code to IDL based
+ structures and autogenerated code for NTSSVC, SVCCTL and
+ EVENTLOG.
+ * Use IDL and autogenerated code for samlogoncache and Kerberos
+ PAC handling.
+ * Various fixes and cleanup of Kerberos PAC handling.
+ * Fix segfault in _srv_net_file_enum.
+ * Conversion of client join and unjoin code to libnet_join.
+ * Add remote join/unjoin server-side implementation.
+ * Removed a lot of code which has become obsolete.
+
+
+o Steve Langasek <vorlon@debian.org>
+ * Integrate 2 out of 3 --with-fhs patches from Debian packaging
+ for better adherence to the FHS standard.
-8) New loadable module support for passdb backends and character
- sets.
-9) New default dual-daemon winbindd support for better performance.
+o Volker Lendecke <vl@samba.org>
+ * Add talloc_stackframe() and talloc_pool() features.
+ * Removal of pstring data type.
+ * Add generic a in-memory cache.
+ * Import the Linux red-black tree implementation.
+ * Remove large amount of global variables.
+ * Support for storing xattrs in tdb files.
+ * Support for storing alternate data streams in xattrs.
+ * Implement a generic in-memory cache based on rb-trees.
+ * Add implicit temporary talloc contexts via talloc_stack().
+ * Speed up the smbclient "get" command
+ * Add the aio_fork module
+ * Fix bug 4901
+
+o Derrell Lipman <derrell@samba.org>
+ * Modified libsmbclient API for more easily maintaining ABI compatibility
+ while adding new features to libsmbclient.
-10) Support for migrating from a Windows NT 4.0 domain to a Samba
- domain and maintaining user, group and domain SIDs.
+o Stefan Metzmacher <metze@samba.org>
+ * Refactor Winbind internal parent-child interface tables
+ to achieve better unit testing support.
+ * Add nss_wrapper API for local Winbind unit tests.
+ * Networking fixes to the libreplace library.
+ * Pidl fixes.
+ * Remove unused Winbind pipe calls.
+ * Build fixes.
+ * Fix for a crash bug in pidl generated client code.
+ This could have happend with [in,out,unique] pointers
+ when the client sends a valid pointer, but the server
+ responds with a NULL pointer (as samba-3.0.26a does for some calls).
+ * Change NTSTATUS into enum ndr_err_code in librpc/ndr.
+ * Remove unused calls in the struct based winbindd protocol.
+ * Add --configfile option to wbinfo.
+ * Convert winbind_env_set(), winbind_on() and winbind_off() into macros.
+ * Return rids and other_sids arrays in WBFLAG_PAM_INFO3_TEXT mode.
+ * Implement wbcErrorString() and wbcAuthenticateUserEx().
+ * Convert auth_winbind to use wbcAuthenticateUserEx().
-11) Support for establishing trust relationships with Windows NT 4.0
- domain controllers.
-
-12) Initial support for a distributed Winbind architecture using
- an LDAP directory for storing SID to uid/gid mappings.
-
-13) Major updates to the Samba documentation tree.
-14) Full support for client and server SMB signing to ensure
- compatibility with default Windows 2003 security settings.
+o James Peach <jpeach@samba.org>
+ * Add support for DNS Service Discovery. Based on work from
+ Rishi Srivatsavai <rishisv@gmail.com>.
-15) Improvement of ACL mapping features based on code donated by
- Andreas Grünbacher.
+o Andreas Schneider <anschneider@suse.de>
+ * Don't restart winbind if a corrupted tdb is found during
+ initialization.
+ * Fix Windows 2008 (Longhorn) join.
+ * Fix crashbug in winbindd.
+ * Add share parameter "administrative share".
-Plus lots of other improvements!
+o Karolin Seeger <ks@sernet.de>
+ * Improve error messages of net subcommands.
+ * Add 'net rap file user'.
+ * Change LDAP search filter to find machine accounts which
+ are not located in the user suffix.
+ * Remove smbmount.
-Additional Documentation
-------------------------
-Please refer to Samba documentation tree (included in the docs/
-subdirectory) for extensive explanations of installing, configuring
-and maintaining Samba 3.0 servers and clients. It is advised to
-begin with the Samba-HOWTO-Collection for overviews and specific
-tasks (the current book is up to approximately 400 pages) and to
-refer to the various man pages for information on individual options.
+o David Shaw <dshaw@jabberwocky.com>
+ * BUG 5073: Allow "delete readonly = yes" to correctly override
+ deletion of a file.
-We are very glad to be able to include the second edition of
-"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
-(O'Reilly & Associates) in this release. The book is available
-on-line at http://samba.org/samba/docs/ and is included with
-the Samba Web Administration Tool (SWAT). Thanks to the authors and
-publisher for making "Using Samba" under the GNU Free Documentation
-License.
+o Rishi Srivatsavai <rishisv@gmail.com>
+ * Register the smb service with mDNS if mDNS is supported.
+ * Add smbclient support for basic mDNS browsing.
-######################################################################
-Upgrading from a previous Samba 3.0 beta
-########################################
-
-Beginning with Samba 3.0.0beta3, the RID allocation functions
-have been moved into winbindd. Previously these were handled
-by each passdb backend. This means that winbindd must be running
-to automatically allocate RIDs for users and/or groups. Otherwise,
-smbd will use the 2.2 algorithm for generating new RIDs.
-
-If you are using 'passdb backend = tdbsam' with a previous Samba
-3.0 beta release (or possibly alpha), it may be necessary to
-move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
-to winbindd_idmap.tdb. To do this:
-
-1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
- once)
-2) build tdbtool by executing 'make tdbtool' in the source/tdb/
- directory
-3) run: (note that 'tdb>' is the tool's prompt for input)
-
- root# ./tdbtool /usr/local/samba/private/passdb.tdb
- tdb> show RID_COUNTER
- key 12 bytes
- RID_COUNTER
- data 4 bytes
- [000] 0A 52 00 00 .R.
-
- tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
- ....
- record moved
-
-If you are using 'passdb backend = ldapsam', it will be necessary to
-store idmap entries in the LDAP directory as well (i.e. idmap backend
-= ldap). Refer to the 'net idmap' command for more information on
-migrating SID<->UNIX id mappings from one backend to another.
-
-If the RID_COUNTER record does not exist, then these instructions are
-unneccessary and the new RID_COUNTER record will be correctly generated
-if needed.
-
-
-
-########################
-Upgrading from Samba 2.2
-########################
-
-This section is provided to help administrators understand the details
-involved with upgrading a Samba 2.2 server to Samba 3.0.
-
-
-Building
---------
-
-Many of the options to the GNU autoconf script have been modified
-in the 3.0 release. The most noticeable are:
-
- * removal of --with-tdbsam (is now included by default; see section
- on passdb backends and authentication for more details)
-
- * --with-ldapsam is now on used to provided backward compatible
- parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
- backend and authentication section for more details
-
- * inclusion of non-standard passdb modules may be enabled using
- --with-expsam. This includes an XML backend and a mysql backend.
-
- * removal of --with-msdfs (is now enabled by default)
-
- * removal of --with-ssl (no longer supported)
-
- * --with-utmp now defaults to 'yes' on supported systems
-
- * --with-sendfile-support is now enabled by default on supported
- systems
-
-
-Parameters
-----------
-
-This section contains a brief listing of changes to smb.conf options
-in the 3.0.0 release. Please refer to the smb.conf(5) man page for
-complete descriptions of new or modified parameters.
-
-Removed Parameters (order alphabetically):
-
- * admin log
- * alternate permissions
- * character set
- * client codepage
- * code page directory
- * coding system
- * domain admin group
- * domain guest group
- * force unknown acl user
- * hide local users
- * mangled stack
- * nt smb support
- * postscript
- * printer driver
- * printer driver file
- * printer driver location
- * read size
- * source environment
- * status
- * strip dot
- * total print jobs
- * use rhosts
- * valid chars
- * vfs options
-
-New Parameters (new parameters have been grouped by function):
-
- Remote management
- -----------------
- * abort shutdown script
- * shutdown script
-
- User and Group Account Management
- ---------------------------------
- * add group script
- * add machine script
- * add user to group script
- * algorithmic rid base
- * delete group script
- * delete user from group script
- * passdb backend
- * set primary group script
-
- Authentication
- --------------
- * auth methods
- * realm
- * passwd chat timeout
-
- Protocol Options
- ----------------
- * client lanman auth
- * client NTLMv2 auth
- * client schannel
- * client signing
- * client use spnego
- * disable netbios
- * ntlm auth
- * paranoid server security
- * server schannel
- * server signing
- * smb ports
- * use spnego
-
- File Service
- ------------
- * get quota command
- * hide special files
- * hide unwriteable files
- * hostname lookups
- * kernel change notify
- * mangle prefix
- * map acl inherit
- * msdfs proxy
- * set quota command
- * use sendfile
- * vfs objects
-
- Printing
- --------
- * max reported print jobs
-
- UNICODE and Character Sets
- --------------------------
- * display charset
- * dos charset
- * unicode
- * unix charset
-
- SID to uid/gid Mappings
- -----------------------
- * idmap backend
- * idmap gid
- * idmap uid
- * winbind enable local accounts
- * winbind trusted domains only
- * template primary group
- * enable rid algorithm
-
- LDAP
- ----
- * ldap delete dn
- * ldap group suffix
- * ldap idmap suffix
- * ldap machine suffix
- * ldap passwd sync
- * ldap replication sleep
- * ldap user suffix
-
- General Configuration
- ---------------------
- * preload modules
- * private dir
-
-Modified Parameters (changes in behavior):
-
- * encrypt passwords (enabled by default)
- * mangling method (set to 'hash2' by default)
- * passwd chat
- * passwd program
- * restrict anonymous (integer value)
- * security (new 'ads' value)
- * strict locking (enabled by default)
- * unix extensions (enabled by default)
- * winbind cache time (increased to 5 minutes)
- * winbind uid (deprecated in favor of 'idmap uid')
- * winbind gid (deprecated in favor of 'idmap gid')
-
-
-Databases
----------
-
-This section contains brief descriptions of any new databases
-introduced in Samba 3.0. Please remember to backup your existing
-${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
-upgrade databases as they are opened (if necessary), but downgrading
-from 3.0 to 2.2 is an unsupported path.
-
-Name Description Backup?
----- ----------- -------
-account_policy User policy settings yes
-gencache Generic caching db no
-group_mapping Mapping table from Windows yes
- groups/SID to unix groups
-winbindd_idmap ID map table from SIDS to UNIX yes
- uids/gids.
-namecache Name resolution cache entries no
-netsamlogon_cache Cache of NET_USER_INFO_3 structure no
- returned as part of a successful
- net_sam_logon request
-printing/*.tdb Cached output from 'lpq no
- command' created on a per print
- service basis
-registry Read-only samba registry skeleton no
- that provides support for exporting
- various db tables via the winreg RPCs
-
-
-Changes in Behavior
--------------------
-
-The following issues are known changes in behavior between Samba 2.2 and
-Samba 3.0 that may affect certain installations of Samba.
-
- 1) When operating as a member of a Windows domain, Samba 2.2 would
- map any users authenticated by the remote DC to the 'guest account'
- if a uid could not be obtained via the getpwnam() call. Samba 3.0
- rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
- current work around to re-establish the 2.2 behavior.
-
- 2) When adding machines to a Samba 2.2 controlled domain, the
- 'add user script' was used to create the UNIX identity of the
- machine trust account. Samba 3.0 introduces a new 'add machine
- script' that must be specified for this purpose. Samba 3.0 will
- not fall back to using the 'add user script' in the absence of
- an 'add machine script'
-
-######################################################################
-Passdb Backends and Authentication
-##################################
-
-There have been a few new changes that Samba administrators should be
-aware of when moving to Samba 3.0.
-
- 1) encrypted passwords have been enabled by default in order to
- inter-operate better with out-of-the-box Windows client
- installations. This does mean that either (a) a samba account
- must be created for each user, or (b) 'encrypt passwords = no'
- must be explicitly defined in smb.conf.
-
- 2) Inclusion of new 'security = ads' option for integration
- with an Active Directory domain using the native Windows
- Kerberos 5 and LDAP protocols.
-
- MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
- type which is neccessary for servers on which the
- administrator password has not been changed, or kerberos-enabled
- SMB connections to servers that require Kerberos SMB signing.
- Besides this one difference, either MIT or Heimdal Kerberos
- distributions are usable by Samba 3.0.
-
-
-Samba 3.0 also includes the possibility of setting up chains
-of authentication methods (auth methods) and account storage
-backends (passdb backend). Please refer to the smb.conf(5)
-man page for details. While both parameters assume sane default
-values, it is likely that you will need to understand what the
-values actually mean in order to ensure Samba operates correctly.
-
-The recommended passdb backends at this time are
-
- * smbpasswd - 2.2 compatible flat file format
- * tdbsam - attribute rich database intended as an smbpasswd
- replacement for stand alone servers
- * ldapsam - attribute rich account storage and retrieval
- backend utilizing an LDAP directory.
- * ldapsam_compat - a 2.2 backward compatible LDAP account
- backend
-
-Certain functions of the smbpasswd(8) tool have been split between the
-new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
-utility. See the respective man pages for details.
-
-
-######################################################################
-LDAP
-####
-
-This section outlines the new features affecting Samba / LDAP
-integration.
-
-New Schema
-----------
-
-A new object class (sambaSamAccount) has been introduced to replace
-the old sambaAccount. This change aids us in the renaming of
-attributes to prevent clashes with attributes from other vendors.
-There is a conversion script (examples/LDAP/convertSambaAccount) to
-modify and LDIF file to the new schema.
-
-Example:
-
- $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
- $ convertSambaAccount --sid=<Domain SID> \
- --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
- --changetype=[modify|add]
-
-The <DOM SID> can be obtained by running 'net getlocalsid
-<DOMAINNAME>' on the Samba PDC as root. The changetype determines
-the format of the generated LDIF output--either create new entries
-or modify existing entries.
-
-The old sambaAccount schema may still be used by specifying the
-"ldapsam_compat" passdb backend. However, the sambaAccount and
-associated attributes have been moved to the historical section of
-the schema file and must be uncommented before use if needed.
-The 2.2 object class declaration for a sambaAccount has not changed
-in the 3.0 samba.schema file.
-
-Other new object classes and their uses include:
-
- * sambaDomain - domain information used to allocate rids
- for users and groups as necessary. The attributes are added
- in 'ldap suffix' directory entry automatically if
- an idmap uid/gid range has been set and the 'ldapsam'
- passdb backend has been selected.
-
- * sambaGroupMapping - an object representing the
- relationship between a posixGroup and a Windows
- group/SID. These entries are stored in the 'ldap
- group suffix' and managed by the 'net groupmap' command.
-
- * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
- automatically and contains the next available 'idmap uid' and
- 'idmap gid'
-
- * sambaIdmapEntry - object storing a mapping between a
- SID and a UNIX uid/gid. These objects are created by the
- idmap_ldap module as needed.
-
- * sambaSidEntry - object representing a SID alone, as a Structural
- class on which to build the sambaIdmapEntry.
-
-
-New Suffix for Searching
-------------------------
-
-The following new smb.conf parameters have been added to aid in directing
-certain LDAP queries when 'passdb backend = ldapsam://...' has been
-specified.
-
- * ldap suffix - used to search for user and computer accounts
- * ldap user suffix - used to store user accounts
- * ldap machine suffix - used to store machine trust accounts
- * ldap group suffix - location of posixGroup/sambaGroupMapping entries
- * ldap idmap suffix - location of sambaIdmapEntry objects
-
-If an 'ldap suffix' is defined, it will be appended to all of the
-remaining sub-suffix parameters. In this case, the order of the suffix
-listings in smb.conf is important. Always place the 'ldap suffix' first
-in the list.
-
-Due to a limitation in Samba's smb.conf parsing, you should not surround
-the DN's with quotation marks.
-
-
-IdMap LDAP support
-------------------
-
-Samba 3.0 supports an ldap backend for the idmap subsystem. The
-following options would inform Samba that the idmap table should be
-stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
-dc=org" partition.
-
- [global]
- ...
- idmap backend = ldap:ldap://onterose/
- ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
- idmap uid = 40000-50000
- idmap gid = 40000-50000
-
-This configuration allows winbind installations on multiple servers to
-share a uid/gid number space, thus avoiding the interoperability problems
-with NFS that were present in Samba 2.2.
-
+o Andrew Tridgell <tridge@samba.org>
+ * Fix padding between Winbind 32bit/64bit client library in
+ the request/response structures.
+ * Added a syncops VFS module for file systems which do not
+ guarantee meta-data operations are immediately committed to
+ disk in stable form.
-######################################################################
-Trust Relationships and a Samba Domain
-######################################
+o Jelmer Vernooij <jelmer@samba.org>
+ * Additional portability support for building shared libraries.
-Samba 3.0.0beta2 is able to utilize winbindd as the means of
-allocating uids and gids to trusted users and groups. More
-information regarding Samba's support for establishing trust
-relationships can be found in the Samba-HOWTO-Collection included
-in the docs/ directory of this release.
-First create your Samba PDC and ensure that everything is
-working correctly before moving on the trusts.
+o Corinna Vinschen <corinna@vinschen.de>
+ * Get Samba version or capability information from Windows user space.
-To establish Samba as the trusting domain (named SAMBA) from a Windows NT
-4.0 domain named WINDOWS:
- 1) create the trust account for SAMBA in "User Manager for Domains"
- 2) connect the trust from the Samba domain using
- 'net rpc trustdom establish GLASS'
+Original 3.2.0pre1 commits:
+---------------------------
+o Michael Adam <obnox@samba.org>
+ * Unified POSIX ACL detection including support for FreeBSD and
+ HP-UX.
+ * Performance improvements for Winbind's lookup functions (names,
+ SIDs, and group membership) when joined to an AD domain.
+ * Winbind cache validation support.
+ * Store domain trust passwords for Samba domain controller's in
+ the domain's passdb backend.
+ * Merged \winreg server code from the SAMBA_3_2 development branch.
+ * Fixes for libreplace.
+ * Implement new registry configuration backend.
-To create a trustlationship with SAMBA as the trusted domain:
- 1) create the initial trust account for GLASS using
- 'smbpasswd -a -i GLASS'. You may need to create a UNIX
- account for GLASS$ prior to this step (depending on your
- local configuration).
- 2) connect the trust from a WINDOWS DC using "User Manager
- for Domains"
+o Jeremy Allison <jra@samba.org>
+ * Add support for file system objectIDs.
+ * Winbind cache validation support.
+ * Add in the UNIX capability for 24-bit readX.
+ * Improve Delete-on-Close semantics.
+ * Removal of static file and path name buffers in SMB file serving
+ code.
-Now join winbindd on the Samba PDC to the SAMBA domain using
-the normal steps for adding a Samba server to an NT4 domain:
-(note that smbd & nmbd must be running at this point)
- root# net rpc join -U root
- Password: <enter root password from smbpasswd file here>
+o Danilo Almeida <dalmeida@centeris.com>
+ * Move the machine account to the OU specified when running "net
+ ads join".
-Start winbindd and test the join with 'wbinfo -t'.
-Now test the trust relationship by connecting to the SAMBA DC
-(e.g. POGO) as a user from the WINDOWS domain:
+o Andrew Bartlett <abartlet@samba.org>
+ * Tighten authentication protocol defaults in client tools and
+ servers.
- $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
- Password:
-Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Implement support for one-way trusts and two-way cross-forest
+ transitive trust in winbindd.
+ * Fixes for Winbind's offline/disconnected logon support when
+ using remote idmap backends.
+ * Fix LookupNames and LookupSids to use the same resolution
+ heuristics as Windows XP.
+ * Fix lockups in Winbind when running nscd.
+ * UPN logon support in pam_winbind.
+ * Add support for GNU linker scripts when build shared libraries
+ (based on work by Julien Cristau <jcristau@debian.org> and James
+ Peach).
+
+
+o Guenther Deschner <gd@samba.org>
+ * Additional support for decoding and downloading group policy
+ objects from Active Directory.
+ * Improvements to "net ads keytab" command.
+ * Fixes for linking against Heimdal Kerberos client libs.
+ * Support LDAP range retrieval searches.
+ * Fixes for failure to refresh user ticket caches in Winbind.
+ * UPN logon support in pam_winbind.
+ * Add KDC locator plugin for MIT kerberos 1.6 or later.
+
+
+o Steve Langasek <vorlon@debian.org>
+ * Allow SIGTERM to cause nmbd to exit while awaiting a interface
+ to come up.
- $ smbclient //crystal/netlogon -U root -W WINDOWS
- Password:
-######################################################################
-Changes in Winbind
-##################
+o Volker Lendecke <vl@samba.org>
+ * Merge experimental cluster support patches from the ctdb branch.
+ * Add tdb storage abstraction for ctdb.
+ * Use IDL for internal message passing system.
+ * Add client support for the SamLogonEx() authentication request.
+ * Implement RPC proxy stubs in the Samba server code to allow
+ replacing implementation functions one by one.
+ * Remove static incoming and outgoing buffers from core server SMB
+ packet processing code.
+ * Add "net sam rights" command.
-Beginning with Samba3.0.0beta3, winbindd has been given new account
-manage functionality equivalent to the 'add user script' family of
-smb.conf parameters. The idmap design has also been changed to
-centralize control of foreign SID lookups and matching to UNIX
-uids and gids.
+o Steve French <sfrench@samba.org>
+ * Fixes for mount.cifs Linux utility.
-Brief Description of Changes
-----------------------------
-1) The sid_to_uid() family of functions (smbd/uid.c) have been
- reverted to the 2.2.x design. This means that when resolving a
- SID to a UID or similar mapping:
+o Stefan Metzmacher <metze@samba.org>
+ * Fixes for libreplace.
+ * Add support for LDAP digital signing policy.
+ * Experimental clustered file system support.
- a) First consult winbindd
- b) perform a local lookup only if winbindd fails to
- return a successful answer
- There are some variations to this, but these two rules generally
- apply.
+o Lars Mueller <lars@samba.org>
+ * Makefile and build fixes.
+ * Add pam_pwd_expire for pam_winbind (original patch from Andreas
+ Schneider).
-2) All idmap lookups have been moved into winbindd. This means that
- a server must run winbindd (and support NSS) in order to achieve
- any mappings of SID to dynamically allocated UNIX ids. This was
- a conscious design choice.
-3) New functions have been added to winbindd to emulate the 'add user
- script' family of smbd functions without requiring that external
- scripts be defined. This functionality is controlled by the 'winbind
- enable local accounts' smb.conf parameter (enabled by default).
+o James Peach <jpeach@apple.com>
+ * Fixes for setgroups() and *BSD and Darwin.
+ * Support membership of >16 groups on Darwin.
- However, this account management functionality is only supported
- in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
- must be shared among multiple Samba servers (such as a PDC and BDCs),
- it will be necessary to define your own 'add user script', et. al.
- programs that place the accounts/groups in some form of directory
- such as NIS or LDAP. This requirement was deemed beyond the scope
- of winbind's account management functions. Solutions for
- distributing UNIX system information have been deployed and tested
- for many years. We saw no need to reinvent the wheel.
-4) A member of a Samba controlled domain running winbindd is now able
- to map domain users directly onto existing UNIX accounts while still
- automatically creating accounts for trusted users and groups. This
- behavior is controlled by the 'winbind trusted domains only' smb.conf
- parameter (disabled by default to provide 2.2.x winbind behavior).
+o Jiri Sasek <Jiri.Sasek@Sun.COM>
+ * Added vfs_zfsacl module.
-5) Group mapping support is wrapped in the local_XX_to_XX() functions
- in smbd/uid.c. The reason that group mappings are not included
- in winbindd is because the purpose of Samba's group map is to
- match any Windows SID with an existing UNIX group. These UNIX
- groups can be created by winbindd (see next section), but the
- SID<->gid mapping is retreived by smbd, not winbindd.
+o Karolin Seeger <ks@sernet.de>
+ * Add deletelocalgroup and unmapunixgroup subcommand to "net sam".
+ * Cleanup internal passdb functions.
-Examples
---------
-* security = server running winbindd to allocate accounts on demand
+o Simo Sorce <idra@samba.org>
+ * Fixes for IDmap and Passdb backends.
-* Samba PDC running winbindd to handle the automatic creation of UNIX
- identities for machine trust accounts
-* Automtically creating UNIX user and groups when migrating a Windows NT
- 4.0 PDC to a Samba PDC. Winbindd must be running when executing
- 'net rpc vampire' for this to work.
+o Andrew Tridgell <tridge@samba.org>
+ * Port ldb from the Samba 4 tree and add ldb group mapping plugin.
+ * Move several file serving related tdb files to use the dbwrap
+ API internally.
+ * Cleanup the GPFS VFS plugin.
+ * Experimental clustered file system support.
-
-######################################################################
-Known Issues
-############
-* There are several bugs currently logged against the 3.0 codebase
- that affect the use of NT 4.0 GUI domain management tools when run
- against a Samba 3.0 PDC. This bugs should be released in an early
- 3.0.x release.
+o Jelmer Vernooij <jelmer@samba.org>
+ * Implement NDR basic to support utilizing IDL files from Samba 4
+ tree for general DCE/RPC parsing stubs.
-Please refer to https://bugzilla.samba.org/ for a current list of bugs
-filed against the Samba 3.0 codebase.
######################################################################
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
-the problem then you will probably be ignored.
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.2 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
-A new bugzilla installation has been established to help support the
-Samba 3.0 community of users. This server, located at
-https://bugzilla.samba.org/, has replaced the older jitterbug server
-previously located at http://bugs.samba.org/.
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================