X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=blobdiff_plain;f=WHATSNEW.txt;h=76a66b3d297910ff484999d6b403514da9be3afd;hp=6e587f263cf147ca9733d8d55d050d782e86048f;hb=18206a4cb52fba13253339c1b166d3df27345380;hpb=950a6d980a738f0494a4f58ea588a0f5194da8c6 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6e587f263cf..76a66b3d297 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,1053 +1,404 @@ - WHATS NEW IN Samba 3.0.2pre1 - January XX, 2004 - =============================== + ================================= + Release Notes for Samba 3.2.0pre2 + Feb 29, 2008 + ================================= -This is a preview release of the Samba 3.0.2 code base and is -provided for testing only. This release is *not* intended for -production servers. Use at your own risk. +This is the second preview release of Samba 3.2.0. This is *not* +intended for production environments and is designed for testing +purposes only. Please report any defects via the Samba bug reporting +system at https://bugzilla.samba.org/. -There have been several bug fixes since the 3.0.1 release that -we feel are important to make available to the Samba community -for wider testings. See the "Changes" section for details on -exact updates. +Please be aware that Samba is now distributed under the version 3 +of the new GNU General Public License. You may refer to the COPYING +file that accompanies these release notes for further licensing details. +Major enhancements in Samba 3.2.0 include: -###################################################################### -Changes -####### -Changes since 3.0.1 ----------------------- + File Serving: + o Use of IDL generated parsing layer for several DCE/RPC + interfaces. + o Removal of the 1024 byte limit on pathnames and 256 byte limit on + filename components to honor the MAX_PATH setting from the host OS. + o Introduction of a registry based configuration system. + o Improved CIFS Unix Extensions support. + o Experimental support for file serving clusters. + o Support for IPv6 in the server, and client tools and libraries. + o Support for storing alternate data streams in xattrs. + o Encrypted SMB transport in client tools and libraries, and server. -Please refer to the CVS log for the SAMBA_3_0 branch for complete -details. The list of changes per contributor are as follows: + Winbind and Active Directory Integration: + o Full support for Windows 2003 cross-forest, transitive trusts + and one-way domain trusts. + o Support for userPrincipalName logons via pam_winbind and NSS + lookups. + o Support in pam_winbind for logging on using the userPrincipalName. + o Expansion of nested domain groups via NSS calls. + o Support for Active Directory LDAP Signing policy. + o New LGPL Winbind client library (libwbclient.so). - Parameter Name Action - -------------- ------ - ldap replication sleep New + Users & Groups: + o New ldb backend for local group mapping tables + o Raised level of security defaults for authentication operations. -Commits -------- -o Jeremy Allison - * Tidy up of NTLMSSP code. - * Fixes for SMB signing errors - * BUG 815: Workaround NT4 bug to support plaintext - password logins and UNICODE. - - -o Petri Asikainen - * BUG 330, 387:Fix single valued attribute updates when - working with Novell NDS. - - -o Andrew Bartlet - * Correctly handle per-pipe NTLMSSP inside a NULL session. - * Fix segfault in gencache - * Fix early free() of encrypted_session_key. - * Change DC lookup routines to more carefully separate - DNS names (realms) from NetBIOS domain names. - * Add new sid_to_dn() utility function for internal winbindd use. - * Refactor cli_ds_enum_domain_trusts(). - * BUG 707: Implement range retrieval of ADS attributes (based on - work from Volker and Guenther Deschner - ). - * Automatically initialize the signing engine if a session key is - available. - * BUG 916: Do not perform a + -> ' ' substitution for squid URL - encoded strings, only form input in SWAT. - * Ensure Samba resets the NTLMSSP state for new negotiate packets. - * Add 2-byte alignments in net_samlogon() queries to parse odd-length - plain text passwords. - * Allow Windows groups with no members in winbindd. - * Allow normal authentication in the absence of a server - generated session key. - * More optimizations for looking up UNIX group lists. - * Clean up error codes and return values for pam_winbindd - and winbindd PAM interface. - * Fix restring return values in ntlm_auth tool. - - -o Dmitry Butskoj - * Fix for special files being hidden from admins. - - -o Gerald (Jerry) Carter - * Fix bug in the lanman session key generation. Caused - "decode_pw: incorrect password length" error messages. - * Save the right case for the located user name in - fill_sam_account(). Fixes %U/%u expansion for win9x clients. - * BUG 897: Add well known rid for pre win2k compatible access - group. - * BUG 887: Correct typo in delete user script example. - * Use short lived TALLOC_CTX* for allocating printer objects - from the print handle cache. - * BUG 912: Fix check for HAVE_MEMORY_KEYTAB. - - -o Guenther Deschner - * Install smbwrapper.so should be put into the $(libdir) - and not $(bindir). - * Add the capability to specify the new user password - for "net ads password" on the command line. - * Correctly detect AFS headers on SuSE. - - -o James Flemer - * Fix AIX compile bug by linking HAVE_ATTR_LIST to HAVE_SYS_ATTRIBUTES_H. - - -o Volker Lendecke - * BUG 583: Ensure that user names always contain the short version - of the domain name. - * Fix our parsing of the LDAP uri. - * Don't show the 'afs username map' in the SWAT basic view. - * Fix SMB signing issues in relation to failed NTLMSSP logins. - * BUG 924: Fix return codes in smbtorture harness. - * Always lower-case usernames before handing it to AFS code. - - -o Jianliang Lu - * Ensure we delete the group mapping before calling the delete - group script. - * Define well known RID for managing the "Power Users" group. - - -o Stefan Metzmacher - * Implement LDAP rebind sleep patch. - * Revert to 2.2 quota code because of so many broken quota files - out there. - -o - * Allow an existing LDAP machine account to be re-used when - joining an AD domain. - - -o James Peach - * BUG 889: Change smbd to use pread/pwrite on platforms that - support these calls. Can lead to a significant speed increase. - - -o Tim Potter - * BUG 924: Fix typo in RW2 torture test. - -o Richard Sharpe - * Small fixes to torture.c to cleanup the error handling - and prevent crashes. - - -o J. Tournier - * Small fixes for the smbldap-tool scripts. - - -o Jelmer Vernooij - * Put functions for generating SQL queries in pdb_sql.c - * Add pgSQL backend (based on patch by Hamish Friedlander) - * BUG 908: Fix -s option to smbcontrol. - * Add smbget utility - a wget-clone for the SMB/CIFS protocol - - - -Changes since 3.0.0 ----------------------- - - Parameter Name Action - -------------- ------ - hide local users Removed - mangled map Deprecated - mangled stack Removed - passwd chat timeout New - -commits -------- - -o Change the interface for init_unistr2 to not take a length - but a flags field. We were assuming that - 2*strlen(mb_string) == length of ucs2-le string. (bug 480). -o Allow d_printf() to handle strings with escaped quotation - marks since the msg file includes the escape character (bug 489). -o Fix bad html table row termination in SWAT wizard code (bug 413). -o Fix to parse the level-2 strings. -o Fix for "valid users = %S" in [homes]. Fix read/write - list as well. -o Change AC_CHECK_LIB_EXT to prepend libraries instead of append. - This is the same way AC_CHECK_LIB works (bug 508). -o Testparm output fixes for clarity. -o Fix broken wins hook functionality -- i18n bug (bug 528). -o Take care of condition where DOS and NT error codes must differ. -o Default to using only built-in charsets when a working iconv - implementation cannot be located. -o Wrap internals of sys_setgroups() so the sys_XX() call can - be done unconditionally (bug 550). -o Remove duplicate smbspool link on SWAT's front page (bug 541). -o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that - --enable-debug=[yes|no] works correctly. -o Allow ^C to interrupt smbpasswd if using our getpass - (e.g. smbpasswd command). -o Support signing only on RPC's (bug 167). -o Correct bug that prevented Excel 2000 clients from opening - files marked as read-only. -o Portability fix bugs 546 - 549). -o Explicitly initialize the value of AR for vendor makes that don't - do this (e.g. HPUX 11). (bug 552). -o More i18n fixes for SWAT (bug 413). -o Change the cwd before the postexec script to ensure that a - umount will succeed. -o Correct double free that caused winbindd to crash when a DC - is rebooted (bug 437). -o Fix incorrect mode sum (bug 562). -o Canonicalize SMB_INFO_ALLOCATION in the same was as - SMB_FS_FULL_SIZE_INFORMATION (bug 564). -o Add script to generate *msg files. -o Add Dutch SWAT translation file. -o Make sure to call get_user_groups() with the full winbindd - name for a user if he/she has one (bug 406). -o Fix up error code returns from Samba4 tester. Ensure invalid - paths are validated the same way. -o Allow Samba3 to pass the Samba4 RAW-READ tests. -o Refuse to configure if --with-expsam=$BACKEND was used but no - libraries were found for $BACKEND. -o Move sysquotas autoconf tests to a separate file. -o Match W2K w.r.t. writelock and writeclose. Samba4 torture - tester -o Make sure that the files that contain the static_init_$subsystem; - macro get recompiled after configure by removing the object - files. -o Ensure canceling a blocking lock returns the correct error - message. -o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. -o Updated Japanese welcome file in SWAT. -o Fix to nt-time <-> unix-time functions reversible. -o Ensure that winbindd uses the the escaped DN when querying - an AD ldap server. -o Fix portability issues when compiling (bug 505, 550) -o Compile fix for tdbbackup when Samba needs to override - non-C99 compliant implementations of snprintf(). -o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). -o Make sure we break out of samsync loop on error. -o Ensure error code path doesn't free unmalloc()'d memory - (bug 628). -o Add configure test for krb5_keytab_entry keyblock vs key - member (bug 636). -o Fixed spinlocks. -o Modified testparm so that all output so all debug output goes - to stderr, and all file processing goes to stdout. -o Fix error return code for BUFFER_TOO_SMALL in smbcacls - and smbcquotas. -o Fix "NULL dest in safe_strcpy()" log message by ensuring that - we have a devmode before copying a string to the devicename. -o Support mapping REALM.COM\user to a local user account (without - running winbindd) for compatibility with 2.2.x release. -o Ensure we don't use mmap() on blacklisted systems. -o fixed a number of bugs and memory leaks in the AIX - winbindd shim -o Call initgroups() in SWAT before becomming the user so that - secondary group permissions can be used when writing to - smb.conf. -o Fix signing problems when reverse connecting back to a - client for printer notify -o Fix signing problems caused by a miss-sequence bug. -o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. - Fixes NEXUS tools running on Win9x clients (bug 64). -o Don't leave the domain field uninitialized in cli_lsa.c if some - SID could not be mapped. -o Fix segfault in mount.cifs helper when there is no options - specified during mount. -o Change the \n after the password prompt to go to tty instead - of stdout (bug 668). -o Stop net -P from prompting for machine account password (bug 451). -o Change in behavior to Not only change the effective uid but also - the real uid when becoming unprivileged. -o Cope with Exchange 5.5 cleartext pop password auth. -o New files for support of initshutdown pipe. Win2k doesn't - respond properly to all requests on the winreg pipe, so we need - to handle this new pipe (bug 534). -o Added more va_copy() checks in configure.in. -o Include fixes for libsmbclient build problems. -o Missing UNIX -> DOS codepage conversion in lanman.c. -o Allow DFMS-S filenames can now have arbitrary case (bug 667). -o Parameterize the listen backlog in smbd and make it larger by - default. A backlog of 5 is way too small these days. -o Check for an invalid fid before dereferencing the fsp pointer - (bug 696). -o Remove invalid memory frees and return codes in pdb_ldap.c. -o Prompt for password when invoking --set-auth-user and no - password is given. -o Bind the nmbd sending socket to the 'socket address'. -o Re-order link command for smbd, rpcclient and smbpasswd to ensure - $LDFLAGS occurs before any library specification (bug 661). -o Fix large number of printf() calls for 64-bit size_t. -o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the - keyblock in the krb5 structs. -o Remove #include in hopes to avoid problems with - apache header files. -o Correct winbindd build problems on HP-UX 11. -o Lowercase netgroups lookups (bug 703). -o Use the actual size of the buffer in strftime instead of a made - up value which just happens to be less than sizeof(fstring). - (bug 713). -o Add ldaplibs to pdbedit link line (bug 651). -o Fix crash bug in smbclient completion (bug 659). -o Fix packet length for browse list reply (bug 771). -o Fix coredump in cli_get_backup_list(). -o Make sure that we expand %N (bug 612). -o Allow rpcclient adddriver command to specify printer driver - version (bug 514). -o Compile tdbdump by default. -o Apply patches to fix iconv detection for FreeBSD. -o Do not allow the 'guest account' to be added to a passdb backend - using smbpasswd or pdbedit (bug 624). -o Save LDFLAGS during iconv detection (bug 57). -o Run krb5 logins through the username map if the winbindd - lookup fails (bug 698). -o Add const for lp_set_name_resolve_order() to avoid compiler - warnings (bug 471). -o Add support for the %i macro in smb.conf to stand in for the for - the local IP address to which a client connected. -o Allow winbindd to match local accounts to domain SID when - 'winbind trusted domains only = yes' (bug 680). -o Remove code in idmap_ldap that searches the user suffix and group - suffix. It's not needed and provides inconsistent functionality - from the tdb backend. -o Patch to handle munged dial string for Windows 200 TSE. -o Correct the "smbldap_open: cannot access when not root error" - messages when looking up group information (bug 281). -o Skip over the winbind separator when looking up a user. - This fixes the bug that prevented local users from - matching an AD user when not running winbindd (bug 698). -o Fix a problem with configure on *BSD systems. Make sure - we add -liconv etc to LDFLAGS. -o Fix core dump bug when "security = server" and the authentication - server goes away. -o Correct crash bug due to an empty munged dial string. -o Show files locked by a specific user (smbstatus -u 'user') - (bug 590). -o Fix bug preventing print jobs from display in the queue - monitor used by Windows NT and later clients (bug 660). -o Fix several reported problems with point-n-print from - Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() - reply (bug 338, 527 & 643). -o Fix a handful of potential memory leaks in the LDAP code used - by ldapsam[_compat] and the LDAP idmap backend. -o Fix for pdbedit error code returns (bug 763). -o Make sure we only enumerate group mapping entries (not - /etc/group) even when doing local aliases. -o Relax check on the pipe name in a dce/rpc bind response to work - around issues with establishing trusts to a Windows 2003 domain. -o Ensure we mangle names ending in '.' in hash2 mangling method. -o Correct parsing issues with munged dial string. -o Fix bugs in quota support for XFS. -o Add a cleaner method for applications that need to provide name->SID - mappings to do this via NSS rather than having to know the - winbindd pipe protocol. -o Adds a variant of the winbindd_getgroups() call called - winbindd_getusersids() that provides direct SID->SIDs listing of a - users supplementary groups. This is enough to allow non-Samba - applications to do ACL checking. -o Make sure we don't append the 'ldap suffix' when writing out the - 'ldap XXX suffix' values in SWAT (bug 328). -o Fix renames across file systems. -o Ensure that items in a list of strings containing whitespace are - written out surrounded by single quotes. This means that both - double and single quotes are now used to surround strings in - smb.conf (bug 481). -o Enable SWAT to correctly determine if winbindd is running (bug - 398). -o Include WWW-Authenticate field in 401 response for bad auth - attempt (bug 629). -o Add support for NTLM2 (NTLMv2 session security). -o Add support for variable-length session keys. -o More privilege fixes for group enumeration in LDAP (bug 281). -o Use the dns name (or IP) as the originating client name when - using CUPS (bug 467). -o Fix various SMB signing bugs. -o Fix ACL propagation on a DFS root (bug 263). -o Disable NTLM2 for RPC pipes. -o Allow the client to specify the NTLM2 flags got NTLMSSP - authentication. -o Change the name of the job passed off to cups from "Test Page" to - "smbprn.00000033 Test Page" so that we can get the smb jobid back. - This allow users to delete jobs with cups printing backend (partial - work on bug 770). -o Fix build of winbindd with static pdb modules. -o Retrieve the correct ACL group bits if the file has an ACL - (bug 802). -o Implement "net rpc group members": Get members of a domain group - in human-readable format. -o Add MacOSX (Darwin) specific charset module code. -o Use samr_dispinfo(level == 1) for enumerating domain users so we - can include the full name in gecos field (bug 587). -o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797). -o Implement 'net rpc group list [global|local|builtin]*' for a - select listing of the respective user databases. -o Don't automatically set NT status code flag unless client tells - us it can cope. -o Add 'net status [sessions|shares] [parseable]'. -o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of - bug 770). -o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs - (bug 608). -o Fix inverted logic in hosts allow/deny checks caused by s/strcmp/strequal/ - (bug 846). -o Implement correct version SamrRemoveSidForeignDomain() (bug 252). -o Fix typo in 'hash' mangling algorithm. -o Support munged dial for ldapsam (bug 800). -o Fix process_incoming_data() to return the number of bytes handled this - call whether we have a complete PDU or not; fixes bug with multiple - PDU request rpc's broken over SMBwriteX calls each. -o Fix incorrect smb flags2 for connections to pre-NT servers (causes - smbclient to fail to OS2 for example) (bug 821). -o Update version string in smbldap-tools Makefile to 0.8.2. -o Correct a problem with "net rpc vampire" mis-parsing the - alias member info reply. -o Ensure the ${libdir} is created by the installclientlib script. -o Fix detection of Windows 2003 client architecture in the smb.conf - %a variable. -o Ensure that smbd calls the add user script for a missing UNIX - user on kerberos auth call (bug 445). -o Fix bugs in hosts allow/deny when using a mismatched - network/netmask pair. -o Protect alloc_sub_basic() from crashing when the source string - is NULL (partial work on bug 687). -o Fix spinlocks on IRIX. -o Corrected some bad destination paths when running "configure - --with-fhs". -o Add packaging files for Fedora Core 1. -o Correct bug in SWAT install script for non-english languages. -o Support character set ISO-8859-1 internally (bug 558). -o Fixed more LDAP access errors when looking up group mappings - (bug 281). -o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID - resolution to fail on local files on on domain members - (bug 875). -o Fix uninitialized variable in passdb.c. -o Fix formal parameter type in get_static() in nsswitch/wins.c. -o Fix problem mounting directories when mount.cifs is installed - with the setuid bit on. -o Fix bug that prevent --mandir from overriding the defaults - given in the --with-fhs macro. -o Fix bug in in-memory Kerberos keytab detection routines - in configure.in + Documentation: + o Inclusion of an HTLM version of the 3rd edition of "Using Samba" + from O'Reilly Publishing. -###################################################################### - - ======================================= - The original 3.0.0 release notes follow - ======================================= +Now Licensed under the GNU GPLv3 +================================ +The Samba Team has adopted the Version 3 of the GNU General Public +License for the 3.2 and later releases. The GPLv3 is the updated +version of the GPLv2 license under which Samba is currently +distributed. It has been updated to improve compatibility with other +licenses and to make it easier to adopt internationally, and is an +improved version of the license to better suit the needs of Free +Software in the 21st Century. -Major new features: -------------------- +The original announcement is available on-line at -1) Active Directory support. Samba 3.0 is now able to - join a ADS realm as a member server and authenticate - users using LDAP/Kerberos. + http://news.samba.org/announcements/samba_gplv3/ -2) Unicode support. Samba will now negotiate UNICODE on the wire - and internally there is now a much better infrastructure for - multi-byte and UNICODE character sets. -3) New authentication system. The internal authentication system - has been almost completely rewritten. Most of the changes are - internal, but the new auth system is also very configurable. +New Security Defaults for Authentication +======================================== -4) New default filename mangling system. +Support for LanMan passwords is now disabled in both client and server +applications. Additionally, clear text authentication requests are +disabled by default in client utilities such as smbclient and all +libsmbclient based applications. This will affect connection both +to and from hosts running DOS, Windows 9x/ME, and OS/2. Please refer +to the "Changes" section for details on the exact parameters that were +updated. -5) A new "net" command has been added. It is somewhat similar to - the "net" command in windows. Eventually we plan to replace - numerous other utilities (such as smbpasswd) with subcommands - in "net". -6) Samba now negotiates NT-style status32 codes on the wire. This - improves error handling a lot. +Registry Configuration Backend +============================== -7) Better Windows 2000/XP/2003 printing support including publishing - printer attributes in active directory. +Samba is now able to use a registry based configuration backed to +supplement smb.conf setting. This feature may be enabled by setting +"config backend = registry" and "registry shares = yes" in the [global] +section of smb.conf and may be managed using the "net conf" command. -8) New loadable module support for passdb backends and character - sets. +More information may be obtained from the smb.conf(5) and net(8) man +pages. -9) New default dual-daemon winbindd support for better performance. -10) Support for migrating from a Windows NT 4.0 domain to a Samba - domain and maintaining user, group and domain SIDs. +Removed Features +================ -11) Support for establishing trust relationships with Windows NT 4.0 - domain controllers. - -12) Initial support for a distributed Winbind architecture using - an LDAP directory for storing SID to uid/gid mappings. - -13) Major updates to the Samba documentation tree. +Both the Python bindings and the libmsrpc shared library have been +removed from the tree due to lack of an official maintainer. -14) Full support for client and server SMB signing to ensure - compatibility with default Windows 2003 security settings. +As smbfs is no longer supported in current kernel versions, smbmount has +been removed in this Samba version. Please use cifs (mount.cifs) instead. +See examples/scripts/mount/mount.smbfs as an example for a wrapper which +calls mount.cifs instead of smbmount/mount.smbfs. -15) Improvement of ACL mapping features based on code donated by - Andreas Grünbacher. -Plus lots of other improvements! +###################################################################### +Changes +####### +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + client lanman auth Changed Default No + client ldap sasl wrapping New plain + client plaintext auth Changed Default No + clustering New No + cluster addresses New "" + config backend New file + ctdb socket New "" + debug class New No + hidden New No + lanman auth Changed Default No + ldap debug level New 0 + ldap debug threshold New 10 + mangle map Removed + open files database hashsize Removed + read bmpx Removed + registry shares New No + winbind expand groups New 1 + winbind rpc only New No + + +Changes since 3.2.0pre1: +----------------------- + +o Michael Adam + * Add library for access to the registry configuration data. + * BUG 5023: Separate NFS4 and POSIX ACL code in file access checks. + * BUG 4308: Fix Excel save operation ACL bug. + * Refactor and consolidate logic for retrieving the machine + trust password information. + * VFS API cleanup (remove redundant parameter). + * BUG 4801: Correctly implement LSA lookup levels for LookupNames. + * Add new option "debug class" to control printing of the debug class. + in debug headers. + * Enable building of the zfsacl and notify_fam vfs modules. + * BUG 5083: Fix memleak in solarisacl module. + * BUG 5063: Fix build on RHEL5. + * New smb.conf parameter "config backend = registry" to enable registry + only configuration. + * Move "net conf" functionality into a separate module libnet_conf.c + * Restructure registry code, eliminating the dynamic overlay. + Make use of reg_api instead of backend code in most places. + * Add support for intercepting LDAP libraries' debug output and print + it in Samba's debugging system. + * Libreplace fixes. + * Build fixes. + * Initial support for using subsystems as shared libraries. + Use talloc, tdb, and libnetapi as shared libraries internally. -Additional Documentation ------------------------- -Please refer to Samba documentation tree (included in the docs/ -subdirectory) for extensive explanations of installing, configuring -and maintaining Samba 3.0 servers and clients. It is advised to -begin with the Samba-HOWTO-Collection for overviews and specific -tasks (the current book is up to approximately 400 pages) and to -refer to the various man pages for information on individual options. +o Jeremy Allison + * Added support for IPv6 client and server connections. + * Add in the recvfile entry to the VFS layer. + * Removal of pstring data type. + * Remove unused utilities: smbctool and rpctorture. + * Fix service principal detection to match Windows Vista + (based on work from Andreas Schneider). + * Encrypted SMB transport in client tools and libraries, and server. -We are very glad to be able to include the second edition of -"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown -(O'Reilly & Associates) in this release. The book is available -on-line at http://samba.org/samba/docs/ and is included with -the Samba Web Administration Tool (SWAT). Thanks to the authors and -publisher for making "Using Samba" under the GNU Free Documentation -License. +o Kai Blin + * Added support for an SMB_CONF_PATH environment variable + containing the path to smb.conf. + * Various fixes to ntlm_auth. + * make test now supports more extensive SPOOLSS testing using vlp. + * Correctly handle mixed-case hostnames in NTLMv2 authentication. -###################################################################### -Upgrading from a previous Samba 3.0 beta -######################################## - -Beginning with Samba 3.0.0beta3, the RID allocation functions -have been moved into winbindd. Previously these were handled -by each passdb backend. This means that winbindd must be running -to automatically allocate RIDs for users and/or groups. Otherwise, -smbd will use the 2.2 algorithm for generating new RIDs. - -If you are using 'passdb backend = tdbsam' with a previous Samba -3.0 beta release (or possibly alpha), it may be necessary to -move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb -to winbindd_idmap.tdb. To do this: - -1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least - once) -2) build tdbtool by executing 'make tdbtool' in the source/tdb/ - directory -3) run: (note that 'tdb>' is the tool's prompt for input) - - root# ./tdbtool /usr/local/samba/private/passdb.tdb - tdb> show RID_COUNTER - key 12 bytes - RID_COUNTER - data 4 bytes - [000] 0A 52 00 00 .R. - - tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb - .... - record moved - -If you are using 'passdb backend = ldapsam', it will be necessary to -store idmap entries in the LDAP directory as well (i.e. idmap backend -= ldap). Refer to the 'net idmap' command for more information on -migrating SID<->UNIX id mappings from one backend to another. - -If the RID_COUNTER record does not exist, then these instructions are -unneccessary and the new RID_COUNTER record will be correctly generated -if needed. - - - -######################## -Upgrading from Samba 2.2 -######################## - -This section is provided to help administrators understand the details -involved with upgrading a Samba 2.2 server to Samba 3.0. - - -Building --------- - -Many of the options to the GNU autoconf script have been modified -in the 3.0 release. The most noticeable are: - - * removal of --with-tdbsam (is now included by default; see section - on passdb backends and authentication for more details) - - * --with-ldapsam is now on used to provided backward compatible - parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb - backend and authentication section for more details - - * inclusion of non-standard passdb modules may be enabled using - --with-expsam. This includes an XML backend and a mysql backend. - - * removal of --with-msdfs (is now enabled by default) - - * removal of --with-ssl (no longer supported) - - * --with-utmp now defaults to 'yes' on supported systems - - * --with-sendfile-support is now enabled by default on supported - systems - - -Parameters ----------- - -This section contains a brief listing of changes to smb.conf options -in the 3.0.0 release. Please refer to the smb.conf(5) man page for -complete descriptions of new or modified parameters. - -Removed Parameters (order alphabetically): - - * admin log - * alternate permissions - * character set - * client codepage - * code page directory - * coding system - * domain admin group - * domain guest group - * force unknown acl user - * hide local users - * nt smb support - * postscript - * printer driver - * printer driver file - * printer driver location - * status - * strip dot - * total print jobs - * use rhosts - * valid chars - * vfs options - -New Parameters (new parameters have been grouped by function): - - Remote management - ----------------- - * abort shutdown script - * shutdown script - - User and Group Account Management - --------------------------------- - * add group script - * add machine script - * add user to group script - * algorithmic rid base - * delete group script - * delete user from group script - * passdb backend - * set primary group script - - Authentication - -------------- - * auth methods - * realm - * passwd chat timeout - - Protocol Options - ---------------- - * client lanman auth - * client NTLMv2 auth - * client schannel - * client signing - * client use spnego - * disable netbios - * ntlm auth - * paranoid server security - * server schannel - * server signing - * smb ports - * use spnego - - File Service - ------------ - * get quota command - * hide special files - * hide unwriteable files - * hostname lookups - * kernel change notify - * mangle prefix - * map acl inherit - * msdfs proxy - * set quota command - * use sendfile - * vfs objects - - Printing - -------- - * max reported print jobs - - UNICODE and Character Sets - -------------------------- - * display charset - * dos charset - * unicode - * unix charset - - SID to uid/gid Mappings - ----------------------- - * idmap backend - * idmap gid - * idmap uid - * winbind enable local accounts - * winbind trusted domains only - * template primary group - * enable rid algorithm - - LDAP - ---- - * ldap delete dn - * ldap group suffix - * ldap idmap suffix - * ldap machine suffix - * ldap passwd sync - * ldap user suffix - - General Configuration - --------------------- - * preload modules - * private dir - -Modified Parameters (changes in behavior): - - * encrypt passwords (enabled by default) - * mangling method (set to 'hash2' by default) - * passwd chat - * passwd program - * restrict anonymous (integer value) - * security (new 'ads' value) - * strict locking (enabled by default) - * unix extensions (enabled by default) - * winbind cache time (increased to 5 minutes) - * winbind uid (deprecated in favor of 'idmap uid') - * winbind gid (deprecated in favor of 'idmap gid') - - -Databases ---------- - -This section contains brief descriptions of any new databases -introduced in Samba 3.0. Please remember to backup your existing -${lock directory}/*tdb before upgrading to Samba 3.0. Samba will -upgrade databases as they are opened (if necessary), but downgrading -from 3.0 to 2.2 is an unsupported path. - -Name Description Backup? ----- ----------- ------- -account_policy User policy settings yes -gencache Generic caching db no -group_mapping Mapping table from Windows yes - groups/SID to unix groups -winbindd_idmap ID map table from SIDS to UNIX yes - uids/gids. -namecache Name resolution cache entries no -netsamlogon_cache Cache of NET_USER_INFO_3 structure no - returned as part of a successful - net_sam_logon request -printing/*.tdb Cached output from 'lpq no - command' created on a per print - service basis -registry Read-only samba registry skeleton no - that provides support for exporting - various db tables via the winreg RPCs - - -Changes in Behavior -------------------- - -The following issues are known changes in behavior between Samba 2.2 and -Samba 3.0 that may affect certain installations of Samba. - - 1) When operating as a member of a Windows domain, Samba 2.2 would - map any users authenticated by the remote DC to the 'guest account' - if a uid could not be obtained via the getpwnam() call. Samba 3.0 - rejects the connection as NT_STATUS_LOGON_FAILURE. There is no - current work around to re-establish the 2.2 behavior. - - 2) When adding machines to a Samba 2.2 controlled domain, the - 'add user script' was used to create the UNIX identity of the - machine trust account. Samba 3.0 introduces a new 'add machine - script' that must be specified for this purpose. Samba 3.0 will - not fall back to using the 'add user script' in the absence of - an 'add machine script' - -###################################################################### -Passdb Backends and Authentication -################################## - -There have been a few new changes that Samba administrators should be -aware of when moving to Samba 3.0. - - 1) encrypted passwords have been enabled by default in order to - inter-operate better with out-of-the-box Windows client - installations. This does mean that either (a) a samba account - must be created for each user, or (b) 'encrypt passwords = no' - must be explicitly defined in smb.conf. - - 2) Inclusion of new 'security = ads' option for integration - with an Active Directory domain using the native Windows - Kerberos 5 and LDAP protocols. - - MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption - type which is neccessary for servers on which the - administrator password has not been changed, or kerberos-enabled - SMB connections to servers that require Kerberos SMB signing. - Besides this one difference, either MIT or Heimdal Kerberos - distributions are usable by Samba 3.0. - - -Samba 3.0 also includes the possibility of setting up chains -of authentication methods (auth methods) and account storage -backends (passdb backend). Please refer to the smb.conf(5) -man page for details. While both parameters assume sane default -values, it is likely that you will need to understand what the -values actually mean in order to ensure Samba operates correctly. - -The recommended passdb backends at this time are - - * smbpasswd - 2.2 compatible flat file format - * tdbsam - attribute rich database intended as an smbpasswd - replacement for stand alone servers - * ldapsam - attribute rich account storage and retrieval - backend utilizing an LDAP directory. - * ldapsam_compat - a 2.2 backward compatible LDAP account - backend - -Certain functions of the smbpasswd(8) tool have been split between the -new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) -utility. See the respective man pages for details. - - -###################################################################### -LDAP -#### - -This section outlines the new features affecting Samba / LDAP -integration. - -New Schema ----------- - -A new object class (sambaSamAccount) has been introduced to replace -the old sambaAccount. This change aids us in the renaming of attributes -to prevent clashes with attributes from other vendors. There is a -conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF -file to the new schema. - -Example: - - $ ldapsearch .... -b "ou=people,dc=..." > old.ldif - $ convertSambaAccount old.ldif new.ldif - -The can be obtained by running 'net getlocalsid ' -on the Samba PDC as root. - -The old sambaAccount schema may still be used by specifying the -"ldapsam_compat" passdb backend. However, the sambaAccount and -associated attributes have been moved to the historical section of -the schema file and must be uncommented before use if needed. -The 2.2 object class declaration for a sambaAccount has not changed -in the 3.0 samba.schema file. - -Other new object classes and their uses include: - - * sambaDomain - domain information used to allocate rids - for users and groups as necessary. The attributes are added - in 'ldap suffix' directory entry automatically if - an idmap uid/gid range has been set and the 'ldapsam' - passdb backend has been selected. - - * sambaGroupMapping - an object representing the - relationship between a posixGroup and a Windows - group/SID. These entries are stored in the 'ldap - group suffix' and managed by the 'net groupmap' command. - - * sambaUnixIdPool - created in the 'ldap idmap suffix' entry - automatically and contains the next available 'idmap uid' and - 'idmap gid' - - * sambaIdmapEntry - object storing a mapping between a - SID and a UNIX uid/gid. These objects are created by the - idmap_ldap module as needed. - - * sambaSidEntry - object representing a SID alone, as a Structural - class on which to build the sambaIdmapEntry. - - -New Suffix for Searching ------------------------- - -The following new smb.conf parameters have been added to aid in directing -certain LDAP queries when 'passdb backend = ldapsam://...' has been -specified. - - * ldap suffix - used to search for user and computer accounts - * ldap user suffix - used to store user accounts - * ldap machine suffix - used to store machine trust accounts - * ldap group suffix - location of posixGroup/sambaGroupMapping entries - * ldap idmap suffix - location of sambaIdmapEntry objects - -If an 'ldap suffix' is defined, it will be appended to all of the -remaining sub-suffix parameters. In this case, the order of the suffix -listings in smb.conf is important. Always place the 'ldap suffix' first -in the list. - -Due to a limitation in Samba's smb.conf parsing, you should not surround -the DN's with quotation marks. - - -IdMap LDAP support ------------------- - -Samba 3.0 supports an ldap backend for the idmap subsystem. The -following options would inform Samba that the idmap table should be -stored on the directory server onterose in the "ou=idmap,dc=plainjoe, -dc=org" partition. - - [global] - ... - idmap backend = ldap:ldap://onterose/ - ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org - idmap uid = 40000-50000 - idmap gid = 40000-50000 - -This configuration allows winbind installations on multiple servers to -share a uid/gid number space, thus avoiding the interoperability problems -with NFS that were present in Samba 2.2. - +o Gerald (Jerry) Carter + * Add Winbind client library. + * Decouple static linking between smbd and winbindd's client + interface. + + +o Guenther Deschner + * Enhance client and server remote registry access. + * Add client calls for remotely joining a computer to a domain + (including calls from "net dom" command). + * Add libnetapi.so library for joining domains including + sample GTK+ app. + + +o Steve Langasek + * Integrate 2 out of 3 --with-fhs patches from Debian packaging + for better adherence to the FHS standard. + + +o Volker Lendecke + * Add talloc_stackframe() and talloc_pool() features. + * Removal of pstring data type. + * Add generic a in-memory cache. + * Import the Linux red-black tree implementation. + * Remove large amount of global variables. + * Support for storing xattrs in tdb files. + * Support for storing alternate data streams in xattrs. + * Implement a generic in-memory cache based on rb-trees. + * Add implicit temporary talloc contexts via talloc_stack(). + * Speed up the smbclient "get" command + * Add the aio_fork module + + +o Stefan Metzmacher + * Fixes for libreplace. + * Pidl fixes. + * Build fixes. + * Add nss_wrapper support. + * Start and test winbindd by 'make test'. + * Split up child_dispatch_table into domain, idmap and locator tables + in winbindd. + * Fix for a crash bug in pidl generated client code. + This could have happend with [in,out,unique] pointers + when the client sends a valid pointer, but the server + responds with a NULL pointer (as samba-3.0.26a does for some calls). + * Change NTSTATUS into enum ndr_err_code in librpc/ndr. + * Remove unused calls in the struct based winbindd protocol. + * Add --configfile option to wbinfo. + * Convert winbind_env_set(), winbind_on() and winbind_off() into macros. + * Return rids and other_sids arrays in WBFLAG_PAM_INFO3_TEXT mode. + * Implement wbcErrorString() and wbcAuthenticateUserEx(). + * Convert auth_winbind to use wbcAuthenticateUserEx(). + + +o James Peach + * Add support for DNS Service Discovery. Based on work from + Rishi Srivatsavai . + + +o Andreas Schneider + * Don't restart winbind if a corrupted tdb is found during + initialization. + * Fix Windows 2008 (Longhorn) join. + * Fix crashbug in winbindd. + * Add share parameter "hidden". + + +o Karolin Seeger + * Improve error messages of net subcommands. + * Add 'net rap file user'. + * Change LDAP search filter to find machine accounts which + are not located in the user suffix. + * Remove smbmount. + + +o David Shaw + * BUG 5073: Allow "delete readonly = yes" to correctly override + deletion of a file. + + +o Rishi Srivatsavai + * Register the smb service with mDNS if mDNS is supported. + * Add smbclient support for basic mDNS browsing. + + +o Andrew Tridgell + * Fix padding between Winbind 32bit/64bit client library in + the request/response structures. + * Added a syncops VFS module for file systems which do not + guarantee meta-data operations are immediately committed to + disk in stable form. -###################################################################### -Trust Relationships and a Samba Domain -###################################### +o Jelmer Vernooij + * Additional portability support for building shared libraries. -Samba 3.0.0beta2 is able to utilize winbindd as the means of -allocating uids and gids to trusted users and groups. More -information regarding Samba's support for establishing trust -relationships can be found in the Samba-HOWTO-Collection included -in the docs/ directory of this release. -First create your Samba PDC and ensure that everything is -working correctly before moving on the trusts. +o Corinna Vinschen + * Get Samba version or capability information from Windows user space. -To establish Samba as the trusting domain (named SAMBA) from a Windows NT -4.0 domain named WINDOWS: - 1) create the trust account for SAMBA in "User Manager for Domains" - 2) connect the trust from the Samba domain using - 'net rpc trustdom establish GLASS' +Original 3.2.0pre1 commits: +--------------------------- +o Michael Adam + * Unified POSIX ACL detection including support for FreeBSD and + HP-UX. + * Performance improvements for Winbind's lookup functions (names, + SIDs, and group membership) when joined to an AD domain. + * Winbind cache validation support. + * Store domain trust passwords for Samba domain controller's in + the domain's passdb backend. + * Merged \winreg server code from the SAMBA_3_2 development branch. + * Fixes for libreplace. + * Implement new registry configuration backend. -To create a trustlationship with SAMBA as the trusted domain: - 1) create the initial trust account for GLASS using - 'smbpasswd -a -i GLASS'. You may need to create a UNIX - account for GLASS$ prior to this step (depending on your - local configuration). - 2) connect the trust from a WINDOWS DC using "User Manager - for Domains" +o Jeremy Allison + * Add support for file system objectIDs. + * Winbind cache validation support. + * Add in the UNIX capability for 24-bit readX. + * Improve Delete-on-Close semantics. + * Removal of static file and path name buffers in SMB file serving + code. -Now join winbindd on the Samba PDC to the SAMBA domain using -the normal steps for adding a Samba server to an NT4 domain: -(note that smbd & nmbd must be running at this point) - root# net rpc join -U root - Password: +o Danilo Almeida + * Move the machine account to the OU specified when running "net + ads join". -Start winbindd and test the join with 'wbinfo -t'. -Now test the trust relationship by connecting to the SAMBA DC -(e.g. POGO) as a user from the WINDOWS domain: +o Andrew Bartlett + * Tighten authentication protocol defaults in client tools and + servers. - $ smbclient //pogo/netlogon -U Administrator -W WINDOWS - Password: -Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: +o Gerald (Jerry) Carter + * Implement support for one-way trusts and two-way cross-forest + transitive trust in winbindd. + * Fixes for Winbind's offline/disconnected logon support when + using remote idmap backends. + * Fix LookupNames and LookupSids to use the same resolution + heuristics as Windows XP. + * Fix lockups in Winbind when running nscd. + * UPN logon support in pam_winbind. + * Add support for GNU linker scripts when build shared libraries + (based on work by Julien Cristau and James + Peach). + + +o Guenther Deschner + * Additional support for decoding and downloading group policy + objects from Active Directory. + * Improvements to "net ads keytab" command. + * Fixes for linking against Heimdal Kerberos client libs. + * Support LDAP range retrieval searches. + * Fixes for failure to refresh user ticket caches in Winbind. + * UPN logon support in pam_winbind. + * Add KDC locator plugin for MIT kerberos 1.6 or later. + + +o Steve Langasek + * Allow SIGTERM to cause nmbd to exit while awaiting a interface + to come up. - $ smbclient //crystal/netlogon -U root -W WINDOWS - Password: -###################################################################### -Changes in Winbind -################## +o Volker Lendecke + * Merge experimental cluster support patches from the ctdb branch. + * Add tdb storage abstraction for ctdb. + * Use IDL for internal message passing system. + * Add client support for the SamLogonEx() authentication request. + * Implement RPC proxy stubs in the Samba server code to allow + replacing implementation functions one by one. + * Remove static incoming and outgoing buffers from core server SMB + packet processing code. + * Add "net sam rights" command. -Beginning with Samba3.0.0beta3, winbindd has been given new account -manage functionality equivalent to the 'add user script' family of -smb.conf parameters. The idmap design has also been changed to -centralize control of foreign SID lookups and matching to UNIX -uids and gids. +o Steve French + * Fixes for mount.cifs Linux utility. -Brief Description of Changes ----------------------------- -1) The sid_to_uid() family of functions (smbd/uid.c) have been - reverted to the 2.2.x design. This means that when resolving a - SID to a UID or similar mapping: +o Stefan Metzmacher + * Fixes for libreplace. + * Add support for LDAP digital signing policy. + * Experimental clustered file system support. - a) First consult winbindd - b) perform a local lookup only if winbindd fails to - return a successful answer - There are some variations to this, but these two rules generally - apply. +o Lars Mueller + * Makefile and build fixes. + * Add pam_pwd_expire for pam_winbind (original patch from Andreas + Schneider). -2) All idmap lookups have been moved into winbindd. This means that - a server must run winbindd (and support NSS) in order to achieve - any mappings of SID to dynamically allocated UNIX ids. This was - a conscious design choice. -3) New functions have been added to winbindd to emulate the 'add user - script' family of smbd functions without requiring that external - scripts be defined. This functionality is controlled by the 'winbind - enable local accounts' smb.conf parameter (enabled by default). +o James Peach + * Fixes for setgroups() and *BSD and Darwin. + * Support membership of >16 groups on Darwin. - However, this account management functionality is only supported - in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts - must be shared among multiple Samba servers (such as a PDC and BDCs), - it will be necessary to define your own 'add user script', et. al. - programs that place the accounts/groups in some form of directory - such as NIS or LDAP. This requirement was deemed beyond the scope - of winbind's account management functions. Solutions for - distributing UNIX system information have been deployed and tested - for many years. We saw no need to reinvent the wheel. -4) A member of a Samba controlled domain running winbindd is now able - to map domain users directly onto existing UNIX accounts while still - automatically creating accounts for trusted users and groups. This - behavior is controlled by the 'winbind trusted domains only' smb.conf - parameter (disabled by default to provide 2.2.x winbind behavior). +o Jiri Sasek + * Added vfs_zfsacl module. -5) Group mapping support is wrapped in the local_XX_to_XX() functions - in smbd/uid.c. The reason that group mappings are not included - in winbindd is because the purpose of Samba's group map is to - match any Windows SID with an existing UNIX group. These UNIX - groups can be created by winbindd (see next section), but the - SID<->gid mapping is retreived by smbd, not winbindd. +o Karolin Seeger + * Add deletelocalgroup and unmapunixgroup subcommand to "net sam". + * Cleanup internal passdb functions. -Examples --------- -* security = server running winbindd to allocate accounts on demand +o Simo Sorce + * Fixes for IDmap and Passdb backends. -* Samba PDC running winbindd to handle the automatic creation of UNIX - identities for machine trust accounts -* Automtically creating UNIX user and groups when migrating a Windows NT - 4.0 PDC to a Samba PDC. Winbindd must be running when executing - 'net rpc vampire' for this to work. +o Andrew Tridgell + * Port ldb from the Samba 4 tree and add ldb group mapping plugin. + * Move several file serving related tdb files to use the dbwrap + API internally. + * Cleanup the GPFS VFS plugin. + * Experimental clustered file system support. - -###################################################################### -Known Issues -############ -* There are several bugs currently logged against the 3.0 codebase - that affect the use of NT 4.0 GUI domain management tools when run - against a Samba 3.0 PDC. This bugs should be released in an early - 3.0.x release. +o Jelmer Vernooij + * Implement NDR basic to support utilizing IDL files from Samba 4 + tree for general DCE/RPC parsing stubs. -Please refer to https://bugzilla.samba.org/ for a current list of bugs -filed against the Samba 3.0 codebase. ###################################################################### @@ -1059,10 +410,13 @@ joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down -the problem then you will probably be ignored. +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.2 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + -A new bugzilla installation has been established to help support the -Samba 3.0 community of users. This server, located at -https://bugzilla.samba.org/, has replaced the older jitterbug server -previously located at http://bugs.samba.org/. +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +======================================================================