X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=blobdiff_plain;f=WHATSNEW.txt;h=de8df4b0068bf7f7363598dec3edbef87ed7725e;hp=07c82a8cfa612fe88ed3845143cd42ec08bcb128;hb=118fd6213d5f6419f654e9226a41d527c04346f7;hpb=50f278ddcc046e7578b4397d10c22b424d2b01a3 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 07c82a8cfa6..de8df4b0068 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,1200 +1,250 @@ - ================================ - Release Notes for Samba 3.0.3pre1 - February XX, 2004 - ================================ + ================================= + Release Notes for Samba 3.2.0pre2 + Oct XX, 2007 + ================================= -This is a release candidate snapshot of the Samba 3.0.2 code -base and should be considered for testing only. A release -candidate (RC) means that we are close to the final, stable -release and in provided for Quality Assurance (QA) purposes. -This release is *not* intended for production servers. Use -at your own risk. +This is the second preview release of Samba 3.2.0. This is *not* +intended for production environments and is designed for testing +purposes only. Please report any defects via the Samba bug reporting +system at https://bugzilla.samba.org/. -There have been several bug fixes since the 3.0.1 release that -we feel are important to make available to the Samba community -for wider testings. See the "Changes" section for details on -exact updates. +Please be aware that Samba is now distributed under the version 3 +of the new GNU General Public License. You may refer to the COPYING +file that accompanies these release notes for further licensing details. -Common bugs fixed in this preview release include: +Major enhancements in Samba 3.2.0 include: - o + File Serving: + o Use of IDL generated parsing layer for several DCE/RPC + interfaces. + o Removal of the 1024 byte limit on pathnames and 256 byte limit on + filename components to honor the MAX_PATH setting from the host OS. + o Introduction of a registry based configuration system. + o Improved CIFS Unix Extensions support. + o Experimental support for file serving clusters. -###################################################################### -Changes -####### -Changes since 3.0.2 -------------------- + Winbind and Active Directory Integration: + o Full support for Windows 2003 cross-forest, transitive trusts + and one-way domain trusts + o Support for userPrincipalName logons via pam_winbind and NSS + lookups. + o Support in pam_winbind for logging on using the userPrincipalName. + o Expansion of nested domain groups via NSS calls. + o Support for Active Directory LDAP Signing policy. -Please refer to the CVS log for the SAMBA_3_0 branch for complete -details. The list of changes per contributor are as follows: -o Jeremy Allison + Users & Groups: + o New ldb backend for local group mapping tables + o Raised level of security defaults for authentication operations. -o Andrew Bartlet + Documentation: + o Inclusion of an HTLM version of the 3rd edition of "Using Samba" + from O'Reilly Publishing. -o Alexander Bokovoy +Now Licensed under the GNU GPLv3 +================================ +The Samba Team has adopted the Version 3 of the GNU General Public +License for the 3.2 and later releases. The GPLv3 is the updated +version of the GPLv2 license under which Samba is currently +distributed. It has been updated to improvecompatibility with other +licenses and to make it easier to adopt internationally, and is an +improved version of the license to better suit the needs of Free +Software in the 21st Century. -o Gerald (Jerry) Carter +The original announcement is available on-line at + http://news.samba.org/announcements/samba_gplv3/ -o Volker Lendecke +New Security Defaults for Authentication +======================================== -o Herb Lewis +Support for LanMan passwords is now disabled in both client and server +applications. Additionally, clear text authentication requests are +disabled by default in client utilities such as smbclient and all +libsmbclient based applications. This will affect connection both +to and from hosts running DOS, Windows 9x/ME, and OS/2. Please refer +to the "Changes" section for details on the exact parameters that were +updated. -o Jianliang Lu +Registry Configuration Backend +============================== -o Jim McDonough +Samba is now able to use a registry based configuration backed to +supplement smb.conf setting. This feature may be enabled by setting +"include = registry" and "registry shares = yes" in the [global] +section of smb.conf and may be managed using the "net conf" command. -o Stefan Metzmacher +More information may be obtained from the smb.conf(5) and net(8) man +pages. -o Tim Potter +Removed Features +================ +Both the Python bindings and the libmsrpc shared library have been +removed from the tree due to lack of an official maintainer. -o Jelmer Vernooij +###################################################################### +Changes +####### -Changes since 3.0.2pre1 +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + client lanman auth Changed Default No + client ldap sasl wrapping New plain + client plaintext auth Changed Default No + clustering New No + cluster addresses New "" + ctdb socket New "" + lanman auth Changed Default No + mangle map Removed + open files database hashsize Removed + read bmpx Removed + registry shares New No + winbind expand groups New 1 + winbind rpc only New No + + +Changes since 3.2.0pre1: ----------------------- -o Jeremy Allison - * Revert change that broke Exchange clear text samlogons. - * Fix gcc 3.4 warning in MS-DFS code. - -o Andrew Bartlet - * Fix segfault when 'security = ads' but no realm is defined. - * BUG 722: Allow winbindd to map machine accounts to uids. - * More cleanups for winbindd's find_our_domain(). - * More clearly detect whether a domain controller is an NT4 - or mixed-mode AD DC (additional bug fixes by jerry & jmcd). - * Increase separation between DNS queries for hosts and queries - for AD domain controllers. +Original 3.2.0pre1 commits: +--------------------------- +o Michael Adam + * Unified POSIX ACL detection including support for FreeBSD and + HP-UX. + * Performance improvements for Winbind's lookup functions (names, + SIDs, and group membership) when joined to an AD domain. + * Winbind cache validation support. + * Store domain trust passwords for Samba domain controller's in + the domain's passdb backend. + * Merged \winreg server code from the SAMBA_3_2 development branch. + * Fixes for libreplace. + * Implement new registry configuration backend. + +o Jeremy Allison + * Add support for file system objectIDs. + * Winbind cache validation support. + * Add in the UNIX capability for 24-bit readX. + * Improve Delete-on-Close semantics. + * Removal of static file and path name buffers in SMB file serving + code. + -o Justin Baugh - * BUG 948: Implement missing functions required for FreeBSD - nss_winbind support. +o Danilo Almeida + * Move the machine account to the OU specified when running "net + ads join". -o Alexander Bokovoy - * BUG 922: Make sure enable fast path for strlower_m() and - strupper_m(). +o Andrew Bartlett + * Tighten authentication protocol defaults in client tools and + servers. o Gerald (Jerry) Carter - * Fix several warnings reported by the SUN Forte C compiler. - * Fully control DNS queries for AD DC's using 'name resolve order'. - * BUG 770: Send the SMBjobid for UNIX jobs back to the client. - * BUG 972: Fix segfault in cli_ds_getprimarydominfo(). - * BUG 936: fix bind credentials for schannel binds in smbd. - * BUG 446: Fix output of smbclient for better compatibility - with scripts based on the 2.2 version (including Amanda). - * BUG 891, 949: Fedora packaging fixes. - - -o Luke Howard - * Fix segfault in session setup reply caused by a early free(). - - -o Stoian Ivanov - * Implement grepable output for smbclient -L. + * Implement support for one-way trusts and two-way cross-forest + transitive trust in winbindd. + * Fixes for Winbind's offline/disconnected logon support when + using remote idmap backends. + * Fix LookupNames and LookupSids to use the same resolution + heuristics as Windows XP. + * Fix lockups in Winbind when running nscd. + * UPN logon support in pam_winbind. + * Add support for GNU linker scripts when build shared libraries + (based on work by Julien Cristau and James + Peach). + + +o Guenther Deschner + * Additional support for decoding and downloading group policy + objects from Active Directory. + * Improvements to "net ads keytab" command. + * Fixes for linking against Heimdal Kerberos client libs. + * Support LDAP range retrieval searches. + * Fixes for failure to refresh user ticket caches in Winbind. + * UPN logon support in pam_winbind. + * Add KDC locator plugin for MIT kerberos 1.6 or later. + + +o Steve Langasek + * Allow SIGTERM to cause nmbd to exit while awaiting a interface + to come up. o Volker Lendecke - * Add a German translation for SWAT. - * Fix a segfaults in winbindd. - * Fix the user's domain passed to register_vuid() from - reply_spnego_kerberos(). - * Add NSS example code in nss_winbind to convert UNIX - id's <-> Windows SIDs. - - -o Herb Lewis - * Fix bit rot in psec. - - -o Jianliang Lu - * BUG 381: check builtin (not local) group SID when updating - group membership. - - -o John Klinger - * Implement initgroups() call in nss_winbind on Solaris. + * Merge experimental cluster support patches from the ctdb branch. + * Add tdb storage abstraction for ctdb. + * Use IDL for internal message passing system. + * Add client support for the SamLogonEx() authentication request. + * Implement RPC proxy stubs in the Samba server code to allow + replacing implementation functions one by one. + * Remove static incoming and outgoing buffers from core server SMB + packet processing code. + * Add "net sam rights" command. -o Jim McDonough - * Fix regression in net rpc join caused by recent changes - to cli_lsa_query_info_policy(). - * BUG 964: Fix crash bug in 'net rpc join' using a preexisting - machine account. +o Steve French + * Fixes for mount.cfs Linux utility. o Stefan Metzmacher - * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS - XFS_USER_QUOTA -> USRQUOTA - XFS_GROUP_QUOTA -> GRPQUOTA - * Fix disk_free calculation with group quotas. - * Add debug class 'quota' and a lot of DEBUG()'s - to the quota code. - * Fix sys_chown() when no chown() is present. - + * Fixes for libreplace. + * Add support for LDAP digital signing policy. + * Experimental clustered file system support. -o Tim Potter - * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles. - -o Jelmer Vernooij - * Add smbget utility - a wget-clone for the SMB/CIFS protocol. - * Fix for libnss_wins on IRIX platforms. - * Fix swatdir for --with-fhs. +o Lars Mueller + * Makefile and build fixes. + * Add pam_pwd_expire for pam_winbind (original patch from Andreas + Schneider). +o James Peach + * Fixes for setgroups() and *BSD and Darwin. + * Support membership of >16 groups on Darwin. -Changes since 3.0.1 ----------------------- - Parameter Name Action - -------------- ------ - ldap replication sleep New +o Jiri Sasek + * Added vfs_vfsacl module. -Commits -------- - -o Jeremy Allison - * Tidy up of NTLMSSP code. - * Fixes for SMB signing errors - * BUG 815: Workaround NT4 bug to support plaintext - password logins and UNICODE. - - -o Petri Asikainen - * BUG 330, 387:Fix single valued attribute updates when - working with Novell NDS. - - -o Andrew Bartlet - * Correctly handle per-pipe NTLMSSP inside a NULL session. - * Fix segfault in gencache - * Fix early free() of encrypted_session_key. - * Change DC lookup routines to more carefully separate - DNS names (realms) from NetBIOS domain names. - * Add new sid_to_dn() function for internal winbindd use. - * Refactor cli_ds_enum_domain_trusts(). - * BUG 707: Implement range retrieval of ADS attributes (based - on work from Volker and Guenther Deschner - ). - * Automatically initialize the signing engine if a session key - is available. - * BUG 916: Do not perform a + -> ' ' substitution for squid URL - encoded strings, only form input in SWAT. - * Resets the NTLMSSP state for new negotiate packets. - * Add 2-byte alignments in net_samlogon() queries to parse - odd-length plain text passwords. - * Allow Windows groups with no members in winbindd. - * Allow normal authentication in the absence of a server - generated session key. - * More optimizations for looking up UNIX group lists. - * Clean up error codes and return values for pam_winbindd - and winbindd PAM interface. - * Fix restring return values in ntlm_auth tool. - - -o Dmitry Butskoj - * Fix for special files being hidden from admins. - - -o Gerald (Jerry) Carter - * Fix bug in the lanman session key generation. Caused - "decode_pw: incorrect password length" error messages. - * Save the right case for the located user name in - fill_sam_account(). Fixes %U/%u expansion for win9x clients. - * BUG 897: Add well known rid for pre win2k compatible access - group. - * BUG 887: Correct typo in delete user script example. - * Use short lived TALLOC_CTX* for allocating printer objects - from the print handle cache. - * BUG 912: Fix check for HAVE_MEMORY_KEYTAB. - - -o Guenther Deschner - * Install smbwrapper.so should be put into the $(libdir) - and not $(bindir). - * Add the capability to specify the new user password - for "net ads password" on the command line. - * Correctly detect AFS headers on SuSE. - - -o James Flemer - * Fix AIX compile bug by linking HAVE_ATTR_LIST to - HAVE_SYS_ATTRIBUTES_H. - - -o Volker Lendecke - * BUG 583: Ensure that user names always contain the short - version of the domain name. - * Fix our parsing of the LDAP uri. - * Don't show the 'afs username map' in the SWAT basic view. - * Fix SMB signing issues in relation to failed NTLMSSP logins. - * BUG 924: Fix return codes in smbtorture harness. - * Always lower-case usernames before handing it to AFS code. - - -o Jianliang Lu - * Ensure we delete the group mapping before calling the delete - group script. - * Define well known RID for managing the "Power Users" group. - - -o Stefan Metzmacher - * Implement LDAP rebind sleep patch. - * Revert to 2.2 quota code because of so many broken quota files - out there. +o Karolin Seeger + * Add deletelocalgroup and unmapunixgroup subcommand to "net sam". + * Cleanup internal passdb functions. -o - * Allow an existing LDAP machine account to be re-used when - joining an AD domain. +o Simo Sorce + * Fixes for IDmap and Passdb backends. -o James Peach - * BUG 889: Change smbd to use pread/pwrite on platforms that - support these calls. Can lead to a significant speed increase. +o Andrew Tridgell + * Port ldb from the Samba 4 tree and add ldb group mapping plugin. + * Move several file serving related tdb files to use the dbwrap + API internally. + * Cleanup the GPFS VFS plugin. + * Experimental clustered file system support. -o Tim Potter - * BUG 924: Fix typo in RW2 torture test. - - -o Richard Sharpe - * Small fixes to torture.c to cleanup the error handling - and prevent crashes. - - -o J. Tournier - * Small fixes for the smbldap-tool scripts. - - o Jelmer Vernooij - * Put functions for generating SQL queries in pdb_sql.c - * Add pgSQL backend (based on patch by Hamish Friedlander) - * BUG 908: Fix -s option to smbcontrol. - - -Changes since 3.0.0 ----------------------- - - Parameter Name Action - -------------- ------ - hide local users Removed - mangled map Deprecated - mangled stack Removed - passwd chat timeout New - - -commits -------- - -o Change the interface for init_unistr2 to not take a length - but a flags field. We were assuming that - 2*strlen(mb_string) == length of ucs2-le string. (bug 480). -o Allow d_printf() to handle strings with escaped quotation - marks since the msg file includes the escape character (bug 489). -o Fix bad html table row termination in SWAT wizard code (bug 413). -o Fix to parse the level-2 strings. -o Fix for "valid users = %S" in [homes]. Fix read/write - list as well. -o Change AC_CHECK_LIB_EXT to prepend libraries instead of append. - This is the same way AC_CHECK_LIB works (bug 508). -o Testparm output fixes for clarity. -o Fix broken wins hook functionality -- i18n bug (bug 528). -o Take care of condition where DOS and NT error codes must differ. -o Default to using only built-in charsets when a working iconv - implementation cannot be located. -o Wrap internals of sys_setgroups() so the sys_XX() call can - be done unconditionally (bug 550). -o Remove duplicate smbspool link on SWAT's front page (bug 541). -o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that - --enable-debug=[yes|no] works correctly. -o Allow ^C to interrupt smbpasswd if using our getpass - (e.g. smbpasswd command). -o Support signing only on RPC's (bug 167). -o Correct bug that prevented Excel 2000 clients from opening - files marked as read-only. -o Portability fix bugs 546 - 549). -o Explicitly initialize the value of AR for vendor makes that don't - do this (e.g. HPUX 11). (bug 552). -o More i18n fixes for SWAT (bug 413). -o Change the cwd before the postexec script to ensure that a - umount will succeed. -o Correct double free that caused winbindd to crash when a DC - is rebooted (bug 437). -o Fix incorrect mode sum (bug 562). -o Canonicalize SMB_INFO_ALLOCATION in the same was as - SMB_FS_FULL_SIZE_INFORMATION (bug 564). -o Add script to generate *msg files. -o Add Dutch SWAT translation file. -o Make sure to call get_user_groups() with the full winbindd - name for a user if he/she has one (bug 406). -o Fix up error code returns from Samba4 tester. Ensure invalid - paths are validated the same way. -o Allow Samba3 to pass the Samba4 RAW-READ tests. -o Refuse to configure if --with-expsam=$BACKEND was used but no - libraries were found for $BACKEND. -o Move sysquotas autoconf tests to a separate file. -o Match W2K w.r.t. writelock and writeclose. Samba4 torture - tester -o Make sure that the files that contain the static_init_$subsystem; - macro get recompiled after configure by removing the object - files. -o Ensure canceling a blocking lock returns the correct error - message. -o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. -o Updated Japanese welcome file in SWAT. -o Fix to nt-time <-> unix-time functions reversible. -o Ensure that winbindd uses the the escaped DN when querying - an AD ldap server. -o Fix portability issues when compiling (bug 505, 550) -o Compile fix for tdbbackup when Samba needs to override - non-C99 compliant implementations of snprintf(). -o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). -o Make sure we break out of samsync loop on error. -o Ensure error code path doesn't free unmalloc()'d memory - (bug 628). -o Add configure test for krb5_keytab_entry keyblock vs key - member (bug 636). -o Fixed spinlocks. -o Modified testparm so that all output so all debug output goes - to stderr, and all file processing goes to stdout. -o Fix error return code for BUFFER_TOO_SMALL in smbcacls - and smbcquotas. -o Fix "NULL dest in safe_strcpy()" log message by ensuring that - we have a devmode before copying a string to the devicename. -o Support mapping REALM.COM\user to a local user account (without - running winbindd) for compatibility with 2.2.x release. -o Ensure we don't use mmap() on blacklisted systems. -o fixed a number of bugs and memory leaks in the AIX - winbindd shim -o Call initgroups() in SWAT before becomming the user so that - secondary group permissions can be used when writing to - smb.conf. -o Fix signing problems when reverse connecting back to a - client for printer notify -o Fix signing problems caused by a miss-sequence bug. -o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. - Fixes NEXUS tools running on Win9x clients (bug 64). -o Don't leave the domain field uninitialized in cli_lsa.c if some - SID could not be mapped. -o Fix segfault in mount.cifs helper when there is no options - specified during mount. -o Change the \n after the password prompt to go to tty instead - of stdout (bug 668). -o Stop net -P from prompting for machine account password (bug 451). -o Change in behavior to Not only change the effective uid but also - the real uid when becoming unprivileged. -o Cope with Exchange 5.5 cleartext pop password auth. -o New files for support of initshutdown pipe. Win2k doesn't - respond properly to all requests on the winreg pipe, so we need - to handle this new pipe (bug 534). -o Added more va_copy() checks in configure.in. -o Include fixes for libsmbclient build problems. -o Missing UNIX -> DOS codepage conversion in lanman.c. -o Allow DFMS-S filenames can now have arbitrary case (bug 667). -o Parameterize the listen backlog in smbd and make it larger by - default. A backlog of 5 is way too small these days. -o Check for an invalid fid before dereferencing the fsp pointer - (bug 696). -o Remove invalid memory frees and return codes in pdb_ldap.c. -o Prompt for password when invoking --set-auth-user and no - password is given. -o Bind the nmbd sending socket to the 'socket address'. -o Re-order link command for smbd, rpcclient and smbpasswd to ensure - $LDFLAGS occurs before any library specification (bug 661). -o Fix large number of printf() calls for 64-bit size_t. -o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the - keyblock in the krb5 structs. -o Remove #include in hopes to avoid problems with - apache header files. -o Correct winbindd build problems on HP-UX 11. -o Lowercase netgroups lookups (bug 703). -o Use the actual size of the buffer in strftime instead of a made - up value which just happens to be less than sizeof(fstring). - (bug 713). -o Add ldaplibs to pdbedit link line (bug 651). -o Fix crash bug in smbclient completion (bug 659). -o Fix packet length for browse list reply (bug 771). -o Fix coredump in cli_get_backup_list(). -o Make sure that we expand %N (bug 612). -o Allow rpcclient adddriver command to specify printer driver - version (bug 514). -o Compile tdbdump by default. -o Apply patches to fix iconv detection for FreeBSD. -o Do not allow the 'guest account' to be added to a passdb backend - using smbpasswd or pdbedit (bug 624). -o Save LDFLAGS during iconv detection (bug 57). -o Run krb5 logins through the username map if the winbindd - lookup fails (bug 698). -o Add const for lp_set_name_resolve_order() to avoid compiler - warnings (bug 471). -o Add support for the %i macro in smb.conf to stand in for the for - the local IP address to which a client connected. -o Allow winbindd to match local accounts to domain SID when - 'winbind trusted domains only = yes' (bug 680). -o Remove code in idmap_ldap that searches the user suffix and group - suffix. It's not needed and provides inconsistent functionality - from the tdb backend. -o Patch to handle munged dial string for Windows 200 TSE. -o Correct the "smbldap_open: cannot access when not root error" - messages when looking up group information (bug 281). -o Skip over the winbind separator when looking up a user. - This fixes the bug that prevented local users from - matching an AD user when not running winbindd (bug 698). -o Fix a problem with configure on *BSD systems. Make sure - we add -liconv etc to LDFLAGS. -o Fix core dump bug when "security = server" and the authentication - server goes away. -o Correct crash bug due to an empty munged dial string. -o Show files locked by a specific user (smbstatus -u 'user') - (bug 590). -o Fix bug preventing print jobs from display in the queue - monitor used by Windows NT and later clients (bug 660). -o Fix several reported problems with point-n-print from - Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() - reply (bug 338, 527 & 643). -o Fix a handful of potential memory leaks in the LDAP code used - by ldapsam[_compat] and the LDAP idmap backend. -o Fix for pdbedit error code returns (bug 763). -o Make sure we only enumerate group mapping entries (not - /etc/group) even when doing local aliases. -o Relax check on the pipe name in a dce/rpc bind response to work - around issues with establishing trusts to a Windows 2003 domain. -o Ensure we mangle names ending in '.' in hash2 mangling method. -o Correct parsing issues with munged dial string. -o Fix bugs in quota support for XFS. -o Add a cleaner method for applications that need to provide - name->SID mappings to do this via NSS rather than having to - know the winbindd pipe protocol. -o Adds a variant of the winbindd_getgroups() call called - winbindd_getusersids() that provides direct SID->SIDs listing of - a users supplementary groups. This is enough to allow non-Samba - applications to do ACL checking. -o Make sure we don't append the 'ldap suffix' when writing out the - 'ldap XXX suffix' values in SWAT (bug 328). -o Fix renames across file systems. -o Ensure that items in a list of strings containing whitespace are - written out surrounded by single quotes. This means that both - double and single quotes are now used to surround strings in - smb.conf (bug 481). -o Enable SWAT to correctly determine if winbindd is running (bug - 398). -o Include WWW-Authenticate field in 401 response for bad auth - attempt (bug 629). -o Add support for NTLM2 (NTLMv2 session security). -o Add support for variable-length session keys. -o More privilege fixes for group enumeration in LDAP (bug 281). -o Use the dns name (or IP) as the originating client name when - using CUPS (bug 467). -o Fix various SMB signing bugs. -o Fix ACL propagation on a DFS root (bug 263). -o Disable NTLM2 for RPC pipes. -o Allow the client to specify the NTLM2 flags got NTLMSSP - authentication. -o Change the name of the job passed off to cups from "Test Page" - to "smbprn.00000033 Test Page" so that we can get the smb - jobid back. This allow users to delete jobs with cups printing - backend (partial work on bug 770). -o Fix build of winbindd with static pdb modules. -o Retrieve the correct ACL group bits if the file has an ACL - (bug 802). -o Implement "net rpc group members": Get members of a domain group - in human-readable format. -o Add MacOSX (Darwin) specific charset module code. -o Use samr_dispinfo(level == 1) for enumerating domain users so we - can include the full name in gecos field (bug 587). -o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797). -o Implement 'net rpc group list [global|local|builtin]*' for a - select listing of the respective user databases. -o Don't automatically set NT status code flag unless client tells - us it can cope. -o Add 'net status [sessions|shares] [parseable]'. -o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of - bug 770). -o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs - (bug 608). -o Fix inverted logic in hosts allow/deny checks caused by - s/strcmp/strequal/ (bug 846). -o Implement correct version SamrRemoveSidForeignDomain() (bug 252). -o Fix typo in 'hash' mangling algorithm. -o Support munged dial for ldapsam (bug 800). -o Fix process_incoming_data() to return the number of bytes handled - this call whether we have a complete PDU or not; fixes bug - with multiple PDU request rpc's broken over SMBwriteX calls - each. -o Fix incorrect smb flags2 for connections to pre-NT servers - (causes smbclient to fail to OS2 for example) (bug 821). -o Update version string in smbldap-tools Makefile to 0.8.2. -o Correct a problem with "net rpc vampire" mis-parsing the - alias member info reply. -o Ensure the ${libdir} is created by the installclientlib script. -o Fix detection of Windows 2003 client architecture in the smb.conf - %a variable. -o Ensure that smbd calls the add user script for a missing UNIX - user on kerberos auth call (bug 445). -o Fix bugs in hosts allow/deny when using a mismatched - network/netmask pair. -o Protect alloc_sub_basic() from crashing when the source string - is NULL (partial work on bug 687). -o Fix spinlocks on IRIX. -o Corrected some bad destination paths when running "configure - --with-fhs". -o Add packaging files for Fedora Core 1. -o Correct bug in SWAT install script for non-english languages. -o Support character set ISO-8859-1 internally (bug 558). -o Fixed more LDAP access errors when looking up group mappings - (bug 281). -o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID - resolution to fail on local files on on domain members - (bug 875). -o Fix uninitialized variable in passdb.c. -o Fix formal parameter type in get_static() in nsswitch/wins.c. -o Fix problem mounting directories when mount.cifs is installed - with the setuid bit on. -o Fix bug that prevent --mandir from overriding the defaults - given in the --with-fhs macro. -o Fix bug in in-memory Kerberos keytab detection routines - in configure.in + * Implement NDR basic to support utilizing IDL files from Samba 4 + tree for general DCE/RPC parsing stubs. -###################################################################### - - ======================================= - The original 3.0.0 release notes follow - ======================================= - - -Major new features: -------------------- - -1) Active Directory support. Samba 3.0 is now able to - join a ADS realm as a member server and authenticate - users using LDAP/Kerberos. - -2) Unicode support. Samba will now negotiate UNICODE on the wire - and internally there is now a much better infrastructure for - multi-byte and UNICODE character sets. - -3) New authentication system. The internal authentication system - has been almost completely rewritten. Most of the changes are - internal, but the new auth system is also very configurable. - -4) New default filename mangling system. - -5) A new "net" command has been added. It is somewhat similar to - the "net" command in windows. Eventually we plan to replace - numerous other utilities (such as smbpasswd) with subcommands - in "net". - -6) Samba now negotiates NT-style status32 codes on the wire. This - improves error handling a lot. - -7) Better Windows 2000/XP/2003 printing support including publishing - printer attributes in active directory. - -8) New loadable module support for passdb backends and character - sets. - -9) New default dual-daemon winbindd support for better performance. - -10) Support for migrating from a Windows NT 4.0 domain to a Samba - domain and maintaining user, group and domain SIDs. - -11) Support for establishing trust relationships with Windows NT 4.0 - domain controllers. - -12) Initial support for a distributed Winbind architecture using - an LDAP directory for storing SID to uid/gid mappings. - -13) Major updates to the Samba documentation tree. - -14) Full support for client and server SMB signing to ensure - compatibility with default Windows 2003 security settings. - -15) Improvement of ACL mapping features based on code donated by - Andreas Grünbacher. - - -Plus lots of other improvements! - - -Additional Documentation ------------------------- - -Please refer to Samba documentation tree (included in the docs/ -subdirectory) for extensive explanations of installing, configuring -and maintaining Samba 3.0 servers and clients. It is advised to -begin with the Samba-HOWTO-Collection for overviews and specific -tasks (the current book is up to approximately 400 pages) and to -refer to the various man pages for information on individual options. - -We are very glad to be able to include the second edition of -"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown -(O'Reilly & Associates) in this release. The book is available -on-line at http://samba.org/samba/docs/ and is included with -the Samba Web Administration Tool (SWAT). Thanks to the authors and -publisher for making "Using Samba" under the GNU Free Documentation -License. - - -###################################################################### -Upgrading from a previous Samba 3.0 beta -######################################## - -Beginning with Samba 3.0.0beta3, the RID allocation functions -have been moved into winbindd. Previously these were handled -by each passdb backend. This means that winbindd must be running -to automatically allocate RIDs for users and/or groups. Otherwise, -smbd will use the 2.2 algorithm for generating new RIDs. - -If you are using 'passdb backend = tdbsam' with a previous Samba -3.0 beta release (or possibly alpha), it may be necessary to -move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb -to winbindd_idmap.tdb. To do this: - -1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least - once) -2) build tdbtool by executing 'make tdbtool' in the source/tdb/ - directory -3) run: (note that 'tdb>' is the tool's prompt for input) - - root# ./tdbtool /usr/local/samba/private/passdb.tdb - tdb> show RID_COUNTER - key 12 bytes - RID_COUNTER - data 4 bytes - [000] 0A 52 00 00 .R. - - tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb - .... - record moved - -If you are using 'passdb backend = ldapsam', it will be necessary to -store idmap entries in the LDAP directory as well (i.e. idmap backend -= ldap). Refer to the 'net idmap' command for more information on -migrating SID<->UNIX id mappings from one backend to another. - -If the RID_COUNTER record does not exist, then these instructions are -unneccessary and the new RID_COUNTER record will be correctly generated -if needed. - - - -######################## -Upgrading from Samba 2.2 -######################## - -This section is provided to help administrators understand the details -involved with upgrading a Samba 2.2 server to Samba 3.0. - - -Building --------- - -Many of the options to the GNU autoconf script have been modified -in the 3.0 release. The most noticeable are: - - * removal of --with-tdbsam (is now included by default; see section - on passdb backends and authentication for more details) - - * --with-ldapsam is now on used to provided backward compatible - parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb - backend and authentication section for more details - - * inclusion of non-standard passdb modules may be enabled using - --with-expsam. This includes an XML backend and a mysql backend. - - * removal of --with-msdfs (is now enabled by default) - - * removal of --with-ssl (no longer supported) - - * --with-utmp now defaults to 'yes' on supported systems - - * --with-sendfile-support is now enabled by default on supported - systems - - -Parameters ----------- - -This section contains a brief listing of changes to smb.conf options -in the 3.0.0 release. Please refer to the smb.conf(5) man page for -complete descriptions of new or modified parameters. - -Removed Parameters (order alphabetically): - - * admin log - * alternate permissions - * character set - * client codepage - * code page directory - * coding system - * domain admin group - * domain guest group - * force unknown acl user - * hide local users - * nt smb support - * postscript - * printer driver - * printer driver file - * printer driver location - * status - * strip dot - * total print jobs - * use rhosts - * valid chars - * vfs options - -New Parameters (new parameters have been grouped by function): - - Remote management - ----------------- - * abort shutdown script - * shutdown script - - User and Group Account Management - --------------------------------- - * add group script - * add machine script - * add user to group script - * algorithmic rid base - * delete group script - * delete user from group script - * passdb backend - * set primary group script - - Authentication - -------------- - * auth methods - * realm - * passwd chat timeout - - Protocol Options - ---------------- - * client lanman auth - * client NTLMv2 auth - * client schannel - * client signing - * client use spnego - * disable netbios - * ntlm auth - * paranoid server security - * server schannel - * server signing - * smb ports - * use spnego - - File Service - ------------ - * get quota command - * hide special files - * hide unwriteable files - * hostname lookups - * kernel change notify - * mangle prefix - * map acl inherit - * msdfs proxy - * set quota command - * use sendfile - * vfs objects - - Printing - -------- - * max reported print jobs - - UNICODE and Character Sets - -------------------------- - * display charset - * dos charset - * unicode - * unix charset - - SID to uid/gid Mappings - ----------------------- - * idmap backend - * idmap gid - * idmap uid - * winbind enable local accounts - * winbind trusted domains only - * template primary group - * enable rid algorithm - - LDAP - ---- - * ldap delete dn - * ldap group suffix - * ldap idmap suffix - * ldap machine suffix - * ldap passwd sync - * ldap user suffix - - General Configuration - --------------------- - * preload modules - * private dir - -Modified Parameters (changes in behavior): - - * encrypt passwords (enabled by default) - * mangling method (set to 'hash2' by default) - * passwd chat - * passwd program - * restrict anonymous (integer value) - * security (new 'ads' value) - * strict locking (enabled by default) - * unix extensions (enabled by default) - * winbind cache time (increased to 5 minutes) - * winbind uid (deprecated in favor of 'idmap uid') - * winbind gid (deprecated in favor of 'idmap gid') - - -Databases ---------- - -This section contains brief descriptions of any new databases -introduced in Samba 3.0. Please remember to backup your existing -${lock directory}/*tdb before upgrading to Samba 3.0. Samba will -upgrade databases as they are opened (if necessary), but downgrading -from 3.0 to 2.2 is an unsupported path. - -Name Description Backup? ----- ----------- ------- -account_policy User policy settings yes -gencache Generic caching db no -group_mapping Mapping table from Windows yes - groups/SID to unix groups -winbindd_idmap ID map table from SIDS to UNIX yes - uids/gids. -namecache Name resolution cache entries no -netsamlogon_cache Cache of NET_USER_INFO_3 structure no - returned as part of a successful - net_sam_logon request -printing/*.tdb Cached output from 'lpq no - command' created on a per print - service basis -registry Read-only samba registry skeleton no - that provides support for exporting - various db tables via the winreg RPCs - - -Changes in Behavior -------------------- - -The following issues are known changes in behavior between Samba 2.2 and -Samba 3.0 that may affect certain installations of Samba. - - 1) When operating as a member of a Windows domain, Samba 2.2 would - map any users authenticated by the remote DC to the 'guest account' - if a uid could not be obtained via the getpwnam() call. Samba 3.0 - rejects the connection as NT_STATUS_LOGON_FAILURE. There is no - current work around to re-establish the 2.2 behavior. - - 2) When adding machines to a Samba 2.2 controlled domain, the - 'add user script' was used to create the UNIX identity of the - machine trust account. Samba 3.0 introduces a new 'add machine - script' that must be specified for this purpose. Samba 3.0 will - not fall back to using the 'add user script' in the absence of - an 'add machine script' - - -###################################################################### -Passdb Backends and Authentication -################################## - -There have been a few new changes that Samba administrators should be -aware of when moving to Samba 3.0. - - 1) encrypted passwords have been enabled by default in order to - inter-operate better with out-of-the-box Windows client - installations. This does mean that either (a) a samba account - must be created for each user, or (b) 'encrypt passwords = no' - must be explicitly defined in smb.conf. - - 2) Inclusion of new 'security = ads' option for integration - with an Active Directory domain using the native Windows - Kerberos 5 and LDAP protocols. - - MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption - type which is neccessary for servers on which the - administrator password has not been changed, or kerberos-enabled - SMB connections to servers that require Kerberos SMB signing. - Besides this one difference, either MIT or Heimdal Kerberos - distributions are usable by Samba 3.0. - - -Samba 3.0 also includes the possibility of setting up chains -of authentication methods (auth methods) and account storage -backends (passdb backend). Please refer to the smb.conf(5) -man page for details. While both parameters assume sane default -values, it is likely that you will need to understand what the -values actually mean in order to ensure Samba operates correctly. - -The recommended passdb backends at this time are - - * smbpasswd - 2.2 compatible flat file format - * tdbsam - attribute rich database intended as an smbpasswd - replacement for stand alone servers - * ldapsam - attribute rich account storage and retrieval - backend utilizing an LDAP directory. - * ldapsam_compat - a 2.2 backward compatible LDAP account - backend - -Certain functions of the smbpasswd(8) tool have been split between the -new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) -utility. See the respective man pages for details. - - -###################################################################### -LDAP -#### - -This section outlines the new features affecting Samba / LDAP -integration. - -New Schema ----------- - -A new object class (sambaSamAccount) has been introduced to replace -the old sambaAccount. This change aids us in the renaming of attributes -to prevent clashes with attributes from other vendors. There is a -conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF -file to the new schema. - -Example: - - $ ldapsearch .... -b "ou=people,dc=..." > old.ldif - $ convertSambaAccount old.ldif new.ldif - -The can be obtained by running 'net getlocalsid ' -on the Samba PDC as root. - -The old sambaAccount schema may still be used by specifying the -"ldapsam_compat" passdb backend. However, the sambaAccount and -associated attributes have been moved to the historical section of -the schema file and must be uncommented before use if needed. -The 2.2 object class declaration for a sambaAccount has not changed -in the 3.0 samba.schema file. - -Other new object classes and their uses include: - - * sambaDomain - domain information used to allocate rids - for users and groups as necessary. The attributes are added - in 'ldap suffix' directory entry automatically if - an idmap uid/gid range has been set and the 'ldapsam' - passdb backend has been selected. - - * sambaGroupMapping - an object representing the - relationship between a posixGroup and a Windows - group/SID. These entries are stored in the 'ldap - group suffix' and managed by the 'net groupmap' command. - - * sambaUnixIdPool - created in the 'ldap idmap suffix' entry - automatically and contains the next available 'idmap uid' and - 'idmap gid' - - * sambaIdmapEntry - object storing a mapping between a - SID and a UNIX uid/gid. These objects are created by the - idmap_ldap module as needed. - - * sambaSidEntry - object representing a SID alone, as a Structural - class on which to build the sambaIdmapEntry. - - -New Suffix for Searching ------------------------- - -The following new smb.conf parameters have been added to aid in directing -certain LDAP queries when 'passdb backend = ldapsam://...' has been -specified. - - * ldap suffix - used to search for user and computer accounts - * ldap user suffix - used to store user accounts - * ldap machine suffix - used to store machine trust accounts - * ldap group suffix - location of posixGroup/sambaGroupMapping entries - * ldap idmap suffix - location of sambaIdmapEntry objects - -If an 'ldap suffix' is defined, it will be appended to all of the -remaining sub-suffix parameters. In this case, the order of the suffix -listings in smb.conf is important. Always place the 'ldap suffix' first -in the list. - -Due to a limitation in Samba's smb.conf parsing, you should not surround -the DN's with quotation marks. - - -IdMap LDAP support ------------------- - -Samba 3.0 supports an ldap backend for the idmap subsystem. The -following options would inform Samba that the idmap table should be -stored on the directory server onterose in the "ou=idmap,dc=plainjoe, -dc=org" partition. - - [global] - ... - idmap backend = ldap:ldap://onterose/ - ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org - idmap uid = 40000-50000 - idmap gid = 40000-50000 - -This configuration allows winbind installations on multiple servers to -share a uid/gid number space, thus avoiding the interoperability problems -with NFS that were present in Samba 2.2. - - - -###################################################################### -Trust Relationships and a Samba Domain -###################################### - -Samba 3.0.0beta2 is able to utilize winbindd as the means of -allocating uids and gids to trusted users and groups. More -information regarding Samba's support for establishing trust -relationships can be found in the Samba-HOWTO-Collection included -in the docs/ directory of this release. - -First create your Samba PDC and ensure that everything is -working correctly before moving on the trusts. - -To establish Samba as the trusting domain (named SAMBA) from a Windows NT -4.0 domain named WINDOWS: - - 1) create the trust account for SAMBA in "User Manager for Domains" - 2) connect the trust from the Samba domain using - 'net rpc trustdom establish GLASS' - -To create a trustlationship with SAMBA as the trusted domain: - - 1) create the initial trust account for GLASS using - 'smbpasswd -a -i GLASS'. You may need to create a UNIX - account for GLASS$ prior to this step (depending on your - local configuration). - 2) connect the trust from a WINDOWS DC using "User Manager - for Domains" - -Now join winbindd on the Samba PDC to the SAMBA domain using -the normal steps for adding a Samba server to an NT4 domain: -(note that smbd & nmbd must be running at this point) - - root# net rpc join -U root - Password: - -Start winbindd and test the join with 'wbinfo -t'. - -Now test the trust relationship by connecting to the SAMBA DC -(e.g. POGO) as a user from the WINDOWS domain: - - $ smbclient //pogo/netlogon -U Administrator -W WINDOWS - Password: - -Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: - - $ smbclient //crystal/netlogon -U root -W WINDOWS - Password: - -###################################################################### -Changes in Winbind -################## - -Beginning with Samba3.0.0beta3, winbindd has been given new account -manage functionality equivalent to the 'add user script' family of -smb.conf parameters. The idmap design has also been changed to -centralize control of foreign SID lookups and matching to UNIX -uids and gids. - - -Brief Description of Changes ----------------------------- - -1) The sid_to_uid() family of functions (smbd/uid.c) have been - reverted to the 2.2.x design. This means that when resolving a - SID to a UID or similar mapping: - - a) First consult winbindd - b) perform a local lookup only if winbindd fails to - return a successful answer - - There are some variations to this, but these two rules generally - apply. - -2) All idmap lookups have been moved into winbindd. This means that - a server must run winbindd (and support NSS) in order to achieve - any mappings of SID to dynamically allocated UNIX ids. This was - a conscious design choice. - -3) New functions have been added to winbindd to emulate the 'add user - script' family of smbd functions without requiring that external - scripts be defined. This functionality is controlled by the 'winbind - enable local accounts' smb.conf parameter (enabled by default). - - However, this account management functionality is only supported - in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts - must be shared among multiple Samba servers (such as a PDC and BDCs), - it will be necessary to define your own 'add user script', et. al. - programs that place the accounts/groups in some form of directory - such as NIS or LDAP. This requirement was deemed beyond the scope - of winbind's account management functions. Solutions for - distributing UNIX system information have been deployed and tested - for many years. We saw no need to reinvent the wheel. - -4) A member of a Samba controlled domain running winbindd is now able - to map domain users directly onto existing UNIX accounts while still - automatically creating accounts for trusted users and groups. This - behavior is controlled by the 'winbind trusted domains only' smb.conf - parameter (disabled by default to provide 2.2.x winbind behavior). - -5) Group mapping support is wrapped in the local_XX_to_XX() functions - in smbd/uid.c. The reason that group mappings are not included - in winbindd is because the purpose of Samba's group map is to - match any Windows SID with an existing UNIX group. These UNIX - groups can be created by winbindd (see next section), but the - SID<->gid mapping is retreived by smbd, not winbindd. - - -Examples --------- - -* security = server running winbindd to allocate accounts on demand - -* Samba PDC running winbindd to handle the automatic creation of UNIX - identities for machine trust accounts - -* Automtically creating UNIX user and groups when migrating a Windows NT - 4.0 PDC to a Samba PDC. Winbindd must be running when executing - 'net rpc vampire' for this to work. - - -###################################################################### -Known Issues -############ - -* There are several bugs currently logged against the 3.0 codebase - that affect the use of NT 4.0 GUI domain management tools when run - against a Samba 3.0 PDC. This bugs should be released in an early - 3.0.x release. - -Please refer to https://bugzilla.samba.org/ for a current list of bugs -filed against the Samba 3.0 codebase. - - ###################################################################### Reporting bugs & Development Discussion ####################################### @@ -1204,10 +254,13 @@ joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down -the problem then you will probably be ignored. +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.2 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + -A new bugzilla installation has been established to help support the -Samba 3.0 community of users. This server, located at -https://bugzilla.samba.org/, has replaced the older jitterbug server -previously located at http://bugs.samba.org/. +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +======================================================================