- WHATS NEW IN Samba 3.0 alphaX
- =============================
-
-Changes in alpha20
- - Rework the 'guest account gets RID 501' code again...
- - Change to use NT-based session key negotiated for Win2k SPNEGO
- - Support printer data registry keys other than the default
- PrinterDriverData
- - Moved internal printerdata to REGISTRY_VALUE object
- - Corrected bug in dependentfiles list of DRIVER_INFO_3
- - fixed logic bug in blocking locks code
- - Updated registry api code to work with new printer data key
- support
- - Added vfstest tool
- - round lock timeouts in lockingX upwards to multiples of 1 second
- - Fixed bugs in Printer Change Notify code
- - added a 'net ads lookup' command that does a CLDAP NetLogon
- query to a win2000 server
- - Added script to find undocumented smb.conf parameters
- - Added missing parameters to smb.conf(5)
- - receive & parse main CLDAP reply from win2k server
- - removed "admin log" & "alternate permissions" parameters from smb.conf
- - added a generic print_guid utility, and get the byte order handing
- - fixed memory corruption in cli_full_connection()
- - remove unused 'max packet' and 'packet size' options
- - add support for the "value,OID" format described in MSDN for Printer
- Data values
- - moves NT_TOKEN generation into our authentication code
- - Update documentation build system
- - Several fixes for IRIX compiler
- - Correctly handle "max data count" value in smb transacts
- - Fix for permissions error when adding/modifying using a Print
- server handle
- - Fix pam_smbpass to always check the return value of pdb_getsampwnam()
- - Use the 'init' flag to determine if the UID is set, rather than testing
- the uid for -1
- - Cope with non-unix accounts - we just won't get the groups for those users
- - Add 'net rpc getsid' to fetch the PDC's SID into the local secrets.tdb.
- Print domain SID on 'net rpc info'
- - don't use lp_passwd_file() to retrieve NIS domain name, but use location
- instead
- - Various POSIX compatibility fixes
- - Show only non-default values in testparm
- - Fix longstanding bug in Win2k clients by clearing the shortname
- buffer before returning ascii short name.
- - Add example backtrace script
- - Added NETLOGON NetServerAuthenticate3 include and parser file
- - fix for difference in strsep and strtok semantics in nmbd
- - Ensure we don't change to a user that we can't get an NT_TOKEN for
- - Put back in BDC support in set_server_role()
- - added a 'net rpc samdump' command for dumping the whole sam via
- samsync operations (as a BDC)
- - don't use spnego in the client unless enabled in smb.conf
- - Added some new delta types discovered by Ronnie from ethereal
- - Cope with negative cache dns entries better
- - do not expose special files, only files, directories and links
- - attempts to simplify Samba's external lib dependencies
- - support non-root-mode systems without getgrouplist()
- - Some fixes for SMB signing
- - Pass the object name down to the enum_printers client rpc
- - add the netatalk VFS module
- - Ensure we have at least smb_size bytes before processing a packet
- - Allow us to "lock" printer tdb entries in memory to stop them being
- re-used as cache
- - fix 2 byte alignment/offset bug that prevented Win2k/XP clients
- from receiving all the printer data in EnumPrinterDataEx()
- - Add option to compile new sam system can be enabled with the
- configure option --with-sam
- - Added SGML/DocBook version of developer oriented docs to build process
- - Return correct FILE_SUPERSEDED response
- - Added example sam module (skeleton)
- - Add plugin support for the sam system (based on passdb code)
- - show builtin groups in samdump
- - Adding samtest utility used to test sam backends
- - fix connecting to a BDC when the PDC is down but in WINS and no bcast
- can be used to find a BDC
- - convert the LDAP/SASL code to use GSS-SPNEGO if possible
- - added cli_net_auth_3 client code
- - merge of phant0m key fix from APP_HEAD
- - allow rpcclient's samlogon command to use cli_net_3()
- - Added attribute specific OPEN tests
- - Fix bug with stat mode open being done on read-only open with
- truncate
- - Add lots of const casts to function parameters
- - Implemented some more client side spoolss functions
- - usrmgr expects unicode as ProductType
- - Change JOB_INFO_CTR to return a pointer to an array rather than array of
- pointers in client code
- - Various NTLMSSP fixes
- - fixed crash bug in cli_connection code
- - DeletePrinterDriver[Ex]() fixes from APP_HEAD
- - remove some inet_aton() calls for portability
- - Set default ACB attributes on 'unixsam' accounts
- - Add bcast_msg_flags to connection struct
- - aggregate change notify events in the smbd sender and when transmitting
- - Added better error code on out of space in printer spool directory
- - Removed total jobs check - not applicable any more
- - fixed bug in share enumeration RPC code
- - extend the ADS_STATUS system to include NTSTATUS
- - commit trusted domain patch n+3
- - remove block VFS module
- - restrict readline headers to readline.c
- - merge of various recycle bin VFS patches
- - Winbind client-side cleanups
- - change parametric option name to vfs_recycle_bin it is more
- sane and do not pollute standard options namespace too much
- - added --enable-python configure option for building the samba-python
- unit tests
- - correct trans2 bugs in client for enumerating files/directories
- - Re-add OS/2 EA error codes
- - Added patch for required attributes in directory listings to reply code
- - Fix browse synchronization bug by noticing that W2K DMB's return empty
- NetServerEnum2 on port 445, but not on port 139
- - Fix semantics of AbortPrinter() spoolss call in server code
- - Ensure we've failed a lock with a lock denied message before automatically
- pushing it onto the blocking queue
- - Added experimental sendfile code
- - Initialize user_rid value in WINBIND_USERINFO structure returned by
- the rpc version of query_user()
- - added gencache implementation
- - Merge the cli_shutdown change from 2_2
- - Fixes for DeletePrinterDriverEx()
- - Fixed alignment error in spoolss code
- - Changed Major/Minor version info reported to Server Manager to 4.9
- - Applied new display mode FLAGS for SWAT
- - Update to add DEVELOPER option to more parameters
- - Added --with-ads option, defaults to yes
- - Added --with-ldap option to configure
- - Add clock skew handling to our kerberos code
- - correct race condition in password change code for out machine account
- when a member of a domain
- - First implementation for 'net rpc vampire'
- - store current handle's Device Mode with print job
- - Move functionality to check whether entries for lp_workgroup() and
- "BUILTIN" exist and add them if necessary from check_correct_backend_entries
- into sam_context_check_default_backends
- - allow --with-krb5 to override the location of the kerberos libs on
- redhat
- - unlink spool file after submitting print job when using CUPS api
- - Add framework for samtest commands
- - Add the ability to view/set the current local domain SIDs to net command
- - When creating a group you have to take care of the fact that the
- underlying unix might not like the group name
- - Don't uppercase the username and domain in a session setup
- - Merge of "profile acls" code from SAMBA_2_2
- - Check for existing of security descriptor in PRINTER_INFO_2 structure
- in rpc client code
- - Move to common user token debugging, and ensure we always print both the
- NT_TOKEN and the unix credentials
- - If adding a user to ldap, make sure we have the 'account' structural class,
- or else we can't add to OpenLDAP 2.1
- - Kill of Get_Pwnam_Modify and smb_getpwnam()
- - add a 'ldap passwd sync' option to smb.conf
- - Whenever we deal with adding machine/trusted domain accounts, always reset
- the flag to what we expect
- - Fix the circular dependency that was preventing 'domain master = auto' (the
- default) from working
- - move all the passdb internal interface to NTSTATUS
- - to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to
- store \\server\user back) and to correctly notice 'not set' compared to 'null
- string' etc.
- - get some more of our access control bits right on the SAMR pipe
- - Add -r parameter to smbgroupedit. With -r you can manually choose
- a rid
-
-Changes in alpha19
- - Virtual registry framework with printing hooks (jerry)
- - Heavy registry updates (jerry)
- - Use 850 as the default DOS character set in smb.conf (tpot)
- - printer fixes - removed encoding of queueid in job number (jra)
- - A lot of small fixes (jra)
- - Don't crash on setfileinfo on printer fsp(jra)
- - fixed line buffer mode in XFILE(jra)
- - update samba.schema from 2.2 (jerry,idra)
- - Fix problem with oplock breaks and win2k -
- noticed by Lev Iserovich <lev@ciprico.com> (jra)
- - Update smbgroupedit to document -d - thanks to metze (abartlet)
- - Support weird behaviour used by win9x pass-through auth (abartlet,tpot)
- - Support for duplicating stderr in log files (abartlet)
- - Move startup time initialisation to server.c (abartlet)
- - *A lot* of fixes and cleanups (abartlet)
- - Fix up compiler warnings (abartlet)
- - Few small fixes (tpot)
- - Renamed new_cli_netlogon_* -> cli_netlogon_* (tpot)
- - Fixed segfault in net time when host is unavailable (tridge)
- - Ensure to be root when opening printer backend tdb (jra)
- - Merges from APPLIANCE_HEAD (tpot,jerry)
- - configure updates (tridge)
- - getgrouplist() updates (tridge)
- - Support for pdbedit to query account policy values (abartlet)
- - Allow one to create trusting domain account using smbpasswd (mimir,abartlet)
- - 'Net rpc trustdom list' (mimir, abartlet)
- - Fix fallback to anonymous connection (mimir, abartlet)
- - Fix for pdb_ldap and OpenLDAP 2.1
- - Added support in swat to determine whether winbind is running (idra)
- - Add 'hide unwritable' option (idra)
- - Correct pickup of [homes] share after subsequent session setups (abartlet)
- - Update rebind code in pdb_ldap (abartlet)
- - Add some info levels to RPC srvsvc code -
- thanks to Nigel Williams" <nigel@veritas.com> (abartlet)
- - Small doc fixes (tridge)
- - good security patch from Timothy.Sell@unisys.com (tridge)
- - fix minor nits in nmbd from adtam@cup.hp.com (tridge)
- - make sure async dns nmbd child dies (tridge)
- - interim fix for nmbd not registering DOMAIN#1b (tridge)
- - fix for smbtar filename matching (tridge)
- - Better quote handling in smb.conf (abartlet)
- - Support browsers setting multiple languages in swat (idra)
- - Changed str_list_make to be able to use a different separator string (idra)
- - Samsync support to insert account info into the pdb (tpot)
- - Don't hide unwritable dirs when 'hide unwritable' is enabled -
- suggested by Alexander Oswald <oswald@is.haw-hamburg.de> (idra)
- - Fix for handling sparse files in smbd (tridge)
- - Merges from 2_2 (jerry)
- - Minor printer fixes (jerry)
- - Add some checks to SID lookup code (abartlet)
- - Cascaded VFS (Alexander Bokovoy, idra)
- - Some netbios-less connections support in ADS mode (tridge)
- - ADS tweaks (tridge)
- - Fix plaintext passwords with win2k (tridge)
- - 'net ads info' reports IP of LDAP server (tridge)
- - Add some more RPC functions (jmcd)
- - Add 'smb ports = ' option (tridge)
- - Various small fixes (tridge)
- - Passdb security checks (abartlet)
- - Large winbind updates (abartlet)
- - Moved rpc client routines from libsmb to rpc_client (tpot)
- - Few nmbd fixes (jmcd)
- - Fix swat to handle new debug level code (idra)
- - Fix name length bug in namequeries (tridge)
- - Don't have client binaries depend on libs they don't use -
- patch from Steve Langasek <vorlon@netexpress.net> (abartlet)
- - Printing change notification (merged from HEAD_APPLIANCE) (jerry)
- - fix delete printer driver (from HEAD_APPLIANCE) (jerry)
- - Added pdb_xml and pdb_mysql (jelmer)
- - Update pdb_test (jelmer)
- - Fix security issues with %m (abartlet)
- - Support for service joins from win2k AND use SPNEGO (jmcd)
- - pdbedit -i and -e fix, add -b (idra)
- - textdocs converted to sgml (jelmer, jerry)
- - Merge netbios namecache code from APPLIANCE_HEAD (tpot)
- - Fix segs in new NTLMSSP code (abartlet)
- - Always make guest rid 501 (abartlet)
-
-Changes in alpha18
- - huge number of changes! really too many to list ... (and its 1am
- here, and I'm too tired)
- See the cvs tree at http://build.samba.org/
-
-
-Changes in alpha17
-- OpenLinux packaging updates (jht)
-- Locking updates - fix zero timeout (tridge, jra)
-- Default ACL support (jra, based on code from Olaf Frczyk <olaf@cbk.poznan.pl>)
-- printing updates - spoolss stuff (tpot)
-- 'make install' directory creation fixes (abartlet)
-- Lots of fixes for SID handling, local v domain sids etc
-- better mangle debugging (abartlet)
-- fixes to allow 'net' to return more than 1000 users from ADS (jmcd)
- - winbind support to come very shortly
-- lock some more tdbs to allow concurrent access for backups
-- 'net' help cleanups (jmcd)
-- 'net join' automatic transport detection
-
-Changes in alpha16
-- LDAP schema updates (jerry)
-- initial ADS LDAP printer advertising (jmcd)
-- spoolss and printing updates (tpot, jerry)
- (the is the major update in this alpha, and work continues)
-- Winbindd connection cache improvements (abartlet)
-- spnego segfault fixes (abartlet)
-- net ads segfault fixes ( Alexander Bokovoy <a.bokovoy@sam-solutions.net>)
-- header cleanups (tpot)
-- Serialise domain auth requests - win2k bug (tridge)
-- fix winbind talloced memory leak (dleducq@arkoon.net, tridge)
-- call unmangle in don_unmangle (abartlet)
-- UTF8 Charset functions - for ADS LDAP calls (Hasch@t-online.de)
-- Fix security tab for mapped drives on unicode clients (tridge)
-- Better configure tests for snprintf and immidiate structures (abartlet)
-- allow 'passdb backend = plugin : /path/to/plugin.so : plguin args'
- (loads a passdb module) (Jelmer Vernooij <jelmer@nl.linux.org>)
-- change the way we store our domain join info - you will need to
-rejoin the domain (tridge)
-- xcopy /o fixes (tridge)
-- fix the 'convert_string' level 0 debugs.
-- Patch for Domain users not showing up from "Ivan Zhakov" <vunny@mail.ru>
-- tdb backup support
-- The beginning of trusted and trusting domain support - net commands
- (Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>)
-- nmbd signal processing fixes (jra)
-- lseek-on-pipe support (jra)
-- Allow Samba to trust NT4 Domains (abartlet)
-- LDAPsam updates (abartlet):
- - Now runtime selectable (when configured)
- - ldap user suffix and ldap group suffix support.
- - non unix account support
- - select with 'passdb backend = ldapsam' or 'passdb backend =
- ldapsam_nua'
-- start to allow NT4 domains to trust Samba, netlogon fixes (abartlet)
-- make default unix charset UTF8 (tridge)
-- Fix SIGSEGV on error message when trying to add a user to smbpasswd
-file without a unix account (jmcd)
-- better detection of dead ADS connections, so we have some chance of
-reconnecting (tridge)
-- removed bogus prepend_domain() call which was screwing up getpwuid()
-with the new default domain code
-- Domain/workstation SID fixes.
-- patch from Alexey Kotovich <a.kotovich@sam-solutions.net> that adds
- the security decsriptor code for ADS workstation accounts.
- (allow self password change, self remove)
- (after much review and disscussion with abartlet and tridge)
-
-Changes in alpha15
-- Improvements in pam_winbind/winbindd_pam.c: (abartlet)
- - Much better error reporting
- - Password changing is now stackable
- - now returns multiple PAM errors based on the NTSTATUS
- that winbind got.
- - returns an error string the client can use in their own logs.
-- Print form updates (tpot)
-- added 'wbinfo --sequence' to show sequence numbers of
- all domains (tridge)
-- better winbind memory mangement (tridge)
-- make signal processing work correctly in winbindd
- Michael Steffens <michael_steffens@hp.com>
-- Inital ADS printer publishing work. (jmcd)
-- Debian packaging
-- large debian packaging checking from Eloy. (merge by jerry)
-- Make smbgroupedit a little easier on the user (select groups
- by name rather than by sid) (abartlet)
-- rework parts of smbtorture (tridge)
-
-Changes in alpha14
-- 'Winbind Default Domain' support:
- This allows winbind to supply usernames without a 'DOMAIN\'
- prefix. Particularly handy for shell and e-mail servers,
- as well as Unix workstations in NT domains.
-- Associated cleanups in winbindd and smbd.
- (Alexander Bokovoy <a.bokovoy@sam-solutions.net> and
- abartlet)
-- Winbind protocol changes for better Squid intergration
- (current version is 3) (abartlet)
-- pam_winbind password changing
- (Samuel Ziegler <sam@xpedion.com>, tpot)
-- runtime selectable pluggable passdb interface.
- (abartlet)
-- 'non unix account' support (abartlet)
- (This allows machines and even users not to exist
- in /etc/passwd)
-- Inital implementation of the WINS replication deamon
- (jfm)
-- Changes for better winbind PDC/BDC failover support
- (tpot)
-- Various Winbind/ADS mode stabilty and flexablity fixes
- (tridge)
-- Mangle names like .bashrc properly (trige)
-- CIFS UNIX extensions (client and server) (jra)
-- Universal group support outside smbd (via a cache)
- (Alexander Bokovoy <a.bokovoy@sam-solutions.net>)
-- Write cache fixes (jra)
-
-Changes in alpha13
-- updates to try to get more out-of-the-box compiles
- (mostly kerberos and ldap stuff) (various)
-- 'net rpc shutdown' remote shutdown of servers
- (abartlet, original code from idra)
-- authentication subsystem rework, including move to
- new RPC client code (abartlet)
-- winbind changes:
- - use new client code (abartlet)
- - change winbind_auth_pam_crap interface for squid's
- benifit. (abartlet)
- - new interface versioning functionality (abartlet)
- - cope better when inteface does change (tpot)
- - better winbind trusted domain code (tpot)
-- doc updates (jerry)
-- new NTSTAUS -> DOS error map (abartlet)
-- large user list (> 1500) enumeration (jra)
-- dmalloc support (mbp)
-- spoolss changes (tpot)
-- talloc accounting (mbp)
-- rename fixes (jra)
-- smbmount trivial fixup (abartlet)
-- start of new unix extenions to CIFS (jra)
-
-Changes in alpha12
-- doc updates (jerry)
-- store domain sid on ADS join (tridge)
-- allow a winbind username on ADS connection (tridge)
-
-Changes in alpha11
-- fixed fallback to "ads server" option (tridge)
-- fix ACL failure on HP HFS (jra)
-- net ads password and net ads chostpass commands (Remus Koos)
-- fixed valid char array generation (tridge)
-- fixed QFS_INFO for win98 long filenames (tridge)
-- added net lookup command (tridge)
-- fixed map to guest with spnego (tridge)
-- fixed irix warnings (tridge)
-
-
-Changes in alpha10
-- hide unreadable fix using acl fns (jra)
-- lsa_open_policy cleanup (jfm)
-- mangled directories fix (jra)
-- fix error return on bad pipe (jra)
-- fix homes share with no home dir (tpot)
-- fixed handling of dead or empty domains in winbindd (tridge)
-- added talloc torture program (mbp)
-- talloc debug code (mbp)
-- added trusted domains to winbindd/ADS (tridge)
-- fix trusted domains in auth code (tridge)
-- new gss error handling code (a.bokovoy@sam-solutions.net & tridge)
-- support mixed ADS/NT4 domains (tridge)
-
-Changes in alpha9
-- nicer net error messages (tpot)
-- trust account patches (mimir)
-- solaris link option update (davecb)
-- added lsa_query_secobj() server fn (jfm)
-- spoolss changeid fix (jerry)
-- domain auth error fix (jmcd)
-- HPUX acl code (jra)
-- set filetime on close fix (jra)
-- allow select of org unit in ads join (tridge)
-
-Changes in alpha8
-- fixed compile of wb_client.c (tridge)
-- fixed net time to use localtime (tridge)
-- net help cleanups (jmcd)
-- debug level fix (tpot)
-- utmp string length fixes (monyo)
-
-
-Changes in alpha7
-
-- added "net ads info" to probe basic into on your ads server without
- any authentication
-- improved some error handling
-
-Changes in alpha6
-
-- added "net time zone" command (tridge)
-- pam_smbpass updates (a.bokovoy@sam-solutions.net)
-- irix updates (herb)
-- net rpc join handles existing machine acct (tridge)
-
-Changes in alpha5
-
-- added "net time" command (tridge)
-- allow client tools to specify a hostname of form HOST#xx (tridge)
-- added wbinfo --set-auth-user (tpot)
-- added lsaquerysecobj to rpcclient (tpot)
-
-Changes in alpha4
-
-- fixed nexus/win9x user list (jfm)
-- fixed large user/group lists in winbindd (tridge)
-- fixed gssapi headers in redhat (jmcd)
-- fixed rap error code handling (jra)
-- more usermanager rpc calls (jfm)
-- re-added RAP calls at top level to net command (tridge)
-
-Changes in alpha3
-
-- fixed a silly tdb bug in alpha2 that affected internal databases
-
-Changes in alpha2
-
-- we no longer use cyrus-sasl for LDAP SASL/gssapi. This makes our ADS
- code much more robust.
-- winbindd cache code rewritten to be much more efficient. It also
- copes much better with server outages.
-- jfm implemented full group mapping and smb.conf option 'domain admin
- group' is now gone. Consult the GROUP-MAPPING-HOWTO.txt to know how
- to gain back administrator rights.
-- docs update started
-- numerous small bugfixes
-
-Changes in alpha1
-
- - winbindd now uses LDAP and works correctly with an ADS server in
- native mode
- - XFS quotas code on Linux
- - group mapping code from JFM
- - "net rpc join" command replaces smbpasswd -j
- - fixed winbind initgroups
-
---------------
-
-This is a pre-release of Samba 3.0 alpha0. This is NOT a stable
-release. Use at your own risk.
-
-The purpose of this alpha release is to get wider testing of the major
-new pieces of code in the current Samba 3.0 development tree. We are
-planning on ceasing development on the 2.2.x release of Samba very
-shortly and after that we will be concentrating on Samba 3.0. To
-reduce the time before the final Samba 3.0 release we need as many
-poeple as possible to start testing these alpha releases, and
-hopefully giving us some high quality feedback on what needs fixing.
-
-Note that Samba 3.0 is not anywhere near feature complete yet. There
-is a lot more coding we have planned, but unless we get what we have
-done already more widely tested we will have a hard time doing a
-stable release in a reasonable time frame.
-
-This release is also missing major pieces of documentation, and there
-are many parts of the docs that have not been updated to reflect the
-new options and features in 3.0.
+ WHATS NEW IN Samba 3.0.0 beta3
+ July 16 2003
+ ==============================
+
+This is the third beta release of Samba 3.0.0. This is a
+non-production release intended for testing purposes. Use
+at your own risk.
+
+The purpose of this beta release is to get wider testing of the major
+new pieces of code in the current Samba 3.0 development tree. We have
+officially ceased development on the 2.2.x release of Samba and are
+concentrating on Samba 3.0. To reduce the time before the final
+Samba 3.0 release we need as many people as possible to start testing
+these beta releases, and to provide high quality feedback on what
+needs fixing.
+
+Samba 3.0 is feature complete. However there is still some final
+work to be done on certain pieces of functionality. Please refer to
+the section on "Known Issues" for more details.
+
Major new features:
-------------------
-- Active Directory support. This release is able to join a ADS realm
- as a member server and authenticate users using
- LDAP/kerberos. Please read ADS-HOWTO.txt in the release for a very
- rough guide on how to set this up.
+1) Active Directory support. Samba 3.0 is now able to
+ to join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire and
+ internally there is now a much better infrastructure for multi-byte
+ and UNICODE character sets.
+
+3) New authentication system. The internal authentication system has
+ been almost completely rewritten. Most of the changes are internal,
+ but the new auth system is also very configurable.
+
+4) New filename mangling system. The filename mangling system has been
+ completely rewritten. An internal database now stores mangling maps
+ persistently. This needs lots of testing.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable RPC modules.
+
+9) New dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (including in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+######################################################################
+Changes since 3.0beta2
+######################
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details
+
+1) Added fix for Japanese case names in statcache code;
+ these can change size on upper casing.
+2) Correct issues with iconv detection in configure script
+ (support needed to find iconv libraries on FreeBSD).
+3) Fix bug that caused a WINS server to be marked as dead
+ incorrectly (bug #190).
+4) Removing additional deadlocks conditions that prevented
+ winbindd from running on a Samba PDC (used for trust
+ relationships).
+5) Add support for searching for Active Directory for
+ published printers (net ads printer search).
+6) Separate UNIX username from DOMAIN\username in pipe
+ credentials.
+7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
+ for cases that they cannot handle.
+8) Flush winbindd connection cache when the machine trust account
+ password is changed while a connection is open (bug #200).
+9) Add support for 'OSVersion' server printer data string
+ (corrects problem with uploading printer drivers from
+ WinXP clients).
+10) Numerous memory leak fixes.
+11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
+ - Store domain SID in LDAP directory.
+ - store idmap information in existing entries (use sambaSID=...
+ if adding a new entry).
+12) Fix incorrect usage of primary group SID when looking up user
+ groups (bug #109).
+13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
+ winbind_XXX and local_XXX calls used in 2.2.
+14) All uid/gid allocation must involve winbindd now (we do not
+ attempt to map unknown SIDs to a UNIX identify).
+15) Add 'winbind trusted domains only' parameter to force a domain
+ member. The server to use matching users names from /etc/passwd
+ for its domain (needed for domain member of a Samba domain).
+16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
+ (defaults to "yes").
+17) Add support for multi-byte statcache code (bug #185)
+18) Fix open mode race condition.
+19) Implement winbindd local account management functions. Refer to
+ the "Winbind Changes" section for details.
+20) Move RID allocation functions into idmap backend.
+21) Fix parsing error that prevented publishing printers from a
+ Samba server in an AD domain.
+22) Revive NTLMSSP support for named pipes.
+23) More SCHANNEL fixes.
+24) Correct SMB signing with NTLMSSP.
+25) Fix coherency bug in print handle/printer object caching code
+ that could cause XP clients to infinitely loop while updating
+ their local printer cache.
+26) Make winbindd use its dual-daemon mode by default (use -Y to
+ start as a single process).
+27) Add support to nmbd and winbindd for 'smbcontrol <pid>
+ reload-config'.
+28) Correct problem with smbtar when dealing with files > 8Gb
+ (bug #102).
+
+
+
+Changes since 3.0beta1
+######################
+
+1) Rework our smb signing code again, this factors out some of
+ the common MAC calculation code, and now supports multiple
+ outstanding packets (bug #40).
+2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
+ ntlmv2 auth'.
+3) Correct timestamp problem on 64-bit machines (bug #140).
+4) Add extra debugging statements to winbindd for tracking down
+ failures.
+5) Fix bug when aliased 'winbind uid/gid' parameters are used.
+ ('winbind uid/gid' are now replaced with 'idmap uid/gid').
+6) Added an auth flag that indicates if we should be allowed
+ to fall back to NTLMSSP for SASL if krb5 fails.
+7) Fixed the bug that forced us not to use the winbindd cache when
+ we have a primary ADS domain and a secondary (trusted) NT4
+ domain.
+8) Use lp_realm() to find the default realm for 'net ads password'.
+9) Removed editreg from standard build until it is portable..
+10) Fix domain membership for servers not running winbindd.
+11) Correct race condition in determining the high water mark
+ in the idmap backend (bug #181).
+12) Set the user's primary unix group from usrmgr.exe (partial
+ fix for bug #45).
+13) Show comments when doing 'net group -l' (bug #3).
+14) Add trivial extension to 'net' to dump current local idmap
+ and restore mappings as well.
+15) Modify 'net rpc vampire' to add new and existing users to
+ both the idmap and the SAM. This code needs further testing.
+16) Fix crash bug in ADS searches.
+17) Build libnss_wins.so as part of nsswitch target (bug #160).
+18) Make net rpc vampire return an error if the sam sync RPC
+ returns an error.
+19) Fail to join an NT 4 domain as a BDC if a workstation account
+ using our name exists.
+20) Fix various memory leaks in server and client code
+21) Remove the short option to --set-auth-user for wbinfo (-A) to
+ prevent confusion with the -a option (bug #158).
+22) Added new 'map acl inherit' parameter.
+23) Removed unused 'privileges' code from group mapping database.
+24) Don't segfault on empty passdb backend list (bug #136).
+25) Fixed acl sorting algorithm for Windows 2000 clients.
+26) Replace universal group cache with netsamlogon_cache
+ from APPLIANCE_HEAD branch.
+27) Fix autoconf detection issues surrounding --with-ads=yes
+ but no Krb5 header files installed (bug #152).
+28) Add LDAP lookup for domain sequence number in case we are
+ joined using NT4 protocols to a native mode AD domain.
+29) Fix backend method selection for trusted NT 4 (or 2k
+ mixed mode) domains.
+30) Fixed bug that caused us to enumerate domain local groups
+ from native mode AD domains other than our own.
+31) Correct group enumeration for viewing in the Windows
+ security tab (bug #110).
+32) Consolidate the DC location code.
+33) Moved 'ads server' functionality into 'password server' for
+ backwards compatibility.
+34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
+ ( if you installed beta1, be sure to
+ 'mv idmap.tdb winbindd_idmap.tdb' ).
+35) Fix pdb_ldap segfaults, and wrong default values for
+ ldapsam_compat.
+36) Enable negative connection cache for winbindd's ADS backend
+ functions.
+37) Enable address caching for active directory DC's so we don't
+ have to hit DNS so much.
+38) Fix bug in idmap code that caused mapping to randomly be
+ redefined.
+39) Add tdb locking code to prevent race condition when adding a
+ new mapping to idmap.
+40) Fix 'map to guest = bad user' when acting as a PDC supporting
+ trust relationships.
+41) Prevent deadlock issues when running winbindd on a Samba PDC
+ to handle allocating uids & gids for trusted users and groups
+42) added LOCALE patch from Steve Langasek (bug #122).
+43) Add the 'guest' passdb backend automatically to the end of
+ the 'passdb backend' list if 'guest account' has a valid
+ username.
+44) Remove samstrict_dc auth method. Rework 'samstrict' to only
+ handle our local names (or domain name if we are a PDC).
+ Move existing permissive 'sam' method to 'sam_ignoredomain'
+ and make 'samstrict' the new default 'sam' auth method.
+45) Match Windows NT4/2k behavior when authenticating a user with
+ and unknown domain (default to our domain if we are a DC or
+ domain member; default to our local name if we are a
+ standalone server).
+46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
+ 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
+47) Fix the trustdom_cache code to update the list of trusted
+ domains when operating as a domain member and not using
+ winbindd.
+48) Remove 'nisplussam' passdb backend since it has suffered for
+ too long without a maintainer.
+
+
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * nt smb support
+ * post script
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * status
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap trust ids
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * privatedir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of attributes
+to prevent clashes with attributes from other vendors. There is a
+conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
+file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
+ $ convertSambaAccount <DOM SID> old.ldif new.ldif
+
+The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
+on the Samba PDC as root.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
-- Unicode support. Samba will now negotiate unicode on the wire and
- interally there is now a much better infrastructure for multi-byte
- and unicode character sets. You may need the "dos charset", "unix
- charset" and "display charset" options. The unicode support is not
- yet documented.
+Brief Description of Changes
+----------------------------
-- New authentication system. The internal authentication system has
- been almost completely rewritten. Most of the changes are internal,
- but the new auth system is also very configurable. Not documented
- yet.
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
-- new filename mangling system. The filename mangling system has been
- completely rewritten. An internal database now stores mangling maps
- persistantly. This needs lots of testing.
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
-- new "net" command. A new "net" command has been added. It is
- somewhat similar to the "net" command in windows. Eventually we plan
- to replace a bunch of other utilities (such as smbpasswd) with
- subcommands in "net", at the moment only a few things are
- implemented.
+ There are some variations to this, but these two rules generally
+ apply.
-- Samba now negotiates NT-style status32 codes on the wire. This
- improves error handling a lot.
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
-- better w2k printing support. The support for printing from win2000
- clients has improved greatly.
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
-Plus lots of other changes!
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
-Note that many new features are not documented. Don't let this stop
-you from using Samba 3.0. It is particularly important that the basic
-file/print serving abilities of Samba 3.0 are widely tested to ensure
-that we have not broken any of the basic functionality. As we do more
-alpha releases we will start to document the new features.
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* The smbldap perl scripts for managing user entries in an LDAP
+ directory have not be updated to function with the Samba 3.0
+ schema changes. This (or an equivalent solution) work is planned
+ to be completed prior to the stable 3.0.0 release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
Reporting bugs & Development Discussion
----------------------------------------
+#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.openprojects.net
+joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
-the problem then you will probably be ignored.
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, will replace the existing jitterbug server
+and the old http://bugs.samba.org now points to the new bugzilla server.