--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.0.10 Available for Download</H2>
+
+<p>
+<pre>
+</pre>
+ ==============================
+ Release Notes for Samba 3.0.10
+ Dec 16, 2004
+ ==============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes. This is primarily a security release to address
+CAN-2004-1154. See the "Changes" section for details on exact
+updates.
+
+Common bugs fixed in 3.0.10 include:
+
+ o Fix for security issues described in CAN-2004-1154.
+
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.9
+-------------------
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Added checks surrounding all *alloc() calls to fix
+ CAN-2004-1154.
+ * Fix long standing memory size bug in bitmap_allocate().
+ * Remove bogus error check in deferred open file serving
+ code.
+
+
+o Thomas Bork <tombork@web.de>
+ * Fix autoconf script on platforms using a version of GNU ld
+ that does not include a date stamp in the output of --version.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * Fix the swat install script to deal with the new image
+ destination directory used by the docs.
+
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.9
+ Nov 15, 2004
+ =============================
+
+Common bugs fixed in 3.0.9 include:
+
+ o Problem updating roaming user profiles.
+ o Crash in smbd when printing from a Windows 9x client.
+ o Unresolved symbols in libsmbclient which caused
+ applications such as KDE's konqueror to fail when
+ accessing smb:// URLs.
+
+
+Changes since 3.0.8
+-------------------
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Correctly detect errno for no acl/ea support.
+ * BUG 2036: Fix seg fault in 'net ads join'.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Solaris packaging fixes.
+ * Fix seg fault in lanman printing code.
+ * BUG 2017: fix testparm reporting for the passwd program
+ string.
+ * Fix output of smbstatus to match the man page.
+ * BUG 2027: fix conflict with declaration MD5_CTX in system
+ headers.
+ * 2028: Avoid false error messages when copying a long
+ printer name to the device mode.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Allow deldriverex in rpcclient to delete drivers for a
+ specific architecture and a specific version.
+ * Fix a couple of rpcclient spoolss commands (setprinter,
+ setprintername, getdriver) w.r.t to printer-naming scheme.
+ Allow 'localhost' in the server string for certain server-side
+ spoolss functions.
+ * BUG 2015: Do not fail on setting file attributes with
+ acl support enabled.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * Fix build when using gcc 3.0.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix tdb open logic when checking our local_pid after
+ the fork().
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1932: Fix crash in 'net getlocalsid' when run as
+ non-root user.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ BUG 1661: Fix KRB5_SETPW-defines
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * BUG 2023: Mandrake packaging fixes for building 3.0.9.
+
+
+o Lars Müller <lmuelle@suse.de>
+ * BUG 2013: Fix unresolved symbols in libsmbclient.so.
+
+
+o Martin Zielinski <mz@seh.de>
+ * Add DeletePrinterDriverEx() functionality to rpcclient.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.8
+ Nov 7, 2004
+ =============================
+
+Common bugs fixed in 3.0.8 include:
+
+ o Compile fixes for HP-UX
+ o Fixes for the printer publishing code used when joined to
+ an AD domain.
+ o Incompatibilities with file system quotas.
+ o Several bugs in the spoolss printing code and print system
+ backends.
+ o Inconsistencies in the username map functionality when
+ configured on domain member servers.
+ o Various compile warnings and errors on various platforms.
+ o Fixes for kerberos interoperability with Windows 200x
+ domains when using DES keys.
+ o Fix for CAN-2004-0930 -- smbd remote DoS vulnerability.
+ o Fix for CAN-2004-0882 -- possible buffer overrun in smbd.
+
+
+New features included in the 3.0.8 release are:
+
+ o New migration functionality added the the net tool
+ for files/directories, printers, and shares.
+ o New experimental idmap backend for assigning uids/gids
+ directly based on the user/group RID when acting as a
+ member of single domain without any trusts.
+ o Additional printer migration support for XP/2003 platforms.
+
+
+Change in Winbindd Behavior
+---------------------------
+
+All usernames returned by winbindd are now converted to lower
+case for better consistency. This means any winbind installation
+relying on the winbind username will need to rename existing
+directories and/or files based on the username (%u and %U) to lower
+case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may
+include mail spool files, home directories, valid user lines in
+smb.conf, etc....
+
+
+Change in Username Map
+----------------------
+
+Previous Samba releases would only support reading the fully qualified
+username (e.g. DOMAIN\user) from the username map when performing a
+kerberos login from a client. However, when looking up a map
+entry for a user authenticated by NTLM[SSP], only the login name would be
+used for matches. This resulted in inconsistent behavior sometimes
+even on the same server.
+
+Samba 3.0.8 obeys the following rules when applying the username
+map functionality:
+
+ * When performing local authentication, the username map is
+ applied to the login name before attempting to authenticate
+ the connection.
+ * When relying upon a external domain controller for validating
+ authentication requests, smbd will apply the username map
+ to the fully qualified username (i.e. DOMAIN\user) only
+ after the user has been successfully authenticated.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.7
+-------------------
+
+smb.conf changes
+----------------
+ Parameter Name Action
+ -------------- ------
+ force printername New
+ sendfile disabled by default
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure extended security bit is on only if we negotiated
+ extended security.
+ * Simplify statcache to use an in-memory tdb.
+ * If you're selecting a hash algorithm for tdb, you need
+ to do it at open time.
+ * Removed old dir caching code - not being used now we
+ have the statcache anyway.
+ * Simplify the mangle hash code to use an in-memory tdb.
+ * Merge iconv changes from Samba 4 branch.
+ * Fix parsing of names ending in dot and a few other error
+ returns.
+ * BUG 1667: Smbpasswd file could be left locked on some
+ error exits.
+ * Fixes for smbclient tar functionality.
+ * BUG 1743: Fix logic bug the deferred open code.
+ * Don't try to set security descriptors on shares where
+ this has been turned off.
+ * Return correct error codes on old SEARCH call.
+ * Ensure we set errno = E2BIG when we overflow in the
+ fast-path character conversion code.
+ * Fix the roundup problem (returning 1mb roundup) for
+ non-Windows clients.
+ * Added 'stat' command to smbclient to exercise the
+ UNIX_FILE_BASIC info level.
+ * Fix bug where we could incorrectly set sparse attribute.
+ * Fix incorrect locks/unlocks in tdb_lockkeys()/tdb_unlockkeys()
+ (reported by Taj Khattra <taj.khattra@gmail.com>).
+ * Remove locked keys tdb code.
+ * BUG 1886: Prevent delete on close being set for readonly files
+ (and return the correct error code).
+ * Ensure we pass most of the new lock tests except for the cancel
+ lock which is yet to be added (merged from Samba 4 branch).
+ * BUG 1947: Fix incorrect use of getpwnam() etc. interface.
+ * BUG 1956: Ensure errno is saved and restored consistently on a
+ normal_close.
+ * BUG 1651: Adapted patch from Nalin Dahyabhai for ensuring
+ that all of the appropriate service principal names are set
+ upon joining an AD domain.
+ * Fix the correct use of resume name in the trans2 code.
+ * BUG 1717: Adapted patch from Nalin Dahyabhai to detect the
+ correct salt used when generated the DES key after joining an
+ AD domain.
+ * Enhanced krb5 detection routines in the autoconf scripts.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Avoid changing the machine account password in the passdb
+ backend, when it has 'already been changed'. This occurs
+ in situations where the secure channel between the workstation
+ and the DC breaks down, such as occurred in the MS04-11
+ security patch.
+ * Fix utility name in error message in ntlm_auth.
+ * Fix NTLMv2 for use with pam_winbind.
+ * Remove conversion to and from UTF8 on the winbind pipe.
+ * Allow 'require_membership_of' and 'require-membership-of'.
+ * Fix the error code for 'you didn't specify a domain' in
+ ntlm_auth.
+ * Use sys_getgroups() rather than scanning all groups
+ when generating SAMR replies.
+
+
+o Igor Belyi <sambauser@katehok.ac93.org>
+ * Ensure pdb user is deleted first before deleting UNIX
+ user (LDAP backend needs this ordering).
+
+
+o Cornelio Bondad Jr <Corny.Bondad@hp.com>
+ * Fix core dump in 'net rpc vampire'.
+
+
+o Vince Brimhall <vbrimhall@novell.com>
+ * Make ldapsam_compat robust against NULL attributes.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Don't limit the number of groups returned by winbindd_getgroups()
+ by NGROUPS_MAX.
+ * BUG 1519: Match Windows 2000 behavior when opening a
+ printer using a servername in the form of an IP address or
+ DNS name.
+ * BUG 1907: remove extra slashes from the printer name in
+ getprinterdriverdir_1().
+ * Fix standard_sub_snum() to use the current user's gid.
+ * Fix background queue update bug (based on Volker's initial work
+ in 3.1.0).
+ * Add 'force printername' service parameter for people that want
+ to enforce printername == sharename for spoolss printing.
+ * Ensure consistent usage of the username map. Use the fully
+ qualified DOMAIN\user format for 'security = domain|ads' and
+ apply after authentication has succeeded.
+ * Cosmetic fix for getent output -- lowercase the username only
+ and not the complete domain\username string.
+ * Packaging fixes for Solaris, Redhat, & Fedora.
+
+
+o Sean Chandler <sean.chandler@verizon.net>
+ * Fix memlieak in cliconnect.c.
+
+
+o Darren Chew <darrenc@vicscouts.asn.au>
+ * Solaris packaging fixes.
+
+
+o Nalin Dahyabhai <nalin@redhat.com>
+ * SMB signing fix for 56-bit DES session keys.
+
+
+o Guenther Deschner <gd@samba.org>
+ * add IA64 to the architecture table of printer-drivers.
+ * Add file/share/printer migration functionality to
+ the net command.
+ * Show correct help for net groupmap commands.
+ * Fix deadlock loop in winbind's required_membership_sid
+ verification.
+ * Bring the same level of "required_membership"-functionality
+ that ntlm_auth uses, to pam_winbindd as well.
+ * Prevent "net lookup kdc" from seg-faulting when
+ using our own implementation of krb5_lookup_kdc with
+ heimdal.
+ * Adding getprinter level 7 to rpcclient.
+ * Support migrating printers|shares|files from Server A
+ to Server B while running the net-command on client C.
+ * Fixed krb5_krbhost_get_addrinfo()-parameters and make
+ failure of this call non-critical (Thanks to Love @ Heimdal
+ for the explanation and patch).
+ * Fix typos in net's usage-output.
+ * Fix the paranoia-check to ensure the ldap-attribute and the
+ smb.conf-parameter for samba's "algorithmic rid base" in ldapsam
+ are identical.
+ * Fix several bugs in the _samr_query_useraliases() rpc reply.
+ * Check correct string length when verifying password-policies
+ and using extended characters (Thanks to Uwe Morgenroth from CC
+ Compunet and Volker).
+ * Make 'password history'-behavior in ldapsam more consistent.
+ * Adding "Windows x64" as architecture string and driverdir "x64"
+ for the 64bit AMD platform.
+ * BUG 1343: Readd WKGUID-binding to match the correct default-
+ locations of new User-, Group- and Machine-Accounts in Active
+ Directory (this got lost during the last trunk-merge).
+ * Fix printer-migration w.r.t. to new naming-convention for
+ policy-handles.
+ * Allow to migrate win2k3/xp-drivers as well.
+ * Add client-side support of triggering ads printer publishing
+ over msrpc setprinter calls inside the net-tool.
+ * Add the idmap_rid module (written in conjunction with
+ Sumit Bose <sbose@suse.de>).
+ * BUG 1661: Fix build with recent heimdal releases.
+ * Prevent idmap_rid from making unnecessary calls to domain
+ controllers for trusted domains.
+
+
+o Arthur van Dongen <avdongen@xs4all.nl>
+ * Fix typos in pam_winbind log messages and SuSE
+ packaging files.
+
+
+o Rob Foehl <rwf@loonybin.net>
+ * Typo fixes for log messages in printer publishing code.
+ * Fix memory leak in printer publishing code.
+ * Ensure print_backend_init() only gets called once.
+ * Have smbd check the published status of all printers
+ at startup.
+ * Cleanup up the XXX_a_printer() API for consistency.
+ * Refactored the printer publishing code and include better
+ error handling.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Fix IP address override in mount.cifs mount helper and clean
+ up warning messages from the sparse tool and expand syntax help.
+ * Strip guest mount option off before sending to kernel mount
+ routine to avoid logging spurious message.
+
+
+o Satoh Fumiyasu <fumiya@samba.gr.jp>
+ * BUG 1732: Limit share names returned by RAP based on windows
+ character width, not unix character width.
+ * BUG 1498: Ensure that acl entries are stored in the correct
+ order.
+
+
+o Brett Funderburg <brett@deepfile.com>
+ * Pass create options parameter to nt_create_andx() function
+ from the python bindings.
+ * BUG 1864: Add sd->type field to security descriptor Python
+ representation.
+ * Return an error if a Netapp filer returns NT_STATUS_ACCESS_DENIED
+ when trying to return the security descriptor for a file.
+ * BUG 1884: Fixes for the Python bindings to use the value
+ of the desired_access filed passed into the lsa_open_policy()
+ routines.
+
+
+o Michael Gravey <michel.gravey@optogone.com>
+ * BUG 1776: Fix warnings when building modules caused by
+ certain versions of GNU ld not using the the default
+ --allow-shlib-undefined flag.
+
+
+o Chris Hertel <crh@samba.org>
+ * Fix logic bug in splay tree data structure when finding
+ a leaf node.
+ * Fix bug where an invalid MAC address would be printed by
+ a node status lookup from nmblookup.
+
+
+o Uli Iske <iske@elkb.de>
+ * Update the DNS/eDirectory LDAP schema file.
+
+
+o Björn Jacke <bjacke@sernet.de>
+ * BUG 1766: Unify charset-handling in Content-Type:-headers to
+ UTF-8. Reformat msgstr in msg-files to UTF-8.
+ * Do not use display charset for swat output.
+ * Convert the share names correctly from unix encoding to web
+ encoding and vice versa.
+ * Convert files from status page from unix charset to UTF-8.
+
+
+o Guenter Kukkukk <guenter.kukkukk@kukkukk.com>
+ * BUG 1590: Fix for talking to OS/2 clients (max_mux ignored).
+
+
+o Tom Lackemann <cessnatomny@yahoo.com>
+ * BUG 1954: Fix memory leak in posix acl code.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Robustnss fix for winbindd when sending multiple requests
+ at a high rate for a slow operation.
+ * Solve the problem of user sids ending up with gid's
+ and vice versa.
+ * Use sys_fork instead of fork for the dual daemon so that
+ we get the correct debug pid in the logfiles.
+ * Based on patch from jmcd, implement special lists for the LDAP
+ user attributes to delete.
+ * Fix creation of aliases via usrmgr. Winbind was too strict
+ checking the type of sids.
+ * Lowercase all usernames returned by winbind.
+ * BUG 1545, 1823: Only issue the ldap extended password change
+ operation if the ldap server supports it. Also ignore object
+ class violation errors from the extended operation.
+ * Optimization for 'idmap backend = ldap': When asking sid2id
+ for the wrong type, don't ask ldap when we have the opposite mapping
+ in the local tdb.
+ * Fix ldapsam_compat homeDrive.
+ * Add usersidlist and allowedusers subcommands to the net tool
+ in order to support scanning a file server's share and list
+ all users who have permission to connect there.
+ * Allow for multiple DC's to be named as #1c names in lmhosts.
+ * Memory leak fixes.
+ * Fix checks for the local pid of an smbd process after
+ reopening tdbs.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added tdbtool to be built by default.
+
+
+o Love <lha@stacken.kth.se>
+ * BUG 1955: Inconsistent error return.
+
+
+o Sorin Manolache <sorinm@gmail.com>
+ * Memory leak fix.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Allow 'net ads lookup' to rely on command line arguments
+ if contacting an ADS server fails; utilize cldap for lookups.
+ * Fixup formatting errors in TDB_LOG calls; add printf attribute
+ support to tdb log functions.
+
+
+o Bill McGonigle <bill+samba@bfccomputing.com>
+ * BUG 1926: Type in debug message.
+
+
+o Sean McGrath
+ * BUG 1822: Add -D_REENTRANT to CPPFLAGS and -lthread to LDFLAGS
+ for libsmbclient.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * BUG 1782: Prevent testparm from displaying parameter synonyms.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Fix crash in smbcquotas and smbcacls caused by setup_logging().
+ * Fix client quota support.
+ * Fix opening of system quota file.
+
+
+o Lars Mueller <lmuelle@suse.de>
+ * Small fixes for autogen.sh to deal with version detection
+ of autoconf and autoheader; fixes for examples using
+ libtool to adhere to stricter syntax of newer version.
+
+
+o Henrik Nordstrom <hno@squid-cache.org>
+ * Allow winbindd to return the correct number of groups
+ when the groups array must be enlarged.
+
+
+o Narayana Pattipati <narayana.pattipati@wipro.com>
+ * Solaris autoconf detection fixes.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 1360: (correct fix) Use -Wl when passing flags to
+ the linker.
+ * HP-UX compile fixes (from JBravo on #samba-technical).
+ * BUG 1731: More HP-UX compiles fixes.
+ * BUG 1778: Include yp_prot.h before ypclnt.h as AIX 5.2
+ spits the dummy otherwise.
+ * Fix bug in Python printerdata wrapper.
+ * BUG 1762: nss_winbind fixes on AIX 5.x (patch from
+ <bugzilla-samba@thewrittenword.com>).
+ * Fix parameter confusion in priming of name-to-sid cache
+ (Found by Qiao Yang).
+ * BUG 1888: Remove '..' from all pre-processor commands.
+ * BUG 1903: Change some #if DEBUG_PASSWORD's to #ifdef
+ DEBUG_PASSWORD.
+
+
+o Matt Selsky <selsky@columbia.edu>
+ * BUG 350: use autoconf 2.57 feature for checking header file
+ preprocessing (fixes configure warnings on Solaris).
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Fix usermgr.exe and trust relationships.
+
+
+o Paul Szabo <psz@maths.usyd.edu.au>
+ * Fix to make find_workgroup use the same
+ truncation as create_workgroup.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Ensure cli_write() can support writes >= 65536 bytes.
+
+
+o Simo Sorce <idra@samba.org>
+ * Added check password script code in examples/auth/crackcheck/
+ * Fix memory corruption bug caused in freeing static memory.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Remove lp_use_mmap() from map_file() since the latter
+ is for read only and does not require coherence.
+ * Ensure that the uuid pack/unpack routines do not go past
+ the end of the structure.
+ * Converted Samba 3 tree to use the new utf-16 aware iconv
+ code.
+ * Changed iconv to recognise UCS-2LE and UTF-16LE as synonyms.
+ * Ensure configure only uses '=' instead of the bashism '=='.
+ * Reduces the number of tdb locking calls made on file IO.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Convert internal data to UTF-8 before calling libxml2.
+ * Complain if 'password chat' doesn't contain the %u variable
+ (based on a patch by Ronan Waide).
+
+
+o Josef Zlomek
+ * BUG 1541: Fix recursive ls in smbclient.
+
+
+o Igor Zhbanov <bsg@uniyar.ac.ru>
+ * BUG 1797: Prevent winbind and nmbd from ignoring the "-l"
+ option.
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.7
+ Sept 13, 2004
+ =============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several important issues
+fixes since the 3.0.6 release. See the "Changes" section for
+details on exact updates.
+
+Common bugs fixed in 3.0.7 include:
+
+ o Fixes for two Denial of Service vulnerabilities
+ (CVE ID# CAN-2004-0807 & CAN-2004-0808).
+ o Winbind failure to return user entries under certain
+ conditions.
+ o Syntax errors in the OpenLDAP schema file (samba.schema).
+ o Printing errors caused by not setting default values
+ for the various printing commands.
+
+
+Changes since 3.0.6
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ winbind enable local accounts disabled by default
+
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fix parsing of names ending in dot and a few other error
+ returns.
+ * BUG 1674: Move the symlinks checks into reduce_name().
+ * Fix memleak when checking the valid names smb.conf option.
+ * Fix memleak on error return path in the file open code.
+ * More paranoia checks in the hash2 mangling code.
+ * Fix syntax error in configure.in.
+ * Match Win2k3's behavior for pathname parsing error returns.
+ * Make nmbd more robust against bad netbios packets
+ (CAN-2004-0808).
+ * Add more checks for invalid ASN.1 packets for SPNEGO packets
+ (CAN-2004-0807).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Janitor work in loadparm.c -- remove unused parameters.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 1464: Ensure that printing commands are initialized even
+ if the 'printing' parameter is not explicitly set.
+ * Resolve name conflict on DEC OSF-5.1 (inspired by patch from
+ Adharsh Praveen <rprav@india.hp.com>)
+ * Work around parsing error in the print change notify code.
+ * remove duplicate declaration of getprintprocdir from
+ rpcclient.
+ * Only use sAMAccountName and not userPrincipalName when looking
+ up a username in AD since the breaks winbindd (lookup_name()
+ only works with the sAMAccountName).
+ * Fix bug with winbindd_getpwnam() caused by Microsoft DC's not
+ filling in the username in the user_info3.
+ * Fix logic bug in the check for creating a user's home directory
+ in register_vuid(); caused home directory to be mismatched to
+ the first share in smb.conf under certain conditions.
+ * BUG 1656: rename auto.a to auto.smb.
+ * Ensure that we assign our pid to print jobs (and not our
+ parent's pid); ensures that spooling jobs from dead smbds
+ are removed from the tdb.
+ * Disable 'winbind enable local accounts' by default.
+ * Adding some initial checks for DragonFly (same as
+ FreeBSD 4.1).
+
+
+o Guenther Deschner <gd@samba.org>
+ * Use SMB_ASSERT() to track down NULL printer names in
+ the tdb open code.
+ * Revert fix for BUG 1474 to avoid unnecessary packaging
+ dependencies.
+
+
+o Olaf Flebbe <o.flebbe@science-computing.de>.
+ * BUG 1627: fix for NIS compiles on HPUX 11.00, AIX 4.3
+ and 5.1.
+ * BUG 1626: More compile fixes.
+
+
+o Rob Foehl <rwf@loonybin.net>
+ * Don't clear the PRINT_ATTRIBUTE_PUBLISHED was getting reset
+ by attempts to sanitize the defined attributes.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1546: Preserve errno in MB strupper_m/strlower_m.
+
+
+o Helmut Heinreichsberger <helmut.heinreichsberger@chello.at>.
+ * BUG 1657: Remove used initialized variable,
+ * BUG 1658: Add a little bit of const.
+
+
+o Volker Lendecke <vl@samba.org>
+ * If there's garbage in the pidfile, we should not panic
+ but assume that no one else is around. We can't find the
+ other guy anyway.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fixup format string in the tdb error messages.
+
+
+o Jonas Olsson <lexicon@lysator.liu.se>
+ * BUG 1416: Don't reuncture a users list to NGROUPS_MAX when
+ reporting the list in usrmgr.exe.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix out-of-tree builds (problem with the script to generate
+ the svn version number).
+ * BUG 1360: Need to use -Wl when passing flags to the linker.
+ * BUG 1741: Define a struct nss_groupsbymem for HPUX 11 which
+ doesn't have one of its own.
+
+o Simo Sorce <idra@samba.org>
+ * Fixup compile issues on AIX caused by broken strlen() and
+ strdup().
+ * Update debian packaging files.
+
+
+o Dimitri van der Spek <dwspek@aboveit.nl>
+ * Use the correct counter when copying group rids from the
+ user_info3 struct in pam_winbind.
+
+
+o Qiao Yang <qyang@stbernard.com>
+ * BUG 1622: Only cache the user
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.6
+ Aug 19, 2004
+ =============================
+
+Common bugs fixed in 3.0.6 include:
+
+ o Schannel failure in winbindd.
+ o Numerous memory leaks.
+ o Incompatibilities between the 'write list' and 'force user'
+ smb.conf options.
+ o Premature optimization of the open_directory() internal
+ function that broke tools such as the ArcServe backup
+ agent, Macromedia HomeSite, and Robocopy.
+ o Corrupt workgroup names in nmbd's browse.dat.
+ o Sharing violation errors commonly seen when opening
+ when serving Microsoft Office documents from a Samba
+ file share.
+ o Browsing problems caused by an apostrophe (') in the
+ computer's description field.
+ o Problems creating special file types from UNIX CIFS
+ clients and enabling 'unix extensions'.
+ o Fix stalls in smbd caused by inaccessible LDAP servers.
+ o Remove various memory leaks.
+ o Fix issues in the password lockout feature.
+
+New features introduced in this release include:
+
+ O Support symlinks created by CIFS clients which
+ can be followed on the server.
+ o Using a cups server other than localhost.
+ o Maintaining the service principal entry in the system
+ keytab for integration with other kerberized services.
+ Please refer to the 'use kerberos keytab' entry in
+ smb.conf(5). When using the heimdal kerberos libraries,
+ you must also specify the following in /etc/krb5.conf:
+ [libdefaults]
+ default_keytab_name = FILE:/etc/krb5.keytab
+ o Support for maintaining individual printer names
+ stored separately from the printer's sharename.
+ o Support for maintaining user password history.
+ o Support for honoring the logon times for user in a
+ Samba domain.
+
+--------------------------------------------
+unix extensions = yes (default) and symlinks
+--------------------------------------------
+
+Beginning with Samba 3.0.6pre1 (formerly known as 3.0.5pre1),
+clients supporting the UNIX extensions to the CIFS protocol
+can create symlinks to absolute paths which will be **followed**
+by the server. This functionality has been requested in order
+to correctly support certain applications when the user's home
+directory is mounted using some type of CIFS client (e.g. the
+cifsvfs in the Linux 2.6 kernel).
+
+If this behavior is not acceptable for your production environment
+you can set 'wide links = no' in the specific share declaration in
+the server's smb.conf. Be aware that disabling wide link support
+out of a share in Samba may impact the server's performance due
+to the fact that smbd will now have to check each path additional
+times before traversing it.
+
+------------------------
+Password History Support
+------------------------
+
+The new password history feature allows smbd to check the new
+password in password change requests against a list of the user's
+previous passwords. The number of previous passwords to save can
+be set using pdbedit (4 in this example):
+
+ root# pdbedit -P "password history" -C 4
+
+When using the ldapsam passdb backend, it is vital to secure the
+following attributes from access by non-administrative users:
+
+ * sambaNTPassword
+ * sambaLMPassword
+ * sambaPasswordHistory
+
+You should refer to your directory server's documentation on how
+to implement this restriction.
+
+
+Changes since 3.0.5
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups server New
+ defer sharing violations New
+ force unknown acl user New
+ ldap timeout New
+ printcap cache time New
+ use kerberos keytab New
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Correct path parsing bug that broke DeletePrinterDriverEx().
+ * Fix bugs in check_path_syntax() caught by asserts.
+ * Internal change - rearrange internal global case setting
+ variables to a per connection basis.
+ * BUG 1345: Fix premature optimization in unix_convert().
+ * Allow clients to truncate a locked file.
+ * BUG 1319: Always check to see if a user as write access
+ to a share, even when 'force user' is set.
+ * Fix specific case of open that doesn't cause oplock break,
+ or share mode check.
+ * Correct sid type is WKN_GROUP, not alias. Added some
+ more known types (inspired by patch from Jianliang Lu).
+ * Allow creation of absolute symlink paths via CIFS clients.
+ * Fix charset bug in when invoking send_mailslot().
+ * When using widelinks = no, use realpath to canonicalize
+ the connection path on connection create for the user.
+ * Enhance stat open code.
+ * Fix unix extensions mknod code path.
+ * Allow unix domain socket creation via unix extensions.
+ * Auto disable the 'store dos attribute' parameter if the
+ underlying filesystem doesn't support EAs.
+ * Implement deferred open code to fix a bug with Excel files
+ on Samba shares.
+ * BUG 1427: Catch bad path errors at the right point. Ensure
+ all our pathname parsing is consistent.
+ * Fix SMB signing error introduced by the new deferred open
+ code.
+ * Change default setting for case sensitivity to "auto". (see
+ commit message -- r1154 -- for details).
+ * Add new remote client arch -- CIFSFS.
+ * Allow smbd to maintain the service principal entry in the
+ system keytab file (based on patch Dan Perry <dperry@pppl.gov>,
+ Guenther Deschner, et. al.).
+ * Fix longstanding memleak bug with logfile name.
+ * Fix incorrect type in printer publishing (struct uuid,
+ not UUID_FLAT).
+ * Heimdal compile fixes after introduction of the new ketyab
+ feature.
+ * Ensure we check attributes correctly on rename request.
+ * Ensure we defer a sharing violation on rename correctly.
+ * BUG 607: Ensure we remove DNS and DNSFAIL records immediately
+ on timeout.
+ * Fix bogus error message when using "mangling method = hash"
+ rather than hash2.
+ * Turn on sendfile by default for non-Win9x clients.
+ * Handle non-io opens that cause oplock breaks correctly.
+ * Ensure ldap replication sleep time is not more than 5 seconds.
+ * Add support for storing a user's password history.
+ LDAP portion of the code was based on a patch from
+ Jianliang Lu <j.lu@tiesse.com>.
+ * Correct memory leaks found in the password change code.
+ * Fix support for the mknod command with the Linux CIFS client.
+ * Remove support for passing the new password to smbpasswd
+ on the command line without using the -s option.
+ * Ensure home directory service number is correctly reused
+ (inspired by patches from Michael Collin Nielsen
+ <michael@hum.aau.dk>).
+ * Fix to stop printing accounts from resetting the bas
+ password and account lockout flags.
+ * If a account was locked out by an admin (and has a bad
+ password count of zero) leave it locked out until an admin
+ unlocks it (but log a message).
+ * Ensure we return the same ACL revision on the wire that
+ W2K3 does.
+ * BUG 1578: Hardcode replacement for invalid characters as '_'
+ (based on fix from Alexander E. Patrakov <patrakov@ums.usu.ru>).
+ * Fix hashed password history for LDAP backends.
+ * Enforce logon hours restrictions if confiogured (based on code
+ from Richard Renard <rrenard@idealx.com>).
+ * BUG 1606: Force smbd to disable sendfile with DOS clients
+ and ensure that the chained header is filled in for ...&X
+ commands.
+ * BUG 1602: Fix access to shares when all symlink support
+ has been disabled.
+
+
+
+o Tom Alsberg <alsbergt@cs.huji.ac.il>
+ * Allow pdbedit to export a single user from a passdb backend.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix parsing bug in GetDomPwInfo().
+ * Fix segfault in 'ntlm_auth --diagnostics'.
+ * Re-enable code to allow sid_to_gid() to perform a group
+ mapping lookup before checking with winbindd.
+ * Fix memory leak in the trans2 signing code.
+ * Allow more flexible GSS-SPENGO client and server operation
+ in ntlm_auth.
+ * Improve smbd's internal random number generation.
+ * Fix a few outstanding long password changes in smbd.
+ * Fix LANMAN2 session setup code.
+
+
+o Eric Boehm <boehm@nortelnetworks.com>
+ BUG 703: Final touches on netgroup case lookups.
+
+
+o Jerome Borsboom <j.borsboom@erasmusmc.nl>
+ * Ensure error status codes don't get overwritten in
+ lsa_lookup_sids() server code.
+ * Correct bug that caused smbd to overwrite certain error
+ codes when returning up the call stack.
+ * Ensure the correct sid type returned for builtin sids.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fix a few bugs in the Fedora Packaging files.
+ * Fix for setting the called name to by our IP if the
+ called name was *SMBSERVER and *SMBSERV. Fixes issue
+ with connecting to printers via \\ip.ad.dr.ess\printer
+ UNC path.
+ * BUG 1315: fix for schannel client connections to servers
+ when we haven't specifically negotiated AUTH_PIPE_SEAL.
+ * Allow PrinterDriverData valuenames with embedded backslashes
+ (Fixes bug with one of the Konica Fiery drivers).
+ * Fixed string length miscalculation in netbios names that
+ resulted in corrupt workgroup names in browse.dat.
+ * When running smbd as a daemon, launch child smbd to update
+ the lpq cache listing in the background.
+ * Allow printers "Printers..." folder to be renamed to a string
+ other than the share name.
+ * Allow winbindd to use domain trust account passwords when
+ running on a Samba DC to establish an schannel to remote
+ domains.
+ * Fix bad merge and ensure that we always use tdb_open_log()
+ instead of tdb_open_ex() (the former call enforce the 'use
+ mmap' parameter).
+ * BUG 1221: revert old change that used single and double
+ quotes as delimeters in next_token(), and change
+ print_parameter() to print out parm values surrounded by
+ double quotes (instead of single quotes).
+ * Prevent home directories added during the SMBsesssetup&X from
+ being removed as unused services.
+ * Invalidate the print object cache for open printer handles when
+ smbd receives a message that an attribute on a given printer
+ has been changed.
+ * Cause the configure script to exit if --enable-cups[=yes] is
+ defined and the system does not have the cups devel files
+ installed.
+ * BUG 1297: Prevent map_username() from being called twice
+ during logon.
+ * Ensure that we use the userPrincipalName AD attribute
+ value for LDAP SASL binds.
+ * Ensure we remove the tdb entry when deleting a job that
+ is being spooled.
+ * BUG 1520: Work around bug in Windows XP SP2 RC2 where the
+ client sends a FindNextPrintChangeNotify() request without
+ previously sending a FindFirstPrintChangeNotify(). Return
+ the same error code as Windows 2000 SP4.
+ * BUG 1516: Manually declare ldap_open_with_timeout() to
+ workaround compiler errors on IRIX (or other systems without
+ LDAP headers).
+ * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from
+ 3.0.5.
+ * Corrected syntax error in the OID for sambaUnixIdPool,
+ sambaSidEntry, & sambaIdmapEntry object classes.
+ * Tighten the cache consistency with the ntprinters.tdb entry
+ an the in memory cache associated with open printer handles.
+ * Make sure that register_messages_flags() doesn't overwrite
+ the originally registered flags.
+
+
+o Fabien Chevalier <fabien.chevalier@supelec.fr>
+ * Debian BUG 252591: Ensure that the return value from the
+ number of available interfaces is initialized in case no
+ interfaces are actually available.
+
+
+o Guenther Deschner <gd@sernet.de>
+ * Implement 'rpcclient setprintername'.
+ * Add local groups to the user's NT_TOKEN since they are
+ actually supported now.
+ * Heimdal compile fixes after introduction of the new keytab
+ feature.
+ * Correctly honor the info level parameter in 'rpcclient
+ enumprinters'.
+ * Reintroduce 'force unknown acl user' parameter. When getting a
+ security descriptor for a file, if the owner sid is not known,
+ the owner uid is set to the current uid. Same for group sid.
+ * Ensure that REG_SZ values in the SetPrinterData actually
+ get written in UNICODE strings rather than ASCII.
+ * Ensure that the last kerberos error return is not invalid.
+ * Display share ACL entries from rpcclient.
+ * Correct infinite loop in pam_winbind's verification of
+ group membership in the 'other sids' field in the user_info3
+ struct.
+
+
+o Fabian Franz <FabianFranz@gmx.de>
+ * Support specifying a port in the device URL passed to smbspool.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Handle -S and user mount parms in mount.cifs.
+ * Fix user unmount of shares mount with suid mount.cifs.
+ * prevent infinite recusion in reopen_logs() when expanding
+ the smb.conf variable %I.
+
+
+o Bjoern Jacke <bj@sernet.de>
+ * Install libsmbclient into $(LIBDIR), not into hard coded
+ ${prefix}/lib. This helps amd64 systems with /lib and /lib64
+ and an explicit configure --libdir setting.
+
+
+o <kawasa_r@itg.hitachi.co.jp>
+ * Correct more memory leaks and initialization bugs.
+ * Fix bug that prevented core dumps from being generated
+ even if you tried.
+ * Connect to the winbind pipe in non-blocking mode to
+ prevent processes from hanging.
+ * Memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix crash bug in libsmbclient.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Added vfs_full_audit module.
+ * Add vfs_afsacl.c which can display & set AFS acls via
+ the NT security editor.
+ * Fix crash bug caused by trying to Base64 encode a NULL string.
+ * Fix DOS error code bug in reply_chkpath().
+ * Correct misunderstanding of the max_size field in
+ cli_samr_enum_als_groups; it is more like an account_control
+ field with individual bits what to retrieve.
+ * Implement 'net rpc group rename' -- rename domain groups.
+ * Implement the 'cups server' option. This makes it possible
+ to have virtual smbd's connect to different cups daemons.
+ * Paranoia fixes when adding local aliases to a user's NT_TOKEN.
+ * Fix sid_to_gid() calls in winbindd to prevent loops.
+ * Ensure that local_sid_to_gid() sets the type of the group on
+ return.
+ * Make sure that the clients are given back the IP address to
+ which they connected in the case of a multi-homed host. Only
+ affects strings the spoolss printing replies.
+ * Fix the bad password lockout. This has not worked as pdb_ldap.c
+ did not ask for the modifyTimestamp attribute, so it could
+ not find it. Try not to regress by not putting that attrib
+ in the main list but append it manually for the relevant searches.
+ * Fix two memleaks in login_cache.c.
+ * fixes memory bloat when unmarshalling strings.
+ * Fix compile errors using gcc 3.2 on SuSE 8.2.
+ * Fix the build for systems without kerberos headers.
+ * Allow winbindd to handle authentication requests only when
+ started without either an 'idmap uid' or 'idmap gid' range.
+ * Fix the build for systems without ldap headers.
+ * Fix interaction between share security descriptor and the
+ 'read only' smb.conf option.
+ * Fix bug that caused _samr_lookupsids() with more than 32 (
+ MAX_REF_DOMAINS) SIDs to fail.
+ * Allow the 'idmap backend' parameter to accept a list of
+ LDAP servers for failover purposes.
+ * Revert code in smbd to remove a tdb when it has become
+ corrupted.
+ * Add paranoid checks when mapping SIDs to a uid/gid to
+ ensure that the type is correct.
+ * Initial work on getting client support for sending mailslot
+ datagrams.
+ * Add 'ldap timeout' parameter.
+ * Dont always uppercase 'afs username map'.
+ * Expand aliases for getusersids as well.
+ * Improved NT->AFS ACL mapping VFS module.
+
+
+o Herb Lewis <herb@samba.org>
+ * Add the acls debug class.
+ * Fix logic bug in netbios name truncate routine.
+ * Fix smbd crash caused by smbtorture IOCTL test.
+ * Fix errno tromping before calling iconv to reset the
+ conversion state.
+ * need to leave empty dacl so we can remove last ACE.
+
+
+o Jianliang Lu <Jianliang.Lu@getronics.com>
+ * Fix to stop smbd hanging on missing group member in
+ get_memberuids().
+ * Make sure Samba returns the correct group types.
+ * Reset the bad password count password counts upon a successful login.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 1385: Don't use non-consts in a structure initialization.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1279: SMBjobid fix for Samba print servers running on
+ Big-Endian platforms.
+
+
+o Joe Meadows <jameadows@webopolis.com>
+ * Add optional timeout parameter to ldap open calls.
+ * Allow get_dc_list() to check the negative cache.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * fix a configure logic bug for linux/XFS quotas when
+ using --with-sys-quotas.
+ * Use quota debug class in quota code.
+ * print out the SVN revision by configure,
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * Mandrake packaging fixes.
+
+
+o Lars Mueller <lmuelle@suse.de>
+ * BUG 1279: Added 'printcap cache time' parameter.
+ * Fix afs related build issues on SuSE.
+ * Fix compiler warnings in the kerberos client code.
+
+
+o James Peach <jpeach@sgi.com>
+ * More iconv detection fixes for IRIX.
+ * Compile fixed for systems that do not have C99/UNIX98 compliant
+ vsnprintf by default.
+ * Prevent smbd from attempting to use sendfile at all if it is
+ not supported by the server's OS.
+ * Allow SWAT to search for index.html when serving html files
+ in a directory.
+
+
+o Dan Peterson
+ * Implement NFS quota support on FreeBSD.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 1360: Use -Bsymbolic when creating shared libraries to
+ avoid conflicts with identical symbols in the global namespace
+ when loading libnss_wins.so.
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Save the current password as it is being changed into the
+ password history list.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix error return codes on some lock messages.
+ * BUG 1178: Make the libsmbclient routines callable
+ by C++ programs.
+ * BUG 1333: Make sure we return an error code when
+ things go wrong.
+ * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when
+ share mode locking requests fail.
+
+
+o Simo Sorce <idra@samba.org>
+ * Update Debian stable & unstable packaging.
+ * Tidy up parametric options in testparm output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add sigchild handling to winbindd to restart the child
+ daemon if necessary.
+
+
+o Tom Shaw <tomisfaraway@gmail.com>
+ * Use winbindd_fill_pwent() consistently.
+
+
+o Nick Thompson <nickthompson@agere.com>
+ * Protect smbd against broken filesystems which return zero
+ blocksize.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fixed bug in handling of timeout in socket connections.
+
+
+o Nick Wellnhofer <wellnhofer@aevum.de>
+ * Prevent lp_interfaces() list from being corrupted. Fixes
+ bug where nmbd would lose the list of network interfaces
+ on the system and consequently shutdown.
+
+
+o James Wilkinson <jwilk@alumni.cse.ucsc.edu>
+ * Fix ntlm_auth memory leaks.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Additional NT status to unix error mappings.
+ * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't
+ get duplicate symbol errors.
+ * Return an error when the last command read from stdin
+ fails in smbclient.
+ * Prepare for better error checking in tar.
+ * BUG 1474: Fix build of --with-expsam stuff on Solaris.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.5
+ July 20, 2004
+ =============================
+
+Please note that Samba 3.0.5 is identical to Samba 3.0.4 with
+the exception of correcting the two security issues outlined
+below.
+
+######################## SECURITY RELEASE ########################
+
+Summary: Multiple Potential Buffer Overruns in Samba 3.0.x
+CVE ID: CAN-2004-0600, CAN-2004-0686
+ (http://cve.mitre.org/)
+
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes.
+
+It has been confirmed that versions of Samba 3 prior to v3.0.4
+are vulnerable to two potential buffer overruns. The individual
+details are given below.
+
+-------------
+CAN-2004-0600
+-------------
+
+Affected Versions: Samba 3.0.2 and later
+
+The internal routine used by the Samba Web Administration
+Tool (SWAT v3.0.2 and later) to decode the base64 data
+during HTTP basic authentication is subject to a buffer
+overrun caused by an invalid base64 character. It is
+recommended that all Samba v3.0.2 or later installations
+running SWAT either (a) upgrade to v3.0.5, or (b) disable
+the swat administration service as a temporary workaround.
+
+This same code is used internally to decode the
+sambaMungedDial attribute value when using the ldapsam
+passdb backend. While we do not believe that the base64
+decoding routines used by the ldapsam passdb backend can
+be exploited, sites using an LDAP directory service with
+Samba are strongly encouraged to verify that the DIT only
+allows write access to sambaSamAccount attributes by a
+sufficiently authorized user.
+
+The Samba Team would like to heartily thank Evgeny Demidov
+for analyzing and reporting this bug.
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 3.0.0 and later
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Please be aware
+that the default setting for this parameter is 'mangling method
+= hash2' and therefore not vulnerable.
+
+Affected Samba 3 installations can avoid this possible security
+bug by using the default hash2 mangling method. Server
+installations requiring the hash mangling method are encouraged
+to upgrade to Samba 3.0.5.
+
+
+##################################################################
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.4
+ May 8, 2004
+ =============================
+
+Common bugs fixed in Samba 3.0.4 include:
+
+ o Password changing after applying the patch described in
+ the Microsoft KB828741 article to Windows clients.
+ o Crashes in smbd.
+ o Managing print jobs via Windows on Big-Endian servers.
+ o Several memory leaks in winbindd and smbd.
+ o Compile issues on AIX and *BSD.
+
+Changes since 3.0.3
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix path processing for DeletePrinterDriverEx().
+ * BUG 1303: Fix for Microsoft hotfix MS04-011 password change
+ breakage.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix alignment bug in GetDomPwInfo().
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix utime[s]() issues in smbwrapper on systems
+ that can boot both the 2.4 and 2.6 Linux kernels.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fedora packaging fixes.
+ * BUG 1302: Fix seg fault by not trying to optimize a list of
+ invalid gids using the wrong array size.
+ * BUG 1309: fix seg fault caused by trying to strdup(NULL)
+ seen when 'security = share'.
+ * Fix problems when using IBM's compiler on AIX.
+ * Link Developer's Guide, Example Guide, and multi-page HOWTO
+ into SWAT's welcome page.
+ * BUG 1293: fix double free in printer publishing code.
+
+
+o Wim Delvaux <wim.delvaux@adaptiveplanet.com>
+ * Fix for handling timeouts in socket connections.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * BUG 483: patch from to fix password hash creation in SWAT.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Close the open NT pipes before the tdis.
+ * Fix AFS related build issues.
+ * Handle error conditions when base64 encoding a blob of 0 bytes.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added 'acls' debug class.
+
+o kawasa_r@itg.hitachi.co.jp
+ * Multiple variable initialization and memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix string length bug in libsmbclient that caused KDE's
+ Konqueror to crash.
+ * BUG 429: More libsmbclient fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1007, 1279: Store the print job using a little-endian key.
+
+
+o Eric Mertens
+ o Compile fix for OpenBSD (ENOTSUP not supported).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Correct bug in disks quota views from explorer.
+
+
+o Tim Potter <tpot@samba.org>
+ BUG 1305: Correct debug output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix incorrect error code mapping.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Add additional NT_STATUS errorm mappings.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
+Changes since 3.0.2a
+--------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups options New
+ ea support New
+ only user Deprecated
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure that Kerberos mutex is always properly unlocked.
+ * Removed Heimdal "in-memory keytab" support.
+ * Fixup the 'multiple-vuids' bugs in our server code.
+ * Correct return code from lsa_lookup_sids() on unmapped
+ sids (based on work by vl@samba.org).
+ * Fix the "too many fcntl locks" scalability problem
+ raised by tridge.
+ * Fixup correct (as per W2K3) returns for lookupsids
+ as well as lookupnames.
+ * Fixups for delete-on-close semantics as per Win2k3 behavior.
+ * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
+ * Fix "unable to initialize" bug when smbd hasn't been run with
+ new system and a user is being added via pdbedit/smbpasswd.
+ * Added NTrename SMB (0xA5).
+ * Fixup correct timeout values for blocking lock timeouts.
+ * Fix various bugs reported by 'gentest'.
+ * More locking fixes in the case where we own the lock.
+ * Fix up regression in IS_NAME_VALID and renames.
+ * Don't set allocation size on directories.
+ * Return correct error code on fail if file exists and target
+ is a directory.
+ * Added client "hardlink" comment to test doing NT rename with
+ hard links. Added hardlink_internals() code - UNIX extensions
+ now use this as well.
+ * Use a common function to parse all pathnames from the wire for
+ much closer emulation of Win2k3 error return codes.
+ * Implement check_path_syntax() and rewrite string sub
+ functions for better multibyte support.
+ * Ensure msdfs referrals are multibyte safe.
+ * Allow msdfs symlink syntax to be more forgiving.
+ eg. sym_link -> msdfs://server/share/path/in/share
+ or sym_link -> msdfs:\\server\share\path\in\share.
+ * Cleanup multibyte netbios name support in nmbd ( based on patch
+ by MORIYAMA Masayuki <moriyama@miraclelinux.com>).
+ * Fix check_path_syntax() for multibyte encodings which have
+ no '\' as second byte (based on work by ab@samba.org.
+ * Fix the "dfs self-referrals as anonymous user" problem
+ (based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
+
+o Craig Barratt <cbarratt@users.sourceforge.net>
+ * BUG 389: Allow multiple exclude arguments with smbclient
+ tar -Xr options (better support for Amanda backup client).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Include support for linking with cracklib for enforcing strong
+ password changes.
+ * Add support for >14 character password changes from Windows
+ clients.
+ * Add 'admin set password' capability to 'net rpc'.
+ * Allow 'net rpc samdump' to work with any joined domain
+ regardless of smb.conf settings.
+ * Use an allocated buffer for count_chars.
+ * Add sanity checks for changes in the domain SID in an
+ LDAP DIT.
+ * Implement python unit tests for Samba's multibyte string
+ support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix incorrect size calculation of the directory name
+ in recycle.so.
+ * Fix problems with very long filenames in both smbd and smbclient
+ caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
+ * BUG 66: mark 'only user' deprecated.
+ * Remove corrupt tdb and shutdown (only for printing tdbs,
+ connections, sessionid & locking).
+ * decrement smbd counter in connections.tdb in smb_panic().
+ * RedHat specfile updates.
+ * Fix xattr.h build issue on Debian testing and SuSE 8.2.
+ * BUG 1147; bad pointer case in get_stored_queue_info()
+ causing seg fault.
+ * BUG 761: read the config file before initialized default
+ values for printing options; don't default to bsd printing
+ Linux.
+ * Allow the 'printing' parameter to be set on a per share basis.
+ * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
+ * BUG 848: don't create winbind local users/groups that already
+ exist in the tdb.
+ * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on
+ LynxOS/ppc).
+ * BUG 488: fix the 'show client in col 1' button and correctly
+ enumerate active connections.
+ * BUG 1007 (partial): Fix abort in smbd caused by byte ordering
+ problem when storing the updating pid for the lpq cache.
+ * BUG 1007 (partial): Fix print change notify bugs.
+ * BUG 1165, 1126: Fix bug with secondary groups (security = ads)
+ and winbind use default domain = yes. Also ensures that
+ * BUG 1151: Ensure that winbindd users are passed through
+ the username map.
+ * Fix client rpc binds for ASU derived servers (pc netlink,
+ etc...).
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
+
+o Robert Dahlem <Robert.Dahlem@gmx.net>
+ * BUG 1048: Don't return short names when when 'mangled names = no'
+
+
+o Guenther Deschner <gd@suse.com>
+ * Remove hard coded attribute name in the ads ranged retrieval
+ code.
+ * Add --with-libdir and --with-mandir to autoconf script.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Fix getpwent_list() so that the username is not
+ overwritten by other fields.
+
+
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update mount.cifs to version 1.1.
+ * Disable dev (MS_NODEV) on user mounts from cifs vfs.
+ * Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1055; formatting fixes for 'net share'.
+ * BUG 692: correct truncation of share names and workgroup
+ names in smbclient.
+ * BUG 1088: use strchr_m() for query_host (smbclient -L).
+ * Patch from to internally count characters correctly.
+
+
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
+o Chris Hertel <crh@samba.org>
+ * fix enumeration of shares 12 characters in length via
+ smbclient.
+
+
+o Ulrich Holeschak <ulrich@holeschak.de>
+ * BUG 932: fix local password change using pam_smbpass
+
+
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Return NSS_SUCCESS once the max number of gids possible
+ has been found in initgroups() on Solaris.
+ * BUG 1182: Re-enable the -n 'no cache' option for winbindd.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix success message for net groupmap modify.
+ * Fix errors when enumerating members of groups in 'net rpc'.
+ * Match Windows behavior in samr_lookup_names() by returning
+ ALIAS(4) when you search in BUILTIN.
+ * Fix server SAMR code to be able to set alias info for
+ builtin as well.
+ * Fix duplication of logic when creating groups via smbd.
+ * Ensure that the HWM values are set correctly after running
+ 'net idmap'.
+ * Add 'net rpc group add'.
+ * Implement 'net groupmap set' and 'net groupmap cleanup'.
+ * Add 'net rpc group [add|del]mem' for domain groups and aliases.
+ * Fix wb_delgrpmem (wbinfo -o).
+ * As a DC we should not reply to lsalookupnames on DCNAME\\user.
+ * Fix sambaUserWorkstations on a Samba DC.
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix typo for tag in proto file.
+ * Add missing #ifdef HAVE_BICONV stuff.
+ * Truncate Samba's netbios name at the first '.' (not
+ right to left).
+
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Enforce the 'user must change password at next login' flag.
+ * Decode meaning of 'fields present' flags (improves support
+ for usrmgr.exe).
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
+
+o L. Lucius <ib@digicron.com>.
+ * type fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Add versioning support to tdbsam.
+ * Update the IBM Directory Server schema with the OpenLDAP
+ file.
+ * Various decoding fixes to improve usrmgr.exe support.
+ * Fix statfs redeclaration of statfs struct on ppc
+ * Implement support for password lockout of Samba domain
+ controllers and standalone servers.
+ * Get MungedDial attribute actually working with full TS
+ strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ o BUG 979 -- Fix quota display on AIX.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct check for printf() format when using the SGI MIPSPro
+ compiler.
+ * BUG 1038: support backtrace for 'panic action' on IRIX.
+ * BUG 768: Accept profileing arg to IRIX init script.
+ * BUG 748: Relax arg parsing to sambalp script (IRIX).
+ * BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix logic bug in tdb non-blocking lock routines when
+ errno == EAGAIN.
+ * BUG 1025: Include sys/acl.h in check for broken nisplus
+ include files.
+ * BUG 1066: s/printf/d_printf/g in SWAT.
+ * BUG 1098: rename internal msleep() function to fix build
+ problems on AIX.
+ * BUG 1112: Fix for writable printerdata problem in python bindings.
+ * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
+ * BUG 1155: enclose use of fchown() with guards.
+ * Relicense tdb python module as LGPL.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add support to smbclient for multiple logins on the same
+ session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Sorce <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Rewrote the AIX UESS backend for winbindd.
+ * Fixed compilation with --enable-dmalloc.
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix ETA Calculation when resuming downloads in smbget.
+ * Add -O (for writing downloaded files to standard out)
+ based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+ * Fix syntax error in example mysql table
+
+
+o TAKEDA yasuma <yasuma@miraclelinux.com>
+ * BUG 900: fix token processing in cmd_symlink, cmd_link,
+ cmd_chown, cmd_chmod smbclient functions.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
+
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.2a
+ February 13, 2004
+ ==============================
+
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* Attention! Achtung! Kree! *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* Attention! Achtung! Kree! *********************
+
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 2000 TSE.
+ Thanks to Gaz de France, Direction de la Recherche, Service
+ Informatique Métier for their supporting this work by Aurelien
+ Degrémont <adegremont@idealx.com>.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+</body>
+</html>