-What's new in Samba 4 alpha18
+What's new in Samba 4 alpha20
=============================
Samba 4.0 will be the next version of the Samba suite and incorporates
support for the Active Directory logon protocols used by Windows 2000
and above.
+SECURITY RELEASE
+================
+
+This is a security release in order to address CVE-2012-2111
+(Incorrect permission checks when granting/removing privileges can
+compromise file server security).
+
+o CVE-2012-2111:
+ Samba 3.4.x to 3.6.4 are affected by a
+ vulnerability that allows arbitrary users
+ to modify privileges on a file server.
+
+This is in regards to the smbd file server, which is shipped in Samba
+4.0 alpha. The AD DC is not directly impacted, as the LSA
+implementation differs.
+
WARNINGS
========
-Samba4 alpha18 is not a final Samba release, however we are now making
+Samba4 alpha20 is not a final Samba release, however we are now making
good progress towards a Samba 4.0 release, of which this is a preview.
Be aware the this release contains both the technology of Samba 3.6
(that you can reasonably expect to upgrade existing Samba 3.x releases
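Review bot: The added CVE-2012-2111 text gives the affected range only as "Samba 3.4.x to 3.6.4" and then says the smbd shipped in Samba 4.0 alpha is concerned, without saying which 4.0 alpha releases carry the affected smbd or that alpha20 contains the fix. Suggest stating both explicitly in the SECURITY RELEASE section, and replacing "not directly impacted" for the AD DC with a plain statement that installations running the smbd file server are the ones that need the update, so readers can tell whether they have to upgrade. The unchanged WARNINGS line "Be aware the this release" also has a typo that could be fixed in the same commit.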
internal workings of the DC code is now implemented in python.
-CHANGES SINCE alpha17
+CHANGES SINCE alpha19
=====================
-For a list of changes since alpha 17, please see the git log.
+For a list of changes since alpha 19, please see the git log.
$ git clone git://git.samba.org/samba.git
$ cd samba.git
-$ git log samba-4.0.0alpha17..samba-4.0.0alpha18
+$ git log samba-4.0.0alpha19..samba-4.0.0alpha20
Some major user-visible changes include:
-Improvements to DNS servers. Samba4 now has 3 options for the
-handling of DNS: The default option is to use the BIND 9.8 DLZ plugin,
-which stores the information about the DNS zone in the directory.
-There is also an internal DNS server (but which does not support
-secure DNS updates at this time) and the flat file BIND 9.8 backend
-(storing the data in traditional zone files).
+Improvements to the 'samba-tool domain samba3upgrade' and
+samba_upgradedns tools
-To migrate from zone files to directory based DNS servers, a migration
-tool (upgradedns) has been added.
+Stability improvements in the Samba4 winbind implementation (that
+used in the AD DC mode).
-samba-tool dns commands to manage DNS records stored in directory.
+The BIND 9 DLZ plugin is now compatible with both BIND 9.8, and BIND 9.9.
-smbwrapper (a user-space file system based on LD_PRELOAD) has been
-removed.
+dbcheck and runtime protection for the fSMORoleOwner attribute. This
+allows us to recover from a situation where the fSMORoleOwner is
+deleted.
-Improvement to the upgrade process between Samba 3.x domains and Samba
-4.0 AD domains (samba-tool domain samba3upgrade).
+Support for storing the posixAccount and other auxiliary objectClass
+values (the values are not used by Samba as an AD DC at this stage,
+but may be used by clients).
-Some major but less visible changes include:
-Major work to bridge the code gap between the major parts of the code
-base, including a common loadparm wrapper, smb client library, as well
-as NTLMSSP, GSSAPI and SPNEGO code as part of the GENSEC
-authentication and authorization stack.
-
-Preparation work for moving to TDB2, a new version of Samba's core TDB
-database.
+Some major but less visible changes include:
-smbtorture tests for SMB 2 and SMB 2.2 as the team improves and
-develops support these new protocols.
+Continued early implementation work on the SMB 2.2 protocol client and server as
+the team improves and develops support these new protocols.
-Major cleanup and removal of global variables in the smbd SMB and SMB2 server.
+Initial work to build Samba using MIT kerberos in the top level waf
+build system. This is not complete at this time, but good progress is
+being made.
-Heimdal security issue 2012-01-11 - libkrb5 checksum - denial of serice
-http://www.h5l.org//advisories.html?show=2012-01-11
KNOWN ISSUES
============
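Review bot: In the added SMB 2.2 entry, "develops support these new protocols" is missing "for" and keeps the plural carried over from the removed line, although the new text names only SMB 2.2; suggest "develops support for this new protocol". In the winbind entry, "(that used in the AD DC mode)" reads better as "(the one used in AD DC mode)". Since this is a security release and the Heimdal advisory line is removed from this list, a one-line pointer to CVE-2012-2111 among the user-visible changes would keep the change list consistent with the SECURITY RELEASE section.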
from a recent release. No important database format changes have
been made since alpha16.
-- The BIND 9 DLZ plugin is compatible only with BIND 9.8, not BIND 9.9.
-
-- Systems with tdb or ldb installed as a system library may have
- difficulty building this release of Samba4. The --disable-tdb2
- configure switch may be of assistance. (Distributors who (rightly)
- have difficulty with this may wish to wait until a future release,
- which will soon fix this issue).
-
- Installation on systems without a system iconv (and developer
headers at compile time) is known to cause errors when dealing with
non-ASCII characters.
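Review bot: The removal of the tdb/ldb system-library build issue, together with its --disable-tdb2 workaround, is not matched by any entry in the change list of this patch, unlike the BIND 9.9 entry, whose removal pairs with the added "compatible with both BIND 9.8, and BIND 9.9" line. Suggest either adding a line saying the build problem is fixed or keeping the known issue. The unchanged context "No important database format changes have been made since alpha16" should also be rechecked for alpha20.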