- =================================
- Release Notes for Samba 3.3.0pre2
-
- =================================
+ =============================
+ Release Notes for Samba 3.3.0
+ January, 27 2009
+ =============================
-This is the second preview release of Samba 3.3.0. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
+This is the first stable release of Samba 3.3.0.
Major enhancements in Samba 3.3.0 include:
+ General changes:
+ o The passdb tdbsam version has been raised.
+
Configuration/installation:
o Splitting of library directory into library directory and separate
modules directory.
+ o The default value of "ldap ssl" has been changed to "start tls".
File Serving:
o Extended Cluster support.
+ o New experimental VFS modules "vfs_acl_xattr" and "vfs_acl_tdb"
+ to store NTFS ACLs on Samba file servers.
Winbind:
- o Simplyfied idmap configuration.
+ o Simplified idmap configuration.
+ o New idmap backends "adex" and "hash".
o Added new parameter "winbind reconnect delay".
+ o Added support for user and group aliasing.
+ o Added support for multiple domains to idmap_ad.
Administrative tools:
o The destination "all" of smbcontrol does now affect all running
daemons including nmbd and winbindd.
o New 'net rpc vampire keytab' and 'net rpc vampire ldif' commands.
o The 'net' utility can now use kerberos for joining and authentication.
+ o The 'wbinfo' utility can now add, modify and remove identity mapping entries.
Libraries:
o NetApi library implements various new calls for User- and Group
Account Management.
+General changes
+===============
+
+The passdb tdbsam version has been raised as among other things the RID counter
+has been moved from the winbindd_idmap.tdb to the passdb.tdb file to make
+"passdb backend = tdbsam" working in clustered environments.
+
+Please note that an updated passdb.tdb file is _not_ compatible with Samba
+versions before 3.3.0! Please backup your passdb.tdb file if
+you use "passdb backend = tdbsam". That can be achieved by running
+
+'tdbbackup /etc/samba/passdb.tdb'
+
+before the update.
+
+
Configure changes
=================
of a separate directory for the shared modules.
+Configuration changes
+=====================
+
+The default value of "ldap ssl" has been changed to "start tls". This means,
+Samba will use the LDAPv3 StartTLS extended operation (RFC2830) for
+communicating with directory servers by default. If your directory servers
+do not support this extended operation, you will have to set
+"ldap ssl = no". Otherwise, Samba could not contact the directory servers
+anymore!
+
+
Winbind idmap backend changes
=============================
that is determined to be down or not contactable.
+Winbind's Name Aliasing
+=======================
+
+Name aliasing in Winbind is a feature that allows an administrator to
+map a fully qualified user or group name from a Windows domain to a
+convenient short name for Unix access. This is similar to the username
+map functionality supported by smbd but is primary intended for
+clients and servers making use of Winbind's PAM and NSS libraries.
+
+For example, the user "DOMAIN\fred" has been mapped to the Unix name
+"freddie".
+
+ $ getent passwd "DOMAIN\fred"
+ freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash
+
+ $ getent passwd freddie
+ freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash
+
+The name aliasing support is provided by individual nss_info plugins.
+For example, the new "adex" plugin reads the uid attribute from Active
+Directory to make a short login name to the fully qualified name.
+While the new "hash" module utilizes a local file to map "short_name
+= QUALIFIED\name". Both user and group name mapping is supported.
+Please refer to the "winbind nss info" option in smb.conf(5) and
+to individual plugin man pages for further details.
+
+
+idmap_hash
+==========
+
+The idmap_hash plugin provides similar support as the idmap_rid
+module. However, uids and gids are generated from the full domain
+SID using a hashing algorithm that maps the lower 19 bits from the user
+or group RID to bits 0 - 19 in the Unix id and hashes 96 bits from
+the domain SID to bits 20 - 30 in the Unix id. The result is a 31 bit
+uid or gid that is consistent across machines and provides support for
+trusted domains.
+
+Please refer to the idmap_hash(8) man page for more details.
+
+
+idmap_adex
+==========
+
+The adex idmap/nss_info plugin is an adaptation of the Likewise
+Enterprise plugin with support for OU based cells removed
+(since the Windows pieces to manage the cells are not available).
+
+This plugin supports
+
+ * The RFC2307 schema for users and groups.
+ * Connections to trusted domains
+ * Global catalog searches
+ * Cross forest trusts
+ * User and group aliases
+
+Prerequisite: Add the following attributes to the Partial Attribute
+Set in global catalog:
+
+ * uidNumber
+ * uid
+ * gidNumber
+
+A basic config using the current trunk code would look like:
+
+[global]
+ idmap backend = adex
+ idmap uid = 10000 - 29999
+ idmap gid = 10000 - 29999
+ winbind nss info = adex
+
+ winbind normalize names = yes
+ winbind refresh tickets = yes
+ template homedir = /home/%D/%U
+ template shell = /bin/bash
+
+Please refer to the idmap_adex(8) man page for more details.
+
+
######################################################################
Changes
#######
Parameter Name Description Default
-------------- ----------- -------
+ cups connection timeout New 30
+ idmap config DOM:range Removed
idmap domains Removed
init logon delayed hosts New ""
init logon delay New 100
+ ldap ssl Changed Default start tls
winbind reconnect delay New 30
-Changes since 3.3.0pre1:
-------------------------
+Changes since 3.3.0rc2:
+-----------------------
o Jeremy Allison <jra@samba.org>
- * BUG 5729: Explicitly allow "-valid".
- * Add st_birthtime and friends for accurate create times on *BSD
- and MacOSX).
- * Fix the wcache_invalidate_samlogon calls.
- * Clarify usage of "force create mode".
- * Get smbd to look (read-only) into the winbindd cache for uid/gid <--> sid
- mappings.
+ * BUG 5979: Fix level 2 oplocks being granted improperly.
+ * BUG 5980: Race condition when granting level2 oplocks can cause break
+ notify to be missed.
+ * BUG 5986: Editing a stream is broken (rename problems).
+ * BUG 5990: Strict allocate should be checked before ftruncate.
+ * BUG 6009: Setting "min receivefile size = 1" breaks writes.
+ * Fix gcc 4.3.2 warnings.
+ * Fix more asprintf errors and error code paths.
-o Steven Danneman <steven.danneman@isilon.com>
- * Cleanup of DC enumeration in get_dcs().
-
-
-o Günther Deschner <gd@samba.org>
- * BUG 5710: Fix changing of machine account passwords.
- * Fix invalid sid copy (hit when enumerating sibling domains) in Winbind.
-
+o Michael Adam <obnox@samba.org>
+ * Fix build of pam_winbind.so on older Linux systems.
+ * Packaging RHEL-CTDB: Fix build of [u]mount.cifs.
+ * Prevent access to root filesystem when connecting with empty service name.
-o James Ding <ding_cc@hotmail.com>
- * BUG 5736: Fix Winbind crash bug with trusted domains.
+o Kai Blin <kai@samba.org>
+ * BUG 5953: Fix smbclient crashes.
-o Ephi Dror <Ephi.Dror@datadomain.com>
- * Correct the netsamlogon_clear_cached_user function.
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix "allow trusted domain" so it disables trusted domains.
-o Volker Lendecke <vl@sernet.de>
- * Fix Coverity IDs 587 and 589.
- * Increase the default positive idmap cache time to a week.
- * BUG 5707: Do proper error handling if the socket is closed.
+o SATOH Fumiyasu <fumiyas@osstech.jp>
+ * Fix gmem->numgids and gmem->maxgids breakage on Solaris 64-bit.
+ * Fix SIGBUS on non-x86 CPUs in libsmbclient.
+ * Fix a compile-time warning.
-o Andrew Tridgell <tridge@samba.org>
- * Fix permissions of group_mapping.ldb (CVE-2008-3789).
- * Avoid a race condition in glibc between AIO and setresuid().
- * Add missing become root for AIO operations.
- * Fix an errno handling bug that could lead to an infinite loop.
- * Fix logic of tsmsm_sendfile().
- * Fix handling of arbitrary new PAC types.
+o Holger Hetterich <hhetter@novell.com>
+ * Add a simple tdb integrity check to tdbtool.
-o Qiao Yang <geoyang@ironport.com>
- * Fix a memleak.
+o Björn Jacke <bj@sernet.de>
+ * Correct the description of the "ldap timeout" parameter.
-Commit Highlights:
-------------------
-o Michael Adam <obnox@samba.org>
- * BUG 5492: Fix RHEL SPEC file by removing libmsrpc stuff.
- * BUG 5609: Remove configure option "--with-libdir" and add
- "--with-modulesdir".
- * Extend "net rpc vampire keytab" to support differential replication
- and storing of kerberos keys.
- * Rework internal logic of registry tdb code.
- * Freeze autogenerated prototype headers (good bye "make proto").
+o Volker Lendecke <vl@samba.org>
+ * BUG 5913: Fix build error with at least GCC 4.2.2.
+ * BUG 5933: Fix incrementing/decrementing of num_validated_vuids.
+ * BUG 5953: Make cli_send_smb_direct_writeX use writev.
+ * BUG 5969: Optimize smbclient put command.
+ * BUG 6012: Add "get_real_filename" to full_audit.
+ * BUG 6014: Fix segfault when calling mget without arguments.
+ * Fix a spinning smbd when printing.
+ * Fix a memory leak in cups_pull_comment_location.
+ * Fix a valgrind error.
+ * Fix a "ignoring function call result" warning.
+ * Fix some C++ warnings.
+ * Fix an ancient uninitialized variable read.
+ * Fix a bad memleak in vfs_full_audit.
-o Jeremy Allison <jra@samba.org>
- * Add new "winbind reconnect delay" parameter.
- * Make the change to smbcontrol for "all" to mean broadcast,
- and "smbd" to mean the main smb daemon.
- * Write times code update.
+o Stefan Metzmacher <metze@samba.org>
+ * net_status: Use dbwrap to open sessionid.tdb.
+ * Fix dbwrap_store_uint32() to match dbwrap_store_int32().
+ * Make marshalling struct samu from and to a buffer more generic.
+ * Store the next rid counter in passdb.tdb instead of winbind_idmap.tdb.
+ * Register the client connection via CTDB_CONTROL_TCP_ADD.
+ * Don't need to call messaging_reinit() twice.
+ * Raise TDBSAM_VERSION.
-o Guenther Deschner <gd@samba.org>
- * BUG 5710: Fix changing of machine account passwords.
- * Add "net rpc vampire keytab" and "net rpc vampire ldif".
+o Lars Müller <lars@samba.org>
+ * Tweak with pam defines of older Linux versions.
-o Volker Lendecke <vl@samba.org>
- * Rework of the Winbind idmap backend.
- * Fix calculation of useable_space for trans2 and nttrans replies.
- * Add mapping of generic bits when setting an NFSv4 ACL.
+o Tim Prouty <tprouty@samba.org>
+ * Fix stream marshalling to return the correct streaminfo status.
-o Stefan Metzmacher <metze@samba.org>
- * Some write time fixes.
+o Karolin Seeger <kseeger@samba.org>
+ * Change default value of "ldap ssl" to "start tls".
+ * Update version number in the manpages.
+ * Fix several small issues and typos in the manpages.
######################################################################