- WHATS NEW IN Samba 3.0.0 beta2
- July 1 2003
+ ==============================
+ Release Notes for Samba 3.0.28
+ Dec 10, 2007
+ ==============================
+
+Samba 3.0.28 is a security release in order to address the following
+defect:
+
+ o CVE-2007-6015
+ Boundary failure in GETDC mailslot processing can result in
+ a buffer overrun
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.27a
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix for CVE-2007-6015.
+
+o Volker Lendecke <vl@samba.org>
+ * Fix for CVE-2007-6015.
+ * Add missing unbecome_root() calls in error path processing
+ when failing to add local groups in create_local_nt_token().
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
+
+ ===============================
+ Release Notes for Samba 3.0.27a
+ Nov 20, 2007
+ ===============================
+
+Samba 3.0.27a is a bug fix release and is the current release
+for production servers running the Samba 3.0 series.
+
+Important fixes in 3.0.27a include:
+
+ o A crash bug regression experienced by smbfs clients caused
+ by the fix for CVE-2007-4572.
+
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.27
+--------------------
+
+o Michael Adam <obnox@samba.org>
+ * BUG 4308: Add missing become_root/unbecome_root around calls of
+ add_aliases. Add same changes in create_token_from_username()
+ surrounding the call to getsampwsid().
+ * BUG 5083: Make solarisacl_sys_acl_get_fd() return a result when
+ there is one (thereby fixing a memleak).
+ * BUG 5023: Fix smbd's interaction with NFSv4 ACL compatible VFS
+ plugins such as GPFS and ZFS.
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 4978: Ensure that DOS attributes are copied with folders.
+ * Fix bug where tdb lock call interrupted with an alarm sig would
+ not terminate and could lead to runaway smbd processes.
+ * Fix smbd crash bug which resulted from a regression in the patch
+ for CVE-2007-4572 patch.
+ * Prevent nmbd from adding non-initialized name to IP address
+ mappings to it's WINS database.
+
+
+o Dmitry Butskoy <buc@odusz.so-cdu.ru>
+ * Properly catch errors in the query_user() callback to avoid
+ generated struct passwd replies with zero length usernames.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Prevent segv in winbindd running on a DC using the "idmap
+ backend" syntax.
+
+
+o Steve Langasek <vorlon@debian.org>
+ * BUG 4781: Allow cleaning of /etc/mtab by canonicalizing mountpoint.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 4028: Fix message popup sent via "smbclient -M".
+ * BUG 4984: Filename unix_convert() fixes for WinNT 4.0 clients.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Fix crash bug in pidl generated client code caused by
+ [in,out,unique] pointers.
+ * Fix crash bug in the group mapping code.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ * Fixes for AIX quota support.
+
+
+o Tomasz Ostrowski <tometzky@batory.org.pl>
+ * BUG 4393: Prevent smbclient from dropping 0 bytes files from tar
+ archives.
+
+
+o Simo Sorce <idra@samba.org>
+ * Fixes for internal idmap domain list when "winbind trusted
+ domains only" is enabled.
+ * Fix 32/64-bit compatibility issues in the winbind request/response
+ structures.
+
+
+o Martin Zielinski <mz@seh.de>
+ * Error code path fix for get_mydnsdomname().
+
+
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.27
+ Nov 15, 2007
+ ==============================
+
+Samba 3.0.27 is a security release in order to address the following
+defects:
+
+ o CVE-2007-4572
+ Stack buffer overflow in nmbd's logon request processing.
+
+ o CVE-2007-5398
+ Remote code execution in Samba's WINS server daemon (nmbd)
+ when processing name registration followed name query requests.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26a
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix for CVE-2007-4572.
+ * Fix for CVE-2007-5398.
+
+
+o Simo Sorce <idra@samba.org>
+ * Additional fixes for CVE-2007-4572.
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.26a
+ Sep 11, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.26a are:
+
+ o Memory leaks in Winbind's IDMap manager.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26
+--------------------
+
+o Michael Adam <obnox@samba.org>
+ * Fix read_sock() semantics in wb_common.c to address "invalid
+ request size" errors in winbindd logs.
+ * Fix use of pwrite() in tdb IO code paths.
+
+
+o Jeremy Allison <jra@samba.org>
+ * Fix logic error in timeout of blocking lock processing.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix error code in the msrpc EnumerateDomainGroups() Winbind
+ method when a memory allocation fails.
+ * Fix Winbind initialization storms when contacting an older Samba DC.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix compile failure in NFSv4 VFS module.
+ * Fix compile failures on True64.
+ * Fix compile failure in unmaintained python bindings.
+ * BUG 4917: Fix memory leaks in Winbind's idmap_ldap and
+ idmap_cache backends.
+ * Coverity fixes in the group mapping code.
+
+
+o Derrell Lipman <derrell@samba.org>
+ * Remove NetBIOS keepalives from libsmbclient and consolidate on
+ the use of getpeername() when checking connection health.
+ * Use formal syntax for invoking function pointers in
+ libsmbclient.
+
+
+o Lars Mueller <lars@samba.org>
+ * Fixes for Winbind's AD site support when the host is not
+ configured in any site or nor DC's are present within the host's
+ configured site.
+
+
+o Simo Sorce <idra@samba.org>
+ * Debian packaging updates for 3.0.25c.
+ * Add sanity checks for "smb ports" values.
+ * Fix compile issues related to the VFS "open" method and newer
+ glibc implementations.
+ * Fix a segv in smbldap_set_creds() when using an anonymous
+ connection.
+ * BUG 4772: Fix us of ldap_base_dn for the idmap_ldap plugin.
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.26
+ Sep 11, 2007
+ ==============================
+
+This is a security release of Samba 3.0 to address
+
+ o CVE-2007-4138
+ Versions: All Samba 3.0.25 releases
+ Incorrect primary group assignment for
+ domain users using the rfc2307 or sfu
+ winbind nss info plugin.
+
+The original security announcement for this and past advisories
+can be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25c
+---------------------
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix CVE-2007-4138 in the "winbind nss info = {sfu | rfc2307}"
+ plugin (idmap_ad.c)
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.25c
+ Aug 20, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.25c are:
+
+ o File sharing with Widows 9x clients.
+ o Winbind running out of file descriptors due to stalled
+ child processes.
+ o MS-DFS inter-operability issues.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25b
+---------------------
+
+o Michael Adam <obnox@samba.org>
+ * Fix incorrect log messages in tdbbackup.
+ * Fix a bug in pwrite error detection in tdb_expand_file().
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 4711: Make cli_connect() return NT_STATUS codes.
+ * Ensure we obey Unicode consortium restrictions. Based on
+ patch from MORIYAMA Masayuki.
+ * BUG 3204: Cope with stalled winbindd child processes and
+ prevent the parent winbindd process from running out of file
+ descriptors.
+ * Fix realloc leak on failure case from Jim Meyering.
+ * BUG 4759: Fix crash in ber_printf() caused invalid tag.
+ * BUG 4763: Limit notify responses to client max buf size.
+ * BUG 4777: Doing a DFS traverse through a deep link could fail
+ (not using explorer).
+ * BUG 4779: Setting the allocation size updates the modified
+ time as a write does.
+ * BUG 4308: Fix interaction with MS Excel and POSIX ACLs.
+ * Fix POSIX unlink bug found by the Linux CIFS fs client.
+ * Stop counting locks if we get a POSIX lock request.
+ * Fix interaction between Linux CIFS fs client and Windows
+ clients when the former tries to remove a file opened by the
+ latter.
+ * Fix incorrect mapping of invalid resume names in FindNext
+ commands.
+ * Cope with dead entries in the locking database tied to
+ non-existent processes (merge from 3.2-ctdb).
+ * Fix MS-DFS related renaming bug in smbclient.
+ * Fix for write cache corruption bug.
+ * Fix invalid vuid from being returned by a failed call to
+ cli_session_setup_spnego.().
+ * Fixes for error mappings from NT_STATUS to the appropriate DOS
+ error codes in reply_opeNXXX() calls.
+
+
+o Ofir Azoulay <Ofir.Azoulay@expand.com>
+ * Only look at errno set by SMB_VFS_CLOSE() if the call actually
+ failed.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix vfs_readahead: transparent modules should always pass
+ through.
+
+
+o David S. Collier-Brown <davecb@spamcop.net>
+ * BUG 4897: Fix Solaris xattr misdeclarations.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Remove redundant pointer checks when freeing memory in winbindd.
+ * BUG 4408: Remove last traces of Heimdal KCM support.
+ * Fix bug in user Krb5 ticket refresh feature in winbindd.
+ * Fix Heimdal path in the krb5 renew routine.
+ * Unused code cleanup in winbindd.
+
+
+o SATOH Fumiyasu <fumiyas@osstech.co.jp>
+ * BUG 4750: smbc_telldir_ctx() was not returning a value useful
+ to smbc_lseekdir_ctx().
+
+
+o Bjoern Jacke <bj@sernet.de>
+ * Add support for Extended Attributes on Solaris.
+
+
+o Matthijs Kooijman <matthijs@stdin.nl>
+ * BUG 4836: Fix incorrect log message in the nss_info
+ plugin init call.
+ * BUG 4849: Fix "net ads dns register" usage text.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Port cli_connect() NT_STATUS fixes to smbmount.
+ * Add notes about smbfs/cifs to usage() in smb[u]mount.
+ * BUG 4792: Fix pidfile name bug.
+ * Fix missing END_PROFILE() call in the SMBunlink reply.
+ * Coverity fixes.
+ * Correct logic error in change notify code that would result in
+ an endless loop.
+ * Fix uninitialized reads in the spoolss GetPrinterData() replies.
+ * Fix file overwrites from Windows 9x clients.
+
+
+o Herb Lewis <herb@samba.org>
+ * Unused code cleanup.
+ * Avoid a crash in "net rpc info" when no username has
+ been specified.
+ * Remove biconv detection on *BSD.
+
+
+o Derrell Lipman <derrell@samba.org>
+ * Get/Set ACL fixes in libsmbclient.
+
+
+o Jan Martin <Jan.Martin@rwedea.com>
+ * BUG 4860: Patches for fixing MS-DFS links with trailing
+ back slashes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 4719: "Must change password" is not set from usrmgr.exe.
+
+
+o Atsushi Nakabayashi <nakabayashi@miraclelinux.com>
+ * Ensure proper exit when nmbd is unable to reopen the wins.tdb.
+ * Fix error path memleaks in the messaging subsystem.
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.25b
+ June 26, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.25b are:
+
+ o Offline caching of files with Windows XP/Vista clients.
+ o Improper cleanup of expired or invalid byte range locks
+ on files.
+ o Crashes is idmap_ldap and idmap_rid.
+
+
+Changes to 'net idmap dump'
+===========================
+
+A change in command line syntax and behavior was introduced in the
+3.0.25 release series where the command
+
+ $ net idmap dump /.../path/to/idmap.tdb
+
+would overwrite the tdb instead of dumping its contents to standard
+output as was the case in releases prior to Samba 3.0.25. The
+changed has been reverted in 3.0.25b and the semantics from 3.0.24
+and earlier releases have been restored.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25a
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 4655: Fix client parsing bug in spoolss EnumPrinterDataEx().
+ * Ensure that proper oplock break requests occur during file open
+ and performing internal checks for compatible open modes.
+ * Fix offline file caching with Windows XP/Vista clients.
+ * Coverity fixes.
+ * Ensure that winbindd reports the correct client connection
+ details in response to a SIGUSR2.
+ * Fix timespec_current() to return the correct nano-second time.
+ * Fix lock logic inconsistencies in tdb_traverse().
+ * Remove restriction on string length for rpcclient commands.
+ * BUG 4683: Fix LSA crash bug.
+ * BUG 3204: Fix file descriptor leak in the parent winbindd when
+ child processes hang.
+ * Avoid calling rename_open_files() when the old and new names
+ are identical.
+ * BUG 4689: Fix bug in new change notify code caused by not
+ ignoring the max_params_return value and as a resulting
+ returning truncated names.
+ * Fix sync_file() to return NTSTATUS and return this on failure in
+ the write reply path.
+ * BUG 4678,4697: Fix token creation for clear text logins.
+ * BUG 4725: Don't crash when no eventlog names are defined in
+ smb.conf.
+ * Ensure we will always release any timeout handler on fsp close
+ or removal of oplock.
+
+
+o Jacob Berkman <jberkman@novell.com>
+ * BUG 4566: Pass password data to krb5_prompter.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * BUG 4579: Fix "wbinfo -t" when running winbindd on a Samba DC.
+
+
+o Guenther Deschner <gd@samba.org>
+ * BUG 4657: Fix compilation and linking of pam_smbpass.so.
+ * Add more netlogon GetDcName() client calls.
+ * Fix event based krb5 ticket refreshing in winbindd.
+
+o SATOH Fumiyasu <fumiyas@osstech.co.jp>
+ * BUG 4720: Fix smbclient connections to share names containing
+ multibyte characters.
+
+
+o Steve Langasek <vorlon@debian.org>
+ * Allow SIGTERM to cause nmbd to exit on awaiting an interface
+ to come up.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix record state check error when reviewing entries in nmbd's
+ WINS database.
+ * Revert 'net idmap dump' behavior to 3.0.24 behavior to fix change
+ in command line syntax that would overwrite winbindd_idmap.tdb.
+
+
+o Justin Maggard <jmaggard@infrant.com>
+ * Don't expire a password if it's explicitly set as ACB_PWNOTREQ.
+
+
+o <mnix@wanm.com.au>
+ * Fix old old bug in cli_smbwrite() (not incrementing data
+ being sent).
+
+
+o Jens Nissen <jens.nissen@gmx.net>
+ * BUG 4537: Fix smbtorture deny test2.
+
+
+o James Peach <jpeach@apple.com>
+ * Fix structure types in the vfs_catia NT_ACL operations.
+
+
+o Doug Rudoff <doug_rudoff@isilon.com>
+ * Ensure that the the lck struct for invalid locks are correctly
+ saved and therefore cleaned up.
+
+
+o Simo Sorce <idra@samba.org>
+ * Updates for the packaging/Debian directory.
+ * Add missing 'c' character to the list of shell safe characters.
+ * BUG 4667 (partial): Fix crash bug in idmap_ldap.c.
+ * Fix inconsistencies between creating machine and user accounts.
+ * Fix bug deleting LDAP user accounts that used the account
+ objectclass as its structural basis.
+ * BUG 2319: Ensure that smbspool correctly decodes %-encoded
+ characters.
+ * BUG 4624: Fix crashes in idmap_rid.
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.25a
+ May 25, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.25a are:
+
+ o Missing supplementary Unix group membership when using "force
+ group".
+ o Premature expiration of domain user passwords when using a
+ Samba domain controller.
+ o Failure to open the Windows object picker against a server
+ configured to use "security = domain".
+ * Authentication failures when using security = server.
+
+
+Changes to MS-DFS Root Share Behavior
+=====================================
+
+Please be aware that the initial value for the "msdfs root" share
+parameter was changed in the 3.0.25 release series and that this
+option is now disabled by default. Windows clients frequently require
+a reboot in order to clear any cached information about MS-DFS
+root shares on a server and you may experience failures accessing
+file services on Samba 3.0.25 servers until the client reboot
+is performed. Alternately, you may explicitly re-enable the
+parameter in smb.conf. Please refer to the smb.conf(5) man page
+for more details.
+
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25
+--------------------
+
+o Michael Adam <obnox@samba.org>
+ * Fix logic in detection of the need to replace dlopen, et. al.
+ * Add HP-UX ACL VFS module.
+ * Fix build of Tru64 ACL VFS module.
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 4622: Fix authentication failures in security = server.
+ * Fix pointer marshalling in srvsvc parsing code.
+ * BUG 4630: Fix conversion of 8 byte time_t and NT_TIME values.
+ * Ensure that if we're blocked on a POSIX lock we know nothing
+ about that we retry the lock every 10 seconds instead of waiting
+ for the standard select timeout.
+ * BUG 4637: Fix samlogon reply regression that broke domain logons.
+ * Fix rename on open files and improved delete-on-close semantics.
+ * Fix POSIX setfilepathinfo to use lstat.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Add -pie support to Python's setup.py.
+ * Strip STYPE_TEMPORARY and STYPE_HIDDEN when printing share
+ listing from 'net rap shares".
+ * Fix argument parsing in "net rap server domain".
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * BUG 4616: Don't return a dns or forest name when replying to the
+ DsGetPrimaryRoleInfo() and configured for security = domain.
+ * Trim noise by removing redundant WARNING log message that would
+ flood at log level 2.
+ * Fix truncation of supplementary Unix groups when using "force group".
+
+
+o Guenther Deschner <gd@samba.org>
+ * Always fallback to NTLM authentication in pam_winbind when the
+ user's account has UF_DONT_REQUIRE_PREAUTH set.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Valgrind fixes in mount.cifs.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix crash bug in the Solaria ACL VFS module caused by
+ uninitialized variables.
+
+
+o Herb Lewis <herb@samba.org>
+ * Update connection structure definition for tdbtool display
+ output.
+
+
+o Derrell Lipman <derrell@samba.org>
+ * BUG 4601: Fix smbc_getxattr() to properly return the required
+ size of the buffer needed to contain the extended attributes.
+ * BUG 4599: Fix failure when setting attributes.
+ * BUG 4634: Type of the size parameter to getpeername in
+ libsmbclient code was wrong.
+ * Fix libsmbclient interaction with links on Vista and properly
+ detect non-NTSTATUS errors.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 4630: Fix special case of unix_to_nt_time() for TIME_T_MAX
+ and the output from http_timestring().
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Merge gdb_backtrace script changes form SAMBA_4_0.
+
+
+o Lars Mueller <lars@samba.org>
+ * Allow idmap_ldap to be built as a shared lib.
+
+
+o James Peach <jpeach@apple.com>
+ * BUG 4426: Move FAM libraries from smbd to vfs_fam_notify.
+ * BUG 2287: Replace unnecessary AC_TRY_RUN with AC_TRY_LINK.
+ * BUG 4589: Fix typo in pdbedit output.
+
+
+o Simo Sorce <idra@samba.org>
+ * Short circuit Unix Users and Unix Groups Domain SID checks
+ in smbd to avoid unnecessary calls to winbindd.
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.25
+ May 14, 2007
+ ==============================
+
+The 3.0.25 release is an upgrade release over the 3.0.23/3.0.24
+series which means that a substantial amount of development has
+occurred and many new features have been added since the last
+Samba production release. We would like to thank everyone in
+the Samba community that help to test the preview snapshots and
+release candidates. We believe that the this production release
+is in much better shape due to your help.
+
+Major features included in the 3.0.25 code base include:
+
+ o Significant improvements in the winbind off-line logon support.
+ o Support for secure DDNS updates as part of the 'net ads join'
+ process.
+ o Rewritten IdMap interface which allows for TTL based caching and
+ per domain backends.
+ o New plug-in interface for the "winbind nss info" parameter.
+ o New file change notify subsystem which is able to make use of
+ inotify on Linux.
+ o Support for passing Windows security descriptors to a VFS
+ plug-in allowing for multiple Unix ACL implements to running side
+ by side on the Same server.
+ o Improved compatibility with Windows Vista clients including
+ improved read performance with Linux servers.
+ o Man pages for IdMap and VFS plug-ins.
+
+Security Fixes included in the Samba 3.0.25 release are:
+
+ o CVE-2007-2444
+ Versions: Samba 3.0.23d - 3.0.25pre2
+ Local SID/Name translation bug can result in
+ user privilege elevation
+
+ o CVE-2007-2446
+ Versions: Samba 3.0.0 - 3.0.24
+ Multiple heap overflows allow remote code execution
+
+ o CVE-2007-2447
+ Versions: Samba 3.0.0 - 3.0.24
+ Unescaped user input parameters are passed as
+ arguments to /bin/sh allowing for remote command
+ execution
+
+
+Off-line Logons and AD Site Support
+===================================
+
+Winbind's capability to support offline logons has been greatly
+improved with the 3.0.25 release including support for locating
+domain controllers asynchronously using Active Directory Site
+information.
+
+
+New IdMap Interface for Winbindd
+================================
+
+The 3.0.25 release of Samba includes a rewritten IdMap interface
+for winbindd which replaces the "idmap backend" parameter. Please
+refer to the "idmap domains" description in the smb.conf(5) man
+page for more details.
+
+
+Dynamic DNS Updates
+===================
+
+The "net ads join" command is now able to register the host's DNS A
+records with Windows 2000 SP4 and 2003 DNS servers. This
+feature must be enabled at compile time using the --with-dnsupdate
+when running the ./configure script. There is also a related "net ads
+dns" command for refreshing a host's records which could be launched
+from a dhcp client script when a new IP address is obtained.
+
+
+Support for Additional ACL Modules
+==================================
+
+Samba's POSIX ACL support has been moved inside of the VFS layer
+which means it is now possible to support multiple ACL implementations
+on the same server including NFSv4 and GPFS ACLs.
+
+
+VFS ReadAhead Plugin
+====================
+
+Windows Vista introduces pipe-lined read support for improved
+performance when transferring files. The new vfs_readahead plugin
+allows Linux file servers to utilize additional Kernel buffers
+for caching files in order to avoid Disk I/O wait time when serving
+Vista clients. If you experience poor read performance between
+Linux servers and Vista clients, please test the vfs_readahead
+module by adding the following lines to the share definition
+in smb.conf:
+
+[file_share]
+ vfs objects = readahead
+
+Note that this plugin will result in additional RAM requirements
+due to the increased amount of kernel buffer caches used by smbd.
+Please refer to vfs_readahead(8) for more information.
+
+
+Windows Vista, Office 2007, and Offline Files
+=============================================
+
+Research surrounding offline files, Windows Vista, and Microsoft
+Office 2007 has revealed a incompatibility between these
+applications and the "map acl inherit = no" setting in smb.conf.
+Users requiring support client side caching (csc) and offline
+files are encouraged to enable the "map acl inherit" for any
+affected share definitions in the server's configuration.
+Future versions of Samba will enable this setting by default.
+
+Please refer to the smb.conf(5) man page for more details on
+"map acl inherit".
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ change notify timeout Removed n/a
+ change notify New Yes
+ debug prefix timestamp New No
+ fam change notify Removed n/a
+ idmap domains New ""
+ idmap alloc backend New ""
+ idmap cache time New 900
+ idmap negative cache time New 120
+ kernel change notify Per share Yes
+ lock spin count Removed n/a
+ max stat cache size Modified 1024KB
+ msdfs root Modified no
+ printjob username New %U
+ winbind normalize names New no
+
+
+
+
+Changes since 3.0.25rc3
+-----------------------
+
+
+o Jeremy Allison <jra@samba.org>
+ * Fix memory corruption bug during string processing.
+ * Instantiate idiom that malloc/tallocs of array of 0 elements
+ returns NULL.
+ * Fix marshalling bugs in samr code based on incorrect
+ assumptions.
+ * Fix DFS MS-RPC enumeration reply when we have no DFS shares.
+ * Fix memory corruption when enumerating accounts in the
+ LsaPrivilege database.
+ * Fixes for CVE-2007-2444, CVE-2007-2446, and CVE-2007-2447.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix memory corruption when adding/removing members from Local
+ Groups.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Prevent leaking on full NET_USER_INFO_3 structure memory on each
+ cached login.
+ * Plug memory leak in client SPNEGO session setup code.
+ * Don't clear cached U/SID and UG/SID entries when we want to
+ logon offline.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Allow prepaths in mount.cifs.
+ * Don't prompt for a password in mount.cifs when sec=none has been
+ specified.
+
+
+o Steve Langasek <vorlon@debian.org>
+ * BUG 4600: Fix compilation of --with-python.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix memory corruption bug in string_replace().
+ * Fix valgrind error in parse_domain_user().
+ * Fix compilation of explicit --without-winbind.
+ * Fix an uninitialized variable and other compiler warnings.
+ * Fix memory leak in smbd's claim session code.
+ * BUG 4613: Fix incorrect password expiration caused by stomping on
+ the time values in the NET_USER_INFO_3 for remote users.
+ * Fixes for CVE-2007-2446.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Add AC_GNU_SOURCE macro in libreplace for systems which don't have it.
+ * Fix libreplace compiler warnings.
+
+
+o Jens Nissen <jens.nissen@gmx.net>
+ * Fix memory leak on the file/directory ACL processing code.
+
+
+o Simo Sorce <idra@samba.org>
+ * Memory allocation cleanups and sanity checks after the malloc(0)
+ == NULL crusade.
+ * Fix socket leak in idmap_ldap.c.
+ * Fix failure in "net idmap restore".
+ * Fix crash bug in idmap_ldap's get_credentials() code.
+ * Fixes for CVE-2007-2446.
+
+
+o Alison Winters <alisonw@sgi.com>
+ * Add missing return calls in sendfilereadbraw.
+
+
+Changes since 3.0.24
+--------------------
+
+
+commits
+-------
+
+o Michael Adam <ma@sernet.de>
+ * Patch to lib/sysquotas_linux.c replacing some "get"s by "set"s.
+ This makes the difference between the get and set calls for
+ SMB_USER_FS_QUOTA_TYPE and SMB_GROUP_FS_QUOTA_TYPE.
+ * Prevent collision from config.h created by stand alone component
+ builds.
+
+
+o Jeremy Allison <jra@samba.org>
+ * Fix CIFS POSIX unlink behavior.
+ * Change POSIX_UNLINK to allow clients to differentiate between
+ unlink/rmdir calls.
+ * Add smbclient implementations of POSIX open/mkdir/unlink/rmdir.
+ * Refactor MS-DFS server and client code.
+ * Support deep MS-DFS referrals in Samba client applications.
+ * Change the VFS interface to use struct timespec for utimes.
+ * Fix build failures on *BSD platforms caused by introduction of
+ memalign().
+ * Optimize exit path in the byte-range locking code in smbd to
+ only read the locking db if there are outstanding lock requests.
+ * Fix long-standing bug in our chain processing code.
+ * BUG 4384: Fix bug in old search code.
+ * Add support for the UNIX_INFO2 info level.
+ * Add in the "create info" field to the reply from POSIX_OPEN
+ and POSIX_MKDIR.
+ * Refactor the sessionsetupX code a little to allow us to return
+ a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client.
+ * Fix memory leaks in the LDAP sasl bind code.
+ * Fix crash in vfs audit/full audit modules caused by API changes.
+ * Fix connection problem between pre-3.0.25 smbclient and new DFS
+ server code.
+ * Fix valgrind errors in credentials.c.
+ * Fix logic error in CIFS POSIX extensions for open() and mkdir().
+ * Fix if logic error when checking for password resets of machine
+ trust accounts in Samba's passdb.
+ * Ensure we use the same technique to pull the share mode data out
+ that locking.c does.
+ * Fixes buffer parsing in the server side Lanman and RAP calls.
+ * Fix GetPrinter() info level 3 to fix displaying and setting
+ security descriptors on printers from WinXP x86_64 clients.
+ * Return correct error code to the trans2 GetDfsReferral() request
+ from Vista clients (fixes listing share contents in the Vista
+ explorer.exe).
+ * BUG 4486: Fix the exclude_dir parameter in the VFS recycle
+ plugin.
+ * Consolidate the become_root_uid_only() calls to only use
+ become_root().
+ * Add vfs_readahead module to deal with the pipe-lined reads
+ from Vista clients.
+ * BUG 4404: Fix server SMB/CIFS protocol bugs that broke Vista
+ clients trying to utilize offline file support.
+ * BUG 4494: Make sure to fail immediately if sendfile fails and
+ don't continue on to call chain_reply() (based on report from
+ Kevin Jamieson).
+ * Remove tdb.h from the libsmbsharemodes.so header file.
+ * BUG 3634: Fix crash in nmbd caused by a bad "interfaces" include
+ in smb.conf.
+ * Add initial version to winbindd_cache.tdb file. Automatically
+ delete existing non-versioned cache files.
+ * Fix the storage size of time_t in winbindd_cache.tdb to be 8
+ bytes.
+ * Cope with signature errors on sessionsetupX logins where the
+ server just reflects our signature back to us. Allow the upper
+ layer to see the real error.
+ * BUG 4512: Limit the volume label for a share to 32 UNICODE
+ characters.
+ * Allow arbitrary bases in int and ulong parsing in smb.conf.
+ * Fix off-by-one error in tconX parsing.
+ * Winbind off-line logon fixes.
+ * Support for AD sites when locating domain controllers.
+ * Fix libsmbclient bug with Konqueror and NetApp filers that need
+ a leading / in OpenAndX calls.
+ * BUG 4187: Possible crash in signing on/off code.
+ * Fix memory leaks in pam_winbind.c.
+ * Fix a bug in the sequence number store/fetch routines in
+ winbindd_cache.tdb.
+ * Fix the problem with Linux clients requesting O_WRONLY on write-only
+ files.
+ * Fix a class of memory allocation bugs in the handling of user tokens.
+ * Fix crash bug in winbindd caused by a bug in the messaging dispatch
+ code.
+ * Fix memory bloat in trans calls caused by talloc()'ing memory off the
+ wrong context.
+ * Fix wildcard renames with SMBmv.
+ * Fixes for pathname handling code.
+ * Add in the wdel smbclient command to perform wildcard deletes.
+ * Fix a bug that causes smbd to 'hang' intermittently while updating
+ the trusted domain cache.
+ * Cleanup error path processing in reduce_name().
+ * Fixes for smbtorture tests (BASE-DELETE, ...)
+ * Delete on close fixes ("I completely understand it this time").
+ * Remove unneeded checks on incoming uid/gid for mknod (fifo) Unix
+ extensions code.
+ * More fixes for Unix Extensions include support for POSIX locking.
+ * NTLMv2 fixes for Vista clients.
+ * Add an optimized lookup for Domain Users and only report the current
+ user (which is generally what the calling application wants to know
+ anyways).
+ * Fixes for supporting the Vista backup utility based on work by Joe
+ Meadows <jameadows@webopolis.com>.
+ * Fix 4377: Fix rename of "foo" -> "Foo".
+ * BUG 4188: Fix for Vista delete directory bug.
+ * BUG 4400: Add support for processing large Krb5 tickets in SMB
+ sesssetup&X. Based on work by <todd.stecher@isilon.com>.
+ * Fix trans2 file size reporting for Linux CIFS client.
+ * Allow Well-Known and Local Groups to be stored in POSIX ACLs
+ as long as there is a SID/gid mapping entry available.
+ * Fix memory corruption bug in the CIFS POSIX open/mkdir.
+ * BUG 4536: Correctly delete symlinks pointing to a directory.
+
+
+o Danilo Almeida <dalmeida@centeris.com>
+ * Add additional debug support for pam_winbind.
+ * Add support for listing multiple groups in pam_winbind's
+ require-membership-of option which act as a logical OR.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Ensure debug messages from tools print the correct config file
+ location if the file was defined as a command line option.
+
+
+o Andrew Benham <andrew.benham@thus.net>
+ * BUG 4290: Properly compute time to password expiration in message
+ from pam_winbind.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Ensure nfsv4 chown logic is controlled by "nfs4:chown=[yes|no]".
+ * Add GPFS-provided DMAPI support
+
+
+o Kai Blin <kai.blin@gmail.com>
+ * Match Windows NTLMSSP flags.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Implement pluggable "winbind nss info" interface.
+ * Removal of unmaintained smbwrapper utility.
+ * Fix server affinity bugs in the 'net ads join' code to include
+ support for AD sites.
+ * Implement DDNS update client code.
+ * Upper case the host/sAMAccountName in the keytab file.
+ * Fix lookupname call in winbindd when joined to a child domain and
+ trying to resolve a SID in a sibling domain.
+ * Fix password changes against a Windows 2000 DC using pam_winbind.
+ * Fix crash in "pdbedit -L -w"
+ * Add "winbind normalize names" option.
+ * BUG 4093: Make %a resolve correctly for Windows Vista and Windows
+ XP 64bit clients.
+ * Printing fixes for Windows Vista.
+ * Protect the sasl bind against a NULL principal string in the
+ SPNEGO negTokenInit
+ * Fix some "cannot access LDAP when no root" bugs.
+ * NSS and PAM fixes on AIX.
+ * Cached credentials and Krb5 ticket renewal fixes in winbindd.
+ * Fix server affinity bug in Winbind's ADS connection handling.
+ * Fix crash when enumerating local group membership in usrmgr.exe
+ on a Samba DC.
+ * Rework parsing for NetFileEnum() and NetSessionEnum()
+ * Add server stub for NetFileClose()
+ * Return correct information for sessions and open files
+ including session duration, number of open files, and open pipes.
+ * Fixes for "winbind normalize names" functionality:
+ - Fix getgroups() call called using a normalized name
+ - Fix some more name mappings that could cause for example
+ a user to be unable to unlock the screen as the username
+ would not match in the PAM authenticate call.
+ * Blacklist BUILTIN and MACHINE domains from the idmap domains as
+ these should only be handled by the winbindd_passdb.c backend.
+ * Allow the alloc init to fail for backwards compatible
+ configurations such as with idmap_ad.
+ * Remove the deprecated flags from idmap backend, et. al. These
+ are mutually exclusive with the "idmap domains".
+ * Add the osname and osver options to 'net ads join'
+ * Ensure winbindd honors the "idmap domains" option and not
+ default to idmap_tdb.
+ * Fix memory corruption caused by calling free() on talloc()'d
+ memory when adding and removing users from local groups.
+ * BUG 4501 (partial): Fix crash bugs in idmap_ad plugin by adding
+ the schema_mode option when using "winbind nss info = template".
+ * BUG 4491, 4501 (partial): Disable attempts to allocate a uid/gid if no
+ idmap alloc backend has been defined. Do not defined a default
+ alloc backend.
+ * Fix "make install" to include creating the links between
+ idmap_ad and the nss_info_rfc2307 and nss_info_sfu plugins.
+ * Enable the --with-dnsupdate in the Fedora/RHEL RPM packaging
+ files.
+ * BUG 4508: Remove potential loops in the idmap API by requiring
+ the caller defined the SID type rather than having the idmap layer
+ call back up to determine the SID type when allocating
+ uids/gids.
+ * Don't inherit the offline flag for winbindd_domains that have
+ not been initialized yet.
+ * Fix a crash in idmap_ldap caused by a NULL pointer dereference.
+ * Fix deadlock and timeout conditions in idmap_rid.
+
+
+o Steven Danneman <steven.danneman@isilon.com>
+ * Memory leak fixes.
+ * Fix core dump when config file in same directory.
+
+
+o Mathias Dietz <mdietz@de.ibm.com>
+ * Initial implementation of the GPFS VFS module.
+ * Work on NFSv4 ACL VFS plugin.
+ * Add support for share modes to the GPFS VFS plugin.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Winbind off-line logon fixes.
+ * Support for AD sites when locating domain controllers.
+ * Various fixes for 'net ads' user management functions.
+ * Add an CLDAP client written in Perl.
+ * Cleanups to the Krb5 ticket refresh code in winbindd.
+ * Fixes for various error messages from pam_winbind when password
+ policies are being enforced.
+ * Implement grace logons for offline authentications in pam_winbind.
+ * Fixes for idmap_ad.
+ * Memory leak fixes.
+ * BUG 4009: Fixes leaking file descriptors (CLOSE_WAIT) in winbindd
+ with short lived service tickets
+ * Implement basic AD group policy library
+ * Adding experimental krb5 lib locator plugin.
+ * Ensure that Samba clients are correctly reported by the %a
+ smb.conf as "Samba" and not "Vista".
+ * Prevent a user from issuing a PAM_DELETE_CREDS request in
+ pam_close_session() for another user.
+ * Fix tdb keynames in netsamlogon_clear_cached_user().
+ * Add missing proto_exists dependency for the Winbind NSS target
+ in the Makefile.
+ * Build fixes when linking against Heimdal 0.8 Kerberos libraries.
+ * Build fixes when using older Heimdal Krb5 libs (e.g. 0.6.3).
+ * Memory allocation error checks in libgpo.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Fix mount.cifs compile on old libc missing bind mount #define.
+
+
+o SATOH Fumiyasu <fumiyas@osstech.co.jp>
+ * Fix memory leaks in the error paths used by winbindd's credential
+ cache code.
+ * BUG 4409: Add minsize parameter to the vfs_recycle plugin.
+ * BUG 3319: Ensure that 'hide unreadable' does not filter MS-DFS links.
+
+
+o Krishna Ganugapati <krishnag@centeris.com>
+ * Implement DDNS update client code.
+
+
+o YAMASAKI Hiroyuki <h-yamasaki@pd.jp.nec.com>
+ * BUG 4346: Fix type reported for hidden shares via MS-RPC.
+
+
+o David Hu <david.hu@hp.com>
+ * BUG 4267: Fix memory leaks in ldapsam.
+
+
+o Bjoern Jacke <bj@sernet.de>
+ * BUG 4244: Limit stat cache to a default of 1MB.
+
+
+o William Jojo <jojowil@hvcc.edu>
+ * BUG 3713: Re-add reporting what the profiles tool does (-v).
+ * BUG 3632: Fix for EISCON in open_any_socket_out() on AIX.
+ * BUG 4447: Fix compile failure on AIX 5.2.
+
+
+o Taj Khattra <taj.khattra@gmail.com>
+ * Fix missing lock count release in transaction cancel.
+
+
+o Zack Kirsch <zack.kirsch@isilon.com>
+ * Fix memory leaks on some error paths.
+ * Memory leak fixes on error paths in various places.
+
+
+o Derrell Lipman <derrell@samba.org>
+ * BUG 4115: Fix for using kerberos logins in libsmbclient.so.
+ * BUG 4309: Prevent netbios keepalive on port 445 which causes
+ Vista to disconnect Samba clients.
+ * Ensure that the libsmbclient example programs link with the
+ libsmbclient library that's part of the current tree.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Replace snum references with a structure based array.
+ * Allow changing of the hashsize when running tdbbackup.
+ * Implement secure DDNS update code
+ * Klocwork, Coverity, and IBM Checker fixes.
+ * BUG 4273: Fix crash in 'net rpc vampire'
+ * Refactor older SMB file serving code.
+ * Refactor open directory file serving code.
+ * Implement support for inotify when serving CIFS change notification
+ requests (includes merge work from SAMBA_4_0).
+ * Fixes to allow Samba 3.0 to pass various smbtorture tests (RAW-OPEN,
+ RAW-UNLINK, RAW-CLOSE, ...)
+ * Refactor delete on close file server code.
+ * MS-DFS fixes for Vista clients.
+ * BUG 4372: Long timeout in LDAP setup when accessing files after
+ 10 secs.
+ * Change the static array for the in-memory mirrors of the hash chain
+ locks to a dynamically allocated one.
+ * Use inotify for file change notification on Linux.
+ * Revert "msdfs root" to default to "no".
+ * Refactor AIO code.
+ * Fix memory leaks when returning user lists to clients via SAMR calls.
+ * BUG 4365: Fix NTLMv2 implementation on Samba member servers not
+ running winbindd.
+ * Reduce contention on the tdb free list by periodic reclamation
+ of dead tdb records into groups
+ * Split tdb free lists per hash chain.
+ * Coverity fixes.
+ * Add winbindd_priv_request_response() request that kills the
+ existing winbind pipe connection if it's not privileged to prevent
+ race conditions during the challenge/response authentication sequence.
+ * BUG 4460: Fix compile error in winbind_nss_irix.c.
+ * Fix Coverity bug reports.
+ * Fixes buffer parsing in the server side Lanman and RAP calls.
+
+
+o David Leonard <dleonard@vintela.com>.
+ * Fix file descriptor leak from an error path in winbindd.
+ * BUG 4369: Fix smbclient's showacls on files in subdirectories.
+
+
+o Herb Lewis <herb@samba.org>
+ * Cleanups to sharesec utility.
+ * Compiler warning cleanups.
+ * Compiler warning fixes.
+ * Allow smbcontrol to use POPT_COMMON_SAMBA options to allow setting
+ debug level.
+ * Add "debug prefix timestamp" to allow syslog type timestamps to be
+ added in the Samba log files.
+ * Fix compile error in nmbd_incomingdgrams.c.
+ * Allow profiling level to be set on startup.
+
+
+o Ying Li <ying.li2@hp.com>
+ * Use the default tdb idmap plugin when neither idmap domains
+ nor idmap backend have been defined.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Various compile warning fixes.
+ * Initial patch set for strptime() in libreplace.
+
+
+o Don McCall <don.mccall@hp.com>
+ * Fix compile bug in vfs_default on platforms without utimes().
+ * HP-UX compile fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Bug fixes for GPFS VFS module.
+ * Fix "password never expires" policy which would be incorrectly
+ require all users to change their password at login time.
+ * Fix the GPFS VFS module to pass the POSIX ACL tests (Thanks to
+ Gomati Mohanan).
+ * Fix crate_user() access checks when setting the "User Cannot
+ Change Password" flag.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * POSIX ACL compile warning fixes.
+ * Fix --with-fhs, where confdir is set to \${sysconfdir} but
+ sysconfdir wasn't defined in the Makefile.
+ * Add localstatedir to configure.in for completeness.
+ * BUG 4496: Fix libreplace failure on ulibc systems.
+ * Merge numerous libreplace fixes from the SAMBA_4_0 code base
+ (stdint.h, stdbool.h, unsetenv, strptime(), strtoll(), et. al.).
+ * Move ZERO_*, ARRAY_SIZE and PTR_DIFF macros into libreplace.
+ * Portability fixes for dlopen() (merge from SAMBA_4_0)
+ * Sync libreplace (merge from SAMBA_4_0)
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ * AIX quota fixes.
+
+
+o Gomati Mohanan <gomati.mohanan@in.ibm.com>
+ * Work on NFSv4 ACL VFS plugin.
+
+
+o Lars Mueller <lars@samba.org>
+ * Provide better feedback about deprecated use of multiple passdb
+ backends. Use the first backend to have at least this one working.
+ * Fix make install to include smbmount, et. al. docs.
+ * Merge more proto_exists dependency fixes from SAMBA_3_0.
+ * Makefile cleanups.
+ * Log the reason for failures when not creating a core file on a
+ crash due to restrictive permissions on the log file directory.
+
+
+o James Peach <jpeach@apple.com>
+ * Replace exit_server with exit_server_cleanly where appropriate.
+ * Add docs for VFS modules.
+ * Portability fixes for autoconf and character set modules on
+ OS X.
+ * Only attempt to reload the config file after the fork point
+ if we are in daemon mode.
+ * Support the SMB_QUERY_POSIX_WHOAMI info level on QueryFsInfo.
+ * Changing the FindFirst response for the UNIX_INFO2 level to
+ include a length field before the name.
+ * Add call to chflags(2) in the default VFS module.
+
+
+o Andy Polyakov <appro@fy.chalmers.se>
+ * Pull the CUPS comment and location attributes when not overridden
+ by values stored in Samba's ntprinters.tdb.
+ * BUG 3275: Allow upload of x64 printer drivers by relaxing the COFF
+ header parsing code in smbd.
+
+
+o J Raynor <raynorj@mn.rr.com>
+ * Make sure we are privileged when doing DMAPI operations on systems
+ that don't have capability support.
+
+
+o Jorge Santos <jorge_a_santos@hotmail.com>
+ * BUG 4500: Fix compile bug in quota.c.
+
+
+o Jiri Sasek <jiri.sasek@sun.com>
+ * Fix incorrect Krb5 linking on Solaris.
+ * Fix possible NULL dereference in adt_tree.c
+
+
+o Karolin Seeger <ks@sernet.de>
+ * Fix a compile problem in shadow_copy_test.c.
+ * Add 'net sam policy' commands.
+ * Fixes for "net usershare" and "guest_ok=y"
+
+
+o Robert Shearman <rob@codeweavers.com>
+ * Allow NULL domain and username in the form of user@domain to be
+ interpreted correctly by ntlm_auth for use by Wine applications.
+
+
+o Simo Sorce <idra@samba.org>
+ * Remove redundant log messages from idmap_ad.c.
+ * BUG 3974: Fix ambiguity between the -N option and the -T
+ tar options.
+ * Fix linking flags used when creating shared libraries.
+ * Offline logon fixes in the idmap backend manager.
+ * Cleanup initialization code in the sfu and rfc2307 nss_info
+ plugins to protect against a crash if called before the idmap_ad
+ module has been initialized.
+ * Protect against crashes in get_dc_name() in the idmap_ad code
+ when we are working offline.
+ * BUG 4438, 4440: Fix bugs in "net sam provision".
+ * Initial implementation of new IdMap interface.
+ * Fix crash in pam_winbind caused by referencing a pointer after the
+ memory had been freed.
+ * Implement escaping function for ldap RDN values.
+
+
+o Peter Somogyi <SOMOGYI@de.ibm.com>
+ * Work on NFSv4 ACL VFS plugin.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix an integer overflow in the ndr library code used by PIDL.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Implement support for IDL autogenerated code to
+ handle the MS-RPC parsing functions.
+
+
+o Don Watson <dwwatson@us.ibm.com>
+ * Fixes for 'net rpc vampire' and the guest account
+
+
+o Martin Zielinski <mz@seh.de>
+ * Printing fixes for Windows Vista clients.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.24
+ Feb 5, 2007
+ ==============================
+
+
+Important issues addressed in 3.0.24 include:
+
+ o Fixes for the following security advisories:
+ - CVE-2007-0452 (Potential Denial of Service bug in smbd)
+ - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
+ NSS library on Solaris)
+ - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23d
+---------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix for CVE-2007-0452 & CVE-2007-0454
+
+
+o Olivier Gay <ouah@ouah.org>
+ * Fix for CVE-2007-0453
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix for CVE-2007-0452
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.23d
+ Nov 14, 2006
+ ===============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes. Please read the changes in this section and for the
+original 3.0.23 release regarding new features and difference
+in behavior from previous releases.
+
+Important issues addressed in 3.0.23d include:
+
+ o Stability fixes for winbindd
+ o Portability fixes on FreeBSD and Solaris operating systems.
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23c
+---------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Changes to ntlm_auth to better support Firefox's NTLM
+ authentication.
+ * Make the "max usershares" parameter an advisory limit.
+ * BUG 4095: Cleanup bad substitution causing the username
+ to be translated to domain\user twice in spnego path.
+ * BUG 4097: Ensure all pdb_XXX calls are wrapped in
+ [un]become_root() pairs.
+ * Ensure we always return the canonicalized name
+ * Add in fixes to mangling dir code.
+ * Do not assume that gencache can always be opened for RW access.
+ Fall back to RO.
+ * Always initialize variables in winbindd request/response
+ structure.
+ * Fix libsmbclient bug with Konqueror and NetApp filers that
+ need a leading / in OpenAndX calls.
+ * Added showacls toggle in the smbclient code.
+ * Add a suffix to the pidfile's program name if this is a process
+ with a non-default configuration file name.
+ * Fix protection from invalid struct tm values.
+ * BUG 4187: Possible crash in signing on/off code.
+ * BUG 4214: Fix crash bug in find_forced_group().
+ * BUG 4224: Fix enforcement of the deadtime parameter.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 3856: Set the nss soname version on FreeBSD.
+ * BUG 4109: Fix bug causing smbd to turn off winbindd and
+ fail to disable the _NO_WINBIND environment.
+ * BUG 3868: Prevent --with-aio-support from trimming the
+ $LIBS variable in configure.in.
+
+
+o Dmitry Butskoy <dmitry@butskoy.name>
+ * BUG 4075: Allow smbd to use winbindd to lookup uids/gids
+ outside the idmap range if 'winbind trusted domains
+ only = yes'.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix primary group lookup failures. Use the Get_Pwnam_alloc()
+ call to ensure it finds the Unix user first.
+ * Only grant privs to Administrators if privileges are enabled
+ to avoid bogus error messages in the logs.
+
+
+o Alex Deiter <tiamat@komi.mts.ru>
+ * BUG 3524: Fix for quota support on Solaris.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Close socket when the CLDAP request has failed.
+ * Memory leak fixes in the libads/ldap.c code.
+ * Printer publishing fixes for "net ads".
+ * Fix error code returns in the CLDAP client code.
+ * Do not anonymously query for AD schema items in winbindd.
+ * Protect against storing null-sids in the winbind cache.
+ * Fallback to non-paging LDAP searches for anonymous bound
+ connections.
+ * More workarounds when nscd.
+ * Fix error code typoe in the GetDcName() netlogon call
+ (including two new error codes).
+ * Fix valgrind warnings in pam_winbind
+ * Add two missing refresh_sequence_number calls where they are
+ missing just before writing to the winbind cache tdb.
+ * Attempt to locate a valid domain controller before prompting
+ for credentials in "net ads".
+ * Set 35 second timeout in winbindd's netlogon code when sending
+ a GETDC request.
+ * Stop "net ads {user,group} delete" from doing funny things.
+ * Fix container handling for "net ads user" and "net ads group"
+ functions.
+ * Fix various memleaks and seg faults in "net ads {user,group}".
+
+
+o Udo Eberhardt <udo.eberhardt@thesycon.de>
+ * BUG 4100: Fix crash in the server spooler code by initializing
+ values for smb_io_notify_info_data_strings.
+
+
+o Olaf Flebbe <o.flebbe@science-computing.de>
+ * BUG 4133: pam_winbind.c compile fix on AIX 5.1.
+
+
+o David Hu <david.hu@hp.com>
+ * BUG 4212: Fix memleak in the default_ou_string handling.
+
+
+o Mikhail Kshevetskiy <kl@laska.dorms.spbu.ru>
+ * BUG 4229: Compile fix for systems without kerberos.
+
+
+o Volker Lendecke <vl@samba.org>
+ * NTLMSSP LanMan session key fixes.
+ * Various potential seg fault fixes.
+ * Extra logic in share access checks for bad smb.conf parameter
+ settings.
+ * Fixes to allow smbclient to connect to Vista RC1 workstations.
+ * Fix bad search filter in ldapsam when enumerating group
+ members.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Correctly handle the password expiration policy on Samba DCs.
+
+
+o Nils Nordman <nils.nordman@nordman.org>
+ * BUG 4085: Allow smbpasswd to change expired passwords on
+ remote servers.
+
+
+o Simo Sorce <idra@samba.org>
+ * Merge uid2sid and gid2sid async calls for SAMBA_3_0.
+ * Better fqdn handling when parsing the /etc/hosts file.
+ * Fix crash bug in pam_winbind.
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix string alignment problem in password change code.
+
+
+o Jim Wang
+ * BUG 4211: Logic error when enforcing "acl group control"
+ behavior.
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.23c
+ Aug 30, 2006
+ ===============================
+
+We would like to thank the developers of the Saturn code analysis
+tool from Stanford University (http://glide.stanford.edu/saturn).
+This release includes several code fixes based on its reports.
+
+Common bugs fixed in 3.0.23c include:
+
+ o Authentication failures in pam_winbind when the AD domain
+ policy is set to not expire passwords.
+ o Authorization failures when using smb.conf options such
+ as "valid users" with the smbpasswd passdb backend.
+
+
+RID Algorithms & Passdb
+=======================
+
+Starting with the 3.0.23c release, the officially supported passdb
+backends (smbpasswd, tdbsam, and ldapsam) now operate identically
+with regards to the historical RID algorithm for unmapped users
+and groups (i.e. accounts not in the passdb or group mapping table).
+The resulting behavior is that all unmapped users are resolved
+to a SID in the S-1-22-1 domain and all unmapped groups resolve
+to a SID in the S-1-22-2 domain. Previously, when using the
+smbpasswd passdb, such users and groups would resolve to an
+algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX).
+However, the smbpasswd backend still utilizes the RID algorithm
+when creating new user accounts or allocating a RID for a new
+group mapping entry.
+
+With the changes in the 3.0.23c release, it is now possible to
+resolve a uid/gid, name, or SID in any direction and always obtain
+a symmetric mapping. This is important so that values for smb.conf
+parameters such as "valid users" resolve to the same SIDs as those
+included in the local user's initial token.
+
+Most installations will notice no change. However, because
+an unmapped account's SID will now change even when using
+smbpasswd it is possible that any security descriptors on files
+previously copied from a Samba host to a Windows NTFS partition
+may now fail to give access. The workaround is to either manually
+map all affect groups (or add impacted users to the server's
+passdb) or to manually reset the file's ACL.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23b
+---------------------
+
+commits
+-------
+o Michael Adam <ma@sernet.de>
+ * Fix incorrect logic in internal_resolve_name() caused by if
+ statement.
+
+
+o Jeremy Allison <jra@samba.org>
+ * Don't store a NULL SID in winbindd's offline cache.
+ * Ensure we store the offline password hash in the correct format.
+ * OS/2 fixes for large Extended Attributes data.
+ * Fix nmbd crashes caused by miscalculation in pushing
+ announcements.
+ * Handle times consistently across all client utils including
+ libsmbclient.
+ * Fix a file descriptor leak in nmbd sync DNS lookup code.
+ * Fix inconsistency found in checking for NULL in DLIST_REMOVE
+ macro.
+ * Pointer dereference fixes based on the Saturn analysis tool.
+ * Fix memory leak in the AD DC lookup code.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * RHEL4 and Fedora packaging updates.
+ * Remove RID algorithm support for unmapped users and groups
+ when using an smbpasswd backend.
+ * Extend the NT token for local users' with the S-1-22-2
+ SID for each supplementary group
+ * BUG 3969: Fix unsigned time comparison with expiration
+ policy from AD DC.
+ * Merge Guenther's fixes from the SuSE SLES10 tree to ensure
+ that winbindd talks to the correct DC when servicing PAM
+ authentication requests.
+ * Do not use the generic IP address sort routines for AD DCs
+ since the SRV lookup include a sorting algorithm based
+ on priority and weight.
+ * Fix our DNS SRV lookup code to deal with multi-homed hosts.
+ * More changes to ensure that the primary group SID for
+ a local user is based on the primary Unix group and not the
+ primaryGroupSID passdb attribute.
+ * Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain
+ to the SID<->uid/gid cache.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix msdfs RPC client and server management RPCs.
+ * Align idmap_ad with the current idmap_methods interface.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Re-add support for "username level" when looking up the
+ matching Unix user for an smbpasswd entry.
+ * snprintf() fixes.
+
+
+o Simo Sorce <idra@samba.org>
+ * Let innetgr() work without binding its use to a
+ NIS domain to support netgroups in local files.
+
+
+o Ben Winslow <rain@bluecherry.net>
+ * Allow client smb signing to be turned off correctly.
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.23b
+ Aug 7, 2006
+ ===============================
+
+Common bugs fixed in 3.0.23b include:
+
+ o Ambiguity with unqualified names in smb.conf parameters
+ such as "force user" and "valid users".
+ o Errors in 'net ads join' caused by bad IP address in the list
+ of domain controllers.
+ o SMB signing errors in the client and server code.
+ o Domain join failures when using smbpasswd on a Samba PDC.
+
+
+Member servers, domain accounts, and smb.conf
+=============================================
+
+Since Samba 3.0.8, it has been recommended that all domain accounts
+listed in smb.conf on a member server be fully qualified with the
+domain name. This is now a requirement. All unqualified names are
+assumed to be local to the Unix host, either as part of the server's
+local passdb or in the local system list of accounts (e.g. /etc/passwd
+or /etc/group).
+
+The reason for this change is that smbd has transitioned from
+access checks based on string comparisons to token based
+authorization. All names are resolved to a SID and then verified
+against the logged on user's NT user token. Local names will
+resolve to a local SID, while qualified domain names will resolve
+to the appropriate domain SID.
+
+If the member server is not running winbindd at all, domain
+accounts will be implicitly mapped to local accounts and their
+tokens will be modified appropriately to reflect the local
+SID and group membership.
+
+For example, the following share will restrict access to the
+domain group "Linux Admins" and the local group srvadmin.
+
+[restricted]
+ path = /data
+ valid users = +"DOMAIN\Linux Admins" +srvadmin
+
+Note that to restrict the [homes] share on a member server to the
+owner of that directory, it is necessary to prefix the %S value
+to "valid users".
+
+[global]
+ security = {domain,ads}
+ workgroup = DOM
+ winbind separator = +
+[homes]
+ valid users = DOM+%S
+
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23a
+---------------------
+
+commits
+-------
+o Michael Adams <ma@sernet.de>
+ * Fix memory leaks on error paths in 'net ads join'.
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 3962: Fix memory leak when enumerating print jobs.
+ * Fix file access flags for the Linux CIFS fs client.
+ * Fix memory leaks in the smbclient DFS code.
+ * BUG 3967: Fix SMB signing client bug in trans calls.
+ * BUG 3985: Ensure in msdfs we check for our NetBIOS aliases.
+ * Added lookup_name_smbconf() to be called when looking up names
+ from smb.conf. Unqualified names are assumed to be local.
+ * BUG 4003: Fix SMB signing server error in NTcancel reply.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix a few "smbldap_open(): Cannot open when not root" bugs when
+ viewing or modifying local group membership.
+ * Make LsaLookupSids() reply include the full SID of unresolved
+ SIDs.
+ * BUG 3957: Prevent returning strange DC IP addresses by zeroing
+ memory in the SRV hostlist in case there is not an A record for
+ each SRV name.
+ * BUG 3964: normalize the case of usernames prior to getpwnam()
+ call in the smbpasswd backend.
+ * Cleanup the 'net ads help join' output and document createupn
+ and createcomputer options.
+ * Fix a regression in the ldapsam URI syntax. Allow multiple
+ LDAP URIs to be grouped by "".
+
+
+o William Charles <william@charles.name>
+ * BUG 3959: Remove rand() from SRV RR comparison to fix crashes
+ in qsort().
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix memory leaks in pam_winbind.
+ * Save the logon script path from the info3 in the PAM session
+ allowing other PAM modules to pick it up from there.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 3991: Fix problem with user tokens on standalone systems
+ configured to use a username map.
+ * Fix bug where qualified user or group names in smb.conf
+ were assumed to use the '\' character as the winbind separator.
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.23a
+ Jul 21, 2006
+ ===============================
+
+Common bugs fixed in 3.0.23a include:
+
+ o Failure to strip the domain name from groups when 'winbind
+ use default domain = yes'
+ o Failure in pam_winbind to correctly parse arguments.
+ o Bad token creation of local users on member servers not
+ running winbindd.
+ o Failure to add users or groups to ACLs using the Windows
+ object picker.
+ o Failure in file serving code when 'kernel oplocks = yes'.
+
+New features in 3.0.23a include:
+
+ o New "createupn" option to "net ads join"
+ o Rewritten Kerberos keytab generation when 'use kerberos
+ keytab = yes'
+
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23
+--------------------
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fix memory leaks in the POSIX locking for for the Linux CIFS fs
+ client.
+ * Fix memory leaks in the AD schema parsing code.
+ * Fixed bug in interaction with Linux kernel oplocks.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Rewrite the detection of the correct DES salting principal name
+ when joining an Active Directory Domain.
+ * Rewrite the keytab generation code based on existing SPN,
+ UPN, and sAMAccountName attributes in the AD machine object.
+ * Cleanup of dead code from idmap_ad.
+ * Fix Winbind 32bit/64bit portability issues.
+ * Fail 'net ads join' and disable the machine account if we cannot
+ set any SPNs for ourselves.
+ * Make sure to lower case all usernames before calling the create,
+ delete, or rename hooks.
+ * Preserve case for usernames in passdb
+ * Flush the getpwnam cache after renaming a user
+ * Add become/unbecome root block in _samr_delete_dom_user() when
+ trying to verify the account's existence.
+ * Changed 'net ads join' syntax for specifying an alternate
+ OU. New syntax is createcomputer=<ou path top to bottom>.
+ * Add createupn=[UPN] option to 'net ads join' for setting the
+ userPrincipalName attribute.
+ * Bug 3920: Restore winbind use default domain behavior for domain
+ groups. This break local users and 'winbind nested groups' on
+ domain members.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Don't clear the cache when starting winbindd in off line mode.
+ * Fix errno reporting in pam_winbind debug messages.
+ * BUG 3937: Fix segv in libnss_wins.so.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix memory leaks in the in error paths out of the CLDAP
+ request code.
+ * AIX portability fixes for DNS client code.
+ * BUG 3811, 3948: Fix alignment bug in on lsaquery.
+ * BUG 3949: Fixed authorization issue on domain member
+ servers not running winbindd.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fixed a bug which caused resolve_ads() to spin forever if
+ one of the DCs isn't resolvable in DNS.
+
+
+o Simo Sorce <idra@samba.org>
+ * Debian packaging fixes.
+
+
+o Dietrich Streifert <dietrich.streifert@visionet.de>
+ * BUG 3916: Fix error parsing pam_winbind config arguments.
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.23
+ Jul 10, 2006
+ ==============================
+
+There has been a substantial amount of cleanup work done during
+this development cycle. We would like to thank both Coverity
+(http://www.coverity.com/) and Klocwork (http://www.klocwork.com/)
+for analyzing the Samba source code. As a result, this release
+includes fixes for over 400 defects. The coverage was approximately
+even with over 200 defects reported by each tool.
+
+Thanks very much to those people who spent time testing the
+release candidates and reported their findings. We would like to
+especially thank Thomas Bork <tombork@web.de> for his numerous
+reports. We believe that the final release is in much better shape
+in large part due to his efforts.
+
+New features in 3.0.23 include:
+
+ o Improved 'make test'
+ o New offline mode in winbindd.
+ o New Kerberos support for pam_winbind.so.
+ o New handling of unmapped users and groups.
+ o New non-root share management tools.
+ o Improved support for local and BUILTIN groups.
+ o Winbind IDMAP integration with RFC2307 schema objects supported
+ by Windows 2003 R2.
+ o Rewritten 'net ads join' to mimic Windows XP without requiring
+ administrative rights to join a domain.
+
+
+User and Group changes
+======================
+
+The user and group internal management routines have been
+rewritten to prevent overlaps of assigned Relative Identifiers
+(RIDs). In the past the has been a potential problem when either
+manually mapping Unix groups with the 'net groupmap' command or
+when migrating a Windows domain to a Samba domain using 'net rpc
+vampire'.
+
+Unmapped users are now assigned a SID in the S-1-22-1 domain and
+unmapped groups are assigned a SID in the S-1-22-2 domain.
+Previously they were assign a RID within the SAM on the Samba
+server. For a DC this would have been under the authority of the
+domain SID where as on a member server or standalone host, this
+would have been under the authority of the local SAM (hint: net
+getlocalsid).
+
+The result is that any unmapped users or groups on an upgraded
+Samba domain controller may be assigned a new SID. Because the
+SID rather than a name is stored in Windows security descriptors,
+this can cause a user to no longer have access to a resource for
+example if a file was copied from a Samba file server to a local
+NTFS partition. Any files stored on the Samba server itself will
+continue to be accessible because Unix stores the Unix gid and not
+the SID for authorization checks.
+
+A further example will help illustrate the change. Assume that a
+group named 'developers' exists with a Unix gid of 782 but this
+user does not exist in Samba's group mapping table. it would be
+perfectly normal for this group to be appear in an ACL editor.
+Prior to 3.0.23, the group SID might appear as
+S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the
+group SID would be reported as S-1-22-2-782. Any security
+descriptors associated with files stored on an NTFS disk partition
+would not allow access based on the group permissions if the user
+was not a member of the
+S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this
+group SID not reported in a user's token is S-1-22-2-782, Windows
+would fail the authorization check even though both SIDs in some
+respect referred to the same Unix group.
+
+The current workaround is to create a manual domain group mapping
+entry for the group 'developers' to point at the
+S-1-5-21-647511796-4126122067-3123570092-2565 SID.
+
+
+Passdb Changes
+==============
+
+The "passdb backend" parameter no long accepts multiple backends
+in a chaining configuration. Also be aware that the SQL and XML
+based passdb modules have been removed in this release. More
+information of external support for a SQL passdb module can be
+found at http://pdbsql.sourceforge.net/.
+
+
+Group Mapping Changes
+=====================
+
+The default mapping entries for groups such as "Domain Admins" are
+no longer created when using an smbpasswd file or a tdbsam passdb
+backend. This means that it is necessary to use 'net groupmap
+add' rather than 'net groupmap modify' to set these entries.
+This change has no effect on winbindd's IDmap functionality for
+domain groups.
+
+
+LDAP Changes
+============
+
+There has also been a minor update the Samba LDAP schema file. A
+substring matching rule has been added to the sambaSID attribute
+definition. For OpenLDAP servers, this will require the addition
+of 'index sambaSID sub' to the slapd.conf configuration file. It
+will be necessary to run slapindex after making this change. There
+has been no change to actual data storage schema.
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ acl group control Deprecated No
+ add port command New ""
+ change notify timeout Changed Scope
+ dmapi support New No
+ dos filemode Modified No
+ enable asu support Changed default No
+ enable core files New Yes
+ enable privileges Changed default Yes
+ enable rid algorithm Removed
+ fam change notify New Yes
+ hosts equiv Removed
+ host msdfs Changed default Yes
+ msdfs root Changed default Yes
+ open files database hash size New 10007
+ passdb expand explicit Changed default No
+ strict locking Changed default auto
+ usershare allow guests New No
+ usershare max shares New 0
+ usershare owner only New Yes
+ usershare path New ${lockdir}
+ usershare prefix allow list New ""
+ usershare prefix deny list New ""
+ usershare template share New ""
+ winbind enum users Changed default No
+ winbind enum groups Changed default No
+ winbind nested groups Changed default Yes
+ winbind offline logon New No
+ winbind refresh tickets New No
+ winbind max idle children Removed
+ wins partners Removed
+
+
+Changes since 3.0.22
+--------------------
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fixes for various Klocwork defect reports.
+ * Cleanup pdb_get_XXX() methods and ensure that a failure
+ to allocate memory for a samu user structure is reported
+ as a failure to the calling function.
+ * Fix memleak in printing gencache contents.
+ * Fix warnings reported by gcc4 -O6 on 64-bit systems
+ * Fix naming conflicts with 'net usershare' structures and
+ Solaris header files.
+ * Fix memleaks on error paths from the ASN.1 parsing code.
+ * Add uid to share_mode_entry structure so we can report who
+ opened the file.
+ * Ensure we use sys_write in password chats so we're not
+ interrupted.
+ * Ensure all new rid allocation goes through the same pdb_ldap
+ interface.
+ * BUG 3308: Stop us returning duplicate mid replies on path
+ based set-EOF trans2 calls.
+ * Pass RAW-OPLOCK with kernel oplocks off.
+ * Fix bug in OS/2 Warp - it doesn't set the ff_last offset
+ correctly when doing info level 1 directory scans.
+ * Add Samba4 replacement for timegm() to work on Solaris.
+ * Remove extra add-byte in the trans2 UNIX_BASIC infolevel.
+ * BUG 3592: Ignore a file in the tar output from smbclient if the
+ read failed (e.g. due to ACCESS_DENIED). (Based on ideas from
+ Justin Best <justinb@pdxmission.org>).
+ * BUG 3668: Workaround issues in Windows server code with LARGE_READX.
+ * Push/Pull Kerberos principal and realm names to/from UTF-8.
+ * Fix incorrect boolean in assert to make POSIX lock tests
+ pass with CIFSFS.
+ * Don't ever set O_SYNC on open unless "strict sync = yes".
+ * Remove dead printing code.
+ * Allow configurable guest access to Samba's usershare functionality.
+ * BUG 3587: Make byte-range locking tdb self-cleaning.
+ * Ensure every exit error path in the session setup code calls
+ nt_status_squash().
+ * Use portable wrapper functions instead of seteuid directly in
+ winbindd.
+ * Make "change notify timeout" a per-share parameter.
+ * Fix regression in SAMBA_4_0's smbtorture DENY tests.
+ * Fix valgrind-spotted issue in BASE-DELETE test.
+ * Fix early termination condition in winbindd when trying to
+ connect to a remote DC.
+ * Instruct winbindd to ignore fd_set when select() returns -1.
+ * BUG 3779: Make nmbd udp sockets non-blocking to prevent problem
+ with select returning true but no data being available.
+ * Back port talloc_steal() fixes from SAMBA_4_0 (original fixes by
+ Andrew Tridgell).
+ * BUG 3467: Fix delete on close semantics needed by WinXP Media
+ Center Ed. for simultaneous recording and playback (thanks to
+ Jason Qian for the debugging assistance).
+ * BUG 3347: Save the Unix user token used to set the
+ delete-on-close flag.
+ * Fix parsing of SAMR_Q_CONNECT_ANON.
+ * Add in support for userinfo26 structure and re-enable
+ userinfo25
+ * Schannel server fixes. Fix the credentials chaining across
+ \netlogon pipe disconnects.
+ * Replace ubqix code in nmbd with an internal tdb.
+ * Fix struct timespec checks in configure.in.
+ * Add in server support for the NetSamLogonEx().
+ * Add support for LsaLookupSids2() and LsaLookupSids3().
+ * Add LsaLookupNames[2-4]().
+ * Add support for 'net usershare'.
+ * BUG 3522: Fix error code return on SMBmkdir(foo) when foo
+ already exists (thanks to Sandeep Tamhankar).
+ * BUG 3510: Fix 'net rpc join' against a server when
+ schannel is disabled.
+ * Get rid of poor errno mapping table. Bounce through NTSTATUS
+ instead.
+ * Check for SeMachineAccountPrivilege when deleting machine
+ accounts.
+ * Fix a logic bug with multiple oplock contention.
+ * Add the replacements for opendir/readdir etc from SAMBA_4_0.
+ Attempt to fix the broken directory handling in the *BSD.
+ * Allow run time tuning of the locking tdb hash size for
+ very busy servers.
+ * BUG 3642: Ensure we don't call FD_SET on read with
+ fd == -1.
+ * BUG 3569: Work around linear posix locking issue on AIX
+ which was causing high loads due to the tdb CLEAR_IF_FIRST
+ flag (based on work from William JoJo).
+ * Fix OS/2 directory delete bug found by kukks.
+ * Match the Windows 2003 NTLMSSP signature.
+ * Performance tuning work in core read & write file serving
+ paths.
+ * Change default to 'strict locking' to better reflect
+ real world clients.
+ * Fix error return on session setup. Ensure no data blob is
+ added if the logon call failed so that Windows clients
+ interpret the NT_STATUS code correctly.
+ * Teach Samba the difference between exclusive and batch
+ oplocks.
+ * BUG 3592: Ignore a file in a smbtar output if the first
+ read fails (inspired by Justin Best).
+ * BUG 3668: Workaround Windows bug with LARGE_READX where if
+ you ask for exactly 64k bytes it returns 0.
+ * BUG 3858: Ensure that all files are removed by a wildcard
+ delete when 'hide unreadable = yes'.
+ * Fix various issues raised by the Klocwork code analyzer.
+ * Fix nmbd WINS serving bug causing duplicate IPs in the *<1b>
+ query reply ("enhanced browsing = yes").
+ * Fix SMB signing failures in client tools.
+ * BUG 3909: Avoid EA lookups on MS-DFS links.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Work around abort() in the OpenLDAP client libs caused by a NULL
+ msg pointer.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 2961: Fix compile warnings for pam_smbpass.
+ * BUG 2746, 3763: Fix compile warnings in pam_winbind.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix 'smbcontrol shutdown' messages for nmbd and winbindd.
+ * Fix absolute symlinks in the installbin.sh script.
+
+
+o Max N. Boyarov <m.boyarov@sam-solutions.net>
+ * Fix crash bug in perfmon daemon example code.
+
+
+o Nicholas Brealey <nick@brealey.org>
+ * Compile fix for pam_winbind.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix 'make install' problem when building outside source/.
+ * Fix 'net ads join' when the workgroup is set incorrectly in
+ smb.conf.
+ * Re-add code to include the BUILTIN\Administrators SID when
+ winbindd is not running, but the user's token includes the
+ Domain Admin SID. Fixes access problem for managing Services.
+ * Only call the printer publishing calls if 'security = ads'.
+ * Normalize printing keys when deleting.
+ * Only store LANMAN passwords on a change if 'lanman auth = yes'.
+ * Look at the NT password (not lanman one) when determining if 'smbpasswd
+ -e' should probably for a password.
+ * Default eventlog tdbs to mode 0660 to allow easier access by
+ BUILTIN\Administrators.
+ * Remove extra call to create_user on member servers without winbindd.
+ * Replace the use of OpenLDAP's ldap_domain2hostlist() for locating
+ AD DC's with out own DNS SRV queries.
+ * Fix compile error on HP-UX reported by Ryan Novosielski.
+ * Rewrite 'net ads join' to share common code with 'net rpc join'
+ and behave more like a Windows XP client.
+ * Remove --with-ldapsam option from configure (only used for
+ backwards compatibility for 2.2 smb.conf files).
+ * Remove 'wins partners' and 'hosts equiv' smb.conf parameters.
+ * Remove rhosts authentication module.
+ * Reimplement 'net ads leave' to disable the machine account in the
+ domain rather than removing it.
+ * Rewrite of tdbsam file descriptor handling.
+ * Add server affinity support when selecting a remote
+ domain controller.
+ * Remove chaining of passdb modules.
+ * Generate a local users primary group SID based on his
+ or her primary Unix group rather than storing the attribute
+ in the passdb entry.
+ * Default primary group SID to 'Domain Users' if the real Unix
+ primary group maps to the S-1-22-2 domain.
+ * Refactor memory management in passdb user objects.
+ * RHEL and Fedora packaging fixes.
+ * Implement XcvDataPort() spooler call and supporting 'add
+ port command'.
+ * BUG 3534: Ignore lines in the username map file with no right
+ hand list.
+ * Add support for the experimental %(DomainSID) smb.conf
+ variable.
+ * Add support for parsing SIDs in smb.conf value lists.
+ * Fix vuid allocation in Kerberos SMBsesssetup reply.
+ * Ensure that local group membership is included in the
+ getgroups() NSS reply.
+ * Automatically create a BUILTIN\{Administrators,Users} if
+ winbindd is running.
+ * Automatically grant all privileges to members of the local
+ Administrators group.
+ * Protect against NULL cli_state* pointers in
+ cli_rpc_pipe_open().
+ * Add a SUBSTR matching rule the the Samba LDAP schema
+ file for the sambaSID attribute. This will allow for
+ Searching group mapping entries within a given domain
+ without reorganizing the directory namespace. Also
+ requires 'index sambaSID sub' in slapd.conf.
+ * Fix parsing of 'idmap uid/gid' values that broke when
+ the range included any whitespace.
+ * Support renaming local groups (protect against renaming
+ BUILTIN groups).
+ * Do not allow the root account to be deleted via MS-RPC.
+ * Fix RID allocation to skip over RIDs that resolve in our
+ own domain (work around upgraded users and groups).
+ * Store the name/ip address combination when we do a reverse
+ look up in case future forward lookups would fail.
+ Fixes cases where a DC name could not be resolved via
+ NetBIOS queries,
+ * Allow winbindd to run on standalone servers in order to
+ provide support for local groups.
+ * Deprecate 'acl group control' and replace it with added
+ functionality to 'dos filemode'.
+ * Ensure that all global memory is freed from pam_winbind
+ when unloading the shared library (based on work from Arkady
+ Glabek).
+ * Fix 32-bit/64-bit portability issues between PAM & NSS winbind
+ libraries and winbindd.
+ * Add defensive checks about create local accounts (i.e. calling
+ 'add user script') on domain member servers when winbindd
+ is running but having problems.
+ * Use system provided killproc() in RedHat init scripts for
+ more robust shutdown.
+ * Fix a crash in the printer publishing code when adding a
+ new printer via the APW.
+ * Fix broken compile of unsupported smbwrapper utility.
+ * BUG 3905: Fix smbd startup failure caused by a failure to
+ create an NT token for the guest account.
+ * BUG 3908: Fix RPC bind authentication failure which broke
+ user password changes.
+ * Ensure that "net ads join" reports failure correctly if
+ it cannot set the machine account password.
+
+
+o Mathias Dietz <MDIETZ@de.ibm.com>
+ * EPERM can be a valid return from getting an xattr.
+ Don't disable if we get it.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix memleaks in winbindd ads searches.
+ * Fix timestamp bug in pam_winbindd which forced users to change
+ passwords prematurely.
+ * Small debug message cleanups.
+ * Small fixes for 'net ads password'.
+ * BUG 3843: Allow to set passwords directly when creating users
+ via "net rpc user add"
+ * Add "rpc shell" to the usage text for the net command.
+ * Winbindd user aliases lookup fixes for large domains.
+ * Fix memleak in the CLDAP processing code.
+ * Enable AD features in winbindd's PAM support only when
+ communicating with an AD domain controller.
+ * Set our internal domains to "online" by default in winbindd.
+ * BUG 3800: Fill the password_policy method in winbindd for
+ winbindd_passdb.
+ * Fix memory leak when LDAP POSIX attribute queries fail.
+ * Honor the krb5 principal name change (of the new ads join code)
+ in the kerberized winbind pam_auth.
+ * Correctly handle the case when there is no configuration file
+ for pam_winbind.
+ * Adding "own-domain" switch to wbinfo which is handy from time
+ to time.
+ * BUG 3823: Fix in-forest domain trust enumeration in winbindd.
+ * Fix winbindd group enumeration for groups with no members.
+ * Correct "net ads changetrustpw" to use the sAMAccountName.
+ * Fix winbindd in ADS domains by removing code using the
+ UPN and rely upon the sAMAccountName.
+ * Fix a eDir related memory leak.
+ * Don't try to add the sn attribute twice to an LDAP
+ inetOrgPerson + samSamAccount entry.
+ * Fix winbind function table typo.
+ * Attempt to send the correct warning from pam_winbind when a password
+ change was attempted too early.
+ * Don't use cached credentials when changing passwords.
+ * Correctly disallow unauthorized access when logging on with the
+ kerberized pam_winbind and workstation restrictions are in effect.
+ * Save useless round trips in pam_winbind's auth calls.
+ * Make the existence of the /etc/security/pam_winbind.conf file
+ non-critical and fallback to only parse the argv options in that
+ case.
+ * Add winbind debug class to the main winbindd process.
+ * Be consistent between rpc and ads winbind backend: let the
+ ads backend query the samlogon cache first as well.
+ * Ignore BUILTIN groups when searching AD for group memberships.
+ * Fix KRB5KDC_ERR_POLICY -> NTSTATUS mapping.
+ * Cleanup credential caches from winbind's linked list.
+ * Fix 'winbindd -n' for new persistent caches.
+ * Fix searching by SID in winbindd.
+ * Add "smbcontrol winbind onlinestatus" for debugging purpose.
+ * Prefer to use the indexed objectCategory attribute (instead of
+ objectClass which is not indexed on AD) in LDAP queries.
+ * Free LDAP result in ads_get_attrname_by_oid().
+ * Prevent unnecessary storing of password in a WINBINDD_CCACHE_ENTRY.
+ * Prevent passwords of winbindd's list of credential caches from
+ being swapped to disk using mlock().
+ * BUG 3345: Expand the "winbind nss info" to also take "rfc2307" to
+ support the plain posix attributes LDAP schema from win2k3-r2
+ (based on patches from Howard Wilkinson and Bob Gautier).
+ * Add more robust code for fallback when lookup_usergroups() fails.
+ * Fix 'net rpc join' for winbindd running on a Samba DC.
+ * Add help text for new 'net rpc audit' utility.
+ * Add net ads search SID.
+ * samrQueryDomainInfo level 5 should return the domain name, not our
+ NetBIOS name when we are a DC.
+ * Add some more client rpc for the querydominfo calls (from samba4 idl).
+ * Process all the supported info levels in the samr_query_domain_info2
+ call.
+ * Wrap the samr_query_domain_info2() call around
+ samr_query_domain_info().
+ * Fix segv in smbctool.
+ * Honor the time_offset also when verifying Kerberos tickets.
+ * Prevent unnecessary longstanding LDAP connection to eDirectory.
+ * Fix segv in smbspool.
+ * BUG 1914: Allow to store 24 password history entries in ldapsam.
+ * Enhancements to various commands in rpcclient
+ * Don't force 'Administrator' to change an expired password on
+ logon.
+ * Add support for offline mode in winbindd.
+ * Provide support in pam_winbind for initializing a user's
+ ticket cache.
+ * Implement samr_chgpasswd_user3 server-side.
+ * Make pam_winbind more robust when detecting domain users.
+ * Add client side support for SAMR_GET_USRDOM_PWINFO.
+ * Re-enable strict checking on C++ reserved keywords since Heimdal
+ 0.7.2 has been released.
+ * Allow renaming of machine accounts in a Samba domain.
+ * BUG 3539: Let winbindd try to obtain the gecos field from
+ the msSFU30Gecos attribute when "winbind nss info = sfu" is
+ set.
+ * Correctly handle acb_info/acct_flags as uint32 not as uint16.
+ * Return the real ACB-flags in the SamLogon() reply.
+ * Some client side cleanup for the samr set security object
+ functions.
+ * Make sure we always reset the userAccountControl bits when
+ re-joining (net ads join) with an existing account.
+ * Document some more MSV1_0 bits and their behavior.
+ * Only set the last rebind timestamp when we did rebind
+ after a update LDAP operation to avoid the ldap replication
+ sleep period.
+ * Fix incorrect error checking in winbindd for domains with
+ no trusts.
+ * Consolidate the parsing of the Krb5 PAC and NET_USER_INFO3
+ structure.
+ * Work around crash bug in MIT krb5 libs when reading a
+ keytab file. Stop trying to decrypt a ticket as soon as
+ we have a clear indication that the ticket is bad.
+ * Merge DCERPC_FAULT constants from the SAMBA_4_0 tree.
+ * Adding client side samr querygroup infolevels 2 & 5.
+ * Make smbpasswd -a root work for eDirectory where there
+ is no "account" structural objectclass.
+ * Make sure we only send out a CLDAP request (net ads) to
+ an connected AD server.
+ * Fix a broken LDAP search filter when looking for groups.
+ * Add in-tree version of iniparser library from
+ http://ndevilla.free.fr/iniparser/ for use by pam_winbind
+ (rather than linking in loadparm.c). Settings are now stored
+ in /etc/security/pam_winbind.conf.
+ * Fix different extended_dn handling in adssearch.pl
+ (Thanks to Frederic Brin at Novell).
+ * Fix a memleak in winbindd's credentials cache.
+ * Protect against crashes in CLDAP request processing.
+ * Remove incomplete DfsEnum() info level to avoid an smbd crash.
+
+
+o Aleksey Fedoseev <fedoseev@ru.ibm.com>
+ * Fix parameter type for 'acl compatibility'.
+ * Fixes for msgtest torture tool.
+ * Fix crash bug in the file locking code.
+
+
+o Arek Glabek <aglabek@centeris.com>
+ * Fix parsing error on input parameters in eventlogadm.
+
+
+o Paul Green <paulg@samba.org>
+ * Properly rebuild time limit on systems with executable extensions.
+ * Fix build on platforms that do not support shared libs.
+ * Remove dead code in the auth_script module.
+
+
+o Bjoern Jacke <samba@j3e.de>.
+ * Fix DMAPI compile failures on AIX and True64.
+ * Fix AIX PIC suffix (use .o instead of .po).
+ * Fall back to less-preferred clocks until we find one that we
+ can use if clock_gmtime() is not available at run-time.
+ * Fix EA support on AIX platforms.
+ * Automatically disable file shares with no explicit path set.
+ * Remove the local hack to set the RO bit on directories in
+ user profiles when profile acls = yes. Rely on EAs instead.
+ * Compile fixes for Solaris LDAP client libs.
+ * Add DMAPI/XDSM support for AIX.
+ * Find JFS DMAPI libs on Linux when only they are available.
+
+
+o William Jojo <jojowil@hvcc.edu>
+ * Fixes for the winbind NSS library on AIX.
+ * Fix VFS builds on AIX platforms.
+ * Fixes for the AIX version of libnss_winbind.so
+
+
+o Leonid Kabanov <lkabanov@mail.ru>
+ * BUG 3711: Shell portability fixes for 'make test'.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fixes for various Klocwork defect reports.
+ * Fixes for various Coverity defect reports.
+ * BUG 3848: Fix WinXP join error in a Samba domain using ldapsam.
+ * Fix more potential seg-faults when something on our way to a
+ DC connection fails.
+ * Never fall back to using the IP address for a DC's name in RPC
+ connections.
+ * Implement recycle:subdir_mode.
+ * Activate RPC-AUTHCONTEXT in "make test".
+ * Portability fixes for 'make test'.
+ * Correctly set the group RID in init_sam_from_buffer.
+ * Fix missing prompt in smbclient.
+ * Return correct error code upon success from _net_srv_pwset().
+ * Fix Windows XP joins to a Samba domain.
+ * Fix 'valid users = +unixgroup' which was failing with smbpasswd
+ when mapped to a non-algorithmic rid.
+ * Fix regression which upper-cased machine names passed to the
+ 'add machine script'.
+ * Correct parsing error in parse_net.c for user's with no group
+ membership.
+ * Fix off by one error in client SPNEGO code and other klocwork
+ bug fixes.
+ * Memory leak fixes in 'net sam'.
+ * BUG 3720: Fix uninitialized error return variable.
+ * Default "passdb expand explicit" to no.
+ * BUG 3741: Re-enable algorithmic SID mapping in one critical place.
+ * Fix user NT token creation when utilizing a username map.
+ * More coverity fixes.
+ * Fix a VUID bug in 'security = share'.
+ * Correctly fill in the gid for local users.
+ * Fix some warnings on True64.
+ * Add special close handling for fake files.
+ * BUG 3788: Fix nss_winbind's getgrouplist() call on AIX.
+ * BUG 3435: Fix 'msdfs root = yes' in [homes].
+ * Instruct winbindd to find a trusted DC on its own when running on
+ a Samba DC.
+ * Fix segv in child winbindd processes caused by a failed tconX
+ to the DC.
+ * Dynamically compute the maximum password age based no the
+ last change time rather than reading the must change time
+ from the passdb record.
+ * Rewrite mechanisms for handling lookup_{name,sid} resolution.
+ * Assign unmapped users to the S-1-22-1 domain and unmapped
+ groups to the S-1-22-2 domain
+ * Disable algorithmic mapping for RIDs in tdbsam & ldapsam
+ * Remove sql passdb backends.
+ * Implement rpccli_samr_set_domain_info()
+ * Add initial support for 'net sam' command.
+ * BUG 2413: Remove anonymous connections in 'net rpc info'.
+ * Implement asynchronous support for trans2 calls.
+ * Make smbclient -L use RPC to list shares, fall back to RAP.
+ * Ensure that the global SAM SID is initialized before any
+ dependent routines are called.
+ * Enhance consistency checks on local configuration when joining
+ a domain.
+ * Fix a memleak in the server registry code for enumeration
+ shares.
+ * Fix an invalid munlock() call in winbindd's credentials cache.
+ * Fix compile warnings when passing NULL to snprintf().
+ * BUG 3915: Fall back to a pure unix user with S-1-22 SIDs in the
+ token in case anything weird is going on with the 'force user'.
+ * CVE-2006-3403: Fix minor memory exhaustion DoS in smbd.
+
+
+o Derrell Lipman <derrell@samba.org>
+ [libsmbclient]
+ * BUG 3814: Only set the DFS capability flag in client requests
+ if the share is a DFS root.
+ * Fix bug causing previous settings to be re-initialized
+ when parsing new configuration files.
+ * BUG 3446: Don't ignore the authentication domain when parsing
+ the SMB URI.
+ * Fix cli_setpathinfo() to actually do what it's supposed to.
+ * Fix libsmbclient to make correct use of the new "one connection
+ per server feature".
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Numerous compiler warning fixes.
+
+
+o John E. Malmberg <wb8tyw@qsl.net>
+ * Make smbldap obey config tests.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fixes for 'make test' on AIX.
+ * Ensure we do a wildcard search for SID's starting with the global SAM
+ sid, not an exact search (from John Janosik).
+ * Adapt smbclient fix to smbtree to enable long share names.
+ * Prevent machines and users with no home directory from
+ getting the previous entries home path when migrating via
+ 'net rpc vampire' (based on a patch from Richard Renard).
+ * Remove hard-coded LDIF names when dumping a migrated
+ domain's users and groups.
+ * BUG 1374: Can't join an OU with name that contains '#'.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Add more tests to 'make test'.
+ * Try to make timelimit.c more portable.
+ * Fix linking of smbmount tools with --enable-socket-wrapper.
+ * Pass 'target:samba3=yes' to samba4's smbtorture when running
+ samba3's make test.
+ * Miscellaneous fixes for 'make test'.
+ * Add improved support for 'make test' including making
+ use of smbtorture from SAMBA_4_0.
+ * Add --no-process-group to all server programs
+ (e.g. timelimit 20000 bin/nmbd -F -S --no-process-group).
+ * Add configure tests --with-selftest-prefix=/tmp/samba-test
+
+
+o Lars Müller <lmuelle@samba.org>
+ * Fix lock calls in the python tdb bindings.
+ * Add -k switch to tdbdump for accessing a single key.
+ * Debian packaging fixes.
+ * Add -t|--password-from-stdin option to pdbedit as we had
+ with Samba 2.2.
+ * Various minor fixes to install scripts used by 'make install'.
+
+
+o James Peach <jpeach@sgi.com>
+ * Ensure smbclient always prompts on standard output when in
+ interactive mode.
+ * BUG 3801, 3805: Fix MIPSPro compiler warnings on IRIX.
+ * Introduce command line options to set the remainder of the
+ parameters in dynconfig.c.
+ * Avoid pulling in -lpthreads caused by -lrt.
+ * Fix build failures on IRIX 6.4 due to DMAPI support.
+ * Isolate the slow CLOCK_REALTIME message in the profiling code.
+ * Correct comparison logic so that libunwind can be correctly detected.
+ * Implement a "stacktrace" smbcontrol option using libunwind's remote
+ stack tracing support (ia64 only).
+ * Use dynamic buffers in the IRIX nsswitch module to prevent truncation
+ of long group lists.
+ * New autoconf macro to test for sysconf variables.
+ * Change profiling data macros to use stack variables rather than
+ globals. This catches mismatched start/end calls and removes
+ the need for special nested profiling calls.
+ * Rewrite AC_LIBTESTFUNC so that it works like the callers
+ of it expect.
+ * Use clock_gettime for profiling timstamps if it is available. Use
+ the fastest clock available on uniprocessors.
+ * Preserve errno in fcntl lock wrappers.
+ * Initialize our saved uid and gid so that we can tell when we
+ created the profiling shmem segment and don't bogusly refuse to
+ look at it.
+ * Add a new option "enable core files" which can be used to disable
+ automatic core file dumping.
+ * Update our internal copy of popt to that distributed with the RPM
+ 4.2 source code.
+ * Add support for FAM for file change notification.
+ * Disable sendfile if the 'write cache;' has been enabled.
+ * Refactor capability interface from being IRIX-specific to
+ using only the POSIX interface.
+ * Consolidate core dumping code to aid in debugging.
+ * Add support for libunwind to generating a backtrace.
+ * BUG 3490: Don't test for ldap or krb5 libs if --without-ldap
+ and --without-ads are specified.
+ * Allow the user to set winbind nss timeouts in seconds on IRIX.
+ * Set the FILE_STATUS_OFFLINE bit by observing the events
+ a DMAPI-based HSM is interested in.
+
+
+o Tim Potter <tpot@samba.org>
+ * Build janitorial duties.
+ * BUG 3725: Put references to $PICFLAGS in quotes.
+
+
+o Aruna Prabakar <aruna.prabakar@hp.com>
+ * Show -W option in smbpasswd usage text.
+
+
+o ISHIKAWA Tomonori <toishika@fsi.co.jp>
+ * BUG 2715: Fix nmbd datagram comment buffer size for multibyte
+ character strings
+
+
+o Andreas Schwab
+ * Correct syntax error in aclocal.m4.
+
+
+o Simo Sorce <idra@samba.org>
+ * Pam modules install fix.
+ * Allow "net changesecretpw" to accept a password via stdin.
+ * Implement 'net setdomainsid' command.
+ * Ensure that sid -> group conversion are done as root.
+ * BUG 3413: Sanity check for existence of 'ldap admin
+ dn' before setting a password in secrets.tdb (based on
+ work by William Jojo).
+ * New revision of the snprintf replace code.
+ * Set the correct sid type when looking up a gid.
+
+
+o Todd Stecher <tstecher@isilon.com>
+ * Add TCP fallback for our implementation of the CHANGEPW
+ kpasswd calls.
+
+
+o Ronan Waide <waider@waider.ie>
+ * Add 'wbinfo -i' functionality to exercise winbindd's getpwnam()
+ functionality.
+
+
+o Shlomi Yaakobovich <Shlomi@exanet.com>
+ * Fix for machine password time_t overflow.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.22
+ Mar 30, 2006
+ ==============================
+
+This is a security release of Samba. The Samba 3.0.21 release
+series (including the patch releases a through c) has been
+discovered to expose the clear text of the server's machine
+account credentials in the winbind log files when the log
+level is set to 5 or higher. This defect has been assigned
+the CVE number CAN-2006-1059.
+
+Summary
+=======
+
+The machine trust account password is the secret shared
+between a domain controller and a specific member server.
+Access to the member server machine credentials allows
+an attacker to impersonate the server in the domain and
+gain access to additional information regarding domain
+users and groups.
+
+The winbindd daemon included in Samba 3.0.21 and subsequent
+patch releases (3.0.21a-c) writes the clear text of server's
+machine credentials to its log file at level 5. The winbindd
+log files are world readable by default and often log files
+are requested on open mailing lists as tools used to debug
+server misconfigurations.
+
+This affects servers configured to use domain or ads security
+and possibly Samba domain controllers as well (if configured
+to use winbindd).
+
+=======
+
+ --------------------------------------------------
+
+ ===============================
+ Release Notes for Samba 3.0.21c
+ Feb 24, 2006
+ ===============================
+
+Common bugs fixed in 3.0.21c include:
+
+ o Access checks when deleting printer driver meta-data.
+ o Several non-default combinations schannel and SPNEGO support.
+ o Password changes with NT4 and Win2k pre-SP4 clients.
+ o High load issues on IRIX caused by a bug when interfacing
+ with kernel oplocks.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.21b
+---------------------
+
+commits
+-------
+o Michael Adam <ma@SerNet.DE>
+ * Add popt to the include path for examples/VFS.
+
+
+o Jeremy Allison <jra@samba.org>
+ * Fix bug in the USC2 macros on big-endian CPUs.
+ * Filter deleted oplocks from the output of smbstatus.
+ * Remove invalid test check_for_pipe().
+ * BUG 3515: Fix kernel oplock support on IRIX.
+ * BUG 3522: Fix return value for mkdir request when the directory
+ already exists.
+ * BUG 3526: Add missing FindNext info levels (diagnosed by Corinna
+ Vinschen).
+ * BUG 3330: Fix username parsing in Kerberos PAC (based on work
+ by Guenther).
+ * BUG 3512: Fix cause of "use spnego=no" and "server signing=auto"
+ resulting in a client disconnect after negprot.
+ * BUG 3510: Fix 'net join' against a server with client schannel
+ disabled.
+ * Fix negprot bug causing a 2k client with cached domain
+ credentials to refuse to connect to a standalone Samba host.
+ * Ensure that the correct error is checked when encountering a
+ socket error (fixes crashes in winbindd).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix domain joins from NT4 clients and password changes.
+
+
+o Richard Bollinger <rabollinger@gmail.com>.
+ * Compile fix in pdbedit.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Break RHEL/Fedora packaging out to include a samba-docs rpm.
+ * Remove use of /var/cache/samba from RHEL/Fedora packaging.
+ * Fix bug in loadparm.c that caused builtin services to be also
+ listed as external services (e.g. Spooler, NETLOGON, etc..).
+ * Fix bug in the samr dispinfo enumeration code.
+ * Add earlier checks to deny deleting a printer driver meta-data.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Add Account Policy LDAP attributes for eDirectory schema.
+
+
+o William JoJo <jojowil@hvcc.edu>
+ * BUG 1870: Make nmblookup do a node status on all IP's when
+ requested.
+ * BUG 2353: Fix clitar -F processing.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix the build for --with-aio-support.
+ * Fix remote password changing if password must change is set.
+ * Fix rpcclient to obey the -W parameter.
+ * Fix segv in smbmount and the profiles tool.
+ * Fix typo in pdbedit help text (reported by Karolin Seeger).
+
+
+o Vladimir Lettiev
+ * Honour the $(DESTDIR) Makefile variable when installing
+ Python extensions.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Compiler warning fixes.
+
+
+o Lars Müller <lmuelle@samba.org>
+ * Fix python build with older python versions.
+ * Update dhcp.conf files in Debian packaging
+ * SWAT welcome file updates
+ * Compiler warning fixes.
+ * Add .2 to the SONAME as version suffix if we link the nss
+ modules on linux.
+ * Add -t|--password-from-stdin option to pdbedit.
+
+
+o James Peach <jpeach@sgi.com>
+ * Continue not enabling valgrind on 64-bit Linux.
+
+
+o Tim Potter <tpot@samba.org>
+ * Remove unused #defines.
+
+
+o Simo Sorce <idra@samba.org>
+ * Debian packaging updates.
+
+
+o Qiao Yang <qyang@stbernard.com>
+ * Make sure to refresh the timestamp on entries in the failed
+ connection code in winbindd.
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.21b
+ Jan 30, 2006
+ ===============================
+
+Common bugs fixed in 3.0.21b include:
+
+ o Server crashes in smbd.
+ o Compile issues on 64-bit platforms.
+ o Crash bugs on big-endian systems.
+ o Packaging fixes for RHEL/Fedora, Solaris, & Debian.
+ o Over 30 bugzilla reports closed.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.21a
+---------------------
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fix the SAMR cache across handles opens and closes.
+ * Re-add the talloc_describe_all() function for reporting pool
+ usage.
+ * Merge talloc license change from Samba 4.
+ * Fix 64-bit compile warnings reported by gcc.
+ * Add the share path into the sharemode db.
+ * Consistency fixes: Remove use of uint8_t -> uint8.
+ * BUG 3346: Fix crash bug in big-endian boxes by linearizing
+ structure when passing through the messaging API.
+ * BUG 3421: Fix segv in the Kerberos key tab code (Thanks to
+ Luke Deller).
+ * Force smbd to exit if the guest account internal setup fails.
+ * BUG 3419: vfs_full_audit fixes for multiple connections.
+ * Ensure SWAT lists running processes.
+ * Fix NTLMv2 interoperability bug between Samba servers.
+ * Oplock break logic fixes.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 3401: Fix crash bug caused by incorrect handling of weak
+ session keys. Based on original patch from Yau Lam Yiu.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 3397: Add USER_INFO_9 for SMS 2003 support (ported from
+ Samba TNG code).
+
+
+o Stefan Burkei <stefan@burkei.de>
+ * BUG 3248: When doing auth_crap authentication use the client
+ given workstation name not our own.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixing net rpc registry enumerate from overwriting the open
+ subkey handle.
+ * BUG 3380: fix crash when changing printer drivers.
+ * BUG 3391: ensure we can lookup account policies for failed
+ logons.
+ * Adding query/set ops for security descriptors on services.
+ * BUG 3329: Solaris packaging fixes.
+ * Better formatting for smbstatus output (based on patch from
+ Adam Neilson).
+ * Hook the max connections spin box in the share properties
+ MMC plug-in dialog to the 'max connections' smb.conf parameter
+ and the 'modify share command' option.
+ * Work around building libnss_winbind.so on Solaris when
+ --enable-developer is specified.
+ * Add vendor patch level string to VERSION.
+ * Consolidate packaging for RHEL4 and Fedora based on initial
+ work by jht.
+
+
+o Albert Chin <@thewrittenword.com>
+ * BUG 3374: Build failures on True64.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fill in samr_get_dom_pwinfo based on Samba4.
+ * Fill in the clientside TRUSTED_DOMAIN_INFO_EX query.
+ * Fixes for adssearch.pl example script.
+ * Prevent 'net rpc' from dumping clear text password at high log
+ levels unless built with DEBUG_PASSWORD.
+ * Fix 'net ads user add' with a Windows 2003 SP1 DC.
+ * Fix python build.
+ * Fix segfault in pdb_nds.c.
+ * Don't write null sid mappings into the winbindd_cache.tdb.
+ * Save sid_to_name lookup result in winbindd already after doing
+ a successful name_to_sid.
+ * BUG 3390: Fix segfault in "net rpc vampire|samdump".
+ * BUG 1524, 3205: Support changing expired passwords in
+ pam_winbindd.
+ * Fix netfileenum returning WERR_BUF_TOO_SMALL in rpcclient.
+ * BUG 3264: Allow idmap_ad to load as 'ad'. Cleanup the way
+ idmap modules are build and loaded, idmap_rid now will have
+ to be loaded without prefix, just "rid".
+ * Prevent cli_krb5_get_ticket of getting into an infinite loop.
+
+
+o Andrew Esh <Andrew_Esh@adaptec.com>
+ * BUG 1061: Fix nmbd to correctly the path to an lmhosts files
+ specified on the command line with -H.
+
+
+o SATOH Fumiyasu <fumiya@samba.gr.jp>
+ * End profile fixes.
+ * BUG 3348: Don't assume owning sticky bit directory means
+ write access allowed.
+ * Fix double free in on failure path in POSIX acl code.
+
+
+o Andriy Gapon <avg@icyb.net.ua>
+ * BUG 3458: Fix crash bug in smbd and winbindd caused by
+ accessing freed memory.
+
+
+o Björn Jacke <bj@sernet.de>
+ * Configure check for Tru64 EA functions (not yet implemented).
+ * Find Tru64 AIO lib in configure.
+ * Cut-n-paste fixes in configure.in.
+
+
+o John Janosik <jpjanosi@us.ibm.com>
+ * IBM Tivoli Directory Server schema updates.
+
+
+o Michael James <michael@james.st>
+ * sid2string fix in adssearch.pl.
+
+
+o William JoJo <jojowil@hvcc.edu>
+ * BUG 3340: Prevent automatic inclusion of AIO support on AIX.
+ * BUG 3389: Failures on AIX in linking smbd when the symbol
+ table for ld exceeds 65536 bytes.
+ * Add -W to smbpassword so that the ldap admin dn password does
+ not have to be specified on the command line.
+ * BUG 3408: Fix for external password change programs on AIX.
+ * BUG 1779: 64-bit compile fixes.
+
+
+o Martin Koeppe <mkoeppe@gmx.de>
+ * BUG 3287: Match SFU behavior for dev/inode numbers.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 3291: Fix valgrind error in client connection code.
+ * BUG 3292: Prevent smbclient from spinning if server terminates
+ connection.
+ * BUG 3293: Use SMBecho instead of chkpath to keep a smbclient
+ connection alive smbclient.
+ * Add lookupname to rpcclient query_user as a fallback, we now
+ accept both rid and username.
+ * Introduce yet another copy of the string_sub function:
+ talloc_string_sub use by AFS token code in winbindd.
+ * BUG 3351: pdb_mysql again overwrites password fields.
+ * BUG 3384: Fix segv in tdbtool.
+ * Use the same CFLAGS for generating the pch as we use to
+ actually compile.
+ * Correct typo when compiling the vfs_catia module.
+ * Fix automatic recreation of a new tdb sam file.
+
+
+o Derrell Lipman <derrell@samba.org>
+ [libsmbclient]
+ * Fix parsing of file times (w_time and m_time were reversed).
+ * Add additional libsmbclient test programs.
+ * BUG 3336: Load networks interfaces in libsmbcliebt after parsing
+ the configuration files.
+ * Avoid doing a NetBIOS name query for each server and workgroup
+ enumeration call.
+ * Do not open connection when only looking for cached connection.
+ * BUG 2651: Add option to log debug messages to stderr instead
+ of stdout.
+ * Added flag to not request authentication information.
+ * Enhancements to smbwrapper example code.
+ * Replace smbwrapper call to dlopen(/lib/libc...) with direct
+ use of RTLD_NEXT.
+
+
+o David May <mayd@cygnus.uwa.edu.au>
+ * BUG 3329: Shell scripting portability fixes on 'make test'.
+
+
+o Tony Mountifield <tony@softins.co.uk>
+ * BUG 3327: fix bad access to gencache.tdb after fork() in
+ smbmount.
+
+
+o Lars Müller <lmuelle@samba.org>
+ * BUG 3264: Support backwards compatible setups using
+ 'idmap backend = idmap_rid'.
+ * Add %w macro for the winbind separator.
+ * Convert net command to use stderr for error messages rather
+ than stdout.
+
+
+o James Peach <jpeach@sgi.com>
+ * Portability fixes in LDAP code. Don't use non-static array
+ initializers.
+ * Support the TCP_FASTACK socket option if it is available.
+ * Tell the MIPSPro compiler to push DEBUG calls out of line.
+
+
+o Makr Proehl <m.proehl@science-computing.de>
+ * BUG 1336: Print the server role when calling testparm in
+ non-verbose mode.
+
+
+o Simo Sorce <idra@samba.org>
+ * Crackcheck utility enhancement based on patch sent by
+ Tom Geissler.
+ * BUG 3405: Fix segv in vfs_recycle module on platforms wither
+ mode_t is not 32-bits.
+
+
+o John Terpstra <jht@samba.org>
+ * RHEL/Fedora spec file patches.
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.21a
+ Dec 30, 2005
+ ===============================
+
+Common bugs fixed in 3.0.21a include:
+
+ o Deadlocks when multiple users access an oplocked file
+ concurrently
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.21
+--------------------
+
+commits
+-------
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * RedHat 9 packaging Fixes.
+
+
+o Guenther Deschner <gd@samba.org>
+ * eDirectory schema syntax fixes.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 3349: Deadlock caused logic error in oplock code.
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.21
+ Dec 20, 2005
+ ==============================
+
+Common bugs fixed in 3.0.21 include:
+
+ o Missing groups in a user's token when logging in via Kerberos
+ o Incompatibilities with newer MS Windows hotfixes and
+ embedded OS platforms
+ o Portability and crash bugs.
+ o Performance issues in winbindd.
+
+New features introduced in Samba 3.0.21 include:
+
+ o Complete NTLMv2 support by consolidating authentication
+ mechanism used at the CIFS and RPC layers.
+ o The capability to manage Unix services using the Win32
+ Service Control API.
+ o The capability to view external Unix log files via the
+ Microsoft Event Viewer.
+ o New libmsrpc share library for application developers.
+ o Rewrite of CIFS oplock implementation.
+ o Performance Counter external daemon.
+ o Winbindd auto-detection query methods when communicating with
+ a domain controller.
+ o The ability to enumerate long share names in libsmbclient
+ applications.
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ dfree cache time New
+ dfree command Per share
+ eventlog list New
+ iprint server New
+ map read only New
+ passdb expand explicit New
+ rename user script New
+ reset on zero vc New
+ svcctl list Renamed from 'enable svcctl'
+
+
+
+Changes since 3.0.20b
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 1828: Fixed SPNEGO issues with PocketPC clients.
+ * Added 'map readonly' parameter.
+ * BUG 3166: Fix crash in libsmbclient if the $HOME environment is
+ not defined.
+ * Maintain schannel client session keys in volatile
+ $(privatedir)/schannel_store.tdb.
+ * BUG 2769: Ensure we mangle filenames ending in a space
+ * Catch corner case of renaming a symlinked directory into
+ itself
+ * Ensure that smb.conf requests for hidden files are honored,
+ even when DOS attributes are stored in EA's
+ * Add new auth method "auth_script" for calling an external
+ program
+ * BUG 2152: Fix for mangled filenames when the client does
+ support long filenames
+ * Rewritten implementation of client and server DCE/RPC infrastructure
+ * BUG 3192: Adds a "dfree cache time" parameter.
+ * Fix acl evaluation bug found by Marc Cousin. Only evaluate
+ the S_IWGRP mask in the absence of a POSIX ACL.
+ * Remove use of 'long long' in libsmbclient code.
+ * Ensure the new canonicalize_servicename() in name/snum hash
+ is multi-byte safe.
+ * BUG 2922: Integration of FreeBSD AIO patches from Timur
+ Bakeyev.
+ * BUG 3216: Put directory opens into the share mode db so we
+ can treat them similarly to file opens (delete on close,
+ share mode violations etc.).
+ * Fix bug in name mangling code when case sensitivity is enabled.
+ * Remove external dependencies from the sharemodes library.
+ * BUG 3212: Ignore bogus OS/2 set EA values on trans2 calls.
+ * Don't misinterpret wild card characters in file names on disk
+ as they are actually valid characters.
+ * BUG 3223: Fix bug in account policy management when
+ account_pol.tdb settings have been migrating to an LDAP
+ backend.
+ * Allow the hash size of the tdb open (locking) database to be
+ set in local.h.
+ * Fix error code returns on client spoolss code.
+ * Remove unneeded strncpy use.
+ * Fix uninitialized variables warnings.
+ * Cleanup smbcacls security descriptor parsing and error codes.
+ * BUG 3224: Correctly use machine_account_name and client_name
+ when doing netlogon credential setup. Fixes winbindd running
+ on a Samba PDC.
+ * Backport Samba 4 time zone handling.
+ * Fix core dump if setmntent() returns NULL.
+ * Replace old crc32 code with one from the FreeBSD tree.
+ * Filter stored DOS attributes by SAMBA_ATTRIBUTES_MASK.
+ * Remove #define of close -> close_fn macro in libsmbclient.
+ * Return early if -1 returned from *BSD EA call (reported by
+ Timur).
+ * Name space cleanup by marking local functions static.
+ * Move samr enumeration cache from per handle basis to a shared
+ cache.
+ * BUG 3274: Fix invalid smbclient qpath_basic() queries against
+ OS/2 servers (based on patch from Guenter Kukkukk).
+ * Ensure default applies to new files (reported by Thomas
+ Neumann).
+ * BUG 3293: Use SMBecho to testing the server in client rather
+ than SMBchkpath.
+ * Merge talloc fixes from Samba 4 branch.
+ * Add support DCE/RPC cancel operation.
+ * Don't reset attrs to zero in EA get. Fixes 'hide dot files'
+ when using EA for DOS attributes.
+ * Fix bug in returning remote time (reported by Thomas Bork).
+ * No users or groups to return in BUILTIN domain.
+ * Removed separate "builtin" search enumeration.
+ * Added count_sam_aliases to return the correct alias count.
+ * Correctly handle the LDAP_UNWILLING_TO_PERFORM error from
+ eDirectory when accessing the universal password.
+ * Fix deadlock condition in share mode locking code.
+ * Fix logic bug in unix_mask_match().
+ * Fix memory leak in SMB client code found by Mikhail Kshevetskiy.
+
+
+
+o Rashid N. Achilov <shelton@granch.ru>
+ * Add better service description names to the svcctl code.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 3262: Improve FreeBSD DOS attribute error reporting.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Remove another ancient NTLMSSP implementation.
+ * Allow machine account logons work if the client gives the
+ appropriate flags.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Add POSIX statvfs() to VFS api.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Eventlog and ServiceControl support.
+ * BUG 1051: store the directory path so we can send the full
+ name in the unlink call from smbclient.
+ * Use reference count strategy for keeping the registry tdb
+ open.
+ * Convert internal registry objects to new hierarchical talloc
+ * Allow the root user a free pass for access checks in the
+ registry and service control checks.
+ * Sanity checks in the privilege code to prevent empty SID
+ entries
+ * Add basic infrastructure for 'make test' when the socket
+ wrapper library is configured at compile time
+ * Convert profiles utility to use the current regfio interface
+ for reading and writing user profiles
+ * Remove netsamlogon_cache interface
+ * Ensure that print jobs are removed even when the cancel
+ command is received before the print cache has been updated
+ * Fix linking problem on Solaris when including ACL support.
+ * Give root a free pass to open the eventlog tdb files.
+ * Fix segfault in addprinter due to mixing talloc() and
+ malloc()'d memory.
+ * fix invalid read reported by valgrind in the spoolss
+ backchannel connection.
+ * Remove use of 'long long' in perfcounter registry code.
+ * BUG 3201: make sure request structure is cleared prior to
+ sending the request to winbindd.
+ * Don't count open pipes in the num_files_open on a connection
+ (regression from Samba 2.2).
+ * Ensure servername hashing code normalizes the name.
+ * Fix checks for connect() in -lnsl[_s].
+ * Convert eventlog API to use NTSTATUS return codes rather
+ than WERROR.
+ * Fix segv in winbindd caused by an uninitialized variable
+ in winbindd_dual_getsidaliases().
+ * Allow winbindd to select the appropriate backend methods
+ based on the DC attributes and not the security parameter.
+ * Re-add the netsamlogon_cache tdb and ensure that user entries
+ are updated from the PAC data during Kerberos ticket
+ validation.
+ * Fix lockup when running 'wbinfo -t' on a Samba PDC caused
+ by mangling machine names in sub_set_smb_name().
+ * Add smbget to the list of tools built by default.
+ * Fix clearing of eventlog tdb files.
+ * Fix sequential reads in eventlog support.
+ * BUG 2718: Don't use qpathinfo_basic() call when remote server
+ is Win9x.
+ * Fix build issues with the Sun compiler.
+ * BUG 3156: Don't use find_service() when explicitly looking
+ for a printer.
+ * Fix nss_winbind_solaris.c build breakage on HP-UX.
+ * Initialize the local group description.
+ * Disable WINS and NetLogon services in the MMC services
+ plugin when the associated smb.conf features are not enabled.
+ * Add checks for invalid characters in new share names on the
+ srvsvc pipe.
+ * Fix SWAT installation issues with 'make install'.
+ * Always add the BUILTIN\Administrators SID to a Domain
+ Admins token.
+
+
+o Alex Deiter <tiamat@komi.mts.ru>
+ * BUG 3196: Patch to compile against the Sun LDAP client libs.
+ (not for AD support; just ldap support).
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fixed compile problems and warnings with newer OpenLDAP
+ and OpenSSL libs
+ * Fix bug when enumerating trusted domains via 'wbinfo -m'
+ * Parse the MS Kerberos PAC to obtain the user group
+ membership during logon.
+ * Add support for SeRestorePrivilege to allow a process to
+ change the ownership of a file to any arbitrary account
+ * Fix password history storage when using Novell eDirectory for
+ ldapsam storage
+ * Backport Kerberos PAC parsing from Samba 4 branch in order to
+ correctly create the NT User Token when logging into a Samba
+ member server
+ * Add small helper function to return a PAC_LOGON_INFO.
+ * Use LDAP bitwise matching rule when searching for groups
+ in ADS.
+ * Avoid an infinite loop when retrying to connect in smbspool.
+ * Memory leak fixes in the Kerberos PAC parsing code.
+ * Improve NT_STATUS error messages returned from pam_winbind.
+ * Rename unknown samr group fields in samr structures with
+ the correct name.removed separate "builtin" search enumeration.
+ * Cleanup redundant StartTLS code.
+ * Allow StartTLS support when connecting to Windows 2003 by
+ setting 'ldap ssl = start_tls'.
+ * Support raw NTLMSSP session setups in smbspool.
+ * Add rpccli_samr_chgpasswd3().
+ * Add 'wbinfo --separator'.
+ * Uninitialized warnings fixes.
+ * Fix return value in client spooler code.
+ * Require forced migration of account policies.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Fix cifs to handle non-numeric uid and gid parameters.
+ * Merge trunk and SAMBA_3_0 mount.cifs code.
+ * Cleanup cifs cfs help message.
+
+
+o Paul Green <paulg@samba.org>
+ * Update to the latest config.guess and config.sub files.
+
+
+o Deryck Hodge <deryck@samba.org>
+ * Allow control of syslog facility and level in audit vfs modules.
+
+
+o S Murthy Kambhampaty <smk_va@yahoo.com>
+ * Patches for Fedora RPM specfile and init script
+
+
+o Krishna Ganugapati <krishnag@centeris.com>
+ * Use the subtree delete ldap control when running 'net ads
+ leave'.
+
+
+o Volker Lendecke <vl@samba.org>
+ * New oplock implementation.
+ * Add assert() call if winbindd cannot locate the domain SID in
+ secrets.tdb on startup
+ * Fix an annoying timeout in winbindd when nmbd is not running.
+ * Speed up loading smb.conf for large numbers of share
+ definitions by adding an internal hashing of names to snums.
+ Thanks to Michael Adam.
+ * Fix potential segv in rpcclient's lsarpc calls.
+ * Fix bugs in winbindd's use of rpccli_netlogon_getdcname().
+ * Fix alignment in getdc response.
+ * Allow pdbedit to set the domain for a user account.
+ * Fix fallback logic in rpc binds.
+ * Fix memleak in message handling code.
+ * Fix connection bug to port 445 and 139 after a successful
+ getdcname response.
+ * Add additional calls to initialize_krb5_error_table() for
+ Kerberos client code.
+ * Implement the possibility to have AFS users as SIDs in pts.
+ * Removed unused alternative_name code from winbindd.
+ * Protect against NULL alternative_name strings in winbindd.
+ * Define a default panic action with -DEVELOPER is defined.
+ * Add the capability to reset smbd connections on a zero VC id.
+ * Allow smb.conf variable expansion to be disabled in passdb
+ backends.
+ * Add lookupname to rpcclient query_user as a fallback.
+ * BUG 3292: Prevent smbclient from spinning when the server
+ disconnects.
+ * BUG 2191: Fix valgrind error in cli_session_setup_guest().
+ * Add samr_lookup_rids for the builtin domain.
+ * Memory allocation cleanups in passdb.
+ * Restrict samr_open_domain() to our domain only.
+ * Change local_lookup_sid() to local_lookup_rid() since it
+ is responsible for our domain only.
+ * Fix some uninitialized variable warnings.
+ * Fix winbind_lookup_name for the local domain,
+
+
+o Derrell Lipman <derrell@samba.org>
+ * Cleanup libmsrpc version numbers.
+ * BUG 3257, 3267, 3273: Plug memory and file descriptor leaks.
+ * Fix crash bug in libsmbclient.
+ * Add long share name support to libsmbclient when enumerating
+ shares.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Removed compiler various warnings.
+
+
+o Alex Masterov <alex@infobit.ru>
+ * BUG 3218: Fix XATTR calls on *BSD systems.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Speed up string_to_sid by removing next_token calls and
+ unneeded strncmp() calls.
+ * Implement user rename for smbpasswd and LDAP backends.
+ * BUG 2961 (partial): Add rename support for user accounts to tdbsam
+ * BUG 3187: Fix time zone offset in logon hours restrictions.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Fix setting of quotas on linux kernel with the struct
+ if_dqblk interface
+ * Enable sysquota interface on Linux by default
+ * Use lp_socket_address() when binding to port 138/udp in nmbd.
+
+
+o Brian Moran <bmoran@centeris.com>
+ * Eventlog and ServiceControl support.
+ * Added eventlogadm tool for writing Eventlog records.
+ * Fix typo when creating Eventlog source DLL registry paths.
+ * Add simple script to tail syslog and write records to
+ eventlog tdb.
+ * Fix segv in eventlogadm when not event logs are listed in
+ smb.conf.
+
+
+o Lars Müller <lmuelle@samba.org>
+ * Only install smbsh manpage if smbwrapper has been successfully
+ built.
+ * Ensure setmntent() returns with != NULL in the disk_quotas()
+ Linux version.
+ * Add configure switch to disable libmsrpc build.
+ * Add a soname to libmsrpc.
+
+
+o Ricky Nance <ricky.nance@gmail.com>
+ * Updates for the mklogon perl scripts.
+
+
+o Chris Nicholls <skel@samba.org>
+ * New libmsrpc library (Google SoC Project).
+ * Fix libmsrpc build of on the Sun compiler by removing empty
+ structure declarations.
+
+
+o James Peach <jpeach@sgi.com>
+ * Fix parsing error for smb ports parameter.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 3260: Fix DYNEXP flags on HPUX.
+
+
+o Marcin Porwit <mporwit@centeris.com>
+ * Eventlog and ServiceControl support.
+ * Added basic Performance Counter daemon which can feed data
+ for the Windows perfmon.exe tool.
+ * Fix directory permissions in the perfcounter daemon.
+ * Add the 'File' registry value for the eventlog keys.
+
+
+o Aruna Prabakar <aruna.prabakar@hp.com.
+ * Add checks to verify that the spooler is running on HP-UX when
+ reloading the printer name cache.
+
+
+o Joel Smith <joel.j.smith@novell.com>
+ * Add iPrint printing backend support.
+
+
+o Toomas Soome <Toomas.Soome@mls.ee>
+ * Implement host lookups in nss_winbind.so.1 on Solaris
+
+
+o Simo Sorce <idra@samba.org>
+ * Update Debian packaging.
+
+
+o John Terpstra <jht@samba.org>
+ * Add 'net idmap' usage help text.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Change license notice of standalone talloc library to LGPL.
+
+
+o Darren Tucker <dtucker@zip.com.au>
+ o Crash fix for snprintf() code.
+
+
+o Rainer Weikusat <rainer.weikusat@sncag.com>
+ * Fix function name typo in skeleton VFS code.
+
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.20b
+ Oct 12, 2005
+ ===============================
+
+Common bugs fixed in 3.0.20b include:
+
+ o A crash bug in winbindd
+ o Reporting files as read-only instead of returning the
+ correct error code of "access denied"
+ o File system quota support defects
+
+
+######################################################################
+Changes
+#######
+
+
+Changes since 3.0.20a
+---------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 3088: Fix error condition for files on a read-write share
+ which cannot be read due to permissions.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * BUG 3070: Fix crash bug in qfsinfo when retrieving fs quota
+ details.
+ * BUG 1473, 3090: Quota detection and compilation problems on
+ Solaris.
+
+
+o Marc Balmer <marc@msys.ch>
+ * Build fixes when builddir != srcdir
+
+
+o Alex Deiter <tiamat@komi.mts.ru>
+ * BUG 3145: Fix build issue regarding quota support on Solaris.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 3068: Fix for winbindd crashed by empty DC alternative
+ name.
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.20a
+ Sept 30, 2005
+ ===============================
+
+Common bugs fixed in 3.0.20a include:
+
+ o Stability problems with winbindd.
+ o Crash bugs caused by incompatibilities on 64-bit systems.
+ o Missing files from directory listings on AIX servers
+ o User Manager interoperability problems.
+ o Minor build difficulties on various platforms such as
+ Solaris and OpenBSD,
+
+
+Winbind, security = domain, and Active Directory
+================================================
+
+Recent security updates for Windows 2000 and Windows 2003 have
+changed the fashion in which user and group lists can be obtained
+from domain controllers. In short, the RPC mechanisms used by
+"security = domain" to retrieve users and groups is not compatible
+with these changes. The "security = ads" configuration is not
+affected by the Windows protocol changes.
+
+Samba developers are actively working to correct this problem in
+the 3.0.21 release. In the meantime, Administrators who are unable
+to migrate to "security = ads" and must continue using "security =
+domain", can define credentials to be used by winbindd for account
+enumeration by executing the following command as root.
+
+ wbinfo --set-auth-user='DOMAIN\username%password'
+
+
+
+######################################################################
+Changes
+#######
+
+
+Changes since 3.0.20
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 3065: Fix for legacy clients retrieving a listing of
+ an empty directory.
+ * Added external library for accessing Samba's share mode
+ database.
+ * Fix winbindd credentials chain which caused logon failures
+ after attempting to authenticate an unknown user.
+ * Fix recursive looping bug in winbindd.
+ * Fix build errors on 64-bit systems.
+ * Posix ACL memory leak and crash bug fixes.
+ * BUG 3044: Ensure OPEN-EXEC is honored as read-only.
+ * BUG 3060: Ensure SMBcreate truncates the file if it exists.
+ * Hide dot files and directory logic fixes.
+ * Correct display of open file modes by smbstatus.
+ * BUG 3010: Fix missing files bug on AIX systems.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Allow the root user to automatically pass se_access_checks()
+ in the registry and service control server code.
+ * Ensure that winbindd uses the correct name in the net_auth2()
+ request when running on a Samba PDC.
+ * Fix linking problem with tdb utilities.
+ * BUG 3080: Fix regression in 'net rpc shutdown' command.
+ * Fix segv in 'net rpc' when the pipe open fails.
+ * Fix upload bug when installing 64-bit Windows printer drivers.
+ * Fix regression in the smburi syntax used by smbspool.
+ * Fix sorting of subkey hash records in registry files.
+ * Correct REG_CREATE_KEY_EX parsing error.
+ * Interoperability issues with usrmgr.exe and Samba groups.
+ * Use the display names and not the Unix names when enumerating
+ groups in the ldapsam passdb backend.
+ * Ensure that Windows domain user names are converted to lower case.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Prevent BUILTIN sids returned in the user's token from
+ a Windows DC from being applied to any local group mappings
+ on the Samba host.
+ * Plug memory leaks in the Kerberos keytab code.
+ * Ensure BUILTIN groups are returned from winbindd's idmap_rid
+ backend when 'winbind nested groups' is enabled.
+ * Fix crash bug in winbindd caused by 64-bit build issues.
+ * Improve debug messages in smbspool.
+ * Give better error-message when "NDS Universal Password" change fails.
+ * Fix password history error in the eDirectory schema file.
+ * Ensure that Windows domain group names are converted to lower case.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Allow disabling mandatory byte range lock mount flag, and fix
+ corresponding entry in mtab.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix race condition in the NTcreate&X open code when the
+ disposition is NTCREATEX_DISP_CREATE.
+ * Correct logic error when checking the pid for pending print
+ change notify messages.
+ * Ensure that winbindd child process complete startup even when
+ the parent is receiving authentication requests.
+ * Return the full NTSTATUS code to ntlm_auth and pam_winbindd
+ when authentication fails.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Compile warning fixes.
+
+
+o Uli Meis <a.sporto@gmail.com>
+ * Patches for pdb_*sql.c
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * Autoconf syntax fixes.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct problem with creating a core file in Linux.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Quota fixes in smbd.
+
+
+o Peter Rindfuss <rindfuss@wz-berlin.de>
+ * Patches for pdb_*sql.c
+
+
+o Jiri Sasek <Jiri.Sasek@Sun.COM>
+ * Solaris toolchain patches for autoconf scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix for tdb clear-if-first race condition.
+
+
+o Leo Weppelman <leo@wau.mis.ah.nl>
+ * BUG 3104: Don't allow time updates to files on read-only shares.
+
+
+o Steve Williams <steve@celineandsteve.com>
+ * BUG 3052: Fix compile issues on OpenBSD.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.20
+ Aug 19, 2005
+ ==============================
+
+Additional features introduced in Samba 3.0.20 include:
+
+ o Support for several new Win32 rpc pipes.
+ o Improved support for OS/2 clients.
+ o New 'net rpc service' tool for managing Win32 services.
+ o Capability to set the owner on new files and directory
+ based on the parent's ownership.
+ o Experimental, asynchronous IO file serving support.
+ o Completed Support for Microsoft Print Migrator.
+ o New Winbind IDmap plugin (ad) for retrieving uid and gid
+ from AD servers which maintain the SFU user and group
+ attributes.
+ o Rewritten support for POSIX pathnames when utilizing
+ the Linux CIFS fs client.
+ o New asynchronous winbindd.
+ o Support for Microsoft Print Migrator.
+ o New Windows NT registry file I/O library.
+ o New user right (SeTakeOwnershipPrivilege) added.
+ o New "net share migrate" options.
+
+
+What happened to 3.0.15 - 3.0.19?
+==================================
+
+After some discussion it was deemed that the amount of changes
+going into the next Samba 3.0 release needed something to catch
+people's attention. Skipping several releases was chosen as
+the best solution with the least overhead. There will be no
+3.0.15 - 3.0.19 ever released. The next production release
+following 3.0.20 should be 3.0.21.
+
+The original announcement about the version number change can
+be found in the samba mailing list archives:
+
+http://marc.theaimsgroup.com/?l=samba&m=111721010206997&w=2
+
+
+Asynchronous Winbind Implementation
+===================================
+
+Winbindd has been completely rewritten in this release to support
+an almost completely non-blocking, asynchronous request/reply
+model. This means that winbindd will scale much better in
+large domain environments and on high latency networks. Neither
+the client interface nor the command line tools (i.e. wbinfo) have
+changed in their calling conventions or syntax. However, due to
+internal structure changes, it is required (more so than normal)
+that you install the nss_winbind.so library included in this release.
+
+
+Support for Microsoft Print Migrator
+====================================
+
+Samba 3.0.20 includes full support for migrating printers from
+Windows servers or other Samba servers via the Microsoft Print
+Migrator tool. Restoring printers requires a working "add printer
+command" defined in smb.conf. Current support also allows
+administrators to create a master list of printer drivers which
+can be restored in bulk on new (or existing) Samba installations.
+
+
+Asynchronous IO Support
+=======================
+
+Experimental support for async IO has been added to smbd for
+certain platforms. To enable this new feature, Samba must be
+compiled to include the --with-aio-support configure option.
+In addition, the "aio read size" and "aio write size" to non-zero
+values. See the smb.conf(5) man page for more details on these
+settings.
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ acl check permissions New
+ acl group control New
+ acl map full control New
+ aio read size New
+ aio write size New
+ enable asu support New
+ inherit owner New
+ ldap filter Removed
+ map to guest Modified (new value added)
+ max stat cache size New
+ min password length Removed
+ printer admin Deprecated
+ username map script New
+ winbind enable local accounts Removed
+ winbindd nss info New
+
+
+Changes since 3.0.14a
+---------------------
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 2533: Fix incorrect directory listings for OS/2 clients.
+ * Ensure the old SMB search calls always ask mask_match() to
+ translate patterns like ????????.???.
+ * Split out the check_path_syntax() into a findfirst, findnext,
+ & wildcard versions.
+ * Fix checks for matching groups in an file ACL against the
+ user's primary and supplementary group list.
+ * BUG 2541: Ensure we recognize LANMAN2.1 as OS/2 and select
+ LANMAN2 protocol, ensure the EA size is always correctly
+ set on a query for a file with no EA's.
+ * BUG 2551: Look at the incoming flags2 flag
+ FLAGS2_LONG_PATH_COMPONENTS determines if a reply is
+ uppercased on a SMBsearch request, not the protocol level.
+ * Added "volume" command to smbclient that prints out the
+ volume name and serial number.
+ * Added "fix for broken SMB_INFO_VOLUME level used by OS/2.
+ * Add support for OS/2 Extended Attributes.
+ * Correctly check OpenX open modes.
+ * Ensure allocation size is correctly returned for OpenX.
+ * Only set allocation on create/truncate for nttrans.
+ * Fix oplock bug in trans2open() code.
+ * Remove unix_ERR_XXX global nastiness.
+ * Only do the strange DOS error for openX, not trans2open.
+ * Ensure SMBopen replies includes the share modes as well as
+ open modes.
+ * BUG 2581: Add size limit (in kb) to stat cache.
+ * Fix bug in the trans2 secondary processing.
+ * BUG 2601: Enforce DOS_OPEN_EXEC to mean read-only.
+ * Add an SMB counter per connection struct for gathering
+ profiling data.
+ * BUG 2605: Ensure smbclient doesn't perform commands if
+ the "chdir" fails in a scripted set.
+ * Ensure a 'forced group' is added to the list of effective
+ gids when processing ACLs.
+ * Refactor rpc_bind structures for better future work.
+ * BUG 2942: Add missing value in debug message.
+ * BUG 2946: Fix regressions in str[n]cmp_w) functions found
+ by 'mangling method = hash'.
+ * Fix memory leaks in the msdfs trans2 server code.
+ * Convert msdfs server to be talloc'd based.
+ * Fix up stackable vfs interface.
+ * Fix rpc fault when encountering an unknown rpc_bind auth
+ type.
+ * BUG 2954: More AIX 5.1 AIO compile fixes.
+ * Fix valgrind bug in interaction with new aio buffer (found
+ by Volker).
+ * BUG 2878: Fix Norton commander not running on OS/2 clients.
+ * Cleanup SAMR user info structure naming.
+ * BUG 2889: Fix directly listings from OS/2 clients.
+ * Added "acl group control" parameter.
+ * Add debug warning if AddPrinterEx() is called without having
+ an 'add printer command' defined.
+ * Add better log messages when modifying ldap entries.
+ * BUG 2829: Fix strXX_w() functions on non-x86 platforms when
+ when string is unaligned.
+ * BUG 2918: Fix SMB chaining by ensuring that deferred open
+ message buffer is nor reused.
+ * Add support for client setting capabilities to select posix
+ pathnames on the wire.
+ * Stop using C++ reserved words so that Samba can be compiled
+ using g++. Also allows VFS modules in C++.
+ * More fixes to allow better large directory scaling.
+ * BUG 2827: Ensure we call the vfs connection hook before
+ doing a vfs stat. Allows database vfs backends to initialize
+ with a working connection.
+ * BUG 2826: Ensure the correct return value for symlink and
+ readlink in the VFS.
+ * Merge handling of ASN.1 objects bigger than 64k from Samba 4.
+ * Added AIO support to smbd.
+ * Add "acl map full control", true by default, to allow people
+ to change mapping of rwx to full control or not.
+ * Transition smbd to use NTcreate&X for internal file opens.
+ * Add checks against the current effective group id (e.g. force
+ user) when testing write permissions one ACLs.
+ * Fix FindFirst/FindNext server code when parsing directories
+ on old IRIX XFS file systems (thanks to Cale Fairchild
+ for the debugging help).
+ * BUG 2644: Test for special files to be ignored was reversed.
+ * Ensure yield_connection() is called on all appropriate error
+ conditions.
+ * Fix EDEADLCK problem with deferred open calls.
+ * BUG 2622: Remove DPTR_MASK as it makes no sense.
+ * Fix the write cache based on some VERY good detective work
+ from Ingo Kilian.
+ * BUG 2346: Fix read-only excel file bugs.
+ * Don't wrap the setfsinfo call in HAVE_QUOTA as they'll just
+ return ENOSYS if not implemented.
+ * Add new CAP for POSIX pathnames.
+ * BUG 2703: Add NULL guard for disp_fields[0].
+ * BUG 2681: With "strict allocate = yes" we now zero fill when
+ a file is extended. Should catch disk full errors on write
+ from MS-Office.
+ * Add "acl check permissions" to turn on/off the new
+ behavior of checking for write access in a directory
+ before delete.
+ * Refactor printing interface to take offset into job.
+ * Allow mapping of POSIX ACLs to NT perms to differentiate
+ between directories and files.
+ * Added encrypt/decrypt function for LSA secrets and trusted
+ domain passwords on the wire.
+ * BUG 2729: Resume keys are *mandatory* for a search when
+ listing a W2K and above server from a FATxx filesystem only.
+ * BUG 2735: Ensure that smbd mangles control characters in file
+ and directory names.
+ * Refactor small pieces of socket handling code (in conjunction
+ with Derrell).
+ * BUG 2698: Fix infinite listing loop in smbclient caused by
+ an invalid character set conversion.
+ * Add client code that will abort a directory listing if we
+ see the same name twice between packets.
+ * Performance improvements in trans2 qfilepathinfo code by
+ removing unnecessary memset() calls.
+ * Rewrite the RPC bind parsing functions to follow the
+ spec; fixes bug with 64-bit Windows XP and OS X 10.4.
+ * BUG 2774: Set sparse flag if needed when returning
+ file attributes.
+ * Fix errors listing directories from Windows NT clients
+ which caused "." and ".." to show up in explorer.exe.
+ * Merge of error code fixes from SAMBA_4_0 branch.
+ * BUG 2801: Fix regression in the "delete veto files" option.
+ * Fix based on work from Shlomi Yaakobovich to catch loops
+ in corrupted tdb files.
+ * Allow someone with SeTakeOwnershipPrivilege to chown the
+ user of a file to herself.
+ * Fix minor compiler warnings in printing/printing.c.
+ * Merge new DOS error code from SAMBA_4.
+ * Fix issue when non-English characters in filenames and
+ directories.
+ * Fix bogus error message in smbstatus about unknown share modes.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Support raw NTLMSSP authentication for Windows Vista
+ clients.
+ * Fix parallel NTLMSSP processing by removing global state.
+ * BUG 2684: Add per service hosts allow/deny checks for
+ printers when connecting via MS-RPC.
+ * BUG 2391: Fix segv caused by free a static pointer returned
+ from getpwnam().
+ * Support Kerberos authentication in smbd when using a keytab
+ and participating in a non-Microsoft Kerberos realm.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 2546: Add support for FreeBSD EA API
+ * Fix detection of FreeBSD 7.x platforms in autoconf checks.
+ * BUG 2908: Fix string length logic error in msdfs code.
+ * BUG 2909: Fix typo that caused smbd to call the wrong
+ aio_fsync function.
+
+
+o Ed Boraas <ed.boraas@concordia.ab.ca>.
+ * Added Linux per-socket TCP settings.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Added support for \svcctl pipe rpcs.
+ * Added 'net rpc service' subcommand for managing Win32
+ services.
+ * Refactoring work on the rpc [un]marshalling layer and
+ structures.
+ * Verify privilege name in 'net rpc rights privileges' in
+ order to provide better error messages.
+ * Cleanup rpc structures in rpc_spoolss.h.
+ * Cleanups and fixes for the \winreg server code.
+ * Cleanup of rpc structures used by LsaEnumerateTrustedDomains.
+ * Fix bugs in client spoolss code after refactoring work.
+ * Fix Valgrind warnings of invalid reads in the spoolss
+ server code.
+ * Fixed a segv when enumerating services on a Samba host.
+ * Fix segv in the service control server code.
+ * Fix crashes in client spoolss calls caused by not checking
+ for a valid pointer from the caller.
+ * Fix regression in DeleteDriver() server routines.
+ * Fix dup_a_regval() when size is 0.
+ * Fix usrmgr.exe crash when viewing user properties at
+ debuglevel 10.
+ * Do not enumerate any privileges when 'enable privileges = no'
+ and log a message if a client tries.
+ * BUG 2872: Fix cut-n-paste error when checking pointer value
+ in ntlmssp_set_workstation().
+ * Fix upgrade path from earlier nt*tdb files.
+ * Removed print handle object cache.
+ * BUG 2853: Don't strip out characters like '$' from printer
+ names when substituting for the lpq command.
+ * BUG 2557: Gracefully fail on unsupported SetPrinter() levels.
+ * Fix build issues on x86_64-linux systems caused by valgrind
+ headers. Thanks to Bent Vangli to the suggestions.
+ * Refactor spoolss client calls.
+ * Adding 'username map script'.
+ * Disable schannel on the LSA and SAMR pipes in winbindd client
+ code to deal with Windows 2003 SP1 and Windows 2000 SP4 SR1.
+ * Cleanup of winreg API functions.
+ * Add server stubs for RegSetKeySec() and RegGetKeySec().
+ * Map generic bits to specific bits in reg_open_entry()
+ requests.
+ * Add write support to registry tdb and printing backends.
+ * Use tdb lookups rather than hard-coding certain registry
+ value names and data.
+ * BUG 2808: don't try to install man pages if they are not
+ present.
+ * Fix initialized variables reported by valgrind.
+ * Normalize key lookups in ntprinters.tdb.
+ * Mark "enumports command" as deprecated.
+ * Add missing class file for python share command example.
+ * Fix smbclient build issue on Solaris.
+ * BUG 2626: ensure that the calling_name is set to something
+ after parsing smb.conf (if not set via -n).
+ * Use "add machine script" when creating a user (ACB_NORMAL)
+ who has a name ending in '$' (e.g. usrmgr.exe creating
+ domain trust accounts).
+ * Add 'rid' synonym for idmap_rid IDMap module.
+ * Ensure that we set full access on the handle returned
+ from _samr_create_dom_{alias,group}() so that future
+ set_{alias,group}() commands succeed.
+ * Fix bug when looking for internal domains in winbindd
+ (caused winbindd_getgrgid() for local groups to fail).
+ * Fix query and set alias info calls (level 1 from the MMC
+ manage computer plug-in.
+ * Remove bogus log messages about unknown specversions.
+ * BUG 2680: copy files from an MS-DFS win2k root share
+ * BUG 2688: re-implement support for the -P (--port) option
+ * Support connecting to an 'msdfs proxy' share on a Samba
+ server.
+ * Strip the directory path from cups command line printing
+ defaults.
+ * Fix bug that prevented smbclient from creating directories
+ on non-dfs paths.
+ * Deprecate the "printer admin" parameter in favor of the
+ SePrintOperatorPrivilege.
+ * Add the capability to read and write WinNT regf registry
+ files.
+ * Implement access checks for RegOpenXXX() server calls.
+ * Extend registry client rpc calls.
+ * Add "net rpc registry" set of commands.
+ * Remove testprns tool.
+ * Ensure that printer ACLs use the specific bits as well as
+ the generic bits. Upgrade existing ntprinters.tdb SECDESC
+ records.
+ * Add server support for RegSaveKey() for dumping registry
+ trees to a regf file.
+ * Add "enable asu support" smb.conf parameter.
+ * Merge various small file changes from trunk.
+ * Remove "winbind enable local accounts" support.
+ * Remove "ldap filter" smb.conf option.
+ * Remove editreg utility (needs to be rewritten using regfio.c).
+ * Fix build failure when running 'make torture' without first
+ running 'make all' first.
+ * BUG 1261: Remove unusable libbiconv from iconv detection
+ in configure.
+ * Add new option for "map to guest". "Bad Uid" re-enables the
+ Samba 2.2 behavior of mapping authenticated users to the
+ guest account if there does not exist a valid Unix account
+ for the Windows domain user (based on patch from
+ aruna.prabakar@hp.com).
+ * Fix a couple of regressions after introduction of new winbindd.
+ * Fix smbpasswd user password change (still worked by bad error
+ messages) due to trying to strdup a NULL pointer.
+ * Implement default security descriptors for the
+ OpenService[Manager]() calls and check requested access mask
+ at connect time.
+ * Include access checks on handle mask for \svcctl operations
+ such as ControlService() and StartService().
+ * Implement simulated start and stop service control for
+ the spooler service as a per smbd service state value.
+ * Add interface structure for controlling service via rc.init
+ scripts (incomplete).
+ * Convert move_driver_to_download_area() to use copy_file()
+ rather than moving the files.
+ * Add version number to registry.tdb file since it can be
+ modified now.
+ * Remove over-paranoid assert() call when checking spoolss
+ buffer pointers
+ * Fix error in EnumPrinterData() reported by valgrind.
+ * Fix broken help links in SWAT editor caused by new doc layout.
+ * Ensure that a domain structure in winbind is initialized prior
+ to assigning the methods for communicating to a DC.
+ * BUG 3000: Remove background updates of winbind cache and allow
+ child processes to immediately update and expired cache entry.
+
+
+o David.Collier-Brown <David.Collier-Brown@sun.com>
+ * Added panic action script for Solaris.
+
+
+o Jeremy Cooper <jeremy@ncircle.com>
+ * Added support for several new \winreg client rpcs.
+
+
+o <core@road-star.jp>
+ * BUG 2792: Ensure the shadow copy module hooks seekdir,
+ telldir, rewinddir to match updated large directory code.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Close handles on group creation in rpcclient to better
+ support mass group account creation.
+ * Fix account policy key lookup for minimum and maximum
+ password lengths.
+ * Fix some compiler warnings and add missing exclude-block
+ in 'net rpc share migrate'.
+ * Allow use of a non-default smb.conf by rpcclient.
+ * Fix querydispinfo search semantics in rpcclient test code.
+ * Fix querydispinfo server semantics to allow to list more
+ then 511 users.
+ * Fix server crash bug in ancient OpenPrinter() call.
+ * Fix a crash bug when enumerating privileges via the LSA
+ calls.
+ * Fix crash in EnumPrinterKey() client calls caused by previous
+ refactoring work.
+ * Various compiler warning fixes.
+ * Fix segfault in the client AddPrinterEx-call of 'net
+ rpc printer'.
+ * Fix build issues when --with-aio-support is enabled.
+ * BUG 2502: Removed the deprecated 'min passwd length parameter'.
+ * Honour the CC environment variable in python build.
+ * Fix searches in pdb_ldap for inter-domain trust accounts.
+ * Don't expand the %L in %LOGONSERVER% from user attributes.
+ * Fix bug in 'net rpc vampire' that caused accounts to be created
+ with no assigned ACB flags.
+ * Fix enumeration of builtin-aliases.
+ * Avoid unset rids for builtin-aliases.
+ * Add 'recycle:touch_mtime = true' vfs option for the recycle bin.
+ * More "net rpc share migrate" fixes.
+ * Merge PADL's idmap_ad plugin (taken from the latest
+ xad_oss_plugins-tarball).
+ * Add support for "idmap backend = ad" when "security = ads".
+ * Add home directory and shell support from AD via "winbindd nss
+ support = sfu" and "security = ads".
+ * Provide better feedback when we fail share-manipulation
+ due to missing scripts.
+ * Correctly substitute "\" as default winbind separator in
+ generate_parm_table.py example share command script.
+ * Document pam_winbind.c to clarify the working status of
+ require-membership-of option.
+ * Added client-support for various lsa_query_trust_dom_info()
+ calls and a rpcclient-tester for some info-levels.
+ * Add "net rpc trustdom vampire" tool (in conjunction with
+ Lars Mueller).
+ * Add missing cli_srvsvc_net_share_set_info-function and
+ rpcclient-testers (in preparation for net share acl migration).
+ * Print trusted domain passwords returned via rpcclient in
+ display charset.
+ * Error code fixes when attempting to manipulating
+ non-existent shares.
+ * Cleanup "net share migrate" code.
+ * Allow to touch mtime in vfs-recycle with "recycle:touch_mtime
+ = true".
+ * Allow admins to uncheck the "User must change Password at
+ next Logon" checkbox in User manager (merge from trunk).
+
+
+o Renaud Duhaut <rd@duhaut.com>
+ * BUG 1040: Add directory_mode parameter when creating recycle
+ directories.
+
+
+o Steven Edwards <steven_ed4153@yahoo.com>.
+ * Use chsize() if we don't have ftruncate().
+
+
+o Rodrigo Fernandez-Vizarra <Rodrigo.Fernandez-Vizarra@Sun.COM>
+ * BUG 1780: Add Kerberos (file based ticket cache) support
+ to smbspool.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update list of mount options for mount.cifs.
+ * Add more defines for POSIX extensions to match the newly
+ added client implementation.
+ * Add initial support for cifs umount utility.
+ * Fix cifs mounts to handle commas embedded in prompted
+ password, and password and credential files.
+ * Fix cifs mounts to handle domain name and user name in
+ username field (in form domain\user).
+ * Add missing error code mappings when a client unsuccessfully
+ tries to create a hard-link.
+ * Add support so umount.cifs can update mtab.
+ * Add two newer mount options to syntax help for mount.cifs.
+ * Add missing remount flag handling.
+ * Allow domain= to be specified in credentials file.
+ * Fix umount.cifs help, allow root to unmount someone else's
+ mount.
+ * Lock mtab when updating it during umount.cifs, also delete
+ only one matching entry at a time.
+ * Fix minor compiler warnings in the mount.cifs helper.
+
+
+o Deryck Hodge <deryck@samba.org>
+ * BUG 2137: Encode quotes for display in HTML (original patch
+ from Jay Fenlason).
+
+
+o Olaf Imig <Olaf.Imig@bifab.de>
+ * BUG 1998: Correct byte ordering bug when storing 16-bit RAP
+ print job ids.
+ * BUG 2653: Fix segv in rpcclient OpenPrinterEx() call.
+
+
+o Björn Jacke <bj@sernet.de>
+ * Added ioctl constants reported by msbackup.exe and filemon.exe.
+
+
+o Kevin Jamieson <bugzilla@kevinjamieson.com>
+ * BUG 2819: Fix typo when checking for ".." in smbd's statcache.
+
+
+o John Janosik <jpjanosi@us.ibm.com>
+ * BUG 2077: Correctly fill in the correct server name when
+ processing trusted domain logins.
+ * BUG 2976: Mark logons for unknown domains with a
+ non-authoritative response.
+
+
+o William Jojo <jojowil@hvcc.edu>
+ * AIX AIO fixes.
+
+
+o Guenter Kukkukk <guenter.kukkukk@kukkukk.com>
+ * BUG 2541: Fix copying of file(s) from samba share to an OS/2
+ local drive.
+
+
+o Tom Lackemann <cessnatomny@yahoo.com>
+ * BUG 2242: Patch to ensure that we only set the security
+ descriptor on an NTtransact create if we created the file.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Port some of the non-critical changes from HEAD to 3_0.
+ The main one is the change in pdb_enum_alias_memberships
+ to match samr.idl a bit closer.
+ * Close handles on user creation in rpcclient to better
+ support mass user account creation.
+ * Implement client RAP calls for enumusers/enumgroups level 0.
+ * Implement a new caching API for enumerating the pdb elements.
+ * Convert the RAP user and group enumeration functions to the
+ utilized the pdb_search API.
+ * BUG 2438: Partial fix for 'net rpc trustdom establish' in
+ RestrictAnonymous environments.
+ * Internal passdb API changes for better search capabilities
+ (based on original work by Guenther Deschner).
+ * Fix various compiler warnings.
+ * Add chain length statistics to tdbtool.
+ * Fix set afs ACL calls on files and directories in the root of
+ a share.
+ * Refactoring work on internal open code
+ * Correctly initialize the version in a new set of nt*tdb files.
+ * Remove smb_run_idle_events() from main process loop in smbd
+ and instead rely upon the timeout processing to handle
+ dropping idle LDAP connections.
+ * Fix the bug where users show up as trusting domains.
+ * Fix an assertion failure in winbindd.
+ * Fix a memleak in vfs_afsacl.
+ * Various compiler warning fixes.
+ * Fix compile when --enable-socket-wrapper is defined.
+ * Fixes for top level acls in vfs_acl.c.
+ * Refactor passdb interface functions.
+ * Compile fixes when '#define PARANOID_MALLOC_CHECKER 1'.
+ * Correct 2 segv's in "net rpc printer migrate".
+ * Return correct group type from smbd for BUILTIN groups.
+ * Backport the talloc() layer from Samba 4.
+ * BUG 2701: Fix segv in ldap reconnection code.
+ * BUG 2705: Fix segv when connecting from usrmgr.exe.
+ * Use the SID in the user token for the %s expansion in 'afs
+ username map'.
+ * Memory leak fixes in passdb code.
+ * BUG 2720: Fixes for "net usersidlist".
+ * BUG 2725: Fix segv in "net ads user".
+ * Only allow schannel connections if a successful Auth2
+ has been previously performed.
+ * Don't look at gencache.tdb for the trusted domains if
+ winbind is present.
+ * Rewrite winbindd using an asynchronous process model.
+
+
+o Herb Lewis <herb@samba.org>
+ * Compiler warning cleanups.
+ * smbwrapper Makefile and compile time check cleanups.
+ * Adding robustness checks for tdbdump and tdbtool.
+ * Extend tdb command line parsing to arbitrary hex characters.
+ * Add LOCKING debug class.
+ * Fix more compiler warnings.
+
+
+o Derrell Lipman <derrell@samba.org>
+ * add support for opening a file for write with O_APPEND
+ in libsmbclient.
+ * Added smbsh/smbwrapper for Linux to example/libsmbclient
+ tree.
+ * Fix smbc_stat() from returning incorrect timestamps IFF
+ it used cli_qpathinfo2() to retrieve the timestamps (Win2k)
+ and not if it used cli-getatr() to retrieve the timestamps
+ (Win98).
+ * Fix handful of compiler warnings.
+ * BUG 2498, 2484: smbc_getxattr() fixes.
+ * BUG 1133: Added provision for overloading some global
+ configuration options via the new, per-user file
+ ~/.smb/smb.conf.append.
+ * BUG 2543: Properly cache anonymous username when reverting
+ to anonymous login, in libsmbclient.
+ * BUG 2505: Fix large file support in libsmbclient.
+ * BUG 2564: Ensure correct errno when smbc_opendir() was called
+ with a file rather than a directory.
+ * Correct deprecated lvalue casts in testsuite/libsmbclient.
+ * BUG 2663. cli_getattrE() and cli_setattrE() were not
+ formatting or parsing the timestamp values correctly.
+ * Correctly detect AF_LOCAL support in configure.
+ * Fix problem updating file times on Windows 98 hosts using
+ libsmbclient.
+ * Fix compile breakage on Solaris by eliminating the use of
+ ctime_r() in libsmbclient DEBUG statement.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 2483, 2468. 2469, 2478, 2093: Compiler warning fixes.
+ * Various compiler warning fixes about mistyped variables.
+ * BUG 2882, 2885, 2890, 2891, 2900: Various compiler warning fixes
+ and code cleanups.
+ * BUG 2527, 2538: Removed unused variables.
+
+
+o Marcel <samba.10.maazl@spamgourmet.com>
+ * Fix regression in OS/2 trans2 open code.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fixes for samr_lookup_rids() when using ldapsam:trusted=yes
+ (in conjunction with Volker).
+ * BUG 2953: Prevent the credentials chain on DC gets out
+ of sync with client when NT_STATUS_NO_USER is returned.
+ * Added subcommands to "net rpc vampire" (mostly done by Don
+ Watson <dwatson@us.ibm.com>) to allow data to be put into an
+ ldif file instead of actually writing to the passdb.
+ * BUG 2736: Add retries to workaround winbind race condition
+ with detecting idle clients.
+ * BUG 2953: Additional fixes for domain trusts. Also clears
+ up the "bad stub" error when attempting to logon to a Samba
+ domain with a bad username.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * Compiler warning fixes.
+
+
+o Kalim Moghul <kalim@samba.org>
+ * Removed unused printmode command from smbclient.
+
+
+o Lars Müller <lmuelle@samba.org>
+ * Re-enable the VERSION_REVISION option in case of another
+ letter release.
+ * Fix spoolss python bindings after C++ compiler changes and
+ other python fixes.
+ * BUG 2659: Don't trump on memory in smbtorture.
+ * BUG 2060: Add -fPIC which is the case for all other Samba
+ shared libs.
+ * Fix argv parsing in "net rpc".
+ * Add support to create position independent executable (PIE)
+ code if the compiler supports it.
+ * BUG 2767: Add new options to testparm (--show-all-parameters,
+ --parameter-name, and --section-name).
+ * Fix net share migrate files to also migrate the ACLs of
+ the top level dir of a share.
+
+
+o Marcel Muller <mueller@maazl.de>
+ * Patch to fix the OS/2 EA_FROM_LIST info level call.
+ * Mangled names fix for OS/2 clients.
+ * Ensure we correctly set the return packet size to include the
+ pad bytes in reply_readbmpx().
+ * Fix for bug in SMBwriteBraw that incorrectly returned the
+ number of bytes written.
+
+
+o Ricky Nance <ricky.nance@gmail.com>
+ * Implemented mklogon script generator for domain logon scripts.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 1843: Fix quotas (with no soft limits) on IRIX.
+ * BUG 2285: Patch for hires timestamps and efficient notify code.
+ * MS-DFS tidyup patches.
+ * Build fixes on IRIX.
+ * IRIX compiler warning fixes.
+ * BUG 2596: Fix become_root link issues and one IRIX stack
+ backtrace bug.
+ * Fix for null pointer ACL free.
+ * BUG 2314: Fix const compiler warnings in the quota code.
+
+
+o Ed Plese <ed@edplese.com>
+ * Fix faulty logic which caused winbindd to return failure
+ when a user possessed no supplementary groups.
+
+
+o Marcin Porwit <mporwit@centeris.com>
+ * Initial support for the \eventlog pipe.
+ * Fix a memleak in the eventlog code.
+ * Miscellaneous fixes for Samba's experimental event log support.
+ * Add ServiceQueryConfig2() and ServiceQueryStatusEx() server
+ calls.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 2940, 2943: Fixed various compiler warnings regarding
+ mismatched types and unused variables.
+ * BUG 1888, 1894: Fix warnings when time_t is an unsigned type.
+ * BUG 2733: Fix incorrect SHLIBEXT is set when running
+ configure script on HPUX IA.
+ * Remove unused autoconf #define's.
+ * BUG 2893: Fix inverted assignment in 'net rpc printer' code.
+ * Removed unused function declarations in tdb.h.
+ * BUG 2895: Don't wrap non-existent functions in the python
+ tdb bindings.
+ * BUG 2623, 2630: $< and $* are not valid in explicit rules
+ according to POSIX.
+ * BUG 2560: Fix compile error lurking where PATH_MAX is not
+ defined.
+ * BUG 2625: Remove configure check for FTRUNCATE_NEEDS_ROOT.
+ * BUG 2611: Add fflush(stdout) after displaying username prompt
+ in smbsh if username not specified on command line.
+ * BUG 2699: Fix for segfault in samba.winbind.auth_crap module
+ * BUG 2808: Update install swat message to reflect the fact
+ that swat/README no longer exists.
+
+
+o Denis Sbragion <d.sbragion@infotecna.it>
+ * BUG 2196: Allow absolute path (system wide) recycle bin.
+
+
+o Fernando Schapachnik <fernando@mecon.gov.ar>
+ * Add logon hours support for the Postgres backend.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix bug in profiles tool caused by use of MAP_PRIVATE.
+
+o Joerg Sonnenberger <joerg@leaf.dragonflybsd.org>
+ * BUG 2362: Quota support fix for DragonFly.
+ * Fix dragonfly detection in configure.
+
+
+o Simo Sorce <idra@samba.org>
+ * Allow Domain Admins to force user sessions to close via the
+ Windows Server Manager.
+ * Add support to 'net rpc right privileges <name>' to enumerate
+ accounts which possess a specific privilege.
+ * Fix memory issues issues in vfstest (reported by Rainer Link).
+ * Randomize reloading as to not overload cupsd.
+
+
+o Smitty <smitty@plainjoe.org>
+ * Compile fixes for smbget when using --enable-developer.
+ * Include LUID values to match Windows privileges since
+ apparently this matters to printmig.exe
+
+
+o John Terpstra <jht@samba.org>
+ * Solaris packaging fixes.
+ * Clean up usage help text in "net rpc user"
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Merge socket wrapper library fixes from Samba 4.
+
+
+o Brett Trotter <blt@iastate.edu>
+ * Fix definition of global_sid_* in vfs_acl.c.
+
+
+o Mark Weaver <mark-clist@npsl.co.uk>
+ * Patch to fix sys_select so it can't drop signals if another
+ fd is ready to read.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Remove --with-manpage-languages configure option.
+ * Merge socket wrapper fixes for IRIX systems from the
+ Samba 4 branch.
+ * Add socket_wrapper library to 3.0. Can be enabled by passing
+ --enable-socket-wrapper to configure.
+ * Fix build of the various sql pdb backends after new talloc.
+
+
+o Qiao Yang <qyang@stbernard.com>
+ * Use our own DC when getting the SID for a domain.
+
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.14a
+ Apr 14, 2005
+ ===============================
+
+Common bugs fixed in 3.0.14a include:
+
+ o Compatibility issues between Winbind and Windows 2003 SP1
+ domain controllers (*2k3sp1*).
+ o MS-DFS errors with Windows XP SP2 clients.
+ o High CPU loads caused by infinite loops in the FindNext()
+ server code.
+ o Invalid SMB_ASSERT() which caused smbd to panic on ACL'd
+ files.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.14
+--------------------
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fixed invalid SMB_ASSERT() triggered by checking access on
+ ACL'd files.
+
+
+Changes since 3.0.13
+--------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ dos filetimes Enabled by default
+
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Prevent nt_status code support when negotiating protocols
+ earlier than NT1.
+ * BUG 2533: Remove the UNICODE flags2 bit from SMBsearch calls
+ as this SMB is DOS codepage only.
+ * BUG 2585: Fix printf() issues in smbpasswd which caused
+ seg faults.
+ * BUG 2563: Fix infinite loop on non-existent file with
+ FindNext().
+ * BUG 2581 (partial): Ensure if realloc fails on an internal
+ tdb we fail gracefully.
+ * Ensure that 'dos filetimes' works with ACLs.
+ * Set 'dos filetimes = yes' as the default for smb.conf.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Workaround autoconf issue to prevent debug symbols from
+ being included in the default build.
+ * Disable schannel on the \lsarpc pipe in order to successfully
+ enumerate users and groups (*2k3sp1*)
+ * Fix parsing error in rpc binds which broke NTLMSSP
+ authentication. And as a result broke CTL+ALT+DEL password
+ changes from a Windows 2003 SP1 member of a Samba domain
+ (*2k3sp1*).
+ * Revert change to FindFirst() server code that broke WinXP
+ SP2 clients from launching *.exe files from a dfs target
+ share.
+ * BUG 2588: Force smbclient to send netbios messages to port
+ 139 unless otherwise instructed (based on patch from Thomas
+ Bork).
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix build on FreeBSD 4 where Winbind is not supported.
+ * Fix 'wbinfo --user-sids' when using domain local groups.
+ * Restrict domain local groups reported by 'wbinfo -r' to
+ the Samba server domain and not the users domain.
+
+
+o Lin Li <linl@xandros.com>
+ * Ensure that winbind initializes internal trusted domain
+ structures when enumerating users and groups.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 2565: Fix crash bug and compiler warnings in strchr_m()
+ test.
+ * Fix compiler warnings.
+
+
+o <psz@maths.usyd.edu.au>
+ * Fix for possible root squash NFS bugs.
+
+
+o Simo Sorce <irda@samba.org>
+ * Debian packaging fixes.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.13
+ Mar 24, 2005
+ ==============================
+
+Common bugs fixed in 3.0.13 include:
+
+ o Infinite FindNext() loop from Windows 9x client when
+ copying or deleting files on a Samba file share using
+ explorer.exe.
+ o Numerous smbclient bugs when listing directories.
+ o Failures in smbclient when connecting to a Windows 9x
+ file server.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.12
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix typo bug in smbclient where flags overwrote info level
+ in the cli_list_new().
+ * Fix old smbclient bug where ff_searchcount was being compared
+ to -1 resulting in processing a filename twice.
+ * Fix segv in smbclient caused by overwriting the last 2 bytes
+ in cli_list_new().
+ * BUG 2530: Fix potential segv in smbclient when talking to a
+ Windows 9x file server.
+ * Fix last entry offset in cli_list_new() when using a
+ FindFirst/FindNext info level of 0x104.
+ * BUG 2501: Stop Win98 from looping doing FindNext on a
+ singleton directory.
+ * BUG 2521: Fix error in access checks when user group ACLs.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * BUG 2497: Fix bug in rpcclient's deletedriverex when asking
+ to delete all versions of a driver.
+ * BUG 2517: use the realm from smb.conf for 'net ads info' when
+ 'disable netbios = yes'.
+ * BUG 2530: Ensure that smbclient correctly detects MS-DFS root
+ shares.
+ * Update RedHat packaging files to require cups support. Also
+ remove requirement for 'idmap {uid,gid}' settings in smb.conf
+ from winbindd init script.
+ * BUG 2516: fix compile issue on True64.
+
+
+
+o Guenther Deschner <gd@samba.org>
+ * Check for the correct cli-struct when copying files in 'net
+ rpc printer' routines.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix incorrect test in 'net rpc user' when the user is not
+ a member of any groups.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Make sure that enum_group_members() searches the correct suffix.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.12
+ Mar 18, 2005
+ ==============================
+
+Common bugs fixed in 3.0.12 include:
+
+ o Winbind failures when using 'disable netbios = yes'
+ o Failure to establish a trust relationship via 'net rpc trust
+ establish'
+ o Various portability & compiler issues.
+ o Read only file deletion failure caused by new delete semantics
+ in Windows XP SP2 and the MS 04-044 security hotfix.
+ o Error messages from shared Excel workbooks residing on Samba
+ file shares.
+ o Missing files in the output of smbclient -c 'dir' when run
+ against Windows file servers.
+ o Inability for Print Administrators to pause/resume/purge print
+ queues.
+
+Additional features introduced in Samba 3.0.12:
+
+ o Performance enhancements when serving directories containing
+ large number of files.
+ o MS-DFS support added to smbclient.
+ o More performance improvements when using Samba/OpenLDAP based
+ DC's via the 'ldapsam:trusted=yes' option.
+ o Support for the Novell NDS universal password when using the
+ ldapsam passdb backend.
+ o New 'net rpc trustdom {add,del}' functionality to eventually
+ replace 'smbpasswd {-a,-x} -i'.
+ o New libsmbclient functionality.
+
+
+
+=======================
+Large Directory Support
+=======================
+
+Samba 3.0.12pre1 introduces a specific mechanism for dealing
+with file services that frequently contain a large number of files
+per directory. Historically Samba's performance has suffered
+in such environments due to the translation from case
+insensitive lookups by Windows client to the case sensitive
+storage mechanisms used by UNIX filesystems.
+
+Configuration details along with a short HOWTO can be found at:
+
+http://www.samba.org/samba/ftp/HOWTO/Samba-LargeDirectory-HOWTO
+
+
+==================================
+libsmbclient Binary Compatibility
+==================================
+
+Please note that a change has been made to the _SMBCCTX structure
+in source/include/libsmbclient.h. This change is not backwards
+compatible with applications linked against the libsmbclient.so
+library from Samba 3.0.11. However, it is compatible with all
+other Samba 3.0.x releases. This means that it will be most likely
+be necessary to recompile any applications linked against the
+3.0.11 version of the library.
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ allocation roundup size New
+ log nt token command New
+ write cache Deprecated
+
+
+
+Changes since 3.0.11
+--------------------
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * BUG 2146: Return correct allocation sizes so as not to crash
+ the VC++ compiler.
+ * BUG 962: Ensure that parsing of service names in smb.conf is
+ multibyte safe.
+ * BUG 2201, 2227: Support new delete semantics used by MS04-044
+ and XP SP2.
+ * BUG 1525: Correctly timestamps interpreted on 64-bit time_t
+ values (patch submitted by Jay Fenlason <fenlason@redhat.com>).
+ * Add special hooks when serving directories containing large
+ numbers of files.
+ * Ensure that WINS negative name query responses and WACK
+ packets use the correct RR type of 0xA instead of reflecting
+ back what the query RR type was (0x20).
+ * BUG 2310: Only do 16-bit normalization on small dfree request.
+ * BUG 2323: Correct authentication failure when using plaintext
+ passwords from Windows XP clients.
+ * BUG 2146: Add new smb.conf option 'allocation roundup size' to
+ work around issues building MS Visual Studio 6.0 project
+ on a Samba file share while restoring the pre-3.0.21pre1
+ behavior by default.
+ * BUG 2399 (partial): Ensure we use SMB_VFS_STAT instead of
+ stat when checking for existence of a pathname.
+ * Check the sticky bit on the parent directory for supporting
+ the new WinXP SP2 file deletion semantics.
+ * Various oplock, share mode, and byte range locking fixes
+ found by Connectathon tests.
+ * BUG 2271: Fix resume key issues in trans2FindFirst() client
+ code (inspired by patch from Satwik Hebbar).
+ * BUG 2382, 2045: More pending modtime and delayed write fixes
+ for MS Excel (incorporates partial patches from
+ ke_miyata@itg.hitachi.co.jp).
+ * Debug log message cleanups.
+ * Add case insensitive search for a principal match on logon
+ verification in the system keytab (based on patch by
+ Michael Brown <mbrown@fensystems.co.uk>).
+ * Revert the previous SMB signing change from Nalin Dahyabhai
+ when using DES keys.
+ * Add missing RESOLVE_DFSPATH() calls for older SMB commands.
+ * Fix FindFirst() server code to deal with resume names of ".."
+ and "." (found by Jim McDonough).
+ * BUG 2451: Fix missing functions in full audit VFS module.
+ * Ensure that smbd logs failures reported by DISK_FREE()
+ (reported by Ying Li <ying.li2@hp.com>).
+ * Ensure that smbclient obeys the max protocol argument again.
+ * BUG 2335: Return correct error code for OS/2 clients (based on
+ negotiated protocol level).
+ * BUG 2460, 2464: remove dead code and unused variables
+ (reported by Jason Mader).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Avoid length-limited intermediate copy of NT and LM responses
+ in NETLOGON client.
+ * Debug message cleanups in the NTLMSSP implementation.
+
+
+o Manuel Baena <mbaena@lcc.uma.es>
+ * Print actual error message in smbmnt.c:fullpath().
+
+
+o Vince Brimhall <vbrimhall@novell.com>
+ * Add support for Novell NDS universal password.
+ * BUG 2424: Ensure that uidNumber and gidNumber use match
+ the RFC2307 schema.
+ * BUG 2453: Change the way pdb_nds.c handles users with no
+ Universal or Simple Password.
+ * NDS schema file corrections.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Add trans2 client call for checking dfs referrals
+ * Convert smbclient to use TRANS_QPATHINFO(SMB_QUERY_FILE_BASIC_INFO)
+ when checking directories on modern CIFS servers.
+ * Add MS-DFS support to smbclient.
+ * Code cleanup of adt_tree.[ch].
+ * Add missing checks to allow root to manage user rights.
+ * Allow domain admins to manage rights assignments on domain members
+ servers.
+ * BUG 2333: Use the lpq command to pass in the correct printer name
+ for cups_queue_get(). CUPS backend now sets 'lpq command= %p' as
+ the default.
+ * BUG 1439: make sure to initialize pointer to prevent invalid
+ free()'s on exit.
+ * BUG 2329: fix to re-enable winbindd to locate DC's when 'disable
+ netbios = yes'.
+ * Add cups-devel to BuidlRequires directive in Fedora spec file.
+ * BUG 858: Fix order of popt args evaluation so we don't crash
+ when given no command line args.
+ * Remove dependency on bash for source/autogen.sh.
+ * Fix clitar.c compile issues caused by broken MIT 1.4 headers.
+ * Implement MS-DFS for recursive directory listings in smbclient.
+ * BUG 2394: Fix nmbd linking issue on IRIX.
+ * Only display the publish check box in the client's printer
+ properties dialog if we are a member of an AD domain.
+ * BUG 2363: allow 'in use' driver to be removed as long as
+ one 'Windows NT x86' driver remains.
+ * BUG 1881: Allow PRINT_SPOOL_PREFIX to be set in local.h for
+ porting purposes.
+ * Enforce better printer.tdb cache consistency when removing
+ jobs from a print queue via SMB.
+ * Ensure that pause/resume/purge print queue commands are run
+ with the appropriate level of privilege necessary to actually
+ work.
+ * BUG 2355: Use bsd style commands (lpq, lpr, etc...) for default
+ for 'printing = cups' installations that do not actually have
+ libcups.
+ * BUG 2425: Remove incorrect checks for Win98 DFS clients.
+ * BUG 2215: Rewrite questionable code that was causing gcc to
+ choke.
+ * Add server support for LsaLookupPrivValue().
+ * Various small compile fixes and cleanup warnings.
+ * BUG 2456: Fix compile failure on non-gcc platforms due to
+ non-standard pragma.
+
+
+o Kevin Dalley <kevin@kelphead.org>
+ * BUG 2398: Don't force smbclient to assume a dry run if the
+ target tarfile is /dev/null.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Fix crash bug in the client-spoolss enumdataex-call.
+ * Expand the valid-workstation-scheme by expanding names
+ beginning with a plus (+) as a unix group.
+ * Allow own netbios name to be set in smbclient's session setup.
+ * Better handling of LDAP over IPC connections that have expired
+ on the LDAP-Server.
+ * Fix pipe-mismatch for NETDFS in cli_dfs.c.
+ * Add examples/misc/adssearch.pl.
+ * BUG 2343: Build fixes.
+ * Support get_user_info_7 in SAMR server RPC.
+ * Fix server_role in the samr_query_dom_info calls.
+ * Add example perl script to check for multiple LDAP entries
+ after running 'net rpc vampire'.
+ * Add more output when listing printer forms via rpcclient.
+ * Debug log message cleanup.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * On failed mount (ENXIO) retry share name in uppercase (fix
+ mount to FastConnect AIX SMB server).
+ * Add missing FILE_ATTRIBUTE_XXX defines to smb.h.
+ * Ignore user_xattr mount parm (mount.cifs) so as not to confuse
+ it with a user name.
+ * Update for new CIFS POSIX info levels.
+ * Ignore users mount parm in mount.cifs.
+
+o SATOH Fumiyasu <fumiya@samba.gr.jp>
+ * BUG 1549: Don't truncate service names in smbstatus.
+
+
+o William Jojo <jojowil@hvcc.edu>
+ * BUG 2445: Patch to avoid default ACLs on AIX.
+
+
+o S Murthy Kambhampaty <smk_va@yahoo.com>
+ * Add idmap_rid module to Fedora and RedHat spec files.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 2401: Flush internal getpwnam() cache after deleting a
+ user.
+ * BUG 1604: Make winbind work with more than 10 trusted domains.
+ * Cleanup various compiler warnings.
+ * Fix a memory leaks in privileges code and passdb backends.
+ * Fixes for samr_lookup_sids() client call.
+ * Optimize _samr_query_groupmem with LDAP backend for large
+ domains.
+ * Support SIDs as %s replacements in the afs username map
+ parameter.
+ * Add 'log nt token command' parameter. If set, %s is replaced
+ with the user sid, and %t takes all the group sids.
+ * Do not use the "Local Unix Group"-default description for
+ all kinds of group-mappings.
+ * Fix uninitialized variable in Linux nss_winbind library.
+ * Move 'net afskey' into a subcommand of its own, 'net afs key'.
+ * Implement 'net afs impersonate'.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix build problem when HAVE_POSIX_ACL is not defined.
+ * BUG 2417: Add help lines for net rpc group addmem and
+ delmem commands.
+
+
+o Derrell Lipman <derrell.lipman@unwireduniverse.com>
+ * Add support to libsmbclient for getting and setting DOS
+ attributes using EA functions.
+ * Fix libsmbclient's URL encoding/decoding.
+ * Replace browse listing URI queries with an internal options
+ structure (previous method violated the SMB URI syntax).
+ * Allow tree connects to be multiplexed over a single CIFS server
+ connection context.
+ * Ensure that cli_tdis() sets the cnum field to -1 so that callers
+ can determine a dead tree connection.
+ * Implement better solution for backwards binary compatibility
+ in libsmbclient while adding new fields to struct _SMBCCTX.
+
+
+o Mark Loeser <halcy0n@gentoo.org>
+ * BUG 2443: Compile fix for gcc4.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 2338: Fix coredump when OS/2 checks for long file name
+ support (with .+,;=[].) (thanks to Guenter Kukkukk).
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * Compiler warning fixes (BUGS BUG 2132, 2134, 2289, 2327, 2340,
+ 2341, 2342)
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fixes for server schannel implementation when 'restrict
+ anonymous = 1' is set in smb.conf.
+ * Fix bug in server side lookupsids reply that crashed lsass.exe
+ on Windows clients.
+ * Fix 'net rpc trustdom establish'.
+ * BUG 2062: Turn off broadcast for all 390 NICs.
+ * Fix 'net rpc trustdom add' to correctly add new domain trust
+ accounts. This will eventually replace 'smbpasswd -a -i'.
+ * Implement 'net rpc trustdom del', including client side of
+ samr_remove_sid_from_foreign_domain.
+ * Bring IBM Directory Server schema up to date with openldap
+ schema.
+ * Allow for better protection of sensitive attributes in IBM
+ Directory Server.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Fix memleaks in the nttrans code.
+
+
+o Mike Nix <mnix@wanm.com.au>
+ * Add SMBsplopen and SMBsplclose client calls.
+
+
+o Justin Ossevoort <justin@snt.utwente.nl>
+ * BUG 2316: Fix crashes in pdb_pgsql.
+
+
+o James Peach <jpeach@sgi.com>
+ * Fixes in string handling code.
+ * Fix oplock2 test in client smbtorture.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix up example pdb modules after prototype change for
+ setsampwent.
+ * BUG 2058: Fix for shared object creation in examples.
+ * BUG 2315: Fix segv in LSA privileges server code.
+ * Build fixes for python wrapper libraries.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * BUG 2044: Fix segv in profiles tool.
+ * Fix bogus error messages when enumerating user group
+ membership via 'net rpc'.
+
+
+o Simo Sorce <idra@samba.org>
+ * Debian packaging fixes.
+
+
+o John Terpstra <jht@samba.org>
+ * Add the capability to set account description using pdbedit.
+
+
+o Doug VanLeuven <roamdad@sonic.net>
+ * Add more case/realm/name permutations to the Kerberos keytab.
+ * AIX compile fixes.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * BUG 892: Default unknown_6 field to 1260 in mySQL pdb module.
+ * BUG 1957: Implement minimal update of fields in mySQL pdb
+ module.
+
+
+o Torsten Werner <torsten.werner@assyst-intl.com>
+ * BUG 2405: Define 'lpstat' printcap output on HPUX.
+
+
+o Shlomi Yaakobovich" <Shlomi@exanet.com>
+ * Detect infinite loops when traversing tdbs.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.11
+ Feb 5, 2005
+ ==============================
+
+Common bugs fixed in 3.0.11 include:
+
+ o Crash in smbd when using CUPS printing.
+ o Parsing error of other SIDs included in the user_info_3
+ structure returned from domain controllers.
+ o Inefficiencies when searching non-AD LDAP directories.
+ o Failure to expand variables in user domain attributes
+ in tdbsam and ldapsam.
+ o Memory leaks.
+ o Failure to retrieve certain attribute when migrating from
+ a Windows DC to a Samba DC via 'net rpc vampire'.
+ o Numerous printing bugs bugs including memory
+ bloating on large/busy print servers.
+ o Compatibility issues with Exchange 5.5 SP4.
+ o sendfile fixes.
+
+Additional features introduced in Samba 3.0.11:
+
+ o Winbindd performance improvements.
+ o More 'net rpc vampire' functionality.
+ o Support for the Windows privilege model to assign rights
+ to specific SIDs.
+ o New administrative options to the 'net rpc' command.
+
+
+============
+LDAP Changes
+============
+
+If "ldap user suffix" or "ldap machine suffix" are defined in
+smb.conf, all user-accounts must reside below the user suffix,
+and all machine and inter-domain trust-accounts must be located
+below the machine suffix. Previous Samba releases would fall
+back to searching the 'ldap suffix' in some cases.
+
+
+===============
+Privilege Model
+===============
+
+Samba 3.0.11 supports the following assignable rights
+
+SeMachineAccountPrivilege Add machines to domain
+SePrintOperatorPrivilege Manage printers
+SeAddUsersPrivilege Add users and groups to the domain
+SeRemoteShutdownPrivilege Force shutdown from a remote system
+SeDiskOperatorPrivilege Manage disk shares
+
+These rights can be assigned to arbitrary users or groups
+via the 'net rpc rights grant/revoke' command. More details
+of Samba's privilege implementation can be found in the
+Samba-HOWTO-Collection.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.10
+--------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ afs token lifetime New
+ enable privileges New
+ ldap password sync Alias
+ min password length Deprecated
+ winbind enable local accounts Deprecated
+
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Extend vfs to add seekdir/telldir/rewinddir.
+ * Fix dirent return.
+ * Fix bugs when handling secondary trans2 requests.
+ * Implementation of get posix acls in UNIX extensions.
+ * Added set posix acl functionality into the UNIX extensions code.
+ * Updated config.guess/config.sub .
+ * Fix error reply when 'follow symlinks = no'.
+ * BUG 1061, 2045: Only set mtime from pending_modtime if it's
+ not already zero.
+ * Fixes for LARGE_READX support.
+ * Fix the problem we get on Linux where sendfile fails, but we've
+ already sent the header using send().
+ * BUG 2081: Ensure SE_DESC_DACL_PROTECTED is set if 'map acl
+ inherit = no'.
+ * BUG 2088: Ensure inherit permissions is only applied on a new
+ file, not an existing one.
+ * Don't go fishing for the krb5 authorization data unless we know
+ it's there.
+ * Fixes for libsmbclient to ensure that interrupted system calls
+ are restarted minus the already expired portion of the timeout
+ (based on work by Derrell Lipman).
+ * More Unicode string parsing fixes.
+ * Convert the winreg pipe to use WERROR returns.
+ * Make all LDAP timeouts consistent (input from Joe Meadows
+ <jameadows@webopolis.com>).
+ * BUG 2231: Remove double "\\" from client findfirst.
+ * BUG 2238: Fix memory leak in shadow copy vfs.
+ * Return correct DOS/NT error code on transact named pipe on
+ closed pipe handle.
+ * BUG 2211: Fix security descriptor parsing bug (based on work by
+ Mrinal Kalakrishnan <mail@mrinal.net>).
+ * BUG 2270: Fix memory leaks in cups printing backend support
+ (based on work by Lars Mueller).
+ * BUG 2255: Fix debug level in Kerberos error messages.
+ * BUG 2110: Ensure we convert to ucs2 correctly after the
+ CAN-2004-0930 patch.
+ * Make strict locking an enum. Auto means use oplock optimization.
+ * Fix client & server to allow 127k READX calls.
+ * More *alloc fixes (includes additional fixes by Albert Chin.
+ * Catch sendfile errors correctly and return the correct values
+ we want the caller to return.
+ * BUG 2092: Prevent auto-anonymous logins via libsmbclient
+ for better use by desktop environments such as GNOME.
+ * Ensure we can't remove a level II oplock without having the
+ shared memory area locked.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 2100: change the way we check for errors after a dlopen().
+ * BUG 2263: Guard base64_encode_data_blob() against empty blobs.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Clarify error message when 'lanman auth = no'.
+ * Remove the unnecessary UTF-8 conversion calls in the calls to
+ auth_winbind from smbd.
+ * Don't store the auth-user credentials with the cli_state* as
+ this can cause the schannel setup to fail when the auth-user
+ domain is not our primary domain.
+
+
+o Grigory Batalov <bga@altlinux.org>
+ * Fix encoding while receiving of a message which was actually
+ sent using STR_ASCII.
+
+
+o Daniel Beschorner <db@unit-netz.de>
+ * BUG 603: Correct access mask check for _samr_lookup_domain()
+ to work with Windows RAS server
+
+
+o Jerome Borsboom <j.borsboom@erasmusmc.nl>
+ * Fix missing printer_tdb reference decrement.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * BUG 2073: fall back to smb_name if current_user_info is not
+ available in lp_file_list_changed().
+ * Fixes the spurious 'register_message_flags: tdb fetch failed'
+ errors.
+ * Don't run the background LPQ daemon when we are running in
+ interactive mode.
+ * prevent the background LPQ daemon from updating the print queue
+ cache just because multiple smbd processes sent a message that
+ it was out of date.
+ * consolidate printer searches to use find_service rather than
+ for(...) loops.
+ * BUG 2091: don't remove statically defined printers in
+ remove_stale_printers().
+ * Fix logic error in add_a_form() that only compared N characters
+ instead of the entire form name.
+ * BUG 2107: fix memory bloating caused by large numbers of
+ print_queue_updates() requests sent via messages.tdb.
+ * Check the setprinter(3) based on the access permissions on
+ the handle and avoid the call to print_access_check().
+ * Re-instantiate previous semantics for calling init_unistr2()
+ with a NULL source buffer.
+ * Support Windows privilege model for assigning rights
+ to specific SIDs. Based on work by Simo Sorce in the trunk
+ svn branch. This feature is controlled by the 'enable
+ privileges = [yes|no]' smb.conf(5) option.
+ * Add some smb.conf scripts for add/delete/change shares and
+ deleting cups printers.
+ * Expand variables in the profile path, logon home and logon script
+ values when using either tdbsam or ldapsam.
+ * Add Domain Admins (Full Control) to the default printer security
+ descriptor if we are a DC.
+ * RedHat and Fedora Packaging fixes for perl dependencies.
+ * Remove unused schema items from OpenLDAP schema file.
+ * Remove duplicate enumeration of "Windows x86" architecture
+ when listing printer drivers via rpcclient.
+ * Fail set_privileges() if 'enable privileges = no' to prevent
+ confused admins.
+ * Fix segfault in cups_queue_get().
+ * Tighten restrictions on changing user passwords when
+ the connected user possesses the SeMachineAccountPrivilege.
+ * Ensure we set NETBIOSNAME.domainname for the long machine name
+ when publishing printers in AD (based on input from Rob Foehl).
+ * Mark 'winbind enable local accounts' as deprecated.
+ * Mark testprns tool as deprecated.
+ * Allow root to grant/revoke privilege assignments.
+ * Correct interaction between user rights and se_access_check() on
+ SAMR objects.
+ * BUG 2286: Fix typo OpenLDAP schema file for sambaConfig object
+ class.
+ * BUG 2262: Add support in configure.in for *freebsd6*.
+ * BUG 2266: Portability fixes for quota code on FreeBSD4.
+ * BUG 2264: Remove shutdown and abortshutdown commands from
+ rpcclient in favor of using the same functions in 'net'.
+ * BUG 2295: Prevent smbd from returning an empty server name
+ in certain lanman api calls.
+ * BUG 2290: Fix autogen.sh script in examples (based on original
+ patch from Lars Mueller).
+ * Fix bug enumerating domain trusts in security = ads.
+ * Fix segv in rpcclient's dsenumdomtrusts.
+ * Fix bug in expansion of %U and %G in included filenames.
+ * BUG 2291: Restrict creation of server trust and domain trust
+ accounts to members of the "Domain Admins" group.
+
+o Nadav Danieli <nadavd@exanet.com>
+ * Short circuit some is_locked() tests if we are oplocked.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Allow 'localhost' as a valid server name in the smbd for the
+ spoolss calls.
+ * Fix KRB5_SETPW-defines, no change in behavior (Thanks to Luke
+ Mewburn for the input).
+ * BUG 2059: Add additional checks needed after logic change to the
+ HAVE_WRFILE_KEYTAB detection test.
+ * BUG 1076: Fix interaction with Exchange 5.5. SP4 and a
+ Samba DC. Allow us to lookup at least our own SID.
+ * More fixes to have proper German in swat (Thanks to Reiner
+ Klaproth and Björn Jacke.
+ * BUG 404, 2076: Allow to set OWNER- and GROUP-entries while
+ setting security descriptors with smbcacls and using with
+ the -S or -M switch.
+ * Include the munged_dial, bad_password_count, logon_count, and
+ logon_hours attributes when running 'net rpc vampire'.
+ * Fix segfault in idmap_rid.
+ * When winbindd is operating in the multi-mapping mode of
+ idmap_rid, allow BUILTIN domain-mapping.
+ * Display infolevel 12 in query_dom_info in rpcclient.
+ * Fix bug in winbindd's lowercasing of usernames.
+ * Allow -v or -l for displaying verbose groupmap-listing
+ as well as "verbose".
+ * Backport Samba4 SAM_DELTA_DOMAIN_INFO for use in 'net rpc
+ vampire'.
+ * Close LDAP-Connection before retrying to open a new connection
+ in the retry-loop.
+ * Marking "min password length" as depreciated.
+ * Implement SAMR query_dom_info-call info-level 8 server- and
+ client-side, based on samba4-idl.
+ * Allow rpcclient to define a port to use when connecting
+ to a remote server.
+ * Allow Account Lockout with Lockout Duration "forever" (until
+ admin unlocks) to be set and displayed in User Manager.
+ * Allow to set acb_mask in rpcclient's enumdomusers.
+ * Add more generic rootDSE inspection function to check
+ for given controls or extensions and remember these on a
+ per server basis.
+ * Improve LDAP search efficiency by passing the acb_mask to
+ pdb_setsampwent().
+ * Fixes for ldapsam_enum_group_memberships().
+ * Add createdomgroup to rpcclient.
+ * Add "net rpc user RENAME"-command.
+ * Display sam_user_info_7 in rpcclient.
+ * Make multi-domain-mode in idmap_rid accessible from outside
+ (can be compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS).
+ * When vampiring account policy AP_LOCK_ACCOUNT_DURATION honor
+ "Lockout Duration: Forever".
+ * Fix configure.in tests using KRB5_CONFIG variable and krb5-
+ config utility.
+ * Require assignment of Administrator SID in the passdb
+ backend. Fall back to the default name of 'Administrator' if
+ the lookup fails rather than using the first name in the
+ default 'admin users' list.
+ * Enhance LDAP failure debug messages.
+ * BUG 2291: Call the 'add machine script' for server trust and
+ domain trust accounts as well as workstation accounts.
+
+
+o Levente Farkas <lfarkas@lfarkas.org>
+ * BUG 2299: Better logrotate scripts for RedHat and Fedora
+ packages.
+
+
+o Jay Fenlason <fenlason@redhat.com>
+ * Fix crash in 'net join' due to calling free on
+ static buffers.
+ * Several patches from RedHat's Fedora Core RPMS.
+
+
+o Rob Foehl <rwf@loonybin.net>.
+ * Compiler warnings.
+ * Try modifying printer published attributes before adding it a
+ new entry in AD.
+ * Solaris packaging fixes.
+ * Don't force the cups printer-make-and-model tag as the comment
+ for autoloaded printers.
+ * Implement caching of names from printcap to support a true
+ 'printcap cache time'.
+
+
+o Johann Hanne <jhml@gmx.net>
+ * BUG 2038: Only fail winbindd_getgroups() if all lookups fail.
+
+
+o Jeff Hardy <hardyjm@potsdam.edu>
+ * Example script for 'add print command' when using CUPS.
+
+
+o Deryck Hodge <deryck@samba.org>
+ * Add -P (--password-only-menu) to SWAT for displaying only the
+ password change page to non-root users.
+
+
+o David Hu <david.hu@hp.com>
+ * Copy structure from print_queue_update() message rather than
+ referencing it. Fixes seg fault on HP-UX.
+
+
+o Buck Huppmann <buckh@pobox.com>
+ * BUG 2186: Don't free uninitialized credentials.
+ * BUG 2189: Add the HOST/fqdn servicePrincipalName even when
+ dnsDomainName != realm.
+
+
+o Björn Jacke <bjoern@j3e.de>
+ * BUG 2040: Ensure the locale is reset to C to get ASCII-
+ compatible toupper/lower functions.
+
+
+o William Jojo <jojowil@hvcc.edu>
+ * Fix HPUX sendfile and add configure.in tests and code for
+ sendfile on AIX.
+ * AIX 5.3 compile fixes.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Optimize anonymous session setups by workstations in a
+ Samba domain.
+ * Reimplment the QueryUserAliases() server RPC reply.
+ * Re-add the getpwnam-cache for performance.
+ * Cache the result of a pdb_getsampwnam for later SID lookup
+ queries.
+ * Unify the means of localtaing a user's global groups on a
+ Samba DC.
+ * Fix bug when serving the 'Start Menu' in a roaming user profile..
+ * Map more pre-defined NT security descriptors to AFS acls.
+ * Add timeout to AD search requests.
+ * If a connection to a DC is requested (in winbindd), open
+ connections simultaneously to all DCs found.
+ * Memleak fixes.
+ * Fix logic error in handling of 'printcap name' parameter.
+ * Prevent winbindd from SPAM'ing the log files with 'user root
+ does not exist'.
+ * Backport samr_DomInfo2 IDL specification from Samba 4.
+ * Implement smbstatus -n, don't lookup users and groups.
+ * Implement simple mapping that maps the space to another character
+ defined by afsacl:space.
+ * Add support for 'net idmap delete <idmap-file> <SID>'.
+ * Add new parameter 'afs token lifetime' tells the AFS client
+ when to throw away a token (patch from kllin@it.su.se).
+ * Initial work to allow support for multiple pipe opens on a
+ single cli_state*.
+ * Ensure that we still retrieve the netbios name of any DC
+ listed as a 'password server' to work around cases where the
+ DC was defined using an IP address or fqdn.
+ * Fix memleak in winbindd connection code.
+ * Fix cli_samr_queryuseraliases.
+ * Allow wbinfo --user-sids to expand expand domain local groups.
+ * Allow 'rpcclient -c enumtrust' to enumerate more than 10 trusts.
+ * Fix parsing of other_sids in net_user_info3.
+ * Correct bad failure logic when user was not a member of any
+ domain local groups.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 2113, 2289: Remove dead code.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1952: Try INITSHUTDOWN pipe first, used by newer
+ clients. If it fails, fall back to WINREG.
+ * BUG 1770: Remove READ_ATTRIBUTES from GENERIC_EXECUTE.
+ * BUG 2198: Set password last change time when running 'net rpc
+ vampire'.
+ * Add "refuse machine password change" policy field.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * BUG 2150: shmget() - Use POSIX definitions instead of non-
+ standard SHM_.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * autogen.sh fixes.
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * Mandrake packaging fixes.
+
+
+o Lars Mueller <lmuelle@samba.org>
+ * Fix build of libsmbclient on x86_64.
+ * BUG 2013: Fix testsuite build issues when libsmbclient.so
+ is installed in a non-default location.
+ * BUG 2050: Calculate max_fd for select correctly.
+ * Fix inverted logic heck for HAVE_WRFILE_KEYTAB in autoconf
+ script.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 2069: Remove unused variables.
+ * BUG 2075: Remove dead code paths.
+ * BUG 2083: Fix compiler warnings caused by bad type casts.
+
+
+o James Peach <jpeach@sgi.com>
+ * Fix rewinddir -> rewind_dir when using VFS macros.
+
+
+o Gavrie Philipson <gavrie@disksites.com>
+ * BUG 1838: Remove stale printers imeeddiately when
+ processing a SIGHUP and during smb.conf reload.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 2080: Fix duplicate call to pdb_get_acct_desc().
+ * BUG 2168: Fix cast in SMB_XMALLOC_ARRAY.
+ * Change the license for the winbindd external interface
+ more liberal.
+ * HP-UX compile fixes.
+ * Compile fixes after new setsampwent() API.
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Update Netscape DS 5.2 LDAP schema.
+
+
+o Simo Sorce <idra@samba.org>
+ * Backport pdbedit changes from trunk.
+ * Allows the add/change share command to create the shared
+ directory directory on disk.
+ * Log a warning in testparm if a print command is defined for
+ a print service using 'printing = cups'.
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Bug fixes for pdb_{xml,pqsql,xml}
+ * Fixes for pdb_mysql.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Bring Samba3 into line with the Samba4 password change code.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 2190: Force SWAT to display parameters in unix charset and
+ not UTF-8.
+
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.10
+ Dec 16, 2004
+ ==============================
+
+Common bugs fixed in 3.0.10 include:
+
+ o Fix for security issues described in CAN-2004-1154.
+
+
+Changes since 3.0.9
+-------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Added checks surrounding all *alloc() calls to fix
+ CAN-2004-1154.
+ * Fix long standing memory size bug in bitmap_allocate().
+ * Remove bogus error check in deferred open file serving
+ code.
+
+
+o Thomas Bork <tombork@web.de>
+ * Fix autoconf script on platforms using a version of GNU ld
+ that does not include a date stamp in the output of --version.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * Fix the swat install script to deal with the new image
+ destination directory used by the docs.
+
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.9
+ Nov 15, 2004
+ =============================
+
+Common bugs fixed in 3.0.9 include:
+
+ o Problem updating roaming user profiles.
+ o Crash in smbd when printing from a Windows 9x client.
+ o Unresolved symbols in libsmbclient which caused
+ applications such as KDE's konqueror to fail when
+ accessing smb:// URLs.
+
+
+Changes since 3.0.8
+-------------------
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Correctly detect errno for no acl/ea support.
+ * BUG 2036: Fix seg fault in 'net ads join'.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Solaris packaging fixes.
+ * Fix seg fault in lanman printing code.
+ * BUG 2017: fix testparm reporting for the passwd program
+ string.
+ * Fix output of smbstatus to match the man page.
+ * BUG 2027: fix conflict with declaration MD5_CTX in system
+ headers.
+ * 2028: Avoid false error messages when copying a long
+ printer name to the device mode.
+
+
+o Guenther Deschner <gd@samba.org>
+ * Allow deldriverex in rpcclient to delete drivers for a
+ specific architecture and a specific version.
+ * Fix a couple of rpcclient spoolss commands (setprinter,
+ setprintername, getdriver) w.r.t to printer-naming scheme.
+ Allow 'localhost' in the server string for certain server-side
+ spoolss functions.
+ * BUG 2015: Do not fail on setting file attributes with
+ acl support enabled.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * Fix build when using gcc 3.0.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix tdb open logic when checking our local_pid after
+ the fork().
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1932: Fix crash in 'net getlocalsid' when run as
+ non-root user.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ BUG 1661: Fix KRB5_SETPW-defines
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * BUG 2023: Mandrake packaging fixes for building 3.0.9.
+
+
+o Lars Mueller <lmuelle@samba.org>
+ * BUG 2013: Fix unresolved symbols in libsmbclient.so.
+
+
+o Martin Zielinski <mz@seh.de>
+ * Add DeletePrinterDriverEx() functionality to rpcclient.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.8
+ Nov 7, 2004
+ =============================
+
+Common bugs fixed in 3.0.8 include:
+
+ o Compile fixes for HP-UX
+ o Fixes for the printer publishing code used when joined to
+ an AD domain.
+ o Incompatibilities with file system quotas.
+ o Several bugs in the spoolss printing code and print system
+ backends.
+ o Inconsistencies in the username map functionality when
+ configured on domain member servers.
+ o Various compile warnings and errors on various platforms.
+ o Fixes for Kerberos interoperability with Windows 200x
+ domains when using DES keys.
+ o Fix for CAN-2004-0930 -- smbd remote DoS vulnerability.
+ o Fix for CAN-2004-0882 -- possible buffer overrun in smbd.
+
+
+New features included in the 3.0.8 release are:
+
+ o New migration functionality added the the net tool
+ for files/directories, printers, and shares.
+ o New experimental idmap backend for assigning uids/gids
+ directly based on the user/group RID when acting as a
+ member of single domain without any trusts.
+ o Additional printer migration support for XP/2003 platforms.
+
+
+===========================
+Change in Winbindd Behavior
+===========================
+
+All usernames returned by winbindd are now converted to lower
+case for better consistency. This means any winbind installation
+relying on the winbind username will need to rename existing
+directories and/or files based on the username (%u and %U) to lower
+case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may
+include mail spool files, home directories, valid user lines in
+smb.conf, etc....
+
+
+======================
+Change in Username Map
+======================
+
+Previous Samba releases would only support reading the fully qualified
+username (e.g. DOMAIN\user) from the username map when performing a
+Kerberos login from a client. However, when looking up a map
+entry for a user authenticated by NTLM[SSP], only the login name would be
+used for matches. This resulted in inconsistent behavior sometimes
+even on the same server.
+
+Samba 3.0.8 obeys the following rules when applying the username
+map functionality:
+
+ * When performing local authentication, the username map is
+ applied to the login name before attempting to authenticate
+ the connection.
+ * When relying upon a external domain controller for validating
+ authentication requests, smbd will apply the username map
+ to the fully qualified username (i.e. DOMAIN\user) only
+ after the user has been successfully authenticated.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.7
+-------------------
+
+smb.conf changes
+----------------
+ Parameter Name Action
+ -------------- ------
+ force printername New
+ sendfile disabled by default
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure extended security bit is on only if we negotiated
+ extended security.
+ * Simplify statcache to use an in-memory tdb.
+ * If you're selecting a hash algorithm for tdb, you need
+ to do it at open time.
+ * Removed old dir caching code - not being used now we
+ have the statcache anyway.
+ * Simplify the mangle hash code to use an in-memory tdb.
+ * Merge iconv changes from Samba 4 branch.
+ * Fix parsing of names ending in dot and a few other error
+ returns.
+ * BUG 1667: Smbpasswd file could be left locked on some
+ error exits.
+ * Fixes for smbclient tar functionality.
+ * BUG 1743: Fix logic bug the deferred open code.
+ * Don't try to set security descriptors on shares where
+ this has been turned off.
+ * Return correct error codes on old SEARCH call.
+ * Ensure we set errno = E2BIG when we overflow in the
+ fast-path character conversion code.
+ * Fix the roundup problem (returning 1mb roundup) for
+ non-Windows clients.
+ * Added 'stat' command to smbclient to exercise the
+ UNIX_FILE_BASIC info level.
+ * Fix bug where we could incorrectly set sparse attribute.
+ * Fix incorrect locks/unlocks in tdb_lockkeys()/tdb_unlockkeys()
+ (reported by Taj Khattra <taj.khattra@gmail.com>).
+ * Remove locked keys tdb code.
+ * BUG 1886: Prevent delete on close being set for readonly files
+ (and return the correct error code).
+ * Ensure we pass most of the new lock tests except for the cancel
+ lock which is yet to be added (merged from Samba 4 branch).
+ * BUG 1947: Fix incorrect use of getpwnam() etc. interface.
+ * BUG 1956: Ensure errno is saved and restored consistently on a
+ normal_close.
+ * BUG 1651: Adapted patch from Nalin Dahyabhai for ensuring
+ that all of the appropriate service principal names are set
+ upon joining an AD domain.
+ * Fix the correct use of resume name in the trans2 code.
+ * BUG 1717: Adapted patch from Nalin Dahyabhai to detect the
+ correct salt used when generated the DES key after joining an
+ AD domain.
+ * Enhanced krb5 detection routines in the autoconf scripts.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Avoid changing the machine account password in the passdb
+ backend, when it has 'already been changed'. This occurs
+ in situations where the secure channel between the workstation
+ and the DC breaks down, such as occurred in the MS04-11
+ security patch.
+ * Fix utility name in error message in ntlm_auth.
+ * Fix NTLMv2 for use with pam_winbind.
+ * Remove conversion to and from UTF8 on the winbind pipe.
+ * Allow 'require_membership_of' and 'require-membership-of'.
+ * Fix the error code for 'you didn't specify a domain' in
+ ntlm_auth.
+ * Use sys_getgroups() rather than scanning all groups
+ when generating SAMR replies.
+
+
+o Igor Belyi <sambauser@katehok.ac93.org>
+ * Ensure pdb user is deleted first before deleting UNIX
+ user (LDAP backend needs this ordering).
+
+
+o Cornelio Bondad Jr <Corny.Bondad@hp.com>
+ * Fix core dump in 'net rpc vampire'.
+
+
+o Vince Brimhall <vbrimhall@novell.com>
+ * Make ldapsam_compat robust against NULL attributes.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Don't limit the number of groups returned by winbindd_getgroups()
+ by NGROUPS_MAX.
+ * BUG 1519: Match Windows 2000 behavior when opening a
+ printer using a servername in the form of an IP address or
+ DNS name.
+ * BUG 1907: remove extra slashes from the printer name in
+ getprinterdriverdir_1().
+ * Fix standard_sub_snum() to use the current user's gid.
+ * Fix background queue update bug (based on Volker's initial work
+ in 3.1.0).
+ * Add 'force printername' service parameter for people that want
+ to enforce printername == sharename for spoolss printing.
+ * Ensure consistent usage of the username map. Use the fully
+ qualified DOMAIN\user format for 'security = domain|ads' and
+ apply after authentication has succeeded.
+ * Cosmetic fix for getent output -- lowercase the username only
+ and not the complete domain\username string.
+ * Packaging fixes for Solaris, Redhat, & Fedora.
+
+
+o Sean Chandler <sean.chandler@verizon.net>
+ * Fix memlieak in cliconnect.c.
+
+
+o Darren Chew <darrenc@vicscouts.asn.au>
+ * Solaris packaging fixes.
+
+
+o Nalin Dahyabhai <nalin@redhat.com>
+ * SMB signing fix for 56-bit DES session keys.
+
+
+o Guenther Deschner <gd@samba.org>
+ * add IA64 to the architecture table of printer-drivers.
+ * Add file/share/printer migration functionality to
+ the net command.
+ * Show correct help for net groupmap commands.
+ * Fix deadlock loop in winbind's required_membership_sid
+ verification.
+ * Bring the same level of "required_membership"-functionality
+ that ntlm_auth uses, to pam_winbindd as well.
+ * Prevent "net lookup kdc" from seg-faulting when
+ using our own implementation of krb5_lookup_kdc with
+ heimdal.
+ * Adding getprinter level 7 to rpcclient.
+ * Support migrating printers|shares|files from Server A
+ to Server B while running the net-command on client C.
+ * Fixed krb5_krbhost_get_addrinfo()-parameters and make
+ failure of this call non-critical (Thanks to Love @ Heimdal
+ for the explanation and patch).
+ * Fix typos in net's usage-output.
+ * Fix the paranoia-check to ensure the ldap-attribute and the
+ smb.conf-parameter for samba's "algorithmic rid base" in ldapsam
+ are identical.
+ * Fix several bugs in the _samr_query_useraliases() rpc reply.
+ * Check correct string length when verifying password-policies
+ and using extended characters (Thanks to Uwe Morgenroth from CC
+ Compunet and Volker).
+ * Make 'password history'-behavior in ldapsam more consistent.
+ * Adding "Windows x64" as architecture string and driverdir "x64"
+ for the 64bit AMD platform.
+ * BUG 1343: Readd WKGUID-binding to match the correct default-
+ locations of new User-, Group- and Machine-Accounts in Active
+ Directory (this got lost during the last trunk-merge).
+ * Fix printer-migration w.r.t. to new naming-convention for
+ policy-handles.
+ * Allow to migrate win2k3/xp-drivers as well.
+ * Add client-side support of triggering ads printer publishing
+ over msrpc setprinter calls inside the net-tool.
+ * Add the idmap_rid module (written in conjunction with
+ Sumit Bose <sbose@suse.de>).
+ * BUG 1661: Fix build with recent heimdal releases.
+ * Prevent idmap_rid from making unnecessary calls to domain
+ controllers for trusted domains.
+
+
+o Arthur van Dongen <avdongen@xs4all.nl>
+ * Fix typos in pam_winbind log messages and SuSE
+ packaging files.
+
+
+o Rob Foehl <rwf@loonybin.net>
+ * Typo fixes for log messages in printer publishing code.
+ * Fix memory leak in printer publishing code.
+ * Ensure print_backend_init() only gets called once.
+ * Have smbd check the published status of all printers
+ at startup.
+ * Cleanup up the XXX_a_printer() API for consistency.
+ * Refactored the printer publishing code and include better
+ error handling.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Fix IP address override in mount.cifs mount helper and clean
+ up warning messages from the sparse tool and expand syntax help.
+ * Strip guest mount option off before sending to kernel mount
+ routine to avoid logging spurious message.
+
+
+o Satoh Fumiyasu <fumiya@samba.gr.jp>
+ * BUG 1732: Limit share names returned by RAP based on windows
+ character width, not unix character width.
+ * BUG 1498: Ensure that acl entries are stored in the correct
+ order.
+
+
+o Brett Funderburg <brett@deepfile.com>
+ * Pass create options parameter to nt_create_andx() function
+ from the python bindings.
+ * BUG 1864: Add sd->type field to security descriptor Python
+ representation.
+ * Return an error if a Netapp filer returns NT_STATUS_ACCESS_DENIED
+ when trying to return the security descriptor for a file.
+ * BUG 1884: Fixes for the Python bindings to use the value
+ of the desired_access filed passed into the lsa_open_policy()
+ routines.
+
+
+o Michael Gravey <michel.gravey@optogone.com>
+ * BUG 1776: Fix warnings when building modules caused by
+ certain versions of GNU ld not using the the default
+ --allow-shlib-undefined flag.
+
+
+o Chris Hertel <crh@samba.org>
+ * Fix logic bug in splay tree data structure when finding
+ a leaf node.
+ * Fix bug where an invalid MAC address would be printed by
+ a node status lookup from nmblookup.
+
+
+o Uli Iske <iske@elkb.de>
+ * Update the DNS/eDirectory LDAP schema file.
+
+
+o Björn Jacke <bjacke@sernet.de>
+ * BUG 1766: Unify charset-handling in Content-Type:-headers to
+ UTF-8. Reformat msgstr in msg-files to UTF-8.
+ * Do not use display charset for swat output.
+ * Convert the share names correctly from unix encoding to web
+ encoding and vice versa.
+ * Convert files from status page from unix charset to UTF-8.
+
+
+o Guenter Kukkukk <guenter.kukkukk@kukkukk.com>
+ * BUG 1590: Fix for talking to OS/2 clients (max_mux ignored).
+
+
+o Tom Lackemann <cessnatomny@yahoo.com>
+ * BUG 1954: Fix memory leak in posix acl code.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Robustnss fix for winbindd when sending multiple requests
+ at a high rate for a slow operation.
+ * Solve the problem of user sids ending up with gid's
+ and vice versa.
+ * Use sys_fork instead of fork for the dual daemon so that
+ we get the correct debug pid in the logfiles.
+ * Based on patch from jmcd, implement special lists for the LDAP
+ user attributes to delete.
+ * Fix creation of aliases via usrmgr. Winbind was too strict
+ checking the type of sids.
+ * Lowercase all usernames returned by winbind.
+ * BUG 1545, 1823: Only issue the ldap extended password change
+ operation if the ldap server supports it. Also ignore object
+ class violation errors from the extended operation.
+ * Optimization for 'idmap backend = ldap': When asking sid2id
+ for the wrong type, don't ask ldap when we have the opposite mapping
+ in the local tdb.
+ * Fix ldapsam_compat homeDrive.
+ * Add usersidlist and allowedusers subcommands to the net tool
+ in order to support scanning a file server's share and list
+ all users who have permission to connect there.
+ * Allow for multiple DC's to be named as #1c names in lmhosts.
+ * Memory leak fixes.
+ * Fix checks for the local pid of an smbd process after
+ reopening tdbs.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added tdbtool to be built by default.
+
+
+o Love <lha@stacken.kth.se>
+ * BUG 1955: Inconsistent error return.
+
+
+o Sorin Manolache <sorinm@gmail.com>
+ * Memory leak fix.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Allow 'net ads lookup' to rely on command line arguments
+ if contacting an ADS server fails; utilize cldap for lookups.
+ * Fixup formatting errors in TDB_LOG calls; add printf attribute
+ support to tdb log functions.
+
+
+o Bill McGonigle <bill+samba@bfccomputing.com>
+ * BUG 1926: Type in debug message.
+
+
+o Sean McGrath
+ * BUG 1822: Add -D_REENTRANT to CPPFLAGS and -lthread to LDFLAGS
+ for libsmbclient.
+
+
+o Luke Mewburn <lukem@NetBSD.org>
+ * BUG 1782: Prevent testparm from displaying parameter synonyms.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Fix crash in smbcquotas and smbcacls caused by setup_logging().
+ * Fix client quota support.
+ * Fix opening of system quota file.
+
+
+o Lars Mueller <lmuelle@samba.org>
+ * Small fixes for autogen.sh to deal with version detection
+ of autoconf and autoheader; fixes for examples using
+ libtool to adhere to stricter syntax of newer version.
+
+
+o Henrik Nordstrom <hno@squid-cache.org>
+ * Allow winbindd to return the correct number of groups
+ when the groups array must be enlarged.
+
+
+o Narayana Pattipati <narayana.pattipati@wipro.com>
+ * Solaris autoconf detection fixes.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 1360: (correct fix) Use -Wl when passing flags to
+ the linker.
+ * HP-UX compile fixes (from JBravo on #samba-technical).
+ * BUG 1731: More HP-UX compiles fixes.
+ * BUG 1778: Include yp_prot.h before ypclnt.h as AIX 5.2
+ spits the dummy otherwise.
+ * Fix bug in Python printerdata wrapper.
+ * BUG 1762: nss_winbind fixes on AIX 5.x (patch from
+ <bugzilla-samba@thewrittenword.com>).
+ * Fix parameter confusion in priming of name-to-sid cache
+ (Found by Qiao Yang).
+ * BUG 1888: Remove '..' from all pre-processor commands.
+ * BUG 1903: Change some #if DEBUG_PASSWORD's to #ifdef
+ DEBUG_PASSWORD.
+
+
+o Matt Selsky <selsky@columbia.edu>
+ * BUG 350: use autoconf 2.57 feature for checking header file
+ preprocessing (fixes configure warnings on Solaris).
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Fix usermgr.exe and trust relationships.
+
+
+o Paul Szabo <psz@maths.usyd.edu.au>
+ * Fix to make find_workgroup use the same
+ truncation as create_workgroup.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Ensure cli_write() can support writes >= 65536 bytes.
+
+
+o Simo Sorce <idra@samba.org>
+ * Added check password script code in examples/auth/crackcheck/
+ * Fix memory corruption bug caused in freeing static memory.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Remove lp_use_mmap() from map_file() since the latter
+ is for read only and does not require coherence.
+ * Ensure that the uuid pack/unpack routines do not go past
+ the end of the structure.
+ * Converted Samba 3 tree to use the new utf-16 aware iconv
+ code.
+ * Changed iconv to recognise UCS-2LE and UTF-16LE as synonyms.
+ * Ensure configure only uses '=' instead of the bashism '=='.
+ * Reduces the number of tdb locking calls made on file IO.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Convert internal data to UTF-8 before calling libxml2.
+ * Complain if 'password chat' doesn't contain the %u variable
+ (based on a patch by Ronan Waide).
+
+
+o Josef Zlomek
+ * BUG 1541: Fix recursive ls in smbclient.
+
+
+o Igor Zhbanov <bsg@uniyar.ac.ru>
+ * BUG 1797: Prevent winbind and nmbd from ignoring the "-l"
+ option.
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.7
+ Sept 13, 2004
+ =============================
+
+Common bugs fixed in 3.0.7 include:
+
+ o Fixes for two Denial of Service vulnerabilities
+ (CVE ID# CAN-2004-0807 & CAN-2004-0808).
+ o Winbind failure to return user entries under certain
+ conditions.
+ o Syntax errors in the OpenLDAP schema file (samba.schema).
+ o Printing errors caused by not setting default values
+ for the various printing commands.
+
+
+Changes since 3.0.6
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ winbind enable local accounts disabled by default
+
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Fix parsing of names ending in dot and a few other error
+ returns.
+ * BUG 1674: Move the symlinks checks into reduce_name().
+ * Fix memleak when checking the valid names smb.conf option.
+ * Fix memleak on error return path in the file open code.
+ * More paranoia checks in the hash2 mangling code.
+ * Fix syntax error in configure.in.
+ * Match Win2k3's behavior for pathname parsing error returns.
+ * Make nmbd more robust against bad netbios packets
+ (CAN-2004-0808).
+ * Add more checks for invalid ASN.1 packets for SPNEGO packets
+ (CAN-2004-0807).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Janitor work in loadparm.c -- remove unused parameters.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 1464: Ensure that printing commands are initialized even
+ if the 'printing' parameter is not explicitly set.
+ * Resolve name conflict on DEC OSF-5.1 (inspired by patch from
+ Adharsh Praveen <rprav@india.hp.com>)
+ * Work around parsing error in the print change notify code.
+ * remove duplicate declaration of getprintprocdir from
+ rpcclient.
+ * Only use sAMAccountName and not userPrincipalName when looking
+ up a username in AD since the breaks winbindd (lookup_name()
+ only works with the sAMAccountName).
+ * Fix bug with winbindd_getpwnam() caused by Microsoft DC's not
+ filling in the username in the user_info3.
+ * Fix logic bug in the check for creating a user's home directory
+ in register_vuid(); caused home directory to be mismatched to
+ the first share in smb.conf under certain conditions.
+ * BUG 1656: rename auto.a to auto.smb.
+ * Ensure that we assign our pid to print jobs (and not our
+ parent's pid); ensures that spooling jobs from dead smbds
+ are removed from the tdb.
+ * Disable 'winbind enable local accounts' by default.
+ * Adding some initial checks for DragonFly (same as
+ FreeBSD 4.1).
+
+
+o Guenther Deschner <gd@samba.org>
+ * Use SMB_ASSERT() to track down NULL printer names in
+ the tdb open code.
+ * Revert fix for BUG 1474 to avoid unnecessary packaging
+ dependencies.
+
+
+o Olaf Flebbe <o.flebbe@science-computing.de>.
+ * BUG 1627: fix for NIS compiles on HPUX 11.00, AIX 4.3
+ and 5.1.
+ * BUG 1626: More compile fixes.
+
+
+o Rob Foehl <rwf@loonybin.net>
+ * Don't clear the PRINT_ATTRIBUTE_PUBLISHED was getting reset
+ by attempts to sanitize the defined attributes.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1546: Preserve errno in MB strupper_m/strlower_m.
+
+
+o Helmut Heinreichsberger <helmut.heinreichsberger@chello.at>.
+ * BUG 1657: Remove used initialized variable,
+ * BUG 1658: Add a little bit of const.
+
+
+o Volker Lendecke <vl@samba.org>
+ * If there's garbage in the pidfile, we should not panic
+ but assume that no one else is around. We can't find the
+ other guy anyway.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fixup format string in the tdb error messages.
+
+
+o Jonas Olsson <lexicon@lysator.liu.se>
+ * BUG 1416: Don't reuncture a users list to NGROUPS_MAX when
+ reporting the list in usrmgr.exe.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix out-of-tree builds (problem with the script to generate
+ the svn version number).
+ * BUG 1360: Need to use -Wl when passing flags to the linker.
+ * BUG 1741: Define a struct nss_groupsbymem for HPUX 11 which
+ doesn't have one of its own.
+
+o Simo Sorce <idra@samba.org>
+ * Fixup compile issues on AIX caused by broken strlen() and
+ strdup().
+ * Update debian packaging files.
+
+
+o Dimitri van der Spek <dwspek@aboveit.nl>
+ * Use the correct counter when copying group rids from the
+ user_info3 struct in pam_winbind.
+
+
+o Qiao Yang <qyang@stbernard.com>
+ * BUG 1622: Only cache the user
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.6
+ Aug 19, 2004
+ =============================
+
+Common bugs fixed in 3.0.6 include:
+
+ o Schannel failure in winbindd.
+ o Numerous memory leaks.
+ o Incompatibilities between the 'write list' and 'force user'
+ smb.conf options.
+ o Premature optimization of the open_directory() internal
+ function that broke tools such as the ArcServe backup
+ agent, Macromedia HomeSite, and Robocopy.
+ o Corrupt workgroup names in nmbd's browse.dat.
+ o Sharing violation errors commonly seen when opening
+ when serving Microsoft Office documents from a Samba
+ file share.
+ o Browsing problems caused by an apostrophe (') in the
+ computer's description field.
+ o Problems creating special file types from UNIX CIFS
+ clients and enabling 'unix extensions'.
+ o Fix stalls in smbd caused by inaccessible LDAP servers.
+ o Remove various memory leaks.
+ o Fix issues in the password lockout feature.
+
+New features introduced in this release include:
+
+ O Support symlinks created by CIFS clients which
+ can be followed on the server.
+ o Using a cups server other than localhost.
+ o Maintaining the service principal entry in the system
+ keytab for integration with other kerberized services.
+ Please refer to the 'use Kerberos keytab' entry in
+ smb.conf(5). When using the heimdal Kerberos libraries,
+ you must also specify the following in /etc/krb5.conf:
+ [libdefaults]
+ default_keytab_name = FILE:/etc/krb5.keytab
+ o Support for maintaining individual printer names
+ stored separately from the printer's sharename.
+ o Support for maintaining user password history.
+ o Support for honoring the logon times for user in a
+ Samba domain.
+
+
+============================================
+unix extensions = yes (default) and symlinks
+============================================
+
+Beginning with Samba 3.0.6pre1 (formerly known as 3.0.5pre1),
+clients supporting the UNIX extensions to the CIFS protocol
+can create symlinks to absolute paths which will be **followed**
+by the server. This functionality has been requested in order
+to correctly support certain applications when the user's home
+directory is mounted using some type of CIFS client (e.g. the
+cifsvfs in the Linux 2.6 kernel).
+
+If this behavior is not acceptable for your production environment
+you can set 'wide links = no' in the specific share declaration in
+the server's smb.conf. Be aware that disabling wide link support
+out of a share in Samba may impact the server's performance due
+to the fact that smbd will now have to check each path additional
+times before traversing it.
+
+
+========================
+Password History Support
+========================
+
+The new password history feature allows smbd to check the new
+password in password change requests against a list of the user's
+previous passwords. The number of previous passwords to save can
+be set using pdbedit (4 in this example):
+
+ root# pdbedit -P "password history" -C 4
+
+When using the ldapsam passdb backend, it is vital to secure the
+following attributes from access by non-administrative users:
+
+ * sambaNTPassword
+ * sambaLMPassword
+ * sambaPasswordHistory
+
+You should refer to your directory server's documentation on how
+to implement this restriction.
+
+
+Changes since 3.0.5
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups server New
+ defer sharing violations New
+ force unknown acl user New
+ ldap timeout New
+ printcap cache time New
+ use Kerberos keytab New
+
+commits
+-------
+o Jeremy Allison <jra@samba.org>
+ * Correct path parsing bug that broke DeletePrinterDriverEx().
+ * Fix bugs in check_path_syntax() caught by asserts.
+ * Internal change - rearrange internal global case setting
+ variables to a per connection basis.
+ * BUG 1345: Fix premature optimization in unix_convert().
+ * Allow clients to truncate a locked file.
+ * BUG 1319: Always check to see if a user as write access
+ to a share, even when 'force user' is set.
+ * Fix specific case of open that doesn't cause oplock break,
+ or share mode check.
+ * Correct sid type is WKN_GROUP, not alias. Added some
+ more known types (inspired by patch from Jianliang Lu).
+ * Allow creation of absolute symlink paths via CIFS clients.
+ * Fix charset bug in when invoking send_mailslot().
+ * When using widelinks = no, use realpath to canonicalize
+ the connection path on connection create for the user.
+ * Enhance stat open code.
+ * Fix unix extensions mknod code path.
+ * Allow unix domain socket creation via unix extensions.
+ * Auto disable the 'store dos attribute' parameter if the
+ underlying filesystem doesn't support EAs.
+ * Implement deferred open code to fix a bug with Excel files
+ on Samba shares.
+ * BUG 1427: Catch bad path errors at the right point. Ensure
+ all our pathname parsing is consistent.
+ * Fix SMB signing error introduced by the new deferred open
+ code.
+ * Change default setting for case sensitivity to "auto". (see
+ commit message -- r1154 -- for details).
+ * Add new remote client arch -- CIFSFS.
+ * Allow smbd to maintain the service principal entry in the
+ system keytab file (based on patch Dan Perry <dperry@pppl.gov>,
+ Guenther Deschner, et. al.).
+ * Fix longstanding memleak bug with logfile name.
+ * Fix incorrect type in printer publishing (struct uuid,
+ not UUID_FLAT).
+ * Heimdal compile fixes after introduction of the new ketyab
+ feature.
+ * Ensure we check attributes correctly on rename request.
+ * Ensure we defer a sharing violation on rename correctly.
+ * BUG 607: Ensure we remove DNS and DNSFAIL records immediately
+ on timeout.
+ * Fix bogus error message when using "mangling method = hash"
+ rather than hash2.
+ * Turn on sendfile by default for non-Win9x clients.
+ * Handle non-io opens that cause oplock breaks correctly.
+ * Ensure ldap replication sleep time is not more than 5 seconds.
+ * Add support for storing a user's password history.
+ LDAP portion of the code was based on a patch from
+ Jianliang Lu <j.lu@tiesse.com>.
+ * Correct memory leaks found in the password change code.
+ * Fix support for the mknod command with the Linux CIFS client.
+ * Remove support for passing the new password to smbpasswd
+ on the command line without using the -s option.
+ * Ensure home directory service number is correctly reused
+ (inspired by patches from Michael Collin Nielsen
+ <michael@hum.aau.dk>).
+ * Fix to stop printing accounts from resetting the bas
+ password and account lockout flags.
+ * If a account was locked out by an admin (and has a bad
+ password count of zero) leave it locked out until an admin
+ unlocks it (but log a message).
+ * Ensure we return the same ACL revision on the wire that
+ W2K3 does.
+ * BUG 1578: Hardcode replacement for invalid characters as '_'
+ (based on fix from Alexander E. Patrakov <patrakov@ums.usu.ru>).
+ * Fix hashed password history for LDAP backends.
+ * Enforce logon hours restrictions if confiogured (based on code
+ from Richard Renard <rrenard@idealx.com>).
+ * BUG 1606: Force smbd to disable sendfile with DOS clients
+ and ensure that the chained header is filled in for ...&X
+ commands.
+ * BUG 1602: Fix access to shares when all symlink support
+ has been disabled.
+
+
+
+o Tom Alsberg <alsbergt@cs.huji.ac.il>
+ * Allow pdbedit to export a single user from a passdb backend.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix parsing bug in GetDomPwInfo().
+ * Fix segfault in 'ntlm_auth --diagnostics'.
+ * Re-enable code to allow sid_to_gid() to perform a group
+ mapping lookup before checking with winbindd.
+ * Fix memory leak in the trans2 signing code.
+ * Allow more flexible GSS-SPENGO client and server operation
+ in ntlm_auth.
+ * Improve smbd's internal random number generation.
+ * Fix a few outstanding long password changes in smbd.
+ * Fix LANMAN2 session setup code.
+
+
+o Eric Boehm <boehm@nortelnetworks.com>
+ BUG 703: Final touches on netgroup case lookups.
+
+
+o Jerome Borsboom <j.borsboom@erasmusmc.nl>
+ * Ensure error status codes don't get overwritten in
+ lsa_lookup_sids() server code.
+ * Correct bug that caused smbd to overwrite certain error
+ codes when returning up the call stack.
+ * Ensure the correct sid type returned for builtin sids.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fix a few bugs in the Fedora Packaging files.
+ * Fix for setting the called name to by our IP if the
+ called name was *SMBSERVER and *SMBSERV. Fixes issue
+ with connecting to printers via \\ip.ad.dr.ess\printer
+ UNC path.
+ * BUG 1315: fix for schannel client connections to servers
+ when we haven't specifically negotiated AUTH_PIPE_SEAL.
+ * Allow PrinterDriverData valuenames with embedded backslashes
+ (Fixes bug with one of the Konica Fiery drivers).
+ * Fixed string length miscalculation in netbios names that
+ resulted in corrupt workgroup names in browse.dat.
+ * When running smbd as a daemon, launch child smbd to update
+ the lpq cache listing in the background.
+ * Allow printers "Printers..." folder to be renamed to a string
+ other than the share name.
+ * Allow winbindd to use domain trust account passwords when
+ running on a Samba DC to establish an schannel to remote
+ domains.
+ * Fix bad merge and ensure that we always use tdb_open_log()
+ instead of tdb_open_ex() (the former call enforce the 'use
+ mmap' parameter).
+ * BUG 1221: revert old change that used single and double
+ quotes as delimeters in next_token(), and change
+ print_parameter() to print out parm values surrounded by
+ double quotes (instead of single quotes).
+ * Prevent home directories added during the SMBsesssetup&X from
+ being removed as unused services.
+ * Invalidate the print object cache for open printer handles when
+ smbd receives a message that an attribute on a given printer
+ has been changed.
+ * Cause the configure script to exit if --enable-cups[=yes] is
+ defined and the system does not have the cups devel files
+ installed.
+ * BUG 1297: Prevent map_username() from being called twice
+ during logon.
+ * Ensure that we use the userPrincipalName AD attribute
+ value for LDAP SASL binds.
+ * Ensure we remove the tdb entry when deleting a job that
+ is being spooled.
+ * BUG 1520: Work around bug in Windows XP SP2 RC2 where the
+ client sends a FindNextPrintChangeNotify() request without
+ previously sending a FindFirstPrintChangeNotify(). Return
+ the same error code as Windows 2000 SP4.
+ * BUG 1516: Manually declare ldap_open_with_timeout() to
+ workaround compiler errors on IRIX (or other systems without
+ LDAP headers).
+ * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from
+ 3.0.5.
+ * Corrected syntax error in the OID for sambaUnixIdPool,
+ sambaSidEntry, & sambaIdmapEntry object classes.
+ * Tighten the cache consistency with the ntprinters.tdb entry
+ an the in memory cache associated with open printer handles.
+ * Make sure that register_messages_flags() doesn't overwrite
+ the originally registered flags.
+
+
+o Fabien Chevalier <fabien.chevalier@supelec.fr>
+ * Debian BUG 252591: Ensure that the return value from the
+ number of available interfaces is initialized in case no
+ interfaces are actually available.
+
+
+o Guenther Deschner <gd@sernet.de>
+ * Implement 'rpcclient setprintername'.
+ * Add local groups to the user's NT_TOKEN since they are
+ actually supported now.
+ * Heimdal compile fixes after introduction of the new keytab
+ feature.
+ * Correctly honor the info level parameter in 'rpcclient
+ enumprinters'.
+ * Reintroduce 'force unknown acl user' parameter. When getting a
+ security descriptor for a file, if the owner sid is not known,
+ the owner uid is set to the current uid. Same for group sid.
+ * Ensure that REG_SZ values in the SetPrinterData actually
+ get written in UNICODE strings rather than ASCII.
+ * Ensure that the last Kerberos error return is not invalid.
+ * Display share ACL entries from rpcclient.
+ * Correct infinite loop in pam_winbind's verification of
+ group membership in the 'other sids' field in the user_info3
+ struct.
+
+
+o Fabian Franz <FabianFranz@gmx.de>
+ * Support specifying a port in the device URL passed to smbspool.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Handle -S and user mount parms in mount.cifs.
+ * Fix user unmount of shares mount with suid mount.cifs.
+ * prevent infinite recusion in reopen_logs() when expanding
+ the smb.conf variable %I.
+
+
+o Bjoern Jacke <bj@sernet.de>
+ * Install libsmbclient into $(LIBDIR), not into hard coded
+ ${prefix}/lib. This helps amd64 systems with /lib and /lib64
+ and an explicit configure --libdir setting.
+
+
+o <kawasa_r@itg.hitachi.co.jp>
+ * Correct more memory leaks and initialization bugs.
+ * Fix bug that prevented core dumps from being generated
+ even if you tried.
+ * Connect to the winbind pipe in non-blocking mode to
+ prevent processes from hanging.
+ * Memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix crash bug in libsmbclient.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Added vfs_full_audit module.
+ * Add vfs_afsacl.c which can display & set AFS acls via
+ the NT security editor.
+ * Fix crash bug caused by trying to Base64 encode a NULL string.
+ * Fix DOS error code bug in reply_chkpath().
+ * Correct misunderstanding of the max_size field in
+ cli_samr_enum_als_groups; it is more like an account_control
+ field with individual bits what to retrieve.
+ * Implement 'net rpc group rename' -- rename domain groups.
+ * Implement the 'cups server' option. This makes it possible
+ to have virtual smbd's connect to different cups daemons.
+ * Paranoia fixes when adding local aliases to a user's NT_TOKEN.
+ * Fix sid_to_gid() calls in winbindd to prevent loops.
+ * Ensure that local_sid_to_gid() sets the type of the group on
+ return.
+ * Make sure that the clients are given back the IP address to
+ which they connected in the case of a multi-homed host. Only
+ affects strings the spoolss printing replies.
+ * Fix the bad password lockout. This has not worked as pdb_ldap.c
+ did not ask for the modifyTimestamp attribute, so it could
+ not find it. Try not to regress by not putting that attrib
+ in the main list but append it manually for the relevant searches.
+ * Fix two memleaks in login_cache.c.
+ * fixes memory bloat when unmarshalling strings.
+ * Fix compile errors using gcc 3.2 on SuSE 8.2.
+ * Fix the build for systems without Kerberos headers.
+ * Allow winbindd to handle authentication requests only when
+ started without either an 'idmap uid' or 'idmap gid' range.
+ * Fix the build for systems without ldap headers.
+ * Fix interaction between share security descriptor and the
+ 'read only' smb.conf option.
+ * Fix bug that caused _samr_lookupsids() with more than 32 (
+ MAX_REF_DOMAINS) SIDs to fail.
+ * Allow the 'idmap backend' parameter to accept a list of
+ LDAP servers for failover purposes.
+ * Revert code in smbd to remove a tdb when it has become
+ corrupted.
+ * Add paranoid checks when mapping SIDs to a uid/gid to
+ ensure that the type is correct.
+ * Initial work on getting client support for sending mailslot
+ datagrams.
+ * Add 'ldap timeout' parameter.
+ * Dont always uppercase 'afs username map'.
+ * Expand aliases for getusersids as well.
+ * Improved NT->AFS ACL mapping VFS module.
+
+
+o Herb Lewis <herb@samba.org>
+ * Add the acls debug class.
+ * Fix logic bug in netbios name truncate routine.
+ * Fix smbd crash caused by smbtorture IOCTL test.
+ * Fix errno tromping before calling iconv to reset the
+ conversion state.
+ * need to leave empty dacl so we can remove last ACE.
+
+
+o Jianliang Lu <Jianliang.Lu@getronics.com>
+ * Fix to stop smbd hanging on missing group member in
+ get_memberuids().
+ * Make sure Samba returns the correct group types.
+ * Reset the bad password count password counts upon a successful login.
+
+
+o Jason Mader <jason@ncac.gwu.edu>
+ * BUG 1385: Don't use non-consts in a structure initialization.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1279: SMBjobid fix for Samba print servers running on
+ Big-Endian platforms.
+
+
+o Joe Meadows <jameadows@webopolis.com>
+ * Add optional timeout parameter to ldap open calls.
+ * Allow get_dc_list() to check the negative cache.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * fix a configure logic bug for linux/XFS quotas when
+ using --with-sys-quotas.
+ * Use quota debug class in quota code.
+ * print out the SVN revision by configure,
+
+
+o Buchan Milne <bgmilne@mandrake.org>
+ * Mandrake packaging fixes.
+
+
+o Lars Mueller <lmuelle@samba.org>
+ * BUG 1279: Added 'printcap cache time' parameter.
+ * Fix afs related build issues on SuSE.
+ * Fix compiler warnings in the Kerberos client code.
+
+
+o James Peach <jpeach@sgi.com>
+ * More iconv detection fixes for IRIX.
+ * Compile fixed for systems that do not have C99/UNIX98 compliant
+ vsnprintf by default.
+ * Prevent smbd from attempting to use sendfile at all if it is
+ not supported by the server's OS.
+ * Allow SWAT to search for index.html when serving html files
+ in a directory.
+
+
+o Dan Peterson
+ * Implement NFS quota support on FreeBSD.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 1360: Use -Bsymbolic when creating shared libraries to
+ avoid conflicts with identical symbols in the global namespace
+ when loading libnss_wins.so.
+
+
+o Richard Renard <rrenard@idealx.com>
+ * Save the current password as it is being changed into the
+ password history list.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix error return codes on some lock messages.
+ * BUG 1178: Make the libsmbclient routines callable
+ by C++ programs.
+ * BUG 1333: Make sure we return an error code when
+ things go wrong.
+ * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when
+ share mode locking requests fail.
+
+
+o Simo Sorce <idra@samba.org>
+ * Update Debian stable & unstable packaging.
+ * Tidy up parametric options in testparm output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add sigchild handling to winbindd to restart the child
+ daemon if necessary.
+
+
+o Tom Shaw <tomisfaraway@gmail.com>
+ * Use winbindd_fill_pwent() consistently.
+
+
+o Nick Thompson <nickthompson@agere.com>
+ * Protect smbd against broken filesystems which return zero
+ blocksize.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fixed bug in handling of timeout in socket connections.
+
+
+o Nick Wellnhofer <wellnhofer@aevum.de>
+ * Prevent lp_interfaces() list from being corrupted. Fixes
+ bug where nmbd would lose the list of network interfaces
+ on the system and consequently shutdown.
+
+
+o James Wilkinson <jwilk@alumni.cse.ucsc.edu>
+ * Fix ntlm_auth memory leaks.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Additional NT status to unix error mappings.
+ * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't
+ get duplicate symbol errors.
+ * Return an error when the last command read from stdin
+ fails in smbclient.
+ * Prepare for better error checking in tar.
+ * BUG 1474: Fix build of --with-expsam stuff on Solaris.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.5
+ July 20, 2004
+ =============================
+
+Please note that Samba 3.0.5 is identical to Samba 3.0.4 with
+the exception of correcting the two security issues outlined
+below.
+
+######################## SECURITY RELEASE ########################
+
+Summary: Multiple Potential Buffer Overruns in Samba 3.0.x
+CVE ID: CAN-2004-0600, CAN-2004-0686
+ (http://cve.mitre.org/)
+
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes.
+
+It has been confirmed that versions of Samba 3 prior to v3.0.4
+are vulnerable to two potential buffer overruns. The individual
+details are given below.
+
+=============
+CAN-2004-0600
+=============
+
+Affected Versions: Samba 3.0.2 and later
+
+The internal routine used by the Samba Web Administration
+Tool (SWAT v3.0.2 and later) to decode the base64 data
+during HTTP basic authentication is subject to a buffer
+overrun caused by an invalid base64 character. It is
+recommended that all Samba v3.0.2 or later installations
+running SWAT either (a) upgrade to v3.0.5, or (b) disable
+the swat administration service as a temporary workaround.
+
+This same code is used internally to decode the
+sambaMungedDial attribute value when using the ldapsam
+passdb backend. While we do not believe that the base64
+decoding routines used by the ldapsam passdb backend can
+be exploited, sites using an LDAP directory service with
+Samba are strongly encouraged to verify that the DIT only
+allows write access to sambaSamAccount attributes by a
+sufficiently authorized user.
+
+The Samba Team would like to heartily thank Evgeny Demidov
+for analyzing and reporting this bug.
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 3.0.0 and later
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Please be aware
+that the default setting for this parameter is 'mangling method
+= hash2' and therefore not vulnerable.
+
+Affected Samba 3 installations can avoid this possible security
+bug by using the default hash2 mangling method. Server
+installations requiring the hash mangling method are encouraged
+to upgrade to Samba 3.0.5.
+
+
+##################################################################
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.4
+ May 8, 2004
+ =============================
+
+Common bugs fixed in Samba 3.0.4 include:
+
+ o Password changing after applying the patch described in
+ the Microsoft KB828741 article to Windows clients.
+ o Crashes in smbd.
+ o Managing print jobs via Windows on Big-Endian servers.
+ o Several memory leaks in winbindd and smbd.
+ o Compile issues on AIX and *BSD.
+
+Changes since 3.0.3
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix path processing for DeletePrinterDriverEx().
+ * BUG 1303: Fix for Microsoft hotfix MS04-011 password change
+ breakage.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix alignment bug in GetDomPwInfo().
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix utime[s]() issues in smbwrapper on systems
+ that can boot both the 2.4 and 2.6 Linux kernels.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fedora packaging fixes.
+ * BUG 1302: Fix seg fault by not trying to optimize a list of
+ invalid gids using the wrong array size.
+ * BUG 1309: fix seg fault caused by trying to strdup(NULL)
+ seen when 'security = share'.
+ * Fix problems when using IBM's compiler on AIX.
+ * Link Developer's Guide, Example Guide, and multi-page HOWTO
+ into SWAT's welcome page.
+ * BUG 1293: fix double free in printer publishing code.
+
+
+o Wim Delvaux <wim.delvaux@adaptiveplanet.com>
+ * Fix for handling timeouts in socket connections.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * BUG 483: patch from to fix password hash creation in SWAT.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Close the open NT pipes before the tdis.
+ * Fix AFS related build issues.
+ * Handle error conditions when base64 encoding a blob of 0 bytes.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added 'acls' debug class.
+
+o kawasa_r@itg.hitachi.co.jp
+ * Multiple variable initialization and memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix string length bug in libsmbclient that caused KDE's
+ Konqueror to crash.
+ * BUG 429: More libsmbclient fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1007, 1279: Store the print job using a little-endian key.
+
+
+o Eric Mertens
+ o Compile fix for OpenBSD (ENOTSUP not supported).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Correct bug in disks quota views from explorer.
+
+
+o Tim Potter <tpot@samba.org>
+ BUG 1305: Correct debug output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix incorrect error code mapping.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Add additional NT_STATUS errorm mappings.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
+Changes since 3.0.2a
+--------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups options New
+ ea support New
+ only user Deprecated
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure that Kerberos mutex is always properly unlocked.
+ * Removed Heimdal "in-memory keytab" support.
+ * Fixup the 'multiple-vuids' bugs in our server code.
+ * Correct return code from lsa_lookup_sids() on unmapped
+ sids (based on work by vl@samba.org).
+ * Fix the "too many fcntl locks" scalability problem
+ raised by tridge.
+ * Fixup correct (as per W2K3) returns for lookupsids
+ as well as lookupnames.
+ * Fixups for delete-on-close semantics as per Win2k3 behavior.
+ * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
+ * Fix "unable to initialize" bug when smbd hasn't been run with
+ new system and a user is being added via pdbedit/smbpasswd.
+ * Added NTrename SMB (0xA5).
+ * Fixup correct timeout values for blocking lock timeouts.
+ * Fix various bugs reported by 'gentest'.
+ * More locking fixes in the case where we own the lock.
+ * Fix up regression in IS_NAME_VALID and renames.
+ * Don't set allocation size on directories.
+ * Return correct error code on fail if file exists and target
+ is a directory.
+ * Added client "hardlink" comment to test doing NT rename with
+ hard links. Added hardlink_internals() code - UNIX extensions
+ now use this as well.
+ * Use a common function to parse all pathnames from the wire for
+ much closer emulation of Win2k3 error return codes.
+ * Implement check_path_syntax() and rewrite string sub
+ functions for better multibyte support.
+ * Ensure msdfs referrals are multibyte safe.
+ * Allow msdfs symlink syntax to be more forgiving.
+ eg. sym_link -> msdfs://server/share/path/in/share
+ or sym_link -> msdfs:\\server\share\path\in\share.
+ * Cleanup multibyte netbios name support in nmbd ( based on patch
+ by MORIYAMA Masayuki <moriyama@miraclelinux.com>).
+ * Fix check_path_syntax() for multibyte encodings which have
+ no '\' as second byte (based on work by ab@samba.org.
+ * Fix the "dfs self-referrals as anonymous user" problem
+ (based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
+
+o Craig Barratt <cbarratt@users.sourceforge.net>
+ * BUG 389: Allow multiple exclude arguments with smbclient
+ tar -Xr options (better support for Amanda backup client).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Include support for linking with cracklib for enforcing strong
+ password changes.
+ * Add support for >14 character password changes from Windows
+ clients.
+ * Add 'admin set password' capability to 'net rpc'.
+ * Allow 'net rpc samdump' to work with any joined domain
+ regardless of smb.conf settings.
+ * Use an allocated buffer for count_chars.
+ * Add sanity checks for changes in the domain SID in an
+ LDAP DIT.
+ * Implement python unit tests for Samba's multibyte string
+ support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix incorrect size calculation of the directory name
+ in recycle.so.
+ * Fix problems with very long filenames in both smbd and smbclient
+ caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
+ * BUG 66: mark 'only user' deprecated.
+ * Remove corrupt tdb and shutdown (only for printing tdbs,
+ connections, sessionid & locking).
+ * decrement smbd counter in connections.tdb in smb_panic().
+ * RedHat specfile updates.
+ * Fix xattr.h build issue on Debian testing and SuSE 8.2.
+ * BUG 1147; bad pointer case in get_stored_queue_info()
+ causing seg fault.
+ * BUG 761: read the config file before initialized default
+ values for printing options; don't default to bsd printing
+ Linux.
+ * Allow the 'printing' parameter to be set on a per share basis.
+ * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
+ * BUG 848: don't create winbind local users/groups that already
+ exist in the tdb.
+ * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on
+ LynxOS/ppc).
+ * BUG 488: fix the 'show client in col 1' button and correctly
+ enumerate active connections.
+ * BUG 1007 (partial): Fix abort in smbd caused by byte ordering
+ problem when storing the updating pid for the lpq cache.
+ * BUG 1007 (partial): Fix print change notify bugs.
+ * BUG 1165, 1126: Fix bug with secondary groups (security = ads)
+ and winbind use default domain = yes. Also ensures that
+ * BUG 1151: Ensure that winbindd users are passed through
+ the username map.
+ * Fix client rpc binds for ASU derived servers (pc netlink,
+ etc...).
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
+
+o Robert Dahlem <Robert.Dahlem@gmx.net>
+ * BUG 1048: Don't return short names when when 'mangled names = no'
+
+
+o Guenther Deschner <gd@suse.com>
+ * Remove hard coded attribute name in the ads ranged retrieval
+ code.
+ * Add --with-libdir and --with-mandir to autoconf script.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Fix getpwent_list() so that the username is not
+ overwritten by other fields.
+
+
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update mount.cifs to version 1.1.
+ * Disable dev (MS_NODEV) on user mounts from cifs vfs.
+ * Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1055; formatting fixes for 'net share'.
+ * BUG 692: correct truncation of share names and workgroup
+ names in smbclient.
+ * BUG 1088: use strchr_m() for query_host (smbclient -L).
+ * Patch from to internally count characters correctly.
+
+
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
+o Chris Hertel <crh@samba.org>
+ * fix enumeration of shares 12 characters in length via
+ smbclient.
+
+
+o Ulrich Holeschak <ulrich@holeschak.de>
+ * BUG 932: fix local password change using pam_smbpass
+
+
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Return NSS_SUCCESS once the max number of gids possible
+ has been found in initgroups() on Solaris.
+ * BUG 1182: Re-enable the -n 'no cache' option for winbindd.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix success message for net groupmap modify.
+ * Fix errors when enumerating members of groups in 'net rpc'.
+ * Match Windows behavior in samr_lookup_names() by returning
+ ALIAS(4) when you search in BUILTIN.
+ * Fix server SAMR code to be able to set alias info for
+ builtin as well.
+ * Fix duplication of logic when creating groups via smbd.
+ * Ensure that the HWM values are set correctly after running
+ 'net idmap'.
+ * Add 'net rpc group add'.
+ * Implement 'net groupmap set' and 'net groupmap cleanup'.
+ * Add 'net rpc group [add|del]mem' for domain groups and aliases.
+ * Fix wb_delgrpmem (wbinfo -o).
+ * As a DC we should not reply to lsalookupnames on DCNAME\\user.
+ * Fix sambaUserWorkstations on a Samba DC.
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix typo for tag in proto file.
+ * Add missing #ifdef HAVE_BICONV stuff.
+ * Truncate Samba's netbios name at the first '.' (not
+ right to left).
+
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Enforce the 'user must change password at next login' flag.
+ * Decode meaning of 'fields present' flags (improves support
+ for usrmgr.exe).
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
+
+o L. Lucius <ib@digicron.com>.
+ * type fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Add versioning support to tdbsam.
+ * Update the IBM Directory Server schema with the OpenLDAP
+ file.
+ * Various decoding fixes to improve usrmgr.exe support.
+ * Fix statfs redeclaration of statfs struct on ppc
+ * Implement support for password lockout of Samba domain
+ controllers and standalone servers.
+ * Get MungedDial attribute actually working with full TS
+ strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ o BUG 979 -- Fix quota display on AIX.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct check for printf() format when using the SGI MIPSPro
+ compiler.
+ * BUG 1038: support backtrace for 'panic action' on IRIX.
+ * BUG 768: Accept profileing arg to IRIX init script.
+ * BUG 748: Relax arg parsing to sambalp script (IRIX).
+ * BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix logic bug in tdb non-blocking lock routines when
+ errno == EAGAIN.
+ * BUG 1025: Include sys/acl.h in check for broken nisplus
+ include files.
+ * BUG 1066: s/printf/d_printf/g in SWAT.
+ * BUG 1098: rename internal msleep() function to fix build
+ problems on AIX.
+ * BUG 1112: Fix for writable printerdata problem in python bindings.
+ * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
+ * BUG 1155: enclose use of fchown() with guards.
+ * Relicense tdb python module as LGPL.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add support to smbclient for multiple logins on the same
+ session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Sorce <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Rewrote the AIX UESS backend for winbindd.
+ * Fixed compilation with --enable-dmalloc.
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix ETA Calculation when resuming downloads in smbget.
+ * Add -O (for writing downloaded files to standard out)
+ based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+ * Fix syntax error in example mysql table
+
+
+o TAKEDA yasuma <yasuma@miraclelinux.com>
+ * BUG 900: fix token processing in cmd_symlink, cmd_link,
+ cmd_chown, cmd_chmod smbclient functions.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
+
+
+ --------------------------------------------------
+
==============================
+ Release Notes for Samba 3.0.2a
+ February 13, 2004
+ ==============================
+
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* Attention! Achtung! Kree! *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* Attention! Achtung! Kree! *********************
+
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
-This is the second beta release of Samba 3.0.0. This is a
-non-production release intended for testing purposes. Use
-at your own risk.
-The purpose of this beta release is to get wider testing of the major
-new pieces of code in the current Samba 3.0 development tree. We have
-officially ceased development on the 2.2.x release of Samba and are
-concentrating on Samba 3.0. To reduce the time before the final
-Samba 3.0 release we need as many people as possible to start testing
-these beta releases, and to provide high quality feedback on what
-needs fixing.
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_Kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
-Samba 3.0 is feature complete. However there is still some final
-work to be done on certain pieces of functionality. Please refer to
-the section on "Known Issues" for more details.
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 2000 TSE.
+ Thanks to Gaz de France, Direction de la Recherche, Service
+ Informatique Métier for their supporting this work by Aurelien
+ Degrémont <adegremont@idealx.com>.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on Kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
Major new features:
-------------------
-1) Active Directory support. This release is able to join a ADS realm
- as a member server and authenticate users using LDAP/kerberos.
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
-2) Unicode support. Samba will now negotiate UNICODE on the wire and
- internally there is now a much better infrastructure for multi-byte
- and UNICODE character sets.
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
-3) New authentication system. The internal authentication system has
- been almost completely rewritten. Most of the changes are internal,
- but the new auth system is also very configurable.
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
-4) New filename mangling system. The filename mangling system has been
- completely rewritten. An internal database now stores mangling maps
- persistently. This needs lots of testing.
+4) New default filename mangling system.
-5) New "net" command. A new "net" command has been added. It is
- somewhat similar to the "net" command in windows. Eventually we
- plan to replace a bunch of other utilities (such as smbpasswd)
- with subcommands in "net", at the moment only a few things are
- implemented.
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
6) Samba now negotiates NT-style status32 codes on the wire. This
improves error handling a lot.
-7) Better Windows 2000/XP/2003 printing support including publishing
- printer attributes in active directory
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
-8) New loadable RPC modules
+8) New loadable module support for passdb backends and character
+ sets.
-9) New dual-daemon winbindd support (-B) for better performance
+9) New default dual-daemon winbindd support for better performance.
10) Support for migrating from a Windows NT 4.0 domain to a Samba
- domain and maintaining user, group and domain SIDs
+ domain and maintaining user, group and domain SIDs.
11) Support for establishing trust relationships with Windows NT 4.0
- domain controllers
+ domain controllers.
12) Initial support for a distributed Winbind architecture using
- an LDAP directory for storing SID to uid/gid mappings
+ an LDAP directory for storing SID to uid/gid mappings.
13) Major updates to the Samba documentation tree.
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
Plus lots of other improvements!
Additional Documentation
------------------------
-Please refer to Samba documentation tree (including in the docs/
+Please refer to Samba documentation tree (included in the docs/
subdirectory) for extensive explanations of installing, configuring
and maintaining Samba 3.0 servers and clients. It is advised to
begin with the Samba-HOWTO-Collection for overviews and specific
tasks (the current book is up to approximately 400 pages) and to
refer to the various man pages for information on individual options.
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
######################################################################
-Changes since 3.0beta1
-######################
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details
-
-1) Rework our smb signing code again, this factors out some of
- the common MAC calcuation code, and now supports multiple
- outstanding packets (bug #40)
-2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
- ntlmv2 auth'
-3) Correct timestamp problem on 64-bit machines (bug #140)
-4) Add extra debugging staements to winbindd for tracking down
- failures
-5) Fix bug when aliased 'winbind uid/gid' parameters
-6) Added an auth flag that indicates if we should be allowed
- to fallback to NTLMSSP for SASL if krb5 fails
-7) Fixed the bug that forced us not to use the winbindd cache when
- we have a primary ADS domain and a secondary (trusted) NT4 domain.
-8) Use lp_realm() to find the default realm for 'net ads password'
-9) Removed editreg from standard build until it is portable.
-10) Fix domain membership for servers not running winbindd
-11) Correct race condition in determining the high water make
- in the idmap backend (bug #181)
-12) Set the user's primary unix group from usrmgr.exe (partial
- fix for bug #45)
-13) Show comments when doing 'net group -l' (bug #3)
-14) Add trivial extension to 'net' to dump current local idmap
- and restore mappings as well
-15) Modify 'net rpc vampire' to add new and existing users to
- both the idmap and the SAM.
-16) Fix crash bug in ADS searches
-17) Build libnss_wins.so as part of nsswitch target (bug #160)
-18) Make net rpc vampire return an error if the sam sync RPC
- returns an error
-19) Fail to join an NT 4 domain as a BDC if an workstation account
- using our name exists
-20) Fix various memory leaks in server and client code
-21) Remove the short option to --set-auth-user for wbinfo (-A) to
- prevent confusion with the -a option (bug #158)
-22) Added new 'map acl inheritence' parameter
-23) Removed unused 'privileges' code from group mapping database
-24) Don't segfault on empty passdb backend list (bug #136)
-25) Fixed acl sorting algorithm forWwindows 2000 clients
-26) Replace universal group cache with netsamlogon_cache
- from APPLIANCE_HEAD branch
-27) Fix autoconf detection issues surrounding --with-ads=yes
- but no Krb5 header files installed (bug #152)
-28) Add LDAP lookup for domain sequence number in case we are
- joined using NT4 protocols to a native mode AD domain
-29) Fix backend method selection for trusted NT 4 (or 2k
- mixed mode) domains
-30) Fixed bug that caused us to enuemrate dmain local groups
- from native mode AD domains other than our own
-31) Correct group enumeration for viewing in the Windows
- security tab (bug #110)
-32) Consolidate the DC location code
-33) Moved 'ads server' functionality into 'password server' for
- backwards compatibility
-34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
- ( if you installed beta1, be sure to
- 'mv idmap.tdb winbindd_idamap.tdb' )
-35) Fix pdb_ldap segfaults, and wrong default values for
- ldapsam_compat
-36) Enable negative connection cache for winbindd's ADS backend
- functions
-37) Enable address caching for active directory DC's so we don't
- have to hit DNS so much
-38) Fix bug in idmap code that caused mapping to randomly be
- redefined
-39) Add tdb locking code to prevent race condition when adding a
- new mapping to idmap
-40) Fix 'map to guest = bad user' when acting as a PDC supporting
- trust relationships
-41) Prevent deadlock issues when running winbindd on a Samba PDC
- to handle allocating uids & gids for trusted users and groups
-42) added LOCALE patch from Steve Langasek (bug #122)
-43) Add the 'guest' passdb backend automatically to the end of
- the 'passdb backend' list if 'guest account' has a valid
- username.
-44) Remove samstrict_dc auth method. Rework 'samstrict' to only
- handle our local names (or domain name if we are a PDC).
- Move existing permissive 'sam' method to 'sam_ignoredomain'
- and make 'samstrict' the new default 'sam' auth method.
-45) Match Windows NT4/2k behavior when authenticating a user with
- and unknown domain (default to our domain if we are a DC or
- domain member; default to our local name if we are a
- standalone server)
-46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
- 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
-47) Fix the trustdom_cache code to update the list of trusted
- domains when operating as a domain member and not using
- winbindd
-48) Remove 'nisplussam' passdb backend since it has suffered for
- too long without a maintainer
-
+Upgrading from a previous Samba 3.0 beta
+########################################
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
-######################################################################
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
Upgrading from Samba 2.2
########################
This section is provided to help administrators understand the details
-involved with upgrading a Samba 2.2 server to Samba 3.0
+involved with upgrading a Samba 2.2 server to Samba 3.0.
Building
--------
Many of the options to the GNU autoconf script have been modified
-in the 3.0 release. The most noticeable are
+in the 3.0 release. The most noticeable are:
* removal of --with-tdbsam (is now included by default; see section
on passdb backends and authentication for more details)
backend and authentication section for more details
* inclusion of non-standard passdb modules may be enabled using
- --with-expsam. This includes an XML backend, a mysql backend,
- and a NIS backend.
+ --with-expsam. This includes an XML backend and a mysql backend.
* removal of --with-msdfs (is now enabled by default)
* domain admin group
* domain guest group
* force unknown acl user
+ * hide local users
+ * mangled stack
* nt smb support
- * post script
+ * postscript
* printer driver
* printer driver file
* printer driver location
+ * read size
+ * source environment
* status
+ * strip dot
* total print jobs
* use rhosts
* valid chars
--------------
* auth methods
* realm
+ * passwd chat timeout
Protocol Options
----------------
* ntlm auth
* paranoid server security
* server schannel
+ * server signing
* smb ports
* use spnego
* hostname lookups
* kernel change notify
* mangle prefix
- * map acl inheritence
+ * map acl inherit
* msdfs proxy
* set quota command
* use sendfile
-----------------------
* idmap backend
* idmap gid
- * idmap only
* idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
LDAP
----
* ldap idmap suffix
* ldap machine suffix
* ldap passwd sync
- * ldap trust ids
+ * ldap replication sleep
* ldap user suffix
General Configuration
---------------------
* preload modules
- * privatedir
+ * private dir
Modified Parameters (changes in behavior):
* restrict anonymous (integer value)
* security (new 'ads' value)
* strict locking (enabled by default)
+ * unix extensions (enabled by default)
* winbind cache time (increased to 5 minutes)
* winbind uid (deprecated in favor of 'idmap uid')
* winbind gid (deprecated in favor of 'idmap gid')
upgrade databases as they are opened (if necessary), but downgrading
from 3.0 to 2.2 is an unsupported path.
-Name Description Backup?
----- ----------- -------
-account_policy User policy settings yes
-gencache Generic caching db no
-group_mapping Mapping table from Windows yes
- groups/SID to unix groups
-idmap new ID map table from SIDS yes
- to UNIX uids/gids.
-namecache Name resolution cache entries no
-netsamlogon_cache Cache of NET_USER_INFO_3 structure no
- returned as part of a successful
- net_sam_logon request
-printing/*.tdb Cached output from 'lpq no
- command' created on a per print
- service basis
-registry Read-only samba registry skeleton no
- that provides support for exporting
- various db tables via the winreg RPCs
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
Changes in Behavior
with an Active Directory domain using the native Windows
Kerberos 5 and LDAP protocols.
+ MIT Kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or Kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
Samba 3.0 also includes the possibility of setting up chains
of authentication methods (auth methods) and account storage
backends (passdb backend). Please refer to the smb.conf(5)
LDAP
####
-This section outlines the new features affecting Samba / LDAP integration.
+This section outlines the new features affecting Samba / LDAP
+integration.
New Schema
----------
A new object class (sambaSamAccount) has been introduced to replace
-the old sambaAccount. This change aids us in the renaming of attributes
-to prevent clashes with attributes from other vendors. There is a
-conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
-file to the new schema.
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
Example:
- $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
- $ convertSambaAccount <DOM SID> old.ldif new.ldif
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
-The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
-on the Samba PDC as root.
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
The old sambaAccount schema may still be used by specifying the
"ldapsam_compat" passdb backend. However, the sambaAccount and
SID and a UNIX uid/gid. These objects are created by the
idmap_ldap module as needed.
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
New Suffix for Searching
------------------------
with NFS that were present in Samba 2.2.
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) (OBSOLETE) New functions have been added to winbindd to emulate
+ the 'add user script' family of smbd functions without requiring
+ that external scripts be defined. This functionality is controlled
+ by the 'winbind enable local accounts' smb.conf parameter (enabled
+ by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
######################################################################
Known Issues
############
-* The smbldap perl scripts for managing user entries in an LDAP
- directory have not be updated to function with the Samba 3.0
- schema changes. This (or an equivalent solution) work is planned
- to be completed prior to the stable 3.0.0 release.
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
Please refer to https://bugzilla.samba.org/ for a current list of bugs
filed against the Samba 3.0 codebase.
A new bugzilla installation has been established to help support the
Samba 3.0 community of users. This server, located at
-https://bugzilla.samba.org/, will replace the existing jitterbug server
-and the old http://bugs.samba.org now points to the new bugzilla server.
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
git.samba.org / tprouty / samba.git / blobdiff