diff options
Diffstat (limited to 'jerry/WHATSNEW.txt')
| -rw-r--r-- | jerry/WHATSNEW.txt | 1968 |
1 files changed, 1968 insertions, 0 deletions
diff --git a/jerry/WHATSNEW.txt b/jerry/WHATSNEW.txt new file mode 100644 index 00000000000..2b19a8aab42 --- /dev/null +++ b/jerry/WHATSNEW.txt @@ -0,0 +1,1968 @@ + ============================= + Release Notes for Samba 3.0.5 + July 20, 2004 + ============================= + +######################## SECURITY RELEASE ######################## + +Summary: Multiple Potential Buffer Overruns in Samba 3.0.x +CVE ID: CAN-2004-0600, CAN-2004-0686 + (http://cve.mitre.org/) + + +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all current +bug-fixes. + +It has been confirmed that versions of Samba 3 prior to v3.0.4 +are vulnerable to two potential buffer overruns. The individual +details are given below. + + +------------- +CAN-2004-0600 +------------- + +Affected Versions: Samba 3.0.2 and later + +The internal routine used by the Samba Web Administration +Tool (SWAT v3.0.2 and later) to decode the base64 data +during HTTP basic authentication is subject to a buffer +overrun caused by an invalid base64 character. It is +recommended that all Samba v3.0.2 or later installations +running SWAT either (a) upgrade to v3.0.5, or (b) disable +the swat administration service as a temporary workaround. + +This same code is used internally to decode the +sambaMungedDial attribute value when using the ldapsam +passdb backend. While we do not believe that the base64 +decoding routines used by the ldapsam passdb backend can +be exploited, sites using an LDAP directory service with +Samba are strongly encouraged to verify that the DIT only +allows write access to sambaSamAccount attributes by a +sufficiently authorized user. + +The Samba Team would like to heartily thank Evgeny Demidov +for analyzing and reporting this bug. + + +------------- +CAN-2004-0686 +------------- + +Affected Versions: Samba 3.0.0 and later + +A buffer overrun has been located in the code used to support +the 'mangling method = hash' smb.conf option. Please be aware +that the default setting for this parameter is 'mangling method += hash2' and therefore not vulnerable. + +Affected Samba 3 installations can avoid this possible security +bug by using the default hash2 mangling method. Server +installations requiring the hash mangling method are encouraged +to upgrade to Samba 3.0.5. + + +################################################################## + + +Changes for older versions follow below: + + -------------------------------------------------- + ============================= + Release Notes for Samba 3.0.4 + May 8, 2004 + ============================= + + +Common bugs fixed in Samba 3.0.4 include: + + o Password changing after applying the patch described in + the Microsoft KB828741 article to Windows clients. + o Crashes in smbd. + o Managing print jobs via Windows on Big-Endian servers. + o Several memory leaks in winbindd and smbd. + o Compile issues on AIX and *BSD. + +Changes since 3.0.3 +-------------------- + +commits +------- + +o Jeremy Allison <jra@samba.org> + * Fix path processing for DeletePrinterDriverEx(). + * BUG 1303: Fix for Microsoft hotfix MS04-011 password change + breakage. + + +o Andrew Bartlett <abartlet@samba.org> + * Fix alignment bug in GetDomPwInfo(). + + +o Alexander Bokovoy <ab@samba.org> + * Fix utime[s]() issues in smbwrapper on systems + that can boot both the 2.4 and 2.6 Linux kernels. + + +o Gerald Carter <jerry@samba.org> + * Fedora packaging fixes. + * BUG 1302: Fix seg fault by not trying to optimize a list of + invalid gids using the wrong array size. + * BUG 1309: fix seg fault caused by trying to strdup(NULL) + seen when 'security = share'. + * Fix problems when using IBM's compiler on AIX. + * Link Developer's Guide, Example Guide, and multi-page HOWTO + into SWAT's welcome page. + * BUG 1293: fix double free in printer publishing code. + + +o Wim Delvaux <wim.delvaux@adaptiveplanet.com> + * Fix for handling timeouts in socket connections. + + +o Michel Gravey <michel.gravey@optogone.com> + * BUG 483: patch from to fix password hash creation in SWAT. + + +o Volker Lendecke <vl@samba.org> + * Close the open NT pipes before the tdis. + * Fix AFS related build issues. + * Handle error conditions when base64 encoding a blob of 0 bytes. + + +o Herb Lewis <herb@samba.org> + * Added 'acls' debug class. + +o kawasa_r@itg.hitachi.co.jp + * Multiple variable initialization and memory leak fixes. + + +o Stephan Kulow <coolo@suse.de> + * Fix string length bug in libsmbclient that caused KDE's + Konqueror to crash. + * BUG 429: More libsmbclient fixes. + + +o Jim McDonough <jmcd@us.ibm.com> + * BUG 1007, 1279: Store the print job using a little-endian key. + + +o Eric Mertens + o Compile fix for OpenBSD (ENOTSUP not supported). + + +o Stefan Metzmacher <metze@samba.org> + * Correct bug in disks quota views from explorer. + + +o Tim Potter <tpot@samba.org> + BUG 1305: Correct debug output. + + +o Richard Sharpe <rsharpe@samba.org> + * Fix incorrect error code mapping. + + +o Jelmer Vernooij <jelmer@samba.org> + * Add additional NT_STATUS errorm mappings. + + + -------------------------------------------------- + + ============================= + Release Notes for Samba 3.0.3 + April 29, 2004 + ============================= + + +Common bugs fixed in Samba 3.0.3 include: + + o Crash bugs and change notify issues in Samba's printing code. + o Honoring secondary group membership on domain member servers. + o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag. + o Substitution errors for %[UuGg] in smb.conf. + o winbindd crashes when using ADS security mode. + o SMB signing errors. + o Delays in winbindd startup caused by unnecessary + connections to trusted domain controllers. + o Various small memory leaks. + o Winbindd failing due to expired Kerberos tickets. + +New features introduced in Samba 3.0.3 include: + + o Improved support for i18n character sets. + o Support for account lockout policy based on + bad password attempts. + o Improved support for long password changes (>14 + characters) and strong password enforcement. + o Support for Windows aliases (i.e. nested groups). + o Experimental support for storing DOS attribute on files + and folders in Extended Attributes. + o Support for local nested groups via winbindd. + o Specifying options to be passed directly to the CUPS libraries. + +Please be aware that the Samba source code repository was +migrated from CVS to Subversion on April 4, 2004. Details on +accessing the Samba source tree via anonymous svn can be found +at http://svn.samba.org/samba/subversion.html. + + +Changes since 3.0.2a +-------------------- +smb.conf changes +---------------- + + Parameter Name Action + -------------- ------ + cups options New + ea support New + only user Deprecated + store dos attributes New + unicode Removed + winbind nested groups New + + +commits +------- + +o Jeremy Allison <jra@samba.org> + * Ensure that Kerberos mutex is always properly unlocked. + * Removed Heimdal "in-memory keytab" support. + * Fixup the 'multiple-vuids' bugs in our server code. + * Correct return code from lsa_lookup_sids() on unmapped + sids (based on work by vl@samba.org). + * Fix the "too many fcntl locks" scalability problem + raised by tridge. + * Fixup correct (as per W2K3) returns for lookupsids + as well as lookupnames. + * Fixups for delete-on-close semantics as per Win2k3 behavior. + * Make SMB_FILE_ACCESS_INFORMATION call work correctly. + * Fix "unable to initialize" bug when smbd hasn't been run with + new system and a user is being added via pdbedit/smbpasswd. + * Added NTrename SMB (0xA5). + * Fixup correct timeout values for blocking lock timeouts. + * Fix various bugs reported by 'gentest'. + * More locking fixes in the case where we own the lock. + * Fix up regression in IS_NAME_VALID and renames. + * Don't set allocation size on directories. + * Return correct error code on fail if file exists and target + is a directory. + * Added client "hardlink" comment to test doing NT rename with + hard links. Added hardlink_internals() code - UNIX extensions + now use this as well. + * Use a common function to parse all pathnames from the wire for + much closer emulation of Win2k3 error return codes. + * Implement check_path_syntax() and rewrite string sub + functions for better multibyte support. + * Ensure msdfs referrals are multibyte safe. + * Allow msdfs symlink syntax to be more forgiving. + eg. sym_link -> msdfs://server/share/path/in/share + or sym_link -> msdfs:\\server\share\path\in\share. + * Cleanup multibyte netbios name support in nmbd ( based on patch + by MORIYAMA Masayuki <moriyama@miraclelinux.com>). + * Fix check_path_syntax() for multibyte encodings which have + no '\' as second byte (based on work by ab@samba.org. + * Fix the "dfs self-referrals as anonymous user" problem + (based on patch from vl@samba.org). + * BUG 1064: Ensure truncate attribute checking is done correctly + on "hidden" dot files. + * Fix bug in anonymous dfs self-referrals again. + * Fix get/set of EA's in client library + * Added support for OS/2 EA's in smbd server. + * Added 'ea support' parameter to smb.conf. + * Added 'store dos attributes' parameter to smb.conf. + * Fix wildcard identical rename. + * Fix reply_ctemp - make compatible with w2k3. + * Fix wildcard unlink. + * Fix wildcard src with wildcard dest renames. + * BUG 1139: Fix based on suggestion by jdev@panix.com. + swap lookups for user and group - group will do an + algorithmic lookup if it fails, user won't. + * Make EA's lookups case independent. + * Fix SETPATHINFO in 'unix extensions' support. + * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for + the UNIX info levels, and the short case preserve names. + + +o Timur Bakeyev <timur@com.bat.ru> + * BUG 1144: only set --with-fhs when the argument is 'yes' + * BUG 1152: Allow python modules to build despite libraries added + to LDFLAGS instead of LDPATH. + * BUG 1141: Fix nss*.so names on FreeBSD 5.x. + + +o Craig Barratt <cbarratt@users.sourceforge.net> + * BUG 389: Allow multiple exclude arguments with smbclient + tar -Xr options (better support for Amanda backup client). + + +o Andrew Bartlett <abartlet@samba.org> + * Include support for linking with cracklib for enforcing strong + password changes. + * Add support for >14 character password changes from Windows + clients. + * Add 'admin set password' capability to 'net rpc'. + * Allow 'net rpc samdump' to work with any joined domain + regardless of smb.conf settings. + * Use an allocated buffer for count_chars. + * Add sanity checks for changes in the domain SID in an + LDAP DIT. + * Implement python unit tests for Samba's multibyte string + support. + * Remove 'unicode' smb.conf option. + * BUG 1138: Fix support for 'optional' SMB signing and other + signing bugs. + * BUG 169: Fix NTLMv2-only behavior. + * Ensure 'net' honors the 'netbios name' in the smb.conf by + default. + * Support SMB signing on connections using only the LANMAN + password and generate the correct the 'session key' for these + connections. + * Implement --required-membership-of=, an ntlm_auth option + that restricts all authentication to members of this particular + group. + * Improve our fall back code for password changes. + * Only send the ntlm_auth 'ntlm-server-1' helper client a '.' + after the server had said something (such as an error). + * Add 'ntlm-server-1' helper protocol to ntlm_auth. + + +o Alexander Bokovoy <ab@samba.org> + * Fix incorrect size calculation of the directory name + in recycle.so. + * Fix problems with very long filenames in both smbd and smbclient + caused by truncating paths during character conversions. + * Fix smbfs problem with Tree Disconnect issued before smbfs + starts its work. + + +o Gerald Carter <jerry@samba.org> + * BUG 850: Fix 'make installmodules' bug on True64. + * BUG 66: mark 'only user' deprecated. + * Remove corrupt tdb and shutdown (only for printing tdbs, + connections, sessionid & locking). + * decrement smbd counter in connections.tdb in smb_panic(). + * RedHat specfile updates. + * Fix xattr.h build issue on Debian testing and SuSE 8.2. + * BUG 1147; bad pointer case in get_stored_queue_info() + causing seg fault. + * BUG 761: read the config file before initialized default + values for printing options; don't default to bsd printing + Linux. + * Allow the 'printing' parameter to be set on a per share basis. + * BUG 503: RedHat/Fedora packaging fixes regarding logrotate. + * BUG 848: don't create winbind local users/groups that already + exist in the tdb. + * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on + LynxOS/ppc). + * BUG 488: fix the 'show client in col 1' button and correctly + enumerate active connections. + * BUG 1007 (partial): Fix abort in smbd caused by byte ordering + problem when storing the updating pid for the lpq cache. + * BUG 1007 (partial): Fix print change notify bugs. + * BUG 1165, 1126: Fix bug with secondary groups (security = ads) + and winbind use default domain = yes. Also ensures that + * BUG 1151: Ensure that winbindd users are passed through + the username map. + * Fix client rpc binds for ASU derived servers (pc netlink, + etc...). + * BUG 417, 1128: Ensure that the current_user_info is set + consistently so that %[UuGg] is expanded correctly. + * BUG 1195: Fix crash in winbindd when the ADS server is + unavailable. + * BUG 1185: Set reconnect time to be the same as the + 'winbind cache time'. + * Ensure that we return the sec_desc in smb_io_printer_info_2. + * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL. + * BUG 1095: Honor the '-l' option in smbclient. + * BUG 1023: surround get_group_from_gid() with become_unbecome_root() + block. + * Ensure server schannel uses the auth level requested by the + client. + * Removed --with-cracklib option due to potential crash issue. + * Fix -lcrypto linking problem with wbinfo. + * BUG 761: allow printing parameter to set defaults on a per + share basis. + * Add 'cups options' parameter to allow raw printing without + changing /etc/cups/cupsd.conf. + * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and + winbindd. + * BUG 1246: Fix typo in Fedora /etc/init.d/winbind. + * BUG 1288: resolve any machine netbios name (0x00) and not just + servers (0x20). + * BUG 1199: Fix potential symlink issue in + examples/printing/smbprint. + + +o Robert Dahlem <Robert.Dahlem@gmx.net> + * BUG 1048: Don't return short names when when 'mangled names = no' + + +o Guenther Deschner <gd@suse.com> + * Remove hard coded attribute name in the ads ranged retrieval + code. + * Add --with-libdir and --with-mandir to autoconf script. + + +o Bostjan Golob <golob@gimb.org> + * BUG 1046: Fix getpwent_list() so that the username is not + overwritten by other fields. + + +o Landon Fuller <landonf@opendarwin.org> + * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) + to fix user/group enumeration on systems whose libc does not + call setgrent() before trying to enumerate users (i.e. + FreeBSD 5.2). + + +o Steve French <sfrench@us.ibm.com> + * Update mount.cifs to version 1.1. + * Disable dev (MS_NODEV) on user mounts from cifs vfs. + * Fixes to minor security bug in the mount helper. + * Fix credential file mounting for cifs vfs. + * Fix free of incremented pointer in cifsvfs mount helper. + * Fix path canonicalization of the mount target path and help + text display in the cifs mount helper. + * Add missing guest mount option for mount.cifs. + + +o SATOH Fumiyasu <fumiya@miraclelinux.com> + * BUG 1055; formatting fixes for 'net share'. + * BUG 692: correct truncation of share names and workgroup + names in smbclient. + * BUG 1088: use strchr_m() for query_host (smbclient -L). + * Patch from to internally count characters correctly. + + +o Paul Green <paulg@samba.org> + * Update VOS _POSIX_C_SOURCE macro to 200112L. + * Fix bug in configure.ion by moving the first use of + AC_CHECK_HEADERS so it is always executed. + * Fix configure.in to only use $BLDSHARED to select whether to + build static or shared libraries. + + +o Pat Haywarrd <Pat.Hayward@propero.net> + * Make the session_users list dynamic (max of 128K). + + +o Cal Heldenbrand <calzplace@yahoo.com> + * Fix for for 'pam_smbpass migrate' functionality. + + +o Chris Hertel <crh@samba.org> + * fix enumeration of shares 12 characters in length via + smbclient. + + +o Ulrich Holeschak <ulrich@holeschak.de> + * BUG 932: fix local password change using pam_smbpass + + +o Krischan Jodies <kj@sernet.de> + * Implement 'net rpc group delete' + + +o John Klinger <john.klinger@lmco.com> + * Return NSS_SUCCESS once the max number of gids possible + has been found in initgroups() on Solaris. + * BUG 1182: Re-enable the -n 'no cache' option for winbindd. + + +o Volker Lendecke <vl@samba.org> + * Fix success message for net groupmap modify. + * Fix errors when enumerating members of groups in 'net rpc'. + * Match Windows behavior in samr_lookup_names() by returning + ALIAS(4) when you search in BUILTIN. + * Fix server SAMR code to be able to set alias info for + builtin as well. + * Fix duplication of logic when creating groups via smbd. + * Ensure that the HWM values are set correctly after running + 'net idmap'. + * Add 'net rpc group add'. + * Implement 'net groupmap set' and 'net groupmap cleanup'. + * Add 'net rpc group [add|del]mem' for domain groups and aliases. + * Fix wb_delgrpmem (wbinfo -o). + * As a DC we should not reply to lsalookupnames on DCNAME\\user. + * Fix sambaUserWorkstations on a Samba DC. + * Implement wbinfo -k: Have winbind generate an AFS token after + authenticating the user. + * Add expand_msdfs VFS module for providing referrals based on the + the client's IP address. + * Implement client side NETLOGON GetDCName function. + * Fix caching of name->sid lookups. + * Add support in winbindd for expanding nested local groups. + * Fix memleak in winbindd. + * Fix msdfs proxy. + * Don't list domain groups from BUILTIN. + * Fix memleak in policy handle utility functions. + * Decrease winbindd startup time by only contacting trusted + domains as necessary. + * Allow winbindd to ask the DC for its domain for a trusted + DC. + * Fix Netscape DS schema based on comments from + <thomas.mueller@christ-wasser.de>. + * Correct case where adding a domain user to a XP local group + did a lsalookupname on the user without domain prefix, and + failed. + * Fix segfault in winbindd caused by 'wbinfo -a'. + + +o Herb Lewis <herb@samba.org> + * Fix typo for tag in proto file. + * Add missing #ifdef HAVE_BICONV stuff. + * Truncate Samba's netbios name at the first '.' (not + right to left). + + +o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com> + * Bug fixes and enhancements to libsmbclient library. + + +o Jianliang Lu <j.lu@tiesse.com> + * Enforce the 'user must change password at next login' flag. + * Decode meaning of 'fields present' flags (improves support + for usrmgr.exe). + * NTLMv2 fixes. + * Don't force an upper case domain name in the ntlmssp code. + + +o L. Lucius <ib@digicron.com>. + * type fixes. + + +o Jim McDonough <jmcd@us.ibm.com> + * Add versioning support to tdbsam. + * Update the IBM Directory Server schema with the OpenLDAP + file. + * Various decoding fixes to improve usrmgr.exe support. + * Fix statfs redeclaration of statfs struct on ppc + * Implement support for password lockout of Samba domain + controllers and standalone servers. + * Get MungedDial attribute actually working with full TS + strings in it for pdb_ldap. + * BUG 1208 (partial): Improvements for working with expired krb5 + tickets in winbindd. + * Use timegm, or our already existing replacement instead of + timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>). + * Remove modifyTimestamp from list of our attributes. + * Fix lsalookupnames to check for domain users as well as local + users. + * Merge struct uuid replacement for GUID from trunk. + * BUG 1208: Finish support for handling expired tickets in + winbindd (in conjunction with Guenther Deschner <gd@suse.de>). + + +o Stefan Metzmacher <metze@samba.org> + * Implement new VERSION schema based on subversion revision + numbers. + * Add shadow_copy vfs module. + * Fix segault in login_cache support. + + +o Heinrich Mislik <Heinrich.Mislik@univie.ac.at> + o BUG 979 -- Fix quota display on AIX. + + +o James Peach <jpeach@sgi.com> + * Correct check for printf() format when using the SGI MIPSPro + compiler. + * BUG 1038: support backtrace for 'panic action' on IRIX. + * BUG 768: Accept profileing arg to IRIX init script. + * BUG 748: Relax arg parsing to sambalp script (IRIX). + * BUG 758: Fix pdma build. + * Search IRIX ABI paths for libiconv. Based on initial fix from + Jason Mader. + + +o Kurt Pfeifle <kpfeifle@danka.de> + * Add example shell script for migrating drivers and printers + from a Windows print server to a Samba print server using + smbclient/rpcclient (examples/printing/VamireDriversFunctions). + + +o Tim Potter <tpot@samba.org> + * Fix logic bug in tdb non-blocking lock routines when + errno == EAGAIN. + * BUG 1025: Include sys/acl.h in check for broken nisplus + include files. + * BUG 1066: s/printf/d_printf/g in SWAT. + * BUG 1098: rename internal msleep() function to fix build + problems on AIX. + * BUG 1112: Fix for writable printerdata problem in python bindings. + * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c. + * BUG 1155: enclose use of fchown() with guards. + * Relicense tdb python module as LGPL. + + +o Richard Sharpe <rsharpe@samba.org> + * Add support to smbclient for multiple logins on the same + session (based on work by abartlet@samba.org). + * Correct blocking condition in smbd's use of accept() on IRIX. + * Add support for printing out the MAC address on nmblookup. + + +o Simo Source <idra@samba.org> + * Replace unknown_3 with fields_present in SAMR code. + * More length checks in strlcat(). + + +o Andrew Tridgell <tridge@samba.org> + * Rewrote the AIX UESS backend for winbindd. + * Fixed compilation with --enable-dmalloc. + * Change tdb license to LGPL (see source/tdb/tdb.c). + * Force winbindd to use schannel in clients connections to + DC's if possible. + + +o Jelmer Vernooij <jelmer@samba.org> + * Fix ETA Calculation when resuming downloads in smbget. + * Add -O (for writing downloaded files to standard out) + based on patch by Bas van Sisseren <bas@dnd.utwente.nl>. + * Fix syntax error in example mysql table + + +o TAKEDA yasuma <yasuma@miraclelinux.com> + * BUG 900: fix token processing in cmd_symlink, cmd_link, + cmd_chown, cmd_chmod smbclient functions. + + +o Shiro Yamada <shiro@miraclelinux.com> + * BUG 1129: install image files for SWAT. + + + -------------------------------------------------- + + ============================== + Release Notes for Samba 3.0.2a + February 13, 2004 + ============================== + +Samba 3.0.2a is a minor patch release for the 3.0.2 code base +to address, in particular, a problem when using pdbedit to +sanitize (--force-initialized-passwords) Samba's tdbsam +backend. This is the latest stable release of Samba. This +is the version that all production Samba servers should be +running for all current bug-fixes. + +******************* Attention! Achtung! Kree! ********************* + +Beginning with Samba 3.0.2, passwords for accounts with a last +change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in +ldapsam, etc...) of zero (0) will be regarded as uninitialized +strings. This will cause authentication to fail for such +accounts. If you have valid passwords that meet this criteria, +you must update the last change time to a non-zero value. If you +do not, then 'pdbedit --force-initialized-passwords' will disable +these accounts and reset the password hashes to a string of X's. + +******************* Attention! Achtung! Kree! ********************* + + +Changes since 3.0.2 +------------------- + +commits +------- + +Please refer to the CVS log for the SAMBA_3_0 branch for complete +details. The list of changes per contributor are as follows: + + +o Jeremy Allison <jra@samba.org> + * Added paranoia checks in parsing code. + + +o Andrew Bartlett <abartlet@samba.org> + * Ensure that changes to uninitialized passwords in ldapsam + are written to the DIT. + + +o Gerald (Jerry) Carter <jerry@samba.org> + * Fixed iterator in tdbsam. + * Fix bug that disabled accounts with a valid NT password + hash, but no LanMan hash. + + +o Steve French <sfrench@us.ibm.com> + * Added missing nosetuid and noexec options. + + +o Bostjan Golob <golob@gimb.org> + * BUG 1046: Don't overwrite usernames of entries returned + by getpwent_list(). + + +o Sebastian Krahmer <krahmer@suse.de> + * Fixed potential crash bug in NTLMSSP parsing code. + + +o Tim Potter <tpot@samba.org> + * Fixed logic in tdb_brlock error checking. + + +o Urban Widmark <urban@teststation.com> + * Set nosuid,nodev flags in smbmnt by default. + + + -------------------------------------------------- + + ============================= + Release Notes for Samba 3.0.2 + February 9, 2004 + ============================= + +It has been confirmed that previous versions of Samba 3.0 are +susceptible to a password initialization bug that could grant an +attacker unauthorized access to a user account created by the +mksmbpasswd.sh shell script. + +The Common Vulnerabilities and Exposures project (cve.mitre.org) +has assigned the name CAN-2004-0082 to this issue. + +Samba administrators not wishing to upgrade to the current +version should download the 3.0.2 release, build the pdbedit +tool, and run + + root# pdbedit-3.0.2 --force-initialized-passwords + +This will disable all accounts not possessing a valid password +(e.g. the password field has been set a string of X's). + +Samba servers running 3.0.2 are not vulnerable to this bug +regardless of whether or not pdbedit has been used to sanitize +the passdb backend. + +Some of the more visible bugs in 3.0.1 addressed in the 3.0.2 +release include: + + o Joining a Samba domain from Pre-SP2 Windows 2000 clients. + o Logging onto a Samba domain from Windows XP clients. + o Problems with the %U and %u smb.conf variables in relation to + Windows 9x/ME clients. + o Kerberos failures due to an invalid in memory keytab detection + test. + o Updates to the ntlm_auth tool. + o Fixes for various SMB signing errors. + o Better separation of WINS and DNS queries for domain controllers. + o Issues with nss_winbind FreeBSD and Solaris. + o Several crash bugs in smbd and winbindd. + o Output formatting fixes for smbclient for better compatibility + with scripts based on the 2.2 version. + + +Changes since 3.0.1 +------------------- + +smb.conf changes +---------------- + + Parameter Name Action + -------------- ------ + ldap replication sleep New + read size removed (unused) + source environment removed (unused) + + +commits +------- + +Please refer to the CVS log for the SAMBA_3_0 branch for complete +details. The list of changes per contributor are as follows: + +o Jeremy Allison <jra@samba.org> + * Revert change that broke Exchange clear text samlogons. + * Fix gcc 3.4 warning in MS-DFS code. + * Tidy up of NTLMSSP code. + * Fixes for SMB signing errors + * BUG 815: Workaround NT4 bug to support plaintext + password logins and UNICODE. + * Fix SMB signing bug when copying large files. + * Correct error logic in mkdir_internals() (caused a panic + when combined with --enable-developer). + * BUG 830: Protect against crashes due to bad character + conversions. + + +o Petri Asikainen <paca@sci.fi> + * BUG 330, 387:Fix single valued attribute updates when + working with Novell NDS. + + +o Andrew Bartlett <abartlet@samba.org> + * Correctly handle per-pipe NTLMSSP inside a NULL session. + * Fix segfault in gencache + * Fix early free() of encrypted_session_key. + * Change DC lookup routines to more carefully separate + DNS names (realms) from NetBIOS domain names. + * Add new sid_to_dn() function for internal winbindd use. + * Refactor cli_ds_enum_domain_trusts(). + * BUG 707: Implement range retrieval of ADS attributes (based + on work from Volker <vl@samba.org> and Guenther Deschner + <gd@suse.com>). + * Automatically initialize the signing engine if a session key + is available. + * BUG 916: Do not perform a + -> ' ' substitution for squid URL + encoded strings, only form input in SWAT. + * Resets the NTLMSSP state for new negotiate packets. + * Add 2-byte alignments in net_samlogon() queries to parse + odd-length plain text passwords. + * Allow Windows groups with no members in winbindd. + * Allow normal authentication in the absence of a server + generated session key. + * More optimizations for looking up UNIX group lists. + * Clean up error codes and return values for pam_winbindd + and winbindd PAM interface. + * Fix string return values in ntlm_auth tool. + * Fix segfault when 'security = ads' but no realm is defined. + * BUG 722: Allow winbindd to map machine accounts to uids. + * More cleanups for winbindd's find_our_domain(). + * More clearly detect whether a domain controller is an NT4 + or mixed-mode AD DC (additional bug fixes by jerry & jmcd). + * Increase separation between DNS queries for hosts and queries + for AD domain controllers. + * Include additional NT_STATUS to PAM error mappings. + * Password initialization fixes. + + +o Justin Baugh <justin.baugh@request.com> + * BUG 948: Implement missing functions required for FreeBSD + nss_winbind support. + + +o Alexander Bokovoy <ab@samba.org> + * BUG 922: Make sure enable fast path for strlower_m() and + strupper_m(). + + +o Luca Bolcioni <Luca.Bolcioni@yacme.com> + * Fix crash when using 'security = server' and 'encrypt + passwords = no' by always initializing the session key. + + +o Dmitry Butskoj <buc@odusz.elektra.ru> + * Fix for special files being hidden from admins. + + +o Gerald (Jerry) Carter <jerry@samba.org> + * Fix bug in the lanman session key generation. Caused + "decode_pw: incorrect password length" error messages. + * Save the right case for the located user name in + fill_sam_account(). Fixes %U/%u expansion for win9x clients. + * BUG 897: Add well known rid for pre win2k compatible access + group. + * BUG 887: Correct typo in delete user script example. + * Use short lived TALLOC_CTX* for allocating printer objects + from the print handle cache. + * BUG 912: Fix check for HAVE_MEMORY_KEYTAB. + * Fix several warnings reported by the SUN Forte C compiler. + * Fully control DNS queries for AD DC's using 'name resolve order'. + * BUG 770: Send the SMBjobid for UNIX jobs back to the client. + * BUG 972: Fix segfault in cli_ds_getprimarydominfo(). + * BUG 936: fix bind credentials for schannel binds in smbd. + * BUG 446: Fix output of smbclient for better compatibility + with scripts based on the 2.2 version (including Amanda). + * BUG 891, 949: Fedora packaging fixes. + * Fix bug that caused rpcclient to incorrectly retrieve + the SID for a server (this causing all calls that required + this information to fail). + * BUG 977: Don't create a homes share for a user if a static + share already exists by the same name. + * Removed unused smb.conf options. + * Password initialization fixes. + * Set the disable flag for template accounts created by + mksmbpasswd.sh. + * Disable any account has no passwords and does not have the + ACB_PWNOTREQ bit set. + + +o Guenther Deschner <gd@suse.com> + * Install smbwrapper.so should be put into the $(libdir) + and not $(bindir). + * Add the capability to specify the new user password + for "net ads password" on the command line. + * Correctly detect AFS headers on SuSE. + + +o James Flemer <jflemer@uvm.edu> + * Fix AIX compile bug by linking HAVE_ATTR_LIST to + HAVE_SYS_ATTRIBUTES_H. + + +o Luke Howard <lukeh@PADL.COM> + * Fix segfault in session setup reply caused by a early free(). + + +o Stoian Ivanov <sdr@bultra.com> + * Implement grepable output for smbclient -L. + + +o LaMont Jones <lamont@debian.org> + * BUG 225328 (Debian): Correct false failure LFS test that resulted + in _GNU_SOURCE not being defined (thus resulting in strndup() + not being defined). + + +o Volker Lendecke <vl@samba.org> + * BUG 583: Ensure that user names always contain the short + version of the domain name. + * Fix our parsing of the LDAP uri. + * Don't show the 'afs username map' in the SWAT basic view. + * Fix SMB signing issues in relation to failed NTLMSSP logins. + * BUG 924: Fix return codes in smbtorture harness. + * Always lower-case usernames before handing it to AFS code. + * Add a German translation for SWAT. + * Fix a segfaults in winbindd. + * Fix the user's domain passed to register_vuid() from + reply_spnego_kerberos(). + * Add NSS example code in nss_winbind to convert UNIX + id's <-> Windows SIDs. + * Display more descriptive error messages for login via 'net'. + * Fix compiler warning in the net tool. + * Fix length bug when decoding base64 strings. + * Ensure we don't call getpwnam() inside a loop that is iterating + over users with getpwent(). This broke on glibc 2.3.2. + + +o Herb Lewis <herb@samba.org> + * Fix bit rot in psec. + + +o Jianliang Lu <j.lu@tiesse.com> + * Ensure we delete the group mapping before calling the delete + group script. + * Define well known RID for managing the "Power Users" group. + * BUG 381: check builtin (not local) group SID when updating + group membership. + * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement + packet. + + +o John Klinger <john.klinger@lmco.com> + * Implement initgroups() call in nss_winbind on Solaris. + + +o Jim McDonough <jmcd@us.ibm.com> + * Fix regression in net rpc join caused by recent changes + to cli_lsa_query_info_policy(). + * BUG 964: Fix crash bug in 'net rpc join' using a preexisting + machine account. + + +o MORIYAMA Masayuki <moriyama@miraclelinux.com> + * BUG 570: Ensure that configure honors the LDFLAGS variable. + + +o Stefan Metzmacher <metze@samba.org> + * Implement LDAP rebind sleep patch. + * Revert to 2.2 quota code because of so many broken quota files + out there. + * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS + XFS_USER_QUOTA -> USRQUOTA + XFS_GROUP_QUOTA -> GRPQUOTA + * Fix disk_free calculation with group quotas. + * Add debug class 'quota' and a lot of DEBUG()'s + to the quota code. + * Fix sys_chown() when no chown() is present. + * Add SIGABRT to fault handling in order to catch got a + backtrace if an error occurs the OpenLDAP client libs. + + +o <ndb@theghet.to> + * Allow an existing LDAP machine account to be re-used when + joining an AD domain. + + +o James Peach <jpeach@sgi.com> + * BUG 889: Change smbd to use pread/pwrite on platforms that + support these calls. Can lead to a significant speed increase. + + +o Tim Potter <tpot@samba.org> + * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles. + * BUG 924: Fix typo in RW2 torture test. + + +o Richard Sharpe <shape@samba.org> + * Small fixes to torture.c to cleanup the error handling + and prevent crashes. + + +o J. Tournier <jerome.tournier@IDEALX.com> + * Small fixes for the smbldap-tool scripts. + + +o Andrew Tridgell <tridge@samba.org> + * Fix src len check in pull_usc2(). + + +o Jelmer Vernooij <jelmer@samba.org> + * Put functions for generating SQL queries in pdb_sql.c + * Add pgSQL backend (based on patch by Hamish Friedlander) + * BUG 908: Fix -s option to smbcontrol. + * Add smbget utility - a wget-clone for the SMB/CIFS protocol. + * Fix for libnss_wins on IRIX platforms. + * Fix swatdir for --with-fhs. + + + -------------------------------------------------- + + ============================= + Release Notes for Samba 3.0.1 + December 15, 2003 + ============================= + +Some of the more common bugs in 3.0.0 addressed in the release +include: + + o Substitution problems with smb.conf variables. + o Errors in return codes which caused some applications + to fail to open files. + o General Protection Faults on Windows 2000/XP clients + using Samba point-n-print features. + o Several miscellaneous crash bugs. + o Access problems when enumerating group mappings are + stored in an LDAP Directory. + o Several common SWAT bugs when writing changes to + smb.conf. + o Internal inconsistencies when 'winbind use default + domain = yes' + + + +Changes since 3.0.0 +---------------------- + + Parameter Name Action + -------------- ------ + hide local users Removed + mangled map Deprecated + mangled stack Removed + passwd chat timeout New + + +commits +------- + +o Change the interface for init_unistr2 to not take a length + but a flags field. We were assuming that + 2*strlen(mb_string) == length of ucs2-le string. (bug 480). +o Allow d_printf() to handle strings with escaped quotation + marks since the msg file includes the escape character (bug 489). +o Fix bad html table row termination in SWAT wizard code (bug 413). +o Fix to parse the level-2 strings. +o Fix for "valid users = %S" in [homes]. Fix read/write + list as well. +o Change AC_CHECK_LIB_EXT to prepend libraries instead of append. + This is the same way AC_CHECK_LIB works (bug 508). +o Testparm output fixes for clarity. +o Fix broken wins hook functionality -- i18n bug (bug 528). +o Take care of condition where DOS and NT error codes must differ. +o Default to using only built-in charsets when a working iconv + implementation cannot be located. +o Wrap internals of sys_setgroups() so the sys_XX() call can + be done unconditionally (bug 550). +o Remove duplicate smbspool link on SWAT's front page (bug 541). +o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that + --enable-debug=[yes|no] works correctly. +o Allow ^C to interrupt smbpasswd if using our getpass + (e.g. smbpasswd command). +o Support signing only on RPC's (bug 167). +o Correct bug that prevented Excel 2000 clients from opening + files marked as read-only. +o Portability fix bugs 546 - 549). +o Explicitly initialize the value of AR for vendor makes that don't + do this (e.g. HPUX 11). (bug 552). +o More i18n fixes for SWAT (bug 413). +o Change the cwd before the postexec script to ensure that a + umount will succeed. +o Correct double free that caused winbindd to crash when a DC + is rebooted (bug 437). +o Fix incorrect mode sum (bug 562). +o Canonicalize SMB_INFO_ALLOCATION in the same was as + SMB_FS_FULL_SIZE_INFORMATION (bug 564). +o Add script to generate *msg files. +o Add Dutch SWAT translation file. +o Make sure to call get_user_groups() with the full winbindd + name for a user if he/she has one (bug 406). +o Fix up error code returns from Samba4 tester. Ensure invalid + paths are validated the same way. +o Allow Samba3 to pass the Samba4 RAW-READ tests. +o Refuse to configure if --with-expsam=$BACKEND was used but no + libraries were found for $BACKEND. +o Move sysquotas autoconf tests to a separate file. +o Match W2K w.r.t. writelock and writeclose. Samba4 torture + tester +o Make sure that the files that contain the static_init_$subsystem; + macro get recompiled after configure by removing the object + files. +o Ensure canceling a blocking lock returns the correct error + message. +o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. +o Updated Japanese welcome file in SWAT. +o Fix to nt-time <-> unix-time functions reversible. +o Ensure that winbindd uses the the escaped DN when querying + an AD ldap server. +o Fix portability issues when compiling (bug 505, 550) +o Compile fix for tdbbackup when Samba needs to override + non-C99 compliant implementations of snprintf(). +o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). +o Make sure we break out of samsync loop on error. +o Ensure error code path doesn't free unmalloc()'d memory + (bug 628). +o Add configure test for krb5_keytab_entry keyblock vs key + member (bug 636). +o Fixed spinlocks. +o Modified testparm so that all output so all debug output goes + to stderr, and all file processing goes to stdout. +o Fix error return code for BUFFER_TOO_SMALL in smbcacls + and smbcquotas. +o Fix "NULL dest in safe_strcpy()" log message by ensuring that + we have a devmode before copying a string to the devicename. +o Support mapping REALM.COM\user to a local user account (without + running winbindd) for compatibility with 2.2.x release. +o Ensure we don't use mmap() on blacklisted systems. +o fixed a number of bugs and memory leaks in the AIX + winbindd shim +o Call initgroups() in SWAT before becomming the user so that + secondary group permissions can be used when writing to + smb.conf. +o Fix signing problems when reverse connecting back to a + client for printer notify +o Fix signing problems caused by a miss-sequence bug. +o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. + Fixes NEXUS tools running on Win9x clients (bug 64). +o Don't leave the domain field uninitialized in cli_lsa.c if some + SID could not be mapped. +o Fix segfault in mount.cifs helper when there is no options + specified during mount. +o Change the \n after the password prompt to go to tty instead + of stdout (bug 668). +o Stop net -P from prompting for machine account password (bug 451). +o Change in behavior to Not only change the effective uid but also + the real uid when becoming unprivileged. +o Cope with Exchange 5.5 cleartext pop password auth. +o New files for support of initshutdown pipe. Win2k doesn't + respond properly to all requests on the winreg pipe, so we need + to handle this new pipe (bug 534). +o Added more va_copy() checks in configure.in. +o Include fixes for libsmbclient build problems. +o Missing UNIX -> DOS codepage conversion in lanman.c. +o Allow DFMS-S filenames can now have arbitrary case (bug 667). +o Parameterize the listen backlog in smbd and make it larger by + default. A backlog of 5 is way too small these days. +o Check for an invalid fid before dereferencing the fsp pointer + (bug 696). +o Remove invalid memory frees and return codes in pdb_ldap.c. +o Prompt for password when invoking --set-auth-user and no + password is given. +o Bind the nmbd sending socket to the 'socket address'. +o Re-order link command for smbd, rpcclient and smbpasswd to ensure + $LDFLAGS occurs before any library specification (bug 661). +o Fix large number of printf() calls for 64-bit size_t. +o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the + keyblock in the krb5 structs. +o Remove #include <compat.h> in hopes to avoid problems with + apache header files. +o Correct winbindd build problems on HP-UX 11. +o Lowercase netgroups lookups (bug 703). +o Use the actual size of the buffer in strftime instead of a made + up value which just happens to be less than sizeof(fstring). + (bug 713). +o Add ldaplibs to pdbedit link line (bug 651). +o Fix crash bug in smbclient completion (bug 659). +o Fix packet length for browse list reply (bug 771). +o Fix coredump in cli_get_backup_list(). +o Make sure that we expand %N (bug 612). +o Allow rpcclient adddriver command to specify printer driver + version (bug 514). +o Compile tdbdump by default. +o Apply patches to fix iconv detection for FreeBSD. +o Do not allow the 'guest account' to be added to a passdb backend + using smbpasswd or pdbedit (bug 624). +o Save LDFLAGS during iconv detection (bug 57). +o Run krb5 logins through the username map if the winbindd + lookup fails (bug 698). +o Add const for lp_set_name_resolve_order() to avoid compiler + warnings (bug 471). +o Add support for the %i macro in smb.conf to stand in for the for + the local IP address to which a client connected. +o Allow winbindd to match local accounts to domain SID when + 'winbind trusted domains only = yes' (bug 680). +o Remove code in idmap_ldap that searches the user suffix and group + suffix. It's not needed and provides inconsistent functionality + from the tdb backend. +o Patch to handle munged dial string for Windows 2000 TSE. + Thanks to Gaz de France, Direction de la Recherche, Service + Informatique Métier for their supporting this work by Aurelien + Degrémont <adegremont@idealx.com>. +o Correct the "smbldap_open: cannot access when not root error" + messages when looking up group information (bug 281). +o Skip over the winbind separator when looking up a user. + This fixes the bug that prevented local users from + matching an AD user when not running winbindd (bug 698). +o Fix a problem with configure on *BSD systems. Make sure + we add -liconv etc to LDFLAGS. +o Fix core dump bug when "security = server" and the authentication + server goes away. +o Correct crash bug due to an empty munged dial string. +o Show files locked by a specific user (smbstatus -u 'user') + (bug 590). +o Fix bug preventing print jobs from display in the queue + monitor used by Windows NT and later clients (bug 660). +o Fix several reported problems with point-n-print from + Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() + reply (bug 338, 527 & 643). +o Fix a handful of potential memory leaks in the LDAP code used + by ldapsam[_compat] and the LDAP idmap backend. +o Fix for pdbedit error code returns (bug 763). +o Make sure we only enumerate group mapping entries (not + /etc/group) even when doing local aliases. +o Relax check on the pipe name in a dce/rpc bind response to work + around issues with establishing trusts to a Windows 2003 domain. +o Ensure we mangle names ending in '.' in hash2 mangling method. +o Correct parsing issues with munged dial string. +o Fix bugs in quota support for XFS. +o Add a cleaner method for applications that need to provide + name->SID mappings to do this via NSS rather than having to + know the winbindd pipe protocol. +o Adds a variant of the winbindd_getgroups() call called + winbindd_getusersids() that provides direct SID->SIDs listing of + a users supplementary groups. This is enough to allow non-Samba + applications to do ACL checking. +o Make sure we don't append the 'ldap suffix' when writing out the + 'ldap XXX suffix' values in SWAT (bug 328). +o Fix renames across file systems. +o Ensure that items in a list of strings containing whitespace are + written out surrounded by single quotes. This means that both + double and single quotes are now used to surround strings in + smb.conf (bug 481). +o Enable SWAT to correctly determine if winbindd is running (bug + 398). +o Include WWW-Authenticate field in 401 response for bad auth + attempt (bug 629). +o Add support for NTLM2 (NTLMv2 session security). +o Add support for variable-length session keys. +o More privilege fixes for group enumeration in LDAP (bug 281). +o Use the dns name (or IP) as the originating client name when + using CUPS (bug 467). +o Fix various SMB signing bugs. +o Fix ACL propagation on a DFS root (bug 263). +o Disable NTLM2 for RPC pipes. +o Allow the client to specify the NTLM2 flags got NTLMSSP + authentication. +o Change the name of the job passed off to cups from "Test Page" + to "smbprn.00000033 Test Page" so that we can get the smb + jobid back. This allow users to delete jobs with cups printing + backend (partial work on bug 770). +o Fix build of winbindd with static pdb modules. +o Retrieve the correct ACL group bits if the file has an ACL + (bug 802). +o Implement "net rpc group members": Get members of a domain group + in human-readable format. +o Add MacOSX (Darwin) specific charset module code. +o Use samr_dispinfo(level == 1) for enumerating domain users so we + can include the full name in gecos field (bug 587). +o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797). +o Implement 'net rpc group list [global|local|builtin]*' for a + select listing of the respective user databases. +o Don't automatically set NT status code flag unless client tells + us it can cope. +o Add 'net status [sessions|shares] [parseable]'. +o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of + bug 770). +o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs + (bug 608). +o Fix inverted logic in hosts allow/deny checks caused by + s/strcmp/strequal/ (bug 846). +o Implement correct version SamrRemoveSidForeignDomain() (bug 252). +o Fix typo in 'hash' mangling algorithm. +o Support munged dial for ldapsam (bug 800). +o Fix process_incoming_data() to return the number of bytes handled + this call whether we have a complete PDU or not; fixes bug + with multiple PDU request rpc's broken over SMBwriteX calls + each. +o Fix incorrect smb flags2 for connections to pre-NT servers + (causes smbclient to fail to OS2 for example) (bug 821). +o Update version string in smbldap-tools Makefile to 0.8.2. +o Correct a problem with "net rpc vampire" mis-parsing the + alias member info reply. +o Ensure the ${libdir} is created by the installclientlib script. +o Fix detection of Windows 2003 client architecture in the smb.conf + %a variable. +o Ensure that smbd calls the add user script for a missing UNIX + user on kerberos auth call (bug 445). +o Fix bugs in hosts allow/deny when using a mismatched + network/netmask pair. +o Protect alloc_sub_basic() from crashing when the source string + is NULL (partial work on bug 687). +o Fix spinlocks on IRIX. +o Corrected some bad destination paths when running "configure + --with-fhs". +o Add packaging files for Fedora Core 1. +o Correct bug in SWAT install script for non-english languages. +o Support character set ISO-8859-1 internally (bug 558). +o Fixed more LDAP access errors when looking up group mappings + (bug 281). +o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID + resolution to fail on local files on on domain members + (bug 875). +o Fix uninitialized variable in passdb.c. +o Fix formal parameter type in get_static() in nsswitch/wins.c. +o Fix problem mounting directories when mount.cifs is installed + with the setuid bit on. +o Fix bug that prevent --mandir from overriding the defaults + given in the --with-fhs macro. +o Fix bug in in-memory Kerberos keytab detection routines + in configure.in + + + +###################################################################### + + The original 3.0.0 release notes follow + ======================================= + WHATS NEW IN Samba 3.0.0 + September 24, 2003 + ======================================= + + +Major new features: +------------------- + +1) Active Directory support. Samba 3.0 is now able to + join a ADS realm as a member server and authenticate + users using LDAP/Kerberos. + +2) Unicode support. Samba will now negotiate UNICODE on the wire + and internally there is now a much better infrastructure for + multi-byte and UNICODE character sets. + +3) New authentication system. The internal authentication system + has been almost completely rewritten. Most of the changes are + internal, but the new auth system is also very configurable. + +4) New default filename mangling system. + +5) A new "net" command has been added. It is somewhat similar to + the "net" command in windows. Eventually we plan to replace + numerous other utilities (such as smbpasswd) with subcommands + in "net". + +6) Samba now negotiates NT-style status32 codes on the wire. This + improves error handling a lot. + +7) Better Windows 2000/XP/2003 printing support including publishing + printer attributes in active directory. + +8) New loadable module support for passdb backends and character + sets. + +9) New default dual-daemon winbindd support for better performance. + +10) Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group and domain SIDs. + +11) Support for establishing trust relationships with Windows NT 4.0 + domain controllers. + +12) Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to uid/gid mappings. + +13) Major updates to the Samba documentation tree. + +14) Full support for client and server SMB signing to ensure + compatibility with default Windows 2003 security settings. + +15) Improvement of ACL mapping features based on code donated by + Andreas Grünbacher. + + +Plus lots of other improvements! + + +Additional Documentation +------------------------ + +Please refer to Samba documentation tree (included in the docs/ +subdirectory) for extensive explanations of installing, configuring +and maintaining Samba 3.0 servers and clients. It is advised to +begin with the Samba-HOWTO-Collection for overviews and specific +tasks (the current book is up to approximately 400 pages) and to +refer to the various man pages for information on individual options. + +We are very glad to be able to include the second edition of +"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown +(O'Reilly & Associates) in this release. The book is available +on-line at http://samba.org/samba/docs/ and is included with +the Samba Web Administration Tool (SWAT). Thanks to the authors and +publisher for making "Using Samba" under the GNU Free Documentation +License. + + +###################################################################### +Upgrading from a previous Samba 3.0 beta +######################################## + +Beginning with Samba 3.0.0beta3, the RID allocation functions +have been moved into winbindd. Previously these were handled +by each passdb backend. This means that winbindd must be running +to automatically allocate RIDs for users and/or groups. Otherwise, +smbd will use the 2.2 algorithm for generating new RIDs. + +If you are using 'passdb backend = tdbsam' with a previous Samba +3.0 beta release (or possibly alpha), it may be necessary to +move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb +to winbindd_idmap.tdb. To do this: + +1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least + once) +2) build tdbtool by executing 'make tdbtool' in the source/tdb/ + directory +3) run: (note that 'tdb>' is the tool's prompt for input) + + root# ./tdbtool /usr/local/samba/private/passdb.tdb + tdb> show RID_COUNTER + key 12 bytes + RID_COUNTER + data 4 bytes + [000] 0A 52 00 00 .R. + + tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb + .... + record moved + +If you are using 'passdb backend = ldapsam', it will be necessary to +store idmap entries in the LDAP directory as well (i.e. idmap backend += ldap). Refer to the 'net idmap' command for more information on +migrating SID<->UNIX id mappings from one backend to another. + +If the RID_COUNTER record does not exist, then these instructions are +unneccessary and the new RID_COUNTER record will be correctly generated +if needed. + + + +######################## +Upgrading from Samba 2.2 +######################## + +This section is provided to help administrators understand the details +involved with upgrading a Samba 2.2 server to Samba 3.0. + + +Building +-------- + +Many of the options to the GNU autoconf script have been modified +in the 3.0 release. The most noticeable are: + + * removal of --with-tdbsam (is now included by default; see section + on passdb backends and authentication for more details) + + * --with-ldapsam is now on used to provided backward compatible + parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb + backend and authentication section for more details + + * inclusion of non-standard passdb modules may be enabled using + --with-expsam. This includes an XML backend and a mysql backend. + + * removal of --with-msdfs (is now enabled by default) + + * removal of --with-ssl (no longer supported) + + * --with-utmp now defaults to 'yes' on supported systems + + * --with-sendfile-support is now enabled by default on supported + systems + + +Parameters +---------- + +This section contains a brief listing of changes to smb.conf options +in the 3.0.0 release. Please refer to the smb.conf(5) man page for +complete descriptions of new or modified parameters. + +Removed Parameters (order alphabetically): + + * admin log + * alternate permissions + * character set + * client codepage + * code page directory + * coding system + * domain admin group + * domain guest group + * force unknown acl user + * hide local users + * mangled stack + * nt smb support + * postscript + * printer driver + * printer driver file + * printer driver location + * read size + * source environment + * status + * strip dot + * total print jobs + * use rhosts + * valid chars + * vfs options + +New Parameters (new parameters have been grouped by function): + + Remote management + ----------------- + * abort shutdown script + * shutdown script + + User and Group Account Management + --------------------------------- + * add group script + * add machine script + * add user to group script + * algorithmic rid base + * delete group script + * delete user from group script + * passdb backend + * set primary group script + + Authentication + -------------- + * auth methods + * realm + * passwd chat timeout + + Protocol Options + ---------------- + * client lanman auth + * client NTLMv2 auth + * client schannel + * client signing + * client use spnego + * disable netbios + * ntlm auth + * paranoid server security + * server schannel + * server signing + * smb ports + * use spnego + + File Service + ------------ + * get quota command + * hide special files + * hide unwriteable files + * hostname lookups + * kernel change notify + * mangle prefix + * map acl inherit + * msdfs proxy + * set quota command + * use sendfile + * vfs objects + + Printing + -------- + * max reported print jobs + + UNICODE and Character Sets + -------------------------- + * display charset + * dos charset + * unicode + * unix charset + + SID to uid/gid Mappings + ----------------------- + * idmap backend + * idmap gid + * idmap uid + * winbind enable local accounts + * winbind trusted domains only + * template primary group + * enable rid algorithm + + LDAP + ---- + * ldap delete dn + * ldap group suffix + * ldap idmap suffix + * ldap machine suffix + * ldap passwd sync + * ldap replication sleep + * ldap user suffix + + General Configuration + --------------------- + * preload modules + * private dir + +Modified Parameters (changes in behavior): + + * encrypt passwords (enabled by default) + * mangling method (set to 'hash2' by default) + * passwd chat + * passwd program + * restrict anonymous (integer value) + * security (new 'ads' value) + * strict locking (enabled by default) + * unix extensions (enabled by default) + * winbind cache time (increased to 5 minutes) + * winbind uid (deprecated in favor of 'idmap uid') + * winbind gid (deprecated in favor of 'idmap gid') + + +Databases +--------- + +This section contains brief descriptions of any new databases +introduced in Samba 3.0. Please remember to backup your existing +${lock directory}/*tdb before upgrading to Samba 3.0. Samba will +upgrade databases as they are opened (if necessary), but downgrading +from 3.0 to 2.2 is an unsupported path. + +Name Description Backup? +---- ----------- ------- +account_policy User policy settings yes +gencache Generic caching db no +group_mapping Mapping table from Windows yes + groups/SID to unix groups +winbindd_idmap ID map table from SIDS to UNIX yes + uids/gids. +namecache Name resolution cache entries no +netsamlogon_cache Cache of NET_USER_INFO_3 structure no + returned as part of a successful + net_sam_logon request +printing/*.tdb Cached output from 'lpq no + command' created on a per print + service basis +registry Read-only samba registry skeleton no + that provides support for exporting + various db tables via the winreg RPCs + + +Changes in Behavior +------------------- + +The following issues are known changes in behavior between Samba 2.2 and +Samba 3.0 that may affect certain installations of Samba. + + 1) When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. + + 2) When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' + + +###################################################################### +Passdb Backends and Authentication +################################## + +There have been a few new changes that Samba administrators should be +aware of when moving to Samba 3.0. + + 1) encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. + + 2) Inclusion of new 'security = ads' option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. + + MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption + type which is neccessary for servers on which the + administrator password has not been changed, or kerberos-enabled + SMB connections to servers that require Kerberos SMB signing. + Besides this one difference, either MIT or Heimdal Kerberos + distributions are usable by Samba 3.0. + + +Samba 3.0 also includes the possibility of setting up chains +of authentication methods (auth methods) and account storage +backends (passdb backend). Please refer to the smb.conf(5) +man page for details. While both parameters assume sane default +values, it is likely that you will need to understand what the +values actually mean in order to ensure Samba operates correctly. + +The recommended passdb backends at this time are + + * smbpasswd - 2.2 compatible flat file format + * tdbsam - attribute rich database intended as an smbpasswd + replacement for stand alone servers + * ldapsam - attribute rich account storage and retrieval + backend utilizing an LDAP directory. + * ldapsam_compat - a 2.2 backward compatible LDAP account + backend + +Certain functions of the smbpasswd(8) tool have been split between the +new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) +utility. See the respective man pages for details. + + +###################################################################### +LDAP +#### + +This section outlines the new features affecting Samba / LDAP +integration. + +New Schema +---------- + +A new object class (sambaSamAccount) has been introduced to replace +the old sambaAccount. This change aids us in the renaming of +attributes to prevent clashes with attributes from other vendors. +There is a conversion script (examples/LDAP/convertSambaAccount) to +modify and LDIF file to the new schema. + +Example: + + $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif + $ convertSambaAccount --sid=<Domain SID> \ + --input=sambaAcct.ldif --output=sambaSamAcct.ldif \ + --changetype=[modify|add] + +The <DOM SID> can be obtained by running 'net getlocalsid +<DOMAINNAME>' on the Samba PDC as root. The changetype determines +the format of the generated LDIF output--either create new entries +or modify existing entries. + +The old sambaAccount schema may still be used by specifying the +"ldapsam_compat" passdb backend. However, the sambaAccount and +associated attributes have been moved to the historical section of +the schema file and must be uncommented before use if needed. +The 2.2 object class declaration for a sambaAccount has not changed +in the 3.0 samba.schema file. + +Other new object classes and their uses include: + + * sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. + + * sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. + + * sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' + + * sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. + + * sambaSidEntry - object representing a SID alone, as a Structural + class on which to build the sambaIdmapEntry. + + +New Suffix for Searching +------------------------ + +The following new smb.conf parameters have been added to aid in directing +certain LDAP queries when 'passdb backend = ldapsam://...' has been +specified. + + * ldap suffix - used to search for user and computer accounts + * ldap user suffix - used to store user accounts + * ldap machine suffix - used to store machine trust accounts + * ldap group suffix - location of posixGroup/sambaGroupMapping entries + * ldap idmap suffix - location of sambaIdmapEntry objects + +If an 'ldap suffix' is defined, it will be appended to all of the +remaining sub-suffix parameters. In this case, the order of the suffix +listings in smb.conf is important. Always place the 'ldap suffix' first +in the list. + +Due to a limitation in Samba's smb.conf parsing, you should not surround +the DN's with quotation marks. + + +IdMap LDAP support +------------------ + +Samba 3.0 supports an ldap backend for the idmap subsystem. The +following options would inform Samba that the idmap table should be +stored on the directory server onterose in the "ou=idmap,dc=plainjoe, +dc=org" partition. + + [global] + ... + idmap backend = ldap:ldap://onterose/ + ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org + idmap uid = 40000-50000 + idmap gid = 40000-50000 + +This configuration allows winbind installations on multiple servers to +share a uid/gid number space, thus avoiding the interoperability problems +with NFS that were present in Samba 2.2. + + + +###################################################################### +Trust Relationships and a Samba Domain +###################################### + +Samba 3.0.0beta2 is able to utilize winbindd as the means of +allocating uids and gids to trusted users and groups. More +information regarding Samba's support for establishing trust +relationships can be found in the Samba-HOWTO-Collection included +in the docs/ directory of this release. + +First create your Samba PDC and ensure that everything is +working correctly before moving on the trusts. + +To establish Samba as the trusting domain (named SAMBA) from a Windows NT +4.0 domain named WINDOWS: + + 1) create the trust account for SAMBA in "User Manager for Domains" + 2) connect the trust from the Samba domain using + 'net rpc trustdom establish GLASS' + +To create a trustlationship with SAMBA as the trusted domain: + + 1) create the initial trust account for GLASS using + 'smbpasswd -a -i GLASS'. You may need to create a UNIX + account for GLASS$ prior to this step (depending on your + local configuration). + 2) connect the trust from a WINDOWS DC using "User Manager + for Domains" + +Now join winbindd on the Samba PDC to the SAMBA domain using +the normal steps for adding a Samba server to an NT4 domain: +(note that smbd & nmbd must be running at this point) + + root# net rpc join -U root + Password: <enter root password from smbpasswd file here> + +Start winbindd and test the join with 'wbinfo -t'. + +Now test the trust relationship by connecting to the SAMBA DC +(e.g. POGO) as a user from the WINDOWS domain: + + $ smbclient //pogo/netlogon -U Administrator -W WINDOWS + Password: + +Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: + + $ smbclient //crystal/netlogon -U root -W WINDOWS + Password: + +###################################################################### +Changes in Winbind +################## + +Beginning with Samba3.0.0beta3, winbindd has been given new account +manage functionality equivalent to the 'add user script' family of +smb.conf parameters. The idmap design has also been changed to +centralize control of foreign SID lookups and matching to UNIX +uids and gids. + + +Brief Description of Changes +---------------------------- + +1) The sid_to_uid() family of functions (smbd/uid.c) have been + reverted to the 2.2.x design. This means that when resolving a + SID to a UID or similar mapping: + + a) First consult winbindd + b) perform a local lookup only if winbindd fails to + return a successful answer + + There are some variations to this, but these two rules generally + apply. + +2) All idmap lookups have been moved into winbindd. This means that + a server must run winbindd (and support NSS) in order to achieve + any mappings of SID to dynamically allocated UNIX ids. This was + a conscious design choice. + +3) New functions have been added to winbindd to emulate the 'add user + script' family of smbd functions without requiring that external + scripts be defined. This functionality is controlled by the 'winbind + enable local accounts' smb.conf parameter (enabled by default). + + However, this account management functionality is only supported + in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts + must be shared among multiple Samba servers (such as a PDC and BDCs), + it will be necessary to define your own 'add user script', et. al. + programs that place the accounts/groups in some form of directory + such as NIS or LDAP. This requirement was deemed beyond the scope + of winbind's account management functions. Solutions for + distributing UNIX system information have been deployed and tested + for many years. We saw no need to reinvent the wheel. + +4) A member of a Samba controlled domain running winbindd is now able + to map domain users directly onto existing UNIX accounts while still + automatically creating accounts for trusted users and groups. This + behavior is controlled by the 'winbind trusted domains only' smb.conf + parameter (disabled by default to provide 2.2.x winbind behavior). + +5) Group mapping support is wrapped in the local_XX_to_XX() functions + in smbd/uid.c. The reason that group mappings are not included + in winbindd is because the purpose of Samba's group map is to + match any Windows SID with an existing UNIX group. These UNIX + groups can be created by winbindd (see next section), but the + SID<->gid mapping is retreived by smbd, not winbindd. + + +Examples +-------- + +* security = server running winbindd to allocate accounts on demand + +* Samba PDC running winbindd to handle the automatic creation of UNIX + identities for machine trust accounts + +* Automtically creating UNIX user and groups when migrating a Windows NT + 4.0 PDC to a Samba PDC. Winbindd must be running when executing + 'net rpc vampire' for this to work. + + +###################################################################### +Known Issues +############ + +* There are several bugs currently logged against the 3.0 codebase + that affect the use of NT 4.0 GUI domain management tools when run + against a Samba 3.0 PDC. This bugs should be released in an early + 3.0.x release. + +Please refer to https://bugzilla.samba.org/ for a current list of bugs +filed against the Samba 3.0 codebase. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. + +A new bugzilla installation has been established to help support the +Samba 3.0 community of users. This server, located at +https://bugzilla.samba.org/, has replaced the older jitterbug server +previously located at http://bugs.samba.org/. + |