=============================
Release Notes for Samba 3.0.2
       February 9, 2004
=============================

This is the latest stable release of Samba. This is the version
that all production Samba servers should be running for all current
bug-fixes.

It has been confirmed that previous versions of Samba 3.0 are
susceptible to a password initialization bug that could grant an
attacker unauthorized access to a user account created by the
mksmbpasswd.sh shell script.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0082 to this issue.

Samba administrators not wishing to upgrade to the current
version should download the 3.0.2 release, build the pdbedit
tool, and run

  root# pdbedit-3.0.2 --force-initialized-passwords

This will disable all accounts not possessing a valid password
(e.g. the password field has been set to a string of X's).

Samba servers running 3.0.2 are not vulnerable to this bug
regardless of whether or not pdbedit has been used to sanitize
the passdb backend.

Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
release include:

  o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
  o Logging onto a Samba domain from Windows XP clients.
  o Problems with the %U and %u smb.conf variables in relation to
    Windows 9x/ME clients.
  o Kerberos failures due to an invalid in-memory keytab detection
    test.
  o Updates to the ntlm_auth tool.
  o Fixes for various SMB signing errors.
  o Better separation of WINS and DNS queries for domain controllers.
  o Issues with nss_winbind on FreeBSD and Solaris.
  o Several crash bugs in smbd and winbindd.
  o Output formatting fixes for smbclient for better compatibility
    with scripts based on the 2.2 version.
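As an added example (not code from the Samba project or these release notes), the following Python audit applies the rule the 3.0.2 fix enforces, disabling any account whose password field was never initialized unless it carries the N (ACB_PWNOTREQ) flag, to a flat smbpasswd-format file. It assumes the smbpasswd(5) line layout name:uid:LM:NT:[flags]:LCT-...: with X-filled placeholder hashes, and runs over constructed sample entries.

```python
"""Audit an smbpasswd-format file for accounts whose password hashes were
never initialized (the condition behind CAN-2004-0082 described above).

Assumed layout, per smbpasswd(5):
    name:uid:LM_HASH:NT_HASH:[flags]:LCT-<hex time>:
A hash field is 32 hex digits; an account written by mksmbpasswd.sh but
never given a password via smbpasswd carries a run of X's instead.
Flags: U = user, W = workstation, N = no password required (ACB_PWNOTREQ),
D = disabled (ACB_DISABLED).
"""
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
PLACEHOLDER = "X" * 32

# Constructed sample entries (not taken from any real system). alice's
# hash fields are arbitrary hex digits, not hashes of a real password.
SAMPLE_LINES = [
    "alice:1001:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4016B2D0:",
    f"bob:1002:{PLACEHOLDER}:{PLACEHOLDER}:[U          ]:LCT-00000000:",
    f"carol:1003:{PLACEHOLDER}:{PLACEHOLDER}:[UD         ]:LCT-00000000:",
    f"guest:1004:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:{PLACEHOLDER}:[NU         ]:LCT-00000000:",
    f"ws1$:1005:{PLACEHOLDER}:{PLACEHOLDER}:[W          ]:LCT-00000000:",
]
SAMPLE = "\n".join(SAMPLE_LINES) + "\n"


def parse_entry(line):
    """Split one smbpasswd line; returns None for blank and comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("malformed smbpasswd entry: %r" % line)
    name, uid, lm, nt, flags = fields[:5]
    return {
        "name": name,
        "uid": int(uid),
        "lm": lm,
        "nt": nt,
        # bracketed, space-padded field -> bare flag letters
        "flags": flags.strip("[]").replace(" ", ""),
        "fields": fields,
    }


def has_valid_hash(entry):
    """True if at least one of the LM/NT fields is a real 32-hex-digit hash."""
    return bool(HEX32.match(entry["lm"]) or HEX32.match(entry["nt"]))


def needs_disable(entry):
    """The 3.0.2 rule: no usable password hash, N (ACB_PWNOTREQ) not set,
    and not already disabled."""
    flags = entry["flags"]
    return not has_valid_hash(entry) and "N" not in flags and "D" not in flags


def set_flag(field, flag):
    """Add a flag letter to the bracketed field without changing its width."""
    inner = field.strip("[]")
    if flag in inner:
        return field
    return "[" + (inner.rstrip() + flag).ljust(len(inner)) + "]"


def audit(text):
    """Names of the accounts that the rule above would disable."""
    return [e["name"] for e in map(parse_entry, text.splitlines())
            if e and needs_disable(e)]


def force_initialized(text):
    """Return the file contents with the D flag set on every offending
    entry; all other lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and needs_disable(entry):
            fields = entry["fields"]
            fields[4] = set_flag(fields[4], "D")
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("would disable:", audit(SAMPLE))
    print(force_initialized(SAMPLE), end="")
```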


######################################################################
Changes
#######
Changes since 3.0.1
-------------------

smb.conf changes
----------------

    Parameter Name                Action
    --------------                ------
    ldap replication sleep        New
    read size                     removed (unused)
    source environment            removed (unused)


commits
-------

Please refer to the CVS log for the SAMBA_3_0 branch for complete
details. The list of changes per contributor is as follows:

o   Jeremy Allison <jra@samba.org>
    * Revert change that broke Exchange clear text samlogons.
    * Fix gcc 3.4 warning in MS-DFS code.
    * Tidy up of NTLMSSP code.
    * Fixes for SMB signing errors.
    * BUG 815: Workaround NT4 bug to support plaintext
      password logins and UNICODE.
    * Fix SMB signing bug when copying large files.
    * Correct error logic in mkdir_internals() (caused a panic
      when combined with --enable-developer).


o   Petri Asikainen <paca@sci.fi>
    * BUG 330, 387: Fix single valued attribute updates when
      working with Novell NDS.


o   Andrew Bartlett <abartlet@samba.org>
    * Correctly handle per-pipe NTLMSSP inside a NULL session.
    * Fix segfault in gencache.
    * Fix early free() of encrypted_session_key.
    * Change DC lookup routines to more carefully separate
      DNS names (realms) from NetBIOS domain names.
    * Add new sid_to_dn() function for internal winbindd use.
    * Refactor cli_ds_enum_domain_trusts().
    * BUG 707: Implement range retrieval of ADS attributes (based
      on work from Volker <vl@samba.org> and Guenther Deschner
      <gd@suse.com>).
    * Automatically initialize the signing engine if a session key
      is available.
    * BUG 916: Do not perform a + -> ' ' substitution for squid URL
      encoded strings, only form input in SWAT.
    * Reset the NTLMSSP state for new negotiate packets.
    * Add 2-byte alignments in net_samlogon() queries to parse
      odd-length plain text passwords.
    * Allow Windows groups with no members in winbindd.
    * Allow normal authentication in the absence of a server
      generated session key.
    * More optimizations for looking up UNIX group lists.
    * Clean up error codes and return values for pam_winbindd
      and the winbindd PAM interface.
    * Fix string return values in ntlm_auth tool.
    * Fix segfault when 'security = ads' but no realm is defined.
    * BUG 722: Allow winbindd to map machine accounts to uids.
    * More cleanups for winbindd's find_our_domain().
    * More clearly detect whether a domain controller is an NT4
      or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
    * Increase separation between DNS queries for hosts and queries
      for AD domain controllers.
    * Include additional NT_STATUS to PAM error mappings.


o   Justin Baugh <justin.baugh@request.com>
    * BUG 948: Implement missing functions required for FreeBSD
      nss_winbind support.


o   Alexander Bokovoy <ab@samba.org>
    * BUG 922: Make sure to enable the fast path for strlower_m() and
      strupper_m().


o   Luca Bolcioni <Luca.Bolcioni@yacme.com>
    * Fix crash when using 'security = server' and 'encrypt
      passwords = no' by always initializing the session key.


o   Dmitry Butskoj <buc@odusz.elektra.ru>
    * Fix for special files being hidden from admins.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Fix bug in the lanman session key generation. Caused
      "decode_pw: incorrect password length" error messages.
    * Save the right case for the located user name in
      fill_sam_account(). Fixes %U/%u expansion for win9x clients.
    * BUG 897: Add well known rid for pre win2k compatible access
      group.
    * BUG 887: Correct typo in delete user script example.
    * Use short lived TALLOC_CTX* for allocating printer objects
      from the print handle cache.
    * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
    * Fix several warnings reported by the SUN Forte C compiler.
    * Fully control DNS queries for AD DCs using 'name resolve order'.
    * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
    * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
    * BUG 936: Fix bind credentials for schannel binds in smbd.
    * BUG 446: Fix output of smbclient for better compatibility
      with scripts based on the 2.2 version (including Amanda).
    * BUG 891, 949: Fedora packaging fixes.
    * Fix bug that caused rpcclient to incorrectly retrieve
      the SID for a server (causing all calls that required
      this information to fail).
    * BUG 977: Don't create a homes share for a user if a static
      share already exists by the same name.
    * Removed unused smb.conf options.
    * Set the disable flag for template accounts created by
      mksmbpasswd.sh.
    * Disable any account that has no password and does not have the
      ACB_PWNOTREQ bit set.


o   Guenther Deschner <gd@suse.com>
    * Install smbwrapper.so into $(libdir) and not $(bindir).
    * Add the capability to specify the new user password
      for "net ads password" on the command line.
    * Correctly detect AFS headers on SuSE.


o   James Flemer <jflemer@uvm.edu>
    * Fix AIX compile bug by linking HAVE_ATTR_LIST to
      HAVE_SYS_ATTRIBUTES_H.


o   Luke Howard <lukeh@PADL.COM>
    * Fix segfault in session setup reply caused by an early free().


o   Stoian Ivanov <sdr@bultra.com>
    * Implement grepable output for smbclient -L.


o   LaMont Jones <lamont@debian.org>
    * BUG 225328 (Debian): Correct false failure of the LFS test that
      resulted in _GNU_SOURCE not being defined (thus resulting in
      strndup() not being defined).


o   Volker Lendecke <vl@samba.org>
    * BUG 583: Ensure that user names always contain the short
      version of the domain name.
    * Fix our parsing of the LDAP uri.
    * Don't show the 'afs username map' in the SWAT basic view.
    * Fix SMB signing issues in relation to failed NTLMSSP logins.
    * BUG 924: Fix return codes in smbtorture harness.
    * Always lower-case usernames before handing them to AFS code.
    * Add a German translation for SWAT.
    * Fix segfaults in winbindd.
    * Fix the user's domain passed to register_vuid() from
      reply_spnego_kerberos().
    * Add NSS example code in nss_winbind to convert UNIX
      ids <-> Windows SIDs.
    * Display more descriptive error messages for login via 'net'.
    * Fix compiler warning in the net tool.
    * Fix length bug when decoding base64 strings.
    * Ensure we don't call getpwnam() inside a loop that is iterating
      over users with getpwent(). This broke on glibc 2.3.2.


o   Herb Lewis <herb@samba.org>
    * Fix bit rot in psec.


o   Jianliang Lu <j.lu@tiesse.com>
    * Ensure we delete the group mapping before calling the delete
      group script.
    * Define well known RID for managing the "Power Users" group.
    * BUG 381: Check builtin (not local) group SID when updating
      group membership.
    * BUG 101: Set the SV_TYPE_PRINTQ_SERVER flag in host announcement
      packet.


o   John Klinger <john.klinger@lmco.com>
    * Implement initgroups() call in nss_winbind on Solaris.


o   Jim McDonough <jmcd@us.ibm.com>
    * Fix regression in net rpc join caused by recent changes
      to cli_lsa_query_info_policy().
    * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
      machine account.


o   MORIYAMA Masayuki <moriyama@miraclelinux.com>
    * BUG 570: Ensure that configure honors the LDFLAGS variable.


o   Stefan Metzmacher <metze@samba.org>
    * Implement LDAP rebind sleep patch.
    * Revert to 2.2 quota code because of so many broken quota files
      out there.
    * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
                      XFS_USER_QUOTA -> USRQUOTA
                      XFS_GROUP_QUOTA -> GRPQUOTA
    * Fix disk_free calculation with group quotas.
    * Add debug class 'quota' and a lot of DEBUG()'s
      to the quota code.
    * Fix sys_chown() when no chown() is present.
    * Add SIGABRT to fault handling in order to get a
      backtrace if an error occurs in the OpenLDAP client libs.


o   <ndb@theghet.to>
    * Allow an existing LDAP machine account to be re-used when
      joining an AD domain.


o   James Peach <jpeach@sgi.com>
    * BUG 889: Change smbd to use pread/pwrite on platforms that
      support these calls. Can lead to a significant speed increase.


o   Tim Potter <tpot@samba.org>
    * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
    * BUG 924: Fix typo in RW2 torture test.


o   Richard Sharpe <shape@samba.org>
    * Small fixes to torture.c to clean up the error handling
      and prevent crashes.


o   J. Tournier <jerome.tournier@IDEALX.com>
    * Small fixes for the smbldap-tool scripts.


o   Jelmer Vernooij <jelmer@samba.org>
    * Put functions for generating SQL queries in pdb_sql.c.
    * Add pgSQL backend (based on patch by Hamish Friedlander).
    * BUG 908: Fix -s option to smbcontrol.
    * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
    * Fix for libnss_wins on IRIX platforms.
    * Fix swatdir for --with-fhs.



Changes since 3.0.0
-------------------

    Parameter Name                Action
    --------------                ------
    hide local users              Removed
    mangled map                   Deprecated
    mangled stack                 Removed
    passwd chat timeout           New


commits
-------

o Change the interface for init_unistr2 to not take a length
  but a flags field. We were assuming that
  2*strlen(mb_string) == length of ucs2-le string (bug 480).
o Allow d_printf() to handle strings with escaped quotation
  marks since the msg file includes the escape character (bug 489).
o Fix bad html table row termination in SWAT wizard code (bug 413).
o Fix to parse the level-2 strings.
o Fix for "valid users = %S" in [homes]. Fix read/write
  list as well.
o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
  This is the same way AC_CHECK_LIB works (bug 508).
o Testparm output fixes for clarity.
o Fix broken wins hook functionality -- i18n bug (bug 528).
o Take care of condition where DOS and NT error codes must differ.
o Default to using only built-in charsets when a working iconv
  implementation cannot be located.
o Wrap internals of sys_setgroups() so the sys_XX() call can
  be done unconditionally (bug 550).
o Remove duplicate smbspool link on SWAT's front page (bug 541).
o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
  --enable-debug=[yes|no] works correctly.
o Allow ^C to interrupt smbpasswd if using our getpass
  (e.g. smbpasswd command).
o Support signing only on RPC's (bug 167).
o Correct bug that prevented Excel 2000 clients from opening
  files marked as read-only.
o Portability fixes (bugs 546 - 549).
o Explicitly initialize the value of AR for vendor makes that don't
  do this (e.g. HPUX 11) (bug 552).
o More i18n fixes for SWAT (bug 413).
o Change the cwd before the postexec script to ensure that a
  umount will succeed.
o Correct double free that caused winbindd to crash when a DC
  is rebooted (bug 437).
o Fix incorrect mode sum (bug 562).
o Canonicalize SMB_INFO_ALLOCATION in the same way as
  SMB_FS_FULL_SIZE_INFORMATION (bug 564).
o Add script to generate *msg files.
o Add Dutch SWAT translation file.
o Make sure to call get_user_groups() with the full winbindd
  name for a user if he/she has one (bug 406).
o Fix up error code returns from Samba4 tester. Ensure invalid
  paths are validated the same way.
o Allow Samba3 to pass the Samba4 RAW-READ tests.
o Refuse to configure if --with-expsam=$BACKEND was used but no
  libraries were found for $BACKEND.
o Move sysquotas autoconf tests to a separate file.
o Match W2K w.r.t. writelock and writeclose (Samba4 torture
  tester).
o Make sure that the files that contain the static_init_$subsystem;
  macro get recompiled after configure by removing the object
  files.
o Ensure canceling a blocking lock returns the correct error
  message.
o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
o Updated Japanese welcome file in SWAT.
o Fix nt-time <-> unix-time functions to be reversible.
o Ensure that winbindd uses the escaped DN when querying
  an AD ldap server.
o Fix portability issues when compiling (bug 505, 550).
o Compile fix for tdbbackup when Samba needs to override
  non-C99 compliant implementations of snprintf().
o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
o Make sure we break out of samsync loop on error.
o Ensure error code path doesn't free unmalloc()'d memory
  (bug 628).
o Add configure test for krb5_keytab_entry keyblock vs key
  member (bug 636).
o Fixed spinlocks.
o Modified testparm so that all debug output goes
  to stderr, and all file processing goes to stdout.
o Fix error return code for BUFFER_TOO_SMALL in smbcacls
  and smbcquotas.
o Fix "NULL dest in safe_strcpy()" log message by ensuring that
  we have a devmode before copying a string to the devicename.
o Support mapping REALM.COM\user to a local user account (without
  running winbindd) for compatibility with 2.2.x release.
o Ensure we don't use mmap() on blacklisted systems.
o Fixed a number of bugs and memory leaks in the AIX
  winbindd shim.
o Call initgroups() in SWAT before becoming the user so that
  secondary group permissions can be used when writing to
  smb.conf.
o Fix signing problems when reverse connecting back to a
  client for printer notify.
o Fix signing problems caused by a mis-sequence bug.
o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
  Fixes NEXUS tools running on Win9x clients (bug 64).
o Don't leave the domain field uninitialized in cli_lsa.c if some
  SID could not be mapped.
o Fix segfault in mount.cifs helper when there are no options
  specified during mount.
o Change the \n after the password prompt to go to tty instead
  of stdout (bug 668).
o Stop net -P from prompting for machine account password (bug 451).
o Change in behavior to not only change the effective uid but also
  the real uid when becoming unprivileged.
o Cope with Exchange 5.5 cleartext pop password auth.
o New files for support of initshutdown pipe. Win2k doesn't
  respond properly to all requests on the winreg pipe, so we need
  to handle this new pipe (bug 534).
o Added more va_copy() checks in configure.in.
o Include fixes for libsmbclient build problems.
o Missing UNIX -> DOS codepage conversion in lanman.c.
o Allow MS-DFS filenames to have arbitrary case (bug 667).
o Parameterize the listen backlog in smbd and make it larger by
  default. A backlog of 5 is way too small these days.
o Check for an invalid fid before dereferencing the fsp pointer
  (bug 696).
o Remove invalid memory frees and return codes in pdb_ldap.c.
o Prompt for password when invoking --set-auth-user and no
  password is given.
o Bind the nmbd sending socket to the 'socket address'.
o Re-order link command for smbd, rpcclient and smbpasswd to ensure
  $LDFLAGS occurs before any library specification (bug 661).
o Fix large number of printf() calls for 64-bit size_t.
o Fix AC_CHECK_MEMBER so that SLES8 correctly finds the
  keyblock in the krb5 structs.
o Remove #include <compat.h> in the hope of avoiding problems with
  apache header files.
o Correct winbindd build problems on HP-UX 11.
o Lowercase netgroups lookups (bug 703).
o Use the actual size of the buffer in strftime instead of a made
  up value which just happens to be less than sizeof(fstring)
  (bug 713).
o Add ldaplibs to pdbedit link line (bug 651).
o Fix crash bug in smbclient completion (bug 659).
o Fix packet length for browse list reply (bug 771).
o Fix coredump in cli_get_backup_list().
o Make sure that we expand %N (bug 612).
o Allow rpcclient adddriver command to specify printer driver
  version (bug 514).
o Compile tdbdump by default.
o Apply patches to fix iconv detection for FreeBSD.
o Do not allow the 'guest account' to be added to a passdb backend
  using smbpasswd or pdbedit (bug 624).
o Save LDFLAGS during iconv detection (bug 57).
o Run krb5 logins through the username map if the winbindd
  lookup fails (bug 698).
o Add const for lp_set_name_resolve_order() to avoid compiler
  warnings (bug 471).
o Add support for the %i macro in smb.conf to stand in for
  the local IP address to which a client connected.
o Allow winbindd to match local accounts to domain SID when
  'winbind trusted domains only = yes' (bug 680).
o Remove code in idmap_ldap that searches the user suffix and group
  suffix. It's not needed and provides inconsistent functionality
  from the tdb backend.
o Patch to handle munged dial string for Windows 2000 TSE.
o Correct the "smbldap_open: cannot access when not root error"
  messages when looking up group information (bug 281).
o Skip over the winbind separator when looking up a user.
  This fixes the bug that prevented local users from
  matching an AD user when not running winbindd (bug 698).
o Fix a problem with configure on *BSD systems. Make sure
  we add -liconv etc to LDFLAGS.
o Fix core dump bug when "security = server" and the authentication
  server goes away.
o Correct crash bug due to an empty munged dial string.
o Show files locked by a specific user (smbstatus -u 'user')
  (bug 590).
o Fix bug preventing print jobs from displaying in the queue
  monitor used by Windows NT and later clients (bug 660).
o Fix several reported problems with point-n-print from
  Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
  reply (bug 338, 527 & 643).
o Fix a handful of potential memory leaks in the LDAP code used
  by ldapsam[_compat] and the LDAP idmap backend.
o Fix for pdbedit error code returns (bug 763).
o Make sure we only enumerate group mapping entries (not
  /etc/group) even when doing local aliases.
o Relax check on the pipe name in a dce/rpc bind response to work
  around issues with establishing trusts to a Windows 2003 domain.
o Ensure we mangle names ending in '.' in hash2 mangling method.
o Correct parsing issues with munged dial string.
o Fix bugs in quota support for XFS.
o Add a cleaner method for applications that need to provide
  name->SID mappings to do this via NSS rather than having to
  know the winbindd pipe protocol.
o Add a variant of the winbindd_getgroups() call called
  winbindd_getusersids() that provides direct SID->SIDs listing of
  a user's supplementary groups. This is enough to allow non-Samba
  applications to do ACL checking.
o Make sure we don't append the 'ldap suffix' when writing out the
  'ldap XXX suffix' values in SWAT (bug 328).
o Fix renames across file systems.
o Ensure that items in a list of strings containing whitespace are
  written out surrounded by single quotes. This means that both
  double and single quotes are now used to surround strings in
  smb.conf (bug 481).
o Enable SWAT to correctly determine if winbindd is running (bug
  398).
o Include WWW-Authenticate field in 401 response for bad auth
  attempt (bug 629).
o Add support for NTLM2 (NTLMv2 session security).
o Add support for variable-length session keys.
o More privilege fixes for group enumeration in LDAP (bug 281).
o Use the dns name (or IP) as the originating client name when
  using CUPS (bug 467).
o Fix various SMB signing bugs.
o Fix ACL propagation on a DFS root (bug 263).
o Disable NTLM2 for RPC pipes.
o Allow the client to specify the NTLM2 flags for NTLMSSP
  authentication.
o Change the name of the job passed off to cups from "Test Page"
  to "smbprn.00000033 Test Page" so that we can get the smb
  jobid back. This allows users to delete jobs with the cups printing
  backend (partial work on bug 770).
o Fix build of winbindd with static pdb modules.
o Retrieve the correct ACL group bits if the file has an ACL
  (bug 802).
o Implement "net rpc group members": Get members of a domain group
  in human-readable format.
o Add MacOSX (Darwin) specific charset module code.
o Use samr_dispinfo(level == 1) for enumerating domain users so we
  can include the full name in gecos field (bug 587).
o Add support for winbind's NSS library on FreeBSD 5.1 (bug 797).
o Implement 'net rpc group list [global|local|builtin]*' for a
  select listing of the respective user databases.
o Don't automatically set NT status code flag unless client tells
  us it can cope.
o Add 'net status [sessions|shares] [parseable]'.
o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
  bug 770).
o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
  (bug 608).
o Fix inverted logic in hosts allow/deny checks caused by
  s/strcmp/strequal/ (bug 846).
o Implement correct version of SamrRemoveSidForeignDomain() (bug 252).
o Fix typo in 'hash' mangling algorithm.
o Support munged dial for ldapsam (bug 800).
o Fix process_incoming_data() to return the number of bytes handled
  in this call whether we have a complete PDU or not; fixes a bug
  with multiple-PDU RPC requests broken over several SMBwriteX
  calls.
o Fix incorrect smb flags2 for connections to pre-NT servers
  (caused smbclient to fail against OS2, for example) (bug 821).
o Update version string in smbldap-tools Makefile to 0.8.2.
o Correct a problem with "net rpc vampire" mis-parsing the
  alias member info reply.
o Ensure the ${libdir} is created by the installclientlib script.
o Fix detection of Windows 2003 client architecture in the smb.conf
  %a variable.
o Ensure that smbd calls the add user script for a missing UNIX
  user on kerberos auth call (bug 445).
o Fix bugs in hosts allow/deny when using a mismatched
  network/netmask pair.
o Protect alloc_sub_basic() from crashing when the source string
  is NULL (partial work on bug 687).
o Fix spinlocks on IRIX.
o Corrected some bad destination paths when running "configure
  --with-fhs".
o Add packaging files for Fedora Core 1.
o Correct bug in SWAT install script for non-english languages.
o Support character set ISO-8859-1 internally (bug 558).
o Fixed more LDAP access errors when looking up group mappings
  (bug 281).
o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
  resolution to fail on local files on domain members
  (bug 875).
o Fix uninitialized variable in passdb.c.
o Fix formal parameter type in get_static() in nsswitch/wins.c.
o Fix problem mounting directories when mount.cifs is installed
  with the setuid bit on.
o Fix bug that prevented --mandir from overriding the defaults
  given in the --with-fhs macro.
o Fix bug in in-memory Kerberos keytab detection routines
  in configure.in.



######################################################################

       =======================================
       The original 3.0.0 release notes follow
       =======================================


Major new features:
-------------------

1)  Active Directory support. Samba 3.0 is now able to
    join an ADS realm as a member server and authenticate
    users using LDAP/Kerberos.

2)  Unicode support. Samba will now negotiate UNICODE on the wire
    and internally there is now a much better infrastructure for
    multi-byte and UNICODE character sets.

3)  New authentication system. The internal authentication system
    has been almost completely rewritten. Most of the changes are
    internal, but the new auth system is also very configurable.

4)  New default filename mangling system.

5)  A new "net" command has been added. It is somewhat similar to
    the "net" command in Windows. Eventually we plan to replace
    numerous other utilities (such as smbpasswd) with subcommands
    in "net".

6)  Samba now negotiates NT-style status32 codes on the wire. This
    improves error handling a lot.

7)  Better Windows 2000/XP/2003 printing support including publishing
    printer attributes in active directory.

8)  New loadable module support for passdb backends and character
    sets.

9)  New default dual-daemon winbindd support for better performance.

10) Support for migrating from a Windows NT 4.0 domain to a Samba
    domain and maintaining user, group and domain SIDs.

11) Support for establishing trust relationships with Windows NT 4.0
    domain controllers.

12) Initial support for a distributed Winbind architecture using
    an LDAP directory for storing SID to uid/gid mappings.

13) Major updates to the Samba documentation tree.

14) Full support for client and server SMB signing to ensure
    compatibility with default Windows 2003 security settings.

15) Improvement of ACL mapping features based on code donated by
    Andreas Grünbacher.


Plus lots of other improvements!


Additional Documentation
------------------------

Please refer to the Samba documentation tree (included in the docs/
subdirectory) for extensive explanations of installing, configuring
and maintaining Samba 3.0 servers and clients. It is advised to
begin with the Samba-HOWTO-Collection for overviews and specific
tasks (the current book is up to approximately 400 pages) and to
refer to the various man pages for information on individual options.

We are very glad to be able to include the second edition of
"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
(O'Reilly & Associates) in this release. The book is available
on-line at http://samba.org/samba/docs/ and is included with
the Samba Web Administration Tool (SWAT). Thanks to the authors and
publisher for making "Using Samba" available under the GNU Free
Documentation License.


######################################################################
Upgrading from a previous Samba 3.0 beta
########################################

Beginning with Samba 3.0.0beta3, the RID allocation functions
have been moved into winbindd. Previously these were handled
by each passdb backend. This means that winbindd must be running
to automatically allocate RIDs for users and/or groups. Otherwise,
smbd will use the 2.2 algorithm for generating new RIDs.

If you are using 'passdb backend = tdbsam' with a previous Samba
3.0 beta release (or possibly alpha), it may be necessary to
move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
to winbindd_idmap.tdb. To do this:

1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
   once)
2) build tdbtool by executing 'make tdbtool' in the source/tdb/
   directory
3) run: (note that 'tdb>' is the tool's prompt for input)

   root# ./tdbtool /usr/local/samba/private/passdb.tdb
   tdb> show RID_COUNTER
   key 12 bytes
   RID_COUNTER
   data 4 bytes
   [000] 0A 52 00 00                                       .R.

   tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
   ....
   record moved

If you are using 'passdb backend = ldapsam', it will be necessary to
store idmap entries in the LDAP directory as well (i.e. idmap backend
= ldap). Refer to the 'net idmap' command for more information on
migrating SID<->UNIX id mappings from one backend to another.

If the RID_COUNTER record does not exist, then these instructions are
unnecessary and the new RID_COUNTER record will be correctly generated
if needed.



########################
Upgrading from Samba 2.2
########################

This section is provided to help administrators understand the details
involved with upgrading a Samba 2.2 server to Samba 3.0.


Building
--------

Many of the options to the GNU autoconf script have been modified
in the 3.0 release. The most noticeable are:

  * removal of --with-tdbsam (is now included by default; see section
    on passdb backends and authentication for more details)

  * --with-ldapsam is now only used to provide backward compatible
    parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
    backend and authentication section for more details

  * inclusion of non-standard passdb modules may be enabled using
    --with-expsam. This includes an XML backend and a mysql backend.

 * removal of --with-msdfs (is now enabled by default)

 * removal of --with-ssl (no longer supported)

 * --with-utmp now defaults to 'yes' on supported systems

 * --with-sendfile-support is now enabled by default on supported
   systems


Parameters
----------

This section contains a brief listing of changes to smb.conf options
in the 3.0.0 release. Please refer to the smb.conf(5) man page for
complete descriptions of new or modified parameters.

Removed Parameters (ordered alphabetically):

 * admin log
 * alternate permissions
 * character set
 * client codepage
 * code page directory
 * coding system
 * domain admin group
 * domain guest group
 * force unknown acl user
 * hide local users
 * mangled stack
 * nt smb support
 * postscript
 * printer driver
 * printer driver file
 * printer driver location
 * read size
 * source environment
 * status
 * strip dot
 * total print jobs
 * use rhosts
 * valid chars
 * vfs options

New Parameters (new parameters have been grouped by function):

 Remote management
 -----------------
 * abort shutdown script
 * shutdown script

 User and Group Account Management
 ---------------------------------
 * add group script
 * add machine script
 * add user to group script
 * algorithmic rid base
 * delete group script
 * delete user from group script
 * passdb backend
 * set primary group script

 Authentication
 --------------
 * auth methods
 * realm
 * passwd chat timeout

 Protocol Options
 ----------------
 * client lanman auth
 * client NTLMv2 auth
 * client schannel
 * client signing
 * client use spnego
 * disable netbios
 * ntlm auth
 * paranoid server security
 * server schannel
 * server signing
 * smb ports
 * use spnego

 File Service
 ------------
 * get quota command
 * hide special files
 * hide unwriteable files
 * hostname lookups
 * kernel change notify
 * mangle prefix
 * map acl inherit
 * msdfs proxy
 * set quota command
 * use sendfile
 * vfs objects

 Printing
 --------
 * max reported print jobs

 UNICODE and Character Sets
 --------------------------
 * display charset
 * dos charset
 * unicode
 * unix charset

 SID to uid/gid Mappings
 -----------------------
 * idmap backend
 * idmap gid
 * idmap uid
 * winbind enable local accounts
 * winbind trusted domains only
 * template primary group
 * enable rid algorithm

 LDAP
 ----
 * ldap delete dn
 * ldap group suffix
 * ldap idmap suffix
 * ldap machine suffix
 * ldap passwd sync
 * ldap replication sleep
 * ldap user suffix

 General Configuration
 ---------------------
 * preload modules
 * private dir

Modified Parameters (changes in behavior):

 * encrypt passwords (enabled by default)
 * mangling method (set to 'hash2' by default)
 * passwd chat
 * passwd program
 * restrict anonymous (integer value)
 * security (new 'ads' value)
 * strict locking (enabled by default)
 * unix extensions (enabled by default)
 * winbind cache time (increased to 5 minutes)
 * winbind uid (deprecated in favor of 'idmap uid')
 * winbind gid (deprecated in favor of 'idmap gid')


Databases
---------

This section contains brief descriptions of any new databases
introduced in Samba 3.0. Please remember to backup your existing
${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
upgrade databases as they are opened (if necessary), but downgrading
from 3.0 to 2.2 is an unsupported path.

Name               Description                            Backup?
----               -----------                            -------
account_policy     User policy settings                   yes
gencache           Generic caching db                     no
group_mapping      Mapping table from Windows             yes
                   groups/SID to unix groups
winbindd_idmap     ID map table from SIDS to UNIX         yes
                   uids/gids.
namecache          Name resolution cache entries          no
netsamlogon_cache  Cache of NET_USER_INFO_3 structure     no
                   returned as part of a successful
                   net_sam_logon request
printing/*.tdb     Cached output from 'lpq command'       no
                   created on a per print service
                   basis
registry           Read-only samba registry skeleton      no
                   that provides support for exporting
                   various db tables via the winreg RPCs


Changes in Behavior
-------------------

The following issues are known changes in behavior between Samba 2.2 and
Samba 3.0 that may affect certain installations of Samba.

 1) When operating as a member of a Windows domain, Samba 2.2 would
    map any users authenticated by the remote DC to the 'guest account'
    if a uid could not be obtained via the getpwnam() call. Samba 3.0
    rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
    current work around to re-establish the 2.2 behavior.

 2) When adding machines to a Samba 2.2 controlled domain, the
    'add user script' was used to create the UNIX identity of the
    machine trust account. Samba 3.0 introduces a new 'add machine
    script' that must be specified for this purpose. Samba 3.0 will
    not fall back to using the 'add user script' in the absence of
    an 'add machine script'.


######################################################################
Passdb Backends and Authentication
##################################

There have been a few new changes that Samba administrators should be
aware of when moving to Samba 3.0.

 1) encrypted passwords have been enabled by default in order to
    inter-operate better with out-of-the-box Windows client
    installations.
    This does mean that either (a) a samba account
    must be created for each user, or (b) 'encrypt passwords = no'
    must be explicitly defined in smb.conf. Note that option (b)
    sends passwords across the network in clear text and modern
    Windows clients refuse to do that without a registry change, so
    (a) is the option to prefer.

 2) Inclusion of new 'security = ads' option for integration
    with an Active Directory domain using the native Windows
    Kerberos 5 and LDAP protocols.

    MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
    type which is necessary for servers on which the
    administrator password has not been changed, or kerberos-enabled
    SMB connections to servers that require Kerberos SMB signing.
    Besides this one difference, either MIT or Heimdal Kerberos
    distributions are usable by Samba 3.0.


Samba 3.0 also includes the possibility of setting up chains
of authentication methods (auth methods) and account storage
backends (passdb backend). Please refer to the smb.conf(5)
man page for details. While both parameters assume sane default
values, it is likely that you will need to understand what the
values actually mean in order to ensure Samba operates correctly.

The recommended passdb backends at this time are

 * smbpasswd - 2.2 compatible flat file format
 * tdbsam - attribute rich database intended as an smbpasswd
   replacement for stand alone servers
 * ldapsam - attribute rich account storage and retrieval
   backend utilizing an LDAP directory.
 * ldapsam_compat - a 2.2 backward compatible LDAP account
   backend

Certain functions of the smbpasswd(8) tool have been split between the
new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
utility. See the respective man pages for details.


######################################################################
LDAP
####

This section outlines the new features affecting Samba / LDAP
integration.

New Schema
----------

A new object class (sambaSamAccount) has been introduced to replace
the old sambaAccount.
This change aids us in the renaming of
attributes to prevent clashes with attributes from other vendors.
There is a conversion script (examples/LDAP/convertSambaAccount) to
modify an LDIF file to the new schema.

Example:

 $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
 $ convertSambaAccount --sid=<Domain SID> \
   --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
   --changetype=[modify|add]

The <Domain SID> can be obtained by running 'net getlocalsid
<DOMAINNAME>' on the Samba PDC as root. The changetype determines
the format of the generated LDIF output--either create new entries
or modify existing entries. Both the input and the output file carry
the LM and NT password hashes, which are password-equivalent, so keep
them readable by root only and remove them once the directory has
been updated.

The old sambaAccount schema may still be used by specifying the
"ldapsam_compat" passdb backend. However, the sambaAccount and
associated attributes have been moved to the historical section of
the schema file and must be uncommented before use if needed.
The 2.2 object class declaration for a sambaAccount has not changed
in the 3.0 samba.schema file.

Other new object classes and their uses include:

 * sambaDomain - domain information used to allocate rids
   for users and groups as necessary. The attributes are added
   in 'ldap suffix' directory entry automatically if
   an idmap uid/gid range has been set and the 'ldapsam'
   passdb backend has been selected.

 * sambaGroupMapping - an object representing the
   relationship between a posixGroup and a Windows
   group/SID. These entries are stored in the 'ldap
   group suffix' and managed by the 'net groupmap' command.

 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
   automatically and contains the next available 'idmap uid' and
   'idmap gid'

 * sambaIdmapEntry - object storing a mapping between a
   SID and a UNIX uid/gid. These objects are created by the
   idmap_ldap module as needed.

 * sambaSidEntry - object representing a SID alone, as a Structural
   class on which to build the sambaIdmapEntry.


New Suffix for Searching
------------------------

The following new smb.conf parameters have been added to aid in directing
certain LDAP queries when 'passdb backend = ldapsam://...' has been
specified.

 * ldap suffix - used to search for user and computer accounts
 * ldap user suffix - used to store user accounts
 * ldap machine suffix - used to store machine trust accounts
 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
 * ldap idmap suffix - location of sambaIdmapEntry objects

If an 'ldap suffix' is defined, it will be appended to all of the
remaining sub-suffix parameters. In this case, the order of the suffix
listings in smb.conf is important. Always place the 'ldap suffix' first
in the list.

Due to a limitation in Samba's smb.conf parsing, you should not surround
the DNs with quotation marks.


IdMap LDAP support
------------------

Samba 3.0 supports an ldap backend for the idmap subsystem. The
following options would inform Samba that the idmap table should be
stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
dc=org" partition.

 [global]
 ...
 idmap backend = ldap:ldap://onterose/
 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
 idmap uid = 40000-50000
 idmap gid = 40000-50000

This configuration allows winbind installations on multiple servers to
share a uid/gid number space, thus avoiding the interoperability problems
with NFS that were present in Samba 2.2. Because winbindd writes to the
idmap container, it binds with the LDAP admin credentials stored via
'smbpasswd -w'; enable the 'ldap ssl' option so that bind does not cross
the network in clear text.
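To make concrete what the sambaAccount to sambaSamAccount conversion in the
"New Schema" section has to do, here is an added illustration. It is not
Samba's examples/LDAP/convertSambaAccount script: the attribute rename table
is what the 3.0 samba.schema uses for the attributes listed, the RID to SID
rule is <Domain SID>-<rid>, and the sample LDIF entries, the hash values and
the domain SID are constructed for the demo.

```python
import re

# Samba 2.2 sambaAccount attribute -> Samba 3.0 sambaSamAccount attribute.
# Assumed to cover the attributes a 2.2 export usually carries.
ATTR_MAP = {
    "lmPassword": "sambaLMPassword",
    "ntPassword": "sambaNTPassword",
    "pwdLastSet": "sambaPwdLastSet",
    "logonTime": "sambaLogonTime",
    "logoffTime": "sambaLogoffTime",
    "kickoffTime": "sambaKickoffTime",
    "pwdCanChange": "sambaPwdCanChange",
    "pwdMustChange": "sambaPwdMustChange",
    "acctFlags": "sambaAcctFlags",
    "homeDrive": "sambaHomeDrive",
    "scriptPath": "sambaLogonScript",
    "profilePath": "sambaProfilePath",
    "smbHome": "sambaHomePath",
    "userWorkstations": "sambaUserWorkstations",
    "domain": "sambaDomainName",
}
# RID-valued 2.2 attributes become full SIDs: <domain SID>-<rid>
RID_ATTRS = {"rid": "sambaSID", "primaryGroupID": "sambaPrimaryGroupSID"}

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a list of (attribute, separator,
    value) triples. Folded lines (leading space) are joined, '#' comments are
    dropped, base64 values ('::') are carried through untouched."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            name, sep, value = current[-1]
            current[-1] = (name, sep, value + raw[1:])
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):
            m = LINE_RE.match(raw)
            if not m:
                raise ValueError("malformed LDIF line: %r" % raw)
            current.append(m.groups())
    return entries


def convert_entry(attrs, domain_sid, changetype="add"):
    """Rewrite one entry to the sambaSamAccount schema and return its LDIF
    lines: a fresh 'add' record, or a 'modify' record that deletes the 2.2
    attributes and adds the renamed ones in place. Entries that are not a
    sambaAccount return [] so a whole directory dump can be fed through."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("domain SID must look like S-1-5-21-x-y-z, got %r" % (domain_sid,))
    if changetype not in ("add", "modify"):
        raise ValueError("changetype must be 'add' or 'modify'")
    if "sambaAccount" not in [v for n, _, v in attrs if n.lower() == "objectclass"]:
        return []
    dn_sep, dn = next((s, v) for n, s, v in attrs if n.lower() == "dn")

    classes, kept, removed, added = [], [], [], []
    for name, sep, value in attrs:
        if name.lower() == "dn":
            continue
        if name.lower() == "objectclass":
            classes.append("sambaSamAccount" if value == "sambaAccount" else value)
        elif name in ATTR_MAP:
            removed.append(name)
            added.append((ATTR_MAP[name], sep, value))
        elif name in RID_ATTRS:
            if sep != ":" or not value.isdigit():
                raise ValueError("%s in %s must be a decimal RID" % (name, dn))
            removed.append(name)
            added.append((RID_ATTRS[name], ":", "%s-%s" % (domain_sid, value)))
        else:
            kept.append((name, sep, value))

    lines = ["dn%s %s" % (dn_sep, dn), "changetype: " + changetype]
    if changetype == "add":
        lines += ["objectClass: " + c for c in classes]
        lines += ["%s%s %s" % t for t in kept + added]
    else:
        lines += ["replace: objectClass"] + ["objectClass: " + c for c in classes] + ["-"]
        for name in dict.fromkeys(removed):          # each 2.2 attribute once
            lines += ["delete: " + name, "-"]
        for name, sep, value in added:
            lines += ["add: " + name, "%s%s %s" % (name, sep, value), "-"]
    return lines


def convert_ldif(text, domain_sid, changetype="add"):
    """Convert every sambaAccount entry in an LDIF dump and return LDIF text.
    The output carries LM/NT hashes (password-equivalent): write it with
    mode 0600 and delete it once it has been loaded into the directory."""
    blocks = ["\n".join(lines) for lines in
              (convert_entry(e, domain_sid, changetype) for e in parse_ldif(text)) if lines]
    return "\n\n".join(blocks) + "\n"


# Constructed sample: one 2.2 account (the hash values are placeholders, not
# real hashes) plus a plain posixGroup that must pass through unconverted.
DEMO_DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=plainjoe,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: jdoe
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/jdoe
rid: 3000
primaryGroupID: 1027
lmPassword: 00000000000000000000000000000000
ntPassword: 00000000000000000000000000000000
pwdLastSet: 1076000000
acctFlags: [U          ]
smbHome: \\\\pogo\\jdoe
scriptPath: logon.bat

dn: cn=users,ou=groups,dc=plainjoe,dc=org
objectClass: posixGroup
cn: users
gidNumber: 513
"""

if __name__ == "__main__":
    print(convert_ldif(SAMPLE_LDIF, DEMO_DOMAIN_SID, "add"))
```

Run it with the 'modify' changetype against a dump of the live subtree when the
entries already exist, and with 'add' when loading into an empty container; in
both cases the resulting sambaSID must fall inside the SID returned by 'net
getlocalsid' or smbd will not recognise the account as a domain user.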
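The suffix ordering rule, the no-quotes rule and the idmap range format
described above are all silent mistakes until smbd or winbindd fails at run
time. The following checker is an added example, not a Samba tool: the sample
smb.conf texts are constructed, the "appended only when 'ldap suffix' was
defined earlier" rule is modelled directly on the statement above, and the
idmap checks assume the low-high range syntax shown in the example.

```python
import re

SUFFIX_PARAMS = ("ldap user suffix", "ldap machine suffix",
                 "ldap group suffix", "ldap idmap suffix")


def parse_global(text):
    """Return the [global] parameters as an ordered list of (name, value).
    Names are lower-cased with internal whitespace collapsed, which is how
    Samba compares them; full-line ';' and '#' comments are skipped."""
    params, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, _, value = line.partition("=")
            params.append((" ".join(name.lower().split()), value.strip()))
    return params


def effective_suffixes(text):
    """DNs Samba will actually use: 'ldap suffix' is appended to each
    sub-suffix only when it was defined earlier in smb.conf."""
    params = parse_global(text)
    names, values = [n for n, _ in params], dict(params)
    base = values.get("ldap suffix")
    out = {}
    for p in SUFFIX_PARAMS:
        if p in values:
            appended = base and names.index(p) > names.index("ldap suffix")
            out[p] = values[p] + "," + base if appended else values[p]
    return out


def check_ldap_config(text):
    """Return a list of (severity, message) findings for the pitfalls above."""
    params = parse_global(text)
    names, values = [n for n, _ in params], dict(params)
    findings = []
    # 'ldap suffix' must come first or the base DN is not appended
    if "ldap suffix" in names:
        base_pos = names.index("ldap suffix")
        for p in SUFFIX_PARAMS:
            if p in names and names.index(p) < base_pos:
                findings.append(("error", "%s precedes 'ldap suffix'; the base DN "
                                          "will not be appended to it" % p))
    # smb.conf parsing does not cope with quoted DNs
    for p in ("ldap suffix",) + SUFFIX_PARAMS:
        v = values.get(p, "")
        if v and (v[0] in "\"'" or v[-1] in "\"'"):
            findings.append(("error", "%s = %s is quoted; remove the quotation "
                                      "marks" % (p, v)))
    # idmap ranges are written low-high and must be identical on every
    # server sharing the LDAP idmap table
    for p in ("idmap uid", "idmap gid"):
        v = values.get(p)
        if v is not None:
            m = re.match(r"^(\d+)\s*-\s*(\d+)$", v)
            if not m or int(m.group(1)) >= int(m.group(2)):
                findings.append(("error", "%s = %s is not a low-high range" % (p, v)))
    if values.get("idmap backend", "").startswith("ldap") and "ldap idmap suffix" not in values:
        findings.append(("warning", "idmap backend = ldap without 'ldap idmap suffix'; "
                                    "set it so sambaIdmapEntry objects land in a known container"))
    # clear-text passwords on the wire
    if values.get("encrypt passwords", "yes").lower() in ("no", "false", "0"):
        findings.append(("warning", "encrypt passwords = no sends passwords in clear "
                                    "text; create Samba accounts instead"))
    return findings


# Constructed smb.conf fragments: the first breaks every rule above, the
# second is the corrected form of the same configuration.
BAD_CONF = """\
[global]
   workgroup = SAMBA
   passdb backend = ldapsam:ldap://onterose/
   ldap user suffix = "ou=people"
   ldap suffix = dc=plainjoe,dc=org
   ldap machine suffix = ou=computers
   idmap backend = ldap:ldap://onterose/
   idmap uid = 50000-40000
   encrypt passwords = no
"""

GOOD_CONF = """\
[global]
   workgroup = SAMBA
   passdb backend = ldapsam:ldap://onterose/
   ldap suffix = dc=plainjoe,dc=org
   ldap user suffix = ou=people
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap
   idmap backend = ldap:ldap://onterose/
   idmap uid = 40000-50000
   idmap gid = 40000-50000
"""

if __name__ == "__main__":
    for severity, message in check_ldap_config(BAD_CONF):
        print("%-8s %s" % (severity, message))
    print(effective_suffixes(GOOD_CONF))
```

Feed it the real smb.conf before the first start of 3.0; the effective
suffixes it prints are the DNs to verify with ldapsearch, and a sub-suffix that
comes out without the base DN appended is the ordering problem the text warns
about.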



######################################################################
Trust Relationships and a Samba Domain
######################################

Samba 3.0.0beta2 is able to utilize winbindd as the means of
allocating uids and gids to trusted users and groups. More
information regarding Samba's support for establishing trust
relationships can be found in the Samba-HOWTO-Collection included
in the docs/ directory of this release.

First create your Samba PDC and ensure that everything is
working correctly before moving on to the trusts.

To establish Samba as the trusting domain (named SAMBA) from a Windows NT
4.0 domain named WINDOWS:

 1) create the trust account for SAMBA in "User Manager for Domains"
 2) connect the trust from the Samba domain using
    'net rpc trustdom establish WINDOWS'

To create a trust relationship with SAMBA as the trusted domain:

 1) create the initial trust account for WINDOWS using
    'smbpasswd -a -i WINDOWS'. You may need to create a UNIX
    account for WINDOWS$ prior to this step (depending on your
    local configuration).
 2) connect the trust from a WINDOWS DC using "User Manager
    for Domains"

Now join winbindd on the Samba PDC to the SAMBA domain using
the normal steps for adding a Samba server to an NT4 domain:
(note that smbd & nmbd must be running at this point)

 root# net rpc join -U root
 Password: <enter root password from smbpasswd file here>

Start winbindd and test the join with 'wbinfo -t'.

Now test the trust relationship by connecting to the SAMBA DC
(e.g. POGO) as a user from the WINDOWS domain:

 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
 Password:

Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user, that is
with the SAMBA domain as the workgroup:

 $ smbclient //crystal/netlogon -U root -W SAMBA
 Password:

######################################################################
Changes in Winbind
##################

Beginning with Samba 3.0.0beta3, winbindd has been given new account
management functionality equivalent to the 'add user script' family of
smb.conf parameters. The idmap design has also been changed to
centralize control of foreign SID lookups and matching to UNIX
uids and gids.


Brief Description of Changes
----------------------------

1) The sid_to_uid() family of functions (smbd/uid.c) have been
   reverted to the 2.2.x design. This means that when resolving a
   SID to a UID or similar mapping:

   a) First consult winbindd
   b) perform a local lookup only if winbindd fails to
      return a successful answer

   There are some variations to this, but these two rules generally
   apply.

2) All idmap lookups have been moved into winbindd. This means that
   a server must run winbindd (and support NSS) in order to achieve
   any mappings of SID to dynamically allocated UNIX ids. This was
   a conscious design choice.

3) New functions have been added to winbindd to emulate the 'add user
   script' family of smbd functions without requiring that external
   scripts be defined. This functionality is controlled by the 'winbind
   enable local accounts' smb.conf parameter (enabled by default).

   However, this account management functionality is only supported
   in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
   must be shared among multiple Samba servers (such as a PDC and BDCs),
   it will be necessary to define your own 'add user script', et al.
   programs that place the accounts/groups in some form of directory
   such as NIS or LDAP.
   This requirement was deemed beyond the scope
   of winbind's account management functions. Solutions for
   distributing UNIX system information have been deployed and tested
   for many years. We saw no need to reinvent the wheel.

4) A member of a Samba controlled domain running winbindd is now able
   to map domain users directly onto existing UNIX accounts while still
   automatically creating accounts for trusted users and groups. This
   behavior is controlled by the 'winbind trusted domains only' smb.conf
   parameter (disabled by default to provide 2.2.x winbind behavior).

5) Group mapping support is wrapped in the local_XX_to_XX() functions
   in smbd/uid.c. The reason that group mappings are not included
   in winbindd is because the purpose of Samba's group map is to
   match any Windows SID with an existing UNIX group. These UNIX
   groups can be created by winbindd (see next section), but the
   SID<->gid mapping is retrieved by smbd, not winbindd.


Examples
--------

* security = server running winbindd to allocate accounts on demand

* Samba PDC running winbindd to handle the automatic creation of UNIX
  identities for machine trust accounts

* Automatically creating UNIX users and groups when migrating a Windows NT
  4.0 PDC to a Samba PDC. Winbindd must be running when executing
  'net rpc vampire' for this to work.


######################################################################
Known Issues
############

* There are several bugs currently logged against the 3.0 codebase
  that affect the use of NT 4.0 GUI domain management tools when run
  against a Samba 3.0 PDC. These bugs should be resolved in an early
  3.0.x release.

Please refer to https://bugzilla.samba.org/ for a current list of bugs
filed against the Samba 3.0 codebase.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.

A new bugzilla installation has been established to help support the
Samba 3.0 community of users. This server, located at
https://bugzilla.samba.org/, has replaced the older jitterbug server
previously located at http://bugs.samba.org/.