source: trunk/third/samba/WHATSNEW.txt @ 20377

Revision 20377, 50.1 KB checked in by zacheiss, 21 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r20376, which included commits to RCS files with non-trunk default branches.
                  ==============================
                  Release Notes for Samba 3.0.2a
                        February 13, 2004
                  ==============================

Samba 3.0.2a is a minor patch release for the 3.0.2 code base
to address, in particular, a problem when using pdbedit to
sanitize (--force-initialized-passwords) Samba's tdbsam
backend.   This is the latest stable release of Samba. This
is the version that all production Samba servers should be
running for all current bug-fixes.

******************* Attention! Achtung! Kree! *********************

Beginning with Samba 3.0.2, passwords for accounts with a last
change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
ldapsam, etc...) of zero (0) will be regarded as uninitialized
strings.  This will cause authentication to fail for such
accounts.  If you have valid passwords that meet this criterion,
you must update the last change time to a non-zero value.  If you
do not, then 'pdbedit --force-initialized-passwords' will disable
these accounts and reset the password hashes to a string of X's.

******************* Attention! Achtung! Kree! *********************


######################################################################
Changes
#######

Changes since 3.0.2
-------------------

commits
-------

Please refer to the CVS log for the SAMBA_3_0 branch for complete
details.  The list of changes per contributor is as follows:


o   Jeremy Allison <jra@samba.org>
    * Added paranoia checks in parsing code.


o   Andrew Bartlett <abartlet@samba.org>
    * Ensure that changes to uninitialized passwords in ldapsam
      are written to the DIT.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Fixed iterator in tdbsam.
    * Fix bug that disabled accounts with a valid NT password
      hash, but no LanMan hash.


o   Steve French <sfrench@us.ibm.com>
    * Added missing nosetuid and noexec options.


o   Bostjan Golob <golob@gimb.org>
    * BUG 1046: Don't overwrite usernames of entries returned
      by getpwent_list().


o   Sebastian Krahmer <krahmer@suse.de>
    * Fixed potential crash bug in NTLMSSP parsing code.


o   Tim Potter <tpot@samba.org>
    * Fixed logic in tdb_brlock error checking.


o   Urban Widmark <urban@teststation.com>
    * Set nosuid,nodev flags in smbmnt by default.


Changes for older versions follow below:

        --------------------------------------------------

                  =============================
                  Release Notes for Samba 3.0.2
                        February 9, 2004
                  =============================

It has been confirmed that previous versions of Samba 3.0 are
susceptible to a password initialization bug that could grant an
attacker unauthorized access to a user account created by the
mksmbpasswd.sh shell script.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0082 to this issue.

Samba administrators not wishing to upgrade to the current
version should download the 3.0.2 release, build the pdbedit
tool, and run

   root# pdbedit-3.0.2 --force-initialized-passwords

This will disable all accounts not possessing a valid password
(e.g. the password field has been set to a string of X's).

Samba servers running 3.0.2 are not vulnerable to this bug
regardless of whether or not pdbedit has been used to sanitize
the passdb backend.

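Added example (not part of the Samba release notes or of Samba itself):
a read-only pre-upgrade check for an smbpasswd file that reports the two
kinds of entry described in the 3.0.2a "Attention" notice and the 3.0.2
advisory above.  The field layout name:uid:LM hash:NT hash:[flags]:LCT-xxxxxxxx:,
the function names and the sample entries are assumptions made for this
example; pdbedit remains the tool that actually changes the backend.

```python
import re
from typing import List, NamedTuple

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")        # an initialized LM or NT hash
LCT_RE = re.compile(r"^LCT-([0-9A-Fa-f]{8})$")  # last change time, hex seconds
FLAGS_RE = re.compile(r"^\[([A-Za-z ]*)\]$")    # account control flags

# Constructed sample entries (fake users and hash values), assuming the
# smbpasswd layout name:uid:LM hash:NT hash:[flags]:LCT-xxxxxxxx:
SAMPLE = """\
# constructed sample, not real accounts
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40261A2B:
bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
dave:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-00000000:
erin:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40261A2B:
guest:1006:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
"""


class Finding(NamedTuple):
    user: str
    status: str  # "ok", "lct-zero", "uninitialized" or "malformed"
    detail: str


def classify(line: str) -> Finding:
    """Classify one smbpasswd entry against the 3.0.2 behaviour change."""
    fields = line.rstrip("\n").split(":")
    user = fields[0]
    if len(fields) < 6:
        return Finding(user, "malformed", "expected at least 6 fields")
    lm, nt, flags, lct = fields[2:6]
    flags_m, lct_m = FLAGS_RE.match(flags), LCT_RE.match(lct)
    if not flags_m or not lct_m:
        return Finding(user, "malformed", "unparseable flags or LCT field")
    acb = flags_m.group(1)
    last_change = int(lct_m.group(1), 16)

    # Either hash counts: an account with an NT hash but no LanMan hash is
    # still initialized (the case the 3.0.2a notes say was wrongly disabled).
    has_hash = bool(HEX32.match(lm) or HEX32.match(nt))

    if has_hash and last_change == 0:
        # Valid password, but 3.0.2 and later treat LCT 0 as uninitialized.
        return Finding(user, "lct-zero",
                       "valid hash with last change time 0: set a non-zero "
                       "LCT before running --force-initialized-passwords")
    # Assumption: 'D' marks a disabled account and 'N' marks "no password
    # required" (the ACB_PWNOTREQ bit named in the notes) in the flags field.
    if not has_hash and "D" not in acb and "N" not in acb:
        return Finding(user, "uninitialized",
                       "no password hash, not disabled, N flag not set")
    return Finding(user, "ok", "")


def audit(text: str) -> List[Finding]:
    """Return every entry that is not 'ok', skipping comments and blanks."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        finding = classify(line)
        if finding.status != "ok":
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.user:8} {f.status:14} {f.detail}")
```
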
Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
release include:

  o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
  o Logging onto a Samba domain from Windows XP clients.
  o Problems with the %U and %u smb.conf variables in relation to
    Windows 9x/ME clients.
  o Kerberos failures due to an invalid in-memory keytab detection
    test.
  o Updates to the ntlm_auth tool.
  o Fixes for various SMB signing errors.
  o Better separation of WINS and DNS queries for domain controllers.
  o Issues with nss_winbind on FreeBSD and Solaris.
  o Several crash bugs in smbd and winbindd.
  o Output formatting fixes for smbclient for better compatibility
    with scripts based on the 2.2 version.


Changes since 3.0.1
-------------------

smb.conf changes
----------------

    Parameter Name              Action
    --------------              ------
    ldap replication sleep      New
    read size                   removed (unused)
    source environment          removed (unused)


commits
-------

Please refer to the CVS log for the SAMBA_3_0 branch for complete
details.  The list of changes per contributor is as follows:

o   Jeremy Allison <jra@samba.org>
    * Revert change that broke Exchange clear text samlogons.
    * Fix gcc 3.4 warning in MS-DFS code.
    * Tidy up of NTLMSSP code.
    * Fixes for SMB signing errors
    * BUG 815: Workaround NT4 bug to support plaintext
      password logins and UNICODE.
    * Fix SMB signing bug when copying large files.
    * Correct error logic in mkdir_internals() (caused a panic
      when combined with --enable-developer).
    * BUG 830: Protect against crashes due to bad character
      conversions.


o   Petri Asikainen <paca@sci.fi>
    * BUG 330, 387: Fix single valued attribute updates when
      working with Novell NDS.


o   Andrew Bartlett <abartlet@samba.org>
    * Correctly handle per-pipe NTLMSSP inside a NULL session.
    * Fix segfault in gencache
    * Fix early free() of encrypted_session_key.
    * Change DC lookup routines to more carefully separate
      DNS names (realms) from NetBIOS domain names.
    * Add new sid_to_dn() function for internal winbindd use.
    * Refactor cli_ds_enum_domain_trusts().
    * BUG 707: Implement range retrieval of ADS attributes (based
      on work from Volker <vl@samba.org> and Guenther Deschner
      <gd@suse.com>).
    * Automatically initialize the signing engine if a session key
      is available.
    * BUG 916: Do not perform a + -> ' ' substitution for squid URL
      encoded strings, only form input in SWAT.
    * Resets the NTLMSSP state for new negotiate packets.
    * Add 2-byte alignments in net_samlogon() queries to parse
      odd-length plain text passwords.
    * Allow Windows groups with no members in winbindd.
    * Allow normal authentication in the absence of a server
      generated session key.
    * More optimizations for looking up UNIX group lists.
    * Clean up error codes and return values for pam_winbindd
      and winbindd PAM interface.
    * Fix string return values in ntlm_auth tool.
    * Fix segfault when 'security = ads' but no realm is defined.
    * BUG 722: Allow winbindd to map machine accounts to uids.
    * More cleanups for winbindd's find_our_domain().
    * More clearly detect whether a domain controller is an NT4
      or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
    * Increase separation between DNS queries for hosts and queries
      for AD domain controllers.
    * Include additional NT_STATUS to PAM error mappings.
    * Password initialization fixes.


o   Justin Baugh <justin.baugh@request.com>
    * BUG 948: Implement missing functions required for FreeBSD
      nss_winbind support.


o   Alexander Bokovoy <ab@samba.org>
    * BUG 922: Make sure to enable fast path for strlower_m() and
      strupper_m().


o   Luca Bolcioni <Luca.Bolcioni@yacme.com>
    * Fix crash when using 'security = server' and 'encrypt
      passwords = no' by always initializing the session key.


o   Dmitry Butskoj <buc@odusz.elektra.ru>
    * Fix for special files being hidden from admins.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Fix bug in the lanman session key generation.  Caused
      "decode_pw: incorrect password length" error messages.
    * Save the right case for the located user name in
      fill_sam_account().  Fixes %U/%u expansion for win9x clients.
    * BUG 897: Add well known rid for pre win2k compatible access
      group.
    * BUG 887: Correct typo in delete user script example.
    * Use short lived TALLOC_CTX* for allocating printer objects
      from the print handle cache.
    * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
    * Fix several warnings reported by the SUN Forte C compiler.
    * Fully control DNS queries for AD DC's using 'name resolve order'.
    * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
    * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
    * BUG 936: fix bind credentials for schannel binds in smbd.
    * BUG 446: Fix output of smbclient for better compatibility
      with scripts based on the 2.2 version (including Amanda).
    * BUG 891, 949: Fedora packaging fixes.
    * Fix bug that caused rpcclient to incorrectly retrieve
      the SID for a server (thus causing all calls that required
      this information to fail).
    * BUG 977: Don't create a homes share for a user if a static
      share already exists by the same name.
    * Removed unused smb.conf options.
    * Password initialization fixes.
    * Set the disable flag for template accounts created by
      mksmbpasswd.sh.
    * Disable any account that has no passwords and does not have
      the ACB_PWNOTREQ bit set.


o   Guenther Deschner <gd@suse.com>
    * smbwrapper.so should be installed into $(libdir)
      and not $(bindir).
    * Add the capability to specify the new user password
      for "net ads password" on the command line.
    * Correctly detect AFS headers on SuSE.


o   James Flemer <jflemer@uvm.edu>
    * Fix AIX compile bug by linking HAVE_ATTR_LIST to
      HAVE_SYS_ATTRIBUTES_H.


o   Luke Howard <lukeh@PADL.COM>
    * Fix segfault in session setup reply caused by an early free().


o   Stoian Ivanov <sdr@bultra.com>
    * Implement grepable output for smbclient -L.


o   LaMont Jones <lamont@debian.org>
    * BUG 225328 (Debian): Correct false failure LFS test that resulted
      in _GNU_SOURCE not being defined (thus resulting in strndup()
      not being defined).


o   Volker Lendecke <vl@samba.org>
    * BUG 583: Ensure that user names always contain the short
      version of the domain name.
    * Fix our parsing of the LDAP uri.
    * Don't show the 'afs username map' in the SWAT basic view.
    * Fix SMB signing issues in relation to failed NTLMSSP logins.
    * BUG 924: Fix return codes in smbtorture harness.
    * Always lower-case usernames before handing them to AFS code.
    * Add a German translation for SWAT.
    * Fix a segfaults in winbindd.
    * Fix the user's domain passed to register_vuid() from
      reply_spnego_kerberos().
    * Add NSS example code in nss_winbind to convert UNIX
      id's <-> Windows SIDs.
    * Display more descriptive error messages for login via 'net'.
    * Fix compiler warning in the net tool.
    * Fix length bug when decoding base64 strings.
    * Ensure we don't call getpwnam() inside a loop that is iterating
      over users with getpwent().  This broke on glibc 2.3.2.


o   Herb Lewis <herb@samba.org>
    * Fix bit rot in psec.


o   Jianliang Lu <j.lu@tiesse.com>
    * Ensure we delete the group mapping before calling the delete
      group script.
    * Define well known RID for managing the "Power Users" group.
    * BUG 381: check builtin (not local) group SID when updating
      group membership.
    * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
      packet.


o   John Klinger <john.klinger@lmco.com>
    * Implement initgroups() call in nss_winbind on Solaris.


o   Jim McDonough <jmcd@us.ibm.com>
    * Fix regression in net rpc join caused by recent changes
      to cli_lsa_query_info_policy().
    * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
      machine account.


o   MORIYAMA Masayuki <moriyama@miraclelinux.com>
    * BUG 570: Ensure that configure honors the LDFLAGS variable.


o   Stefan Metzmacher <metze@samba.org>
    * Implement LDAP rebind sleep patch.
    * Revert to 2.2 quota code because of so many broken quota files
      out there.
    * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
                      XFS_USER_QUOTA -> USRQUOTA
                      XFS_GROUP_QUOTA -> GRPQUOTA
    * Fix disk_free calculation with group quotas.
    * Add debug class 'quota' and a lot of DEBUG()'s
      to the quota code.
    * Fix sys_chown() when no chown() is present.
    * Add SIGABRT to fault handling in order to get a
      backtrace if an error occurs in the OpenLDAP client libs.


o   <ndb@theghet.to>
    * Allow an existing LDAP machine account to be re-used when
      joining an AD domain.


o   James Peach <jpeach@sgi.com>
    * BUG 889: Change smbd to use pread/pwrite on platforms that
      support these calls. Can lead to a significant speed increase.


o   Tim Potter <tpot@samba.org>
    * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
    * BUG 924: Fix typo in RW2 torture test.


o   Richard Sharpe <shape@samba.org>
    * Small fixes to torture.c to cleanup the error handling
      and prevent crashes.


o   J. Tournier <jerome.tournier@IDEALX.com>
    * Small fixes for the smbldap-tool scripts.


o   Andrew Tridgell <tridge@samba.org>
    * Fix src len check in pull_usc2().


o   Jelmer Vernooij <jelmer@samba.org>
    * Put functions for generating SQL queries in pdb_sql.c
    * Add pgSQL backend (based on patch by Hamish Friedlander)
    * BUG 908: Fix -s option to smbcontrol.
    * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
    * Fix for libnss_wins on IRIX platforms.
    * Fix swatdir for --with-fhs.


        --------------------------------------------------

                  =============================
                  Release Notes for Samba 3.0.1
                        December 15, 2003
                  =============================

Some of the more common bugs in 3.0.0 addressed in the release
include:

  o Substitution problems with smb.conf variables.
  o Errors in return codes which caused some applications
    to fail to open files.
  o General Protection Faults on Windows 2000/XP clients
    using Samba point-n-print features.
  o Several miscellaneous crash bugs.
  o Access problems when enumerating group mappings
    stored in an LDAP Directory.
  o Several common SWAT bugs when writing changes to
    smb.conf.
  o Internal inconsistencies when 'winbind use default
    domain = yes'



Changes since 3.0.0
----------------------

    Parameter Name              Action
    --------------              ------
    hide local users            Removed
    mangled map                 Deprecated
    mangled stack               Removed
    passwd chat timeout         New


commits
-------

o   Change the interface for init_unistr2 to not take a length
    but a flags field.  We were assuming that
    2*strlen(mb_string) == length of ucs2-le string.  (bug 480).
o   Allow d_printf() to handle strings with escaped quotation
    marks since the msg file includes the escape character (bug 489).
o   Fix bad html table row termination in SWAT wizard code (bug 413).
o   Fix to parse the level-2 strings.
o   Fix for "valid users = %S" in [homes].  Fix read/write
    list as well.
o   Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
    This is the same way AC_CHECK_LIB works (bug 508).
o   Testparm output fixes for clarity.
o   Fix broken wins hook functionality -- i18n bug (bug 528).
o   Take care of condition where DOS and NT error codes must differ.
o   Default to using only built-in charsets when a working iconv
    implementation cannot be located.
o   Wrap internals of sys_setgroups() so the sys_XX() call can
    be done unconditionally (bug 550).
o   Remove duplicate smbspool link on SWAT's front page (bug 541).
o   Save and restore CFLAGS before/after AC_PROG_CC.  Ensures that
    --enable-debug=[yes|no] works correctly.
o   Allow ^C to interrupt smbpasswd if using our getpass
    (e.g. smbpasswd command).
o   Support signing only on RPC's (bug 167).
o   Correct bug that prevented Excel 2000 clients from opening
    files marked as read-only.
o   Portability fixes (bugs 546 - 549).
o   Explicitly initialize the value of AR for vendor makes that don't
    do this (e.g. HPUX 11).  (bug 552).
o   More i18n fixes for SWAT (bug 413).
o   Change the cwd before the postexec script to ensure that a
    umount will succeed.
o   Correct double free that caused winbindd to crash when a DC
    is rebooted (bug 437).
o   Fix incorrect mode sum (bug 562).
o   Canonicalize SMB_INFO_ALLOCATION in the same way as
    SMB_FS_FULL_SIZE_INFORMATION (bug 564).
o   Add script to generate *msg files.
o   Add Dutch SWAT translation file.
o   Make sure to call get_user_groups() with the full winbindd
    name for a user if he/she has one (bug 406).
o   Fix up error code returns from Samba4 tester. Ensure invalid
    paths are validated the same way.
o   Allow Samba3 to pass the Samba4 RAW-READ tests.
o   Refuse to configure if --with-expsam=$BACKEND was used but no
    libraries were found for $BACKEND.
o   Move sysquotas autoconf tests to a separate file.
o   Match W2K w.r.t. writelock and writeclose.  Samba4 torture
    tester
o   Make sure that the files that contain the static_init_$subsystem;
    macro get recompiled after configure by removing the object
    files.
o   Ensure canceling a blocking lock returns the correct error
    message.
o   Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
o   Updated Japanese welcome file in SWAT.
o   Fix to make nt-time <-> unix-time functions reversible.
o   Ensure that winbindd uses the escaped DN when querying
    an AD ldap server.
o   Fix portability issues when compiling (bug 505, 550)
o   Compile fix for tdbbackup when Samba needs to override
    non-C99 compliant implementations of snprintf().
o   Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
o   Make sure we break out of samsync loop on error.
o   Ensure error code path doesn't free unmalloc()'d memory
    (bug 628).
o   Add configure test for krb5_keytab_entry keyblock vs key
    member (bug 636).
o   Fixed spinlocks.
o   Modified testparm so that all debug output goes
    to stderr, and all file processing goes to stdout.
o   Fix error return code for BUFFER_TOO_SMALL in smbcacls
    and smbcquotas.
o   Fix "NULL dest in safe_strcpy()" log message by ensuring that
    we have a devmode before copying a string to the devicename.
o   Support mapping REALM.COM\user to a local user account (without
    running winbindd) for compatibility with 2.2.x release.
o   Ensure we don't use mmap() on blacklisted systems.
o   Fixed a number of bugs and memory leaks in the AIX
    winbindd shim
o   Call initgroups() in SWAT before becoming the user so that
    secondary group permissions can be used when writing to
    smb.conf.
o   Fix signing problems when reverse connecting back to a
    client for printer notify
o   Fix signing problems caused by a miss-sequence bug.
o   Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
    Fixes NEXUS tools running on Win9x clients (bug 64).
o   Don't leave the domain field uninitialized in cli_lsa.c if some
    SID could not be mapped.
o   Fix segfault in mount.cifs helper when there are no options
    specified during mount.
o   Change the \n after the password prompt to go to tty instead
    of stdout (bug 668).
o   Stop net -P from prompting for machine account password (bug 451).
o   Change in behavior to not only change the effective uid but also
    the real uid when becoming unprivileged.
o   Cope with Exchange 5.5 cleartext pop password auth.
o   New files for support of initshutdown pipe.  Win2k doesn't
    respond properly to all requests on the winreg pipe, so we need
    to handle this new pipe (bug 534).
o   Added more va_copy() checks in configure.in.
o   Include fixes for libsmbclient build problems.
o   Missing UNIX -> DOS codepage conversion in lanman.c.
o   DFMS-S filenames can now have arbitrary case (bug 667).
o   Parameterize the listen backlog in smbd and make it larger by
    default. A backlog of 5 is way too small these days.
o   Check for an invalid fid before dereferencing the fsp pointer
    (bug 696).
o   Remove invalid memory frees and return codes in pdb_ldap.c.
o   Prompt for password when invoking --set-auth-user and no
    password is given.
o   Bind the nmbd sending socket to the 'socket address'.
o   Re-order link command for smbd, rpcclient and smbpasswd to ensure
    $LDFLAGS occurs before any library specification (bug 661).
o   Fix large number of printf() calls for 64-bit size_t.
o   Fix AC_CHECK_MEMBER so that SLES8 correctly finds the
    keyblock in the krb5 structs.
o   Remove #include <compat.h> in hopes to avoid problems with
    apache header files.
o   Correct winbindd build problems on HP-UX 11.
o   Lowercase netgroups lookups (bug 703).
o   Use the actual size of the buffer in strftime instead of a made
    up value which just happens to be less than sizeof(fstring).
    (bug 713).
o   Add ldaplibs to pdbedit link line (bug 651).
o   Fix crash bug in smbclient completion (bug 659).
o   Fix packet length for browse list reply (bug 771).
o   Fix coredump in cli_get_backup_list().
o   Make sure that we expand %N (bug 612).
o   Allow rpcclient adddriver command to specify printer driver
    version (bug 514).
o   Compile tdbdump by default.
o   Apply patches to fix iconv detection for FreeBSD.
o   Do not allow the 'guest account' to be added to a passdb backend
    using smbpasswd or pdbedit (bug 624).
o   Save LDFLAGS during iconv detection (bug 57).
o   Run krb5 logins through the username map if the winbindd
    lookup fails (bug 698).
o   Add const for lp_set_name_resolve_order() to avoid compiler
    warnings (bug 471).
o   Add support for the %i macro in smb.conf to stand in for
    the local IP address to which a client connected.
o   Allow winbindd to match local accounts to domain SID when
    'winbind trusted domains only = yes' (bug 680).
o   Remove code in idmap_ldap that searches the user suffix and group
    suffix.  It's not needed and provides inconsistent functionality
    from the tdb backend.
o   Patch to handle munged dial string for Windows 200 TSE.
o   Correct the "smbldap_open: cannot access when not root error"
    messages when looking up group information (bug 281).
o   Skip over the winbind separator when looking up a user.
    This fixes the bug that prevented local users from
    matching an AD user when not running winbindd (bug 698).
o   Fix a problem with configure on *BSD systems. Make sure
    we add -liconv etc to LDFLAGS.
o   Fix core dump bug when "security = server" and the authentication
    server goes away.
o   Correct crash bug due to an empty munged dial string.
o   Show files locked by a specific user (smbstatus -u 'user')
    (bug 590).
o   Fix bug preventing print jobs from display in the queue
    monitor used by Windows NT and later clients (bug 660).
o   Fix several reported problems with point-n-print from
    Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
    reply (bug 338, 527 & 643).
o   Fix a handful of potential memory leaks in the LDAP code used
    by ldapsam[_compat] and the LDAP idmap backend.
o   Fix for pdbedit error code returns (bug 763).
o   Make sure we only enumerate group mapping entries (not
    /etc/group) even when doing local aliases.
o   Relax check on the pipe name in a dce/rpc bind response to work
    around issues with establishing trusts to a Windows 2003 domain.
o   Ensure we mangle names ending in '.' in hash2 mangling method.
o   Correct parsing issues with munged dial string.
o   Fix bugs in quota support for XFS.
o   Add a cleaner method for applications that need to provide
    name->SID mappings to do this via NSS rather than having to
    know the winbindd pipe protocol.
o   Adds a variant of the winbindd_getgroups() call called
    winbindd_getusersids() that provides direct SID->SIDs listing of
    a user's supplementary groups. This is enough to allow non-Samba
    applications to do ACL checking.
o   Make sure we don't append the 'ldap suffix' when writing out the
    'ldap XXX suffix' values in SWAT (bug 328).
o   Fix renames across file systems.
o   Ensure that items in a list of strings containing whitespace are
    written out surrounded by single quotes.  This means that both
    double and single quotes are now used to surround strings in
    smb.conf (bug 481).
o   Enable SWAT to correctly determine if winbindd is running (bug
    398).
o   Include WWW-Authenticate field in 401 response for bad auth
    attempt (bug 629).
o   Add support for NTLM2 (NTLMv2 session security).
o   Add support for variable-length session keys.
o   More privilege fixes for group enumeration in LDAP (bug 281).
o   Use the dns name (or IP) as the originating client name when
    using CUPS (bug 467).
o   Fix various SMB signing bugs.
o   Fix ACL propagation on a DFS root (bug 263).
o   Disable NTLM2 for RPC pipes.
o   Allow the client to specify the NTLM2 flags for NTLMSSP
    authentication.
o   Change the name of the job passed off to cups from "Test Page"
    to "smbprn.00000033 Test Page" so that we can get the smb
    jobid back. This allows users to delete jobs with cups printing
    backend (partial work on bug 770).
o   Fix build of winbindd with static pdb modules.
o   Retrieve the correct ACL group bits if the file has an ACL
    (bug 802).
o   Implement "net rpc group members": Get members of a domain group
    in human-readable format.
o   Add MacOSX (Darwin) specific charset module code.
o   Use samr_dispinfo(level == 1) for enumerating domain users so we
    can include the full name in gecos field (bug 587).
o   Add support for winbind's NSS library on FreeBSD 5.1 (bug 797).
o   Implement 'net rpc group list [global|local|builtin]*' for a
    select listing of the respective user databases.
o   Don't automatically set NT status code flag unless client tells
    us it can cope.
o   Add 'net status [sessions|shares] [parseable]'.
o   Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
    bug 770).
o   Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
    (bug 608).
o   Fix inverted logic in hosts allow/deny checks caused by
    s/strcmp/strequal/ (bug 846).
o   Implement correct version of SamrRemoveSidForeignDomain() (bug 252).
o   Fix typo in 'hash' mangling algorithm.
o   Support munged dial for ldapsam (bug 800).
o   Fix process_incoming_data() to return the number of bytes handled
    this call whether we have a complete PDU or not; fixes bug
    with multiple PDU request rpc's broken over SMBwriteX calls
    each.
o   Fix incorrect smb flags2 for connections to pre-NT servers
    (causes smbclient to fail to OS2 for example) (bug 821).
o   Update version string in smbldap-tools Makefile to 0.8.2.
o   Correct a problem with "net rpc vampire" mis-parsing the
    alias member info reply.
o   Ensure the ${libdir} is created by the installclientlib script.
o   Fix detection of Windows 2003 client architecture in the smb.conf
    %a variable.
o   Ensure that smbd calls the add user script for a missing UNIX
    user on kerberos auth call (bug 445).
o   Fix bugs in hosts allow/deny when using a mismatched
    network/netmask pair.
o   Protect alloc_sub_basic() from crashing when the source string
    is NULL (partial work on bug 687).
o   Fix spinlocks on IRIX.
o   Corrected some bad destination paths when running "configure
    --with-fhs".
o   Add packaging files for Fedora Core 1.
o   Correct bug in SWAT install script for non-english languages.
o   Support character set ISO-8859-1 internally (bug 558).
o   Fixed more LDAP access errors when looking up group mappings
    (bug 281).
o   Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
    resolution to fail on local files on domain members
    (bug 875).
o   Fix uninitialized variable in passdb.c.
o   Fix formal parameter type in get_static() in nsswitch/wins.c.
o   Fix problem mounting directories when mount.cifs is installed
    with the setuid bit on.
o   Fix bug that prevented --mandir from overriding the defaults
    given in the --with-fhs macro.
o   Fix bug in in-memory Kerberos keytab detection routines
    in configure.in



689######################################################################
690
691              The original 3.0.0 release notes follow
692              =======================================
693                    WHATS NEW IN Samba 3.0.0
694                        September 24, 2003
695              =======================================
696
697
698Major new features:
699-------------------
700
7011)  Active Directory support.  Samba 3.0 is now able to 
702    join a ADS realm as a member server and authenticate
703    users using LDAP/Kerberos.
704
7052)  Unicode support. Samba will now negotiate UNICODE on the wire
706    and internally there is now a much better infrastructure for
707    multi-byte and UNICODE character sets.
708
7093)  New authentication system. The internal authentication system
710    has been almost completely rewritten. Most of the changes are
711    internal, but the new auth system is also very configurable.
712
7134)  New default filename mangling system.
714
7155)  A new "net" command has been added. It is somewhat similar to
716    the "net" command in windows. Eventually we plan to replace
717    numerous other utilities (such as smbpasswd) with subcommands
718    in "net".
719
7206)  Samba now negotiates NT-style status32 codes on the wire. This
721    improves error handling a lot.
722
7237)  Better Windows 2000/XP/2003 printing support including publishing
724    printer attributes in active directory.
725
7268)  New loadable module support for passdb backends and character
727    sets.
728
7299)  New default dual-daemon winbindd support for better performance.
730
73110) Support for migrating from a Windows NT 4.0 domain to a Samba
732    domain and maintaining user, group and domain SIDs.
733
73411) Support for establishing trust relationships with Windows NT 4.0
735    domain controllers.
736 
73712) Initial support for a distributed Winbind architecture using
738    an LDAP directory for storing SID to uid/gid mappings.
739 
74013) Major updates to the Samba documentation tree.
741
74214) Full support for client and server SMB signing to ensure
743    compatibility with default Windows 2003 security settings.
744
74515) Improvement of ACL mapping features based on code donated by
746    Andreas Grünbacher.
747
748
749Plus lots of other improvements!
750
751
752Additional Documentation
753------------------------
754
755Please refer to Samba documentation tree (included in the docs/
756subdirectory) for extensive explanations of installing, configuring
757and maintaining Samba 3.0 servers and clients.  It is advised to
758begin with the Samba-HOWTO-Collection for overviews and specific
759tasks (the current book is up to approximately 400 pages) and to
760refer to the various man pages for information on individual options.
761
762We are very glad to be able to include the second edition of
763"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
764(O'Reilly & Associates) in this release.  The book is available
765on-line at http://samba.org/samba/docs/ and is included with
766the Samba Web Administration Tool (SWAT).  Thanks to the authors and
767publisher for making "Using Samba" available under the GNU Free
768Documentation License.
769
770
771######################################################################
772Upgrading from a previous Samba 3.0 beta
773########################################
774
775Beginning with Samba 3.0.0beta3, the RID allocation functions
776have been moved into winbindd.  Previously these were handled
777by each passdb backend.  This means that winbindd must be running
778to automatically allocate RIDs for users and/or groups.  Otherwise,
779smbd will use the 2.2 algorithm for generating new RIDs.
780
781If you are using 'passdb backend = tdbsam' with a previous Samba
7823.0 beta release (or possibly alpha), it may be necessary to
783move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
784to winbindd_idmap.tdb.  To do this:
785
7861)  Ensure that winbindd_idmap.tdb exists (launch winbindd at least
787    once)
7882)  build tdbtool by executing 'make tdbtool' in the source/tdb/
789    directory
7903)  run: (note that 'tdb>' is the tool's prompt for input)
791
792       root# ./tdbtool /usr/local/samba/private/passdb.tdb
793       tdb> show RID_COUNTER
794       key 12 bytes
795       RID_COUNTER
796       data 4 bytes
797       [000] 0A 52 00 00                                       .R.
798
799       tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
800       ....
801       record moved
802
803If you are using 'passdb backend = ldapsam', it will be necessary to
804store idmap entries in the LDAP directory as well (i.e. idmap backend
805= ldap).  Refer to the 'net idmap' command for more information on
806migrating SID<->UNIX id mappings from one backend to another.
807
808If the RID_COUNTER record does not exist, then these instructions are
809unnecessary and the new RID_COUNTER record will be correctly generated
810if needed. 
811
812
813
814########################
815Upgrading from Samba 2.2
816########################
817
818This section is provided to help administrators understand the details
819involved with upgrading a Samba 2.2 server to Samba 3.0.
820
821
822Building
823--------
824
825Many of the options to the GNU autoconf script have been modified
826in the 3.0 release.  The most noticeable are:
827
828  * removal of --with-tdbsam (is now included by default; see section
829    on passdb backends and authentication for more details)
830   
831  * --with-ldapsam is now only used to provide backward compatible
832    parameters for LDAP enabled Samba 2.2 servers.  Refer to the passdb
833    backend and authentication section for more details
834 
835  * inclusion of non-standard passdb modules may be enabled using
836    --with-expsam.  This includes an XML backend and a mysql backend.
837     
838  * removal of --with-msdfs (is now enabled by default)
839 
840  * removal of --with-ssl (no longer supported)
841 
842  * --with-utmp now defaults to 'yes' on supported systems
843 
844  * --with-sendfile-support is now enabled by default on supported
845    systems
846 
847   
848Parameters
849----------
850
851This section contains a brief listing of changes to smb.conf options
852in the 3.0.0 release.  Please refer to the smb.conf(5) man page for
853complete descriptions of new or modified parameters.
854
855Removed Parameters (ordered alphabetically):
856
857  * admin log
858  * alternate permissions
859  * character set
860  * client codepage
861  * code page directory
862  * coding system
863  * domain admin group
864  * domain guest group
865  * force unknown acl user
866  * hide local users
867  * mangled stack
868  * nt smb support
869  * postscript
870  * printer driver
871  * printer driver file
872  * printer driver location
873  * read size
874  * source environment
875  * status
876  * strip dot
877  * total print jobs
878  * use rhosts
879  * valid chars
880  * vfs options
881
882New Parameters (new parameters have been grouped by function):
883
884  Remote management
885  -----------------
886  * abort shutdown script
887  * shutdown script
888
889  User and Group Account Management
890  ---------------------------------
891  * add group script
892  * add machine script
893  * add user to group script
894  * algorithmic rid base
895  * delete group script
896  * delete user from group script
897  * passdb backend
898  * set primary group script
899
900  Authentication
901  --------------
902  * auth methods
903  * realm
904  * passwd chat timeout
905
906  Protocol Options
907  ----------------
908  * client lanman auth
909  * client NTLMv2 auth
910  * client schannel
911  * client signing
912  * client use spnego
913  * disable netbios
914  * ntlm auth
915  * paranoid server security
916  * server schannel
917  * server signing
918  * smb ports
919  * use spnego
920
921  File Service
922  ------------
923  * get quota command
924  * hide special files
925  * hide unwriteable files
926  * hostname lookups
927  * kernel change notify
928  * mangle prefix
929  * map acl inherit
930  * msdfs proxy
931  * set quota command
932  * use sendfile
933  * vfs objects
934 
935  Printing
936  --------
937  * max reported print jobs
938
939  UNICODE and Character Sets
940  --------------------------
941  * display charset
942  * dos charset
943  * unicode
944  * unix charset
945 
946  SID to uid/gid Mappings
947  -----------------------
948  * idmap backend
949  * idmap gid
950  * idmap uid
951  * winbind enable local accounts
952  * winbind trusted domains only
953  * template primary group
954  * enable rid algorithm
955
956  LDAP
957  ----
958  * ldap delete dn
959  * ldap group suffix
960  * ldap idmap suffix
961  * ldap machine suffix
962  * ldap passwd sync
963  * ldap replication sleep
964  * ldap user suffix
965 
966  General Configuration
967  ---------------------
968  * preload modules
969  * private dir
970
971Modified Parameters (changes in behavior):
972
973  * encrypt passwords (enabled by default)
974  * mangling method (set to 'hash2' by default)
975  * passwd chat
976  * passwd program
977  * restrict anonymous (integer value)
978  * security (new 'ads' value)
979  * strict locking (enabled by default)
980  * unix extensions (enabled by default)
981  * winbind cache time (increased to 5 minutes)
982  * winbind uid (deprecated in favor of 'idmap uid')
983  * winbind gid (deprecated in favor of 'idmap gid')
984
985
986Databases
987---------
988
989This section contains brief descriptions of any new databases
990introduced in Samba 3.0.  Please remember to back up your existing
991${lock directory}/*tdb before upgrading to Samba 3.0.  Samba will
992upgrade databases as they are opened (if necessary), but downgrading
993from 3.0 to 2.2 is an unsupported path.
994
995Name                    Description                             Backup?
996----                    -----------                             -------
997account_policy          User policy settings                    yes
998gencache                Generic caching db                      no
999group_mapping           Mapping table from Windows              yes
1000                        groups/SID to unix groups       
1001winbindd_idmap          ID map table from SIDS to UNIX          yes
1002                        uids/gids.
1003namecache               Name resolution cache entries           no
1004netsamlogon_cache       Cache of NET_USER_INFO_3 structure      no
1005                        returned as part of a successful
1006                        net_sam_logon request
1007printing/*.tdb          Cached output from 'lpq                 no
1008                        command' created on a per print
1009                        service basis
1010registry                Read-only samba registry skeleton       no
1011                        that provides support for exporting
1012                        various db tables via the winreg RPCs
1013
1014
1015Changes in Behavior
1016-------------------
1017
1018The following issues are known changes in behavior between Samba 2.2 and
1019Samba 3.0 that may affect certain installations of Samba.
1020
1021  1)  When operating as a member of a Windows domain, Samba 2.2 would
1022      map any users authenticated by the remote DC to the 'guest account'
1023      if a uid could not be obtained via the getpwnam() call.  Samba 3.0
1024      rejects the connection as NT_STATUS_LOGON_FAILURE.  There is no
1025      current work around to re-establish the 2.2 behavior.
1026     
1027  2)  When adding machines to a Samba 2.2 controlled domain, the
1028      'add user script' was used to create the UNIX identity of the
1029      machine trust account.  Samba 3.0 introduces a new 'add machine
1030      script' that must be specified for this purpose.  Samba 3.0 will
1031      not fall back to using the 'add user script' in the absence of
1032      an 'add machine script'.
1033 
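An added example (not part of the Samba release notes or the Samba source): a small Python check that scans a 2.2-era smb.conf for the removed and deprecated parameters listed above, plus three changes this section names: the integer 'restrict anonymous', the missing fallback from 'add user script' to 'add machine script', and 'encrypt passwords' now being enabled by default. The sample configuration is constructed, and the function names and finding labels are this example's own; the 'add machine script' finding only matters on a domain controller.

```python
# Parameters the release notes above list as removed in 3.0.0.
REMOVED = [
    "admin log", "alternate permissions", "character set", "client codepage",
    "code page directory", "coding system", "domain admin group",
    "domain guest group", "force unknown acl user", "hide local users",
    "mangled stack", "nt smb support", "postscript", "printer driver",
    "printer driver file", "printer driver location", "read size",
    "source environment", "status", "strip dot", "total print jobs",
    "use rhosts", "valid chars", "vfs options",
]
# Parameters the notes list as deprecated, mapped to their replacements.
DEPRECATED = {"winbind uid": "idmap uid", "winbind gid": "idmap gid"}


def squash(name):
    """Case and whitespace are irrelevant in smb.conf names."""
    return "".join(name.lower().split())


REMOVED_KEYS = {squash(n): n for n in REMOVED}
DEPRECATED_KEYS = {squash(o): (o, n) for o, n in DEPRECATED.items()}


def parse(text):
    """Return {section: {squashed parameter: (value, first line number)}}."""
    conf, section, pending, first = {}, None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        first = first or lineno
        if line.endswith("\\"):          # setting continues on the next line
            pending = line[:-1]
            continue
        pending, where, first = "", first, 0
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line[0] == "[" and line[-1] == "]":
            section = squash(line[1:-1])
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf.setdefault(section, {})[squash(name)] = (value.strip(), where)
    return conf


def check_upgrade(text):
    """Return sorted (line, kind, parameter) findings; line 0 = not set."""
    conf, found = parse(text), []
    for params in conf.values():
        for key, (_, line) in params.items():
            if key in REMOVED_KEYS:
                found.append((line, "removed", REMOVED_KEYS[key]))
            elif key in DEPRECATED_KEYS:
                old, new = DEPRECATED_KEYS[key]
                found.append((line, f"deprecated, use '{new}'", old))
    glob = conf.get("global", {})
    value, line = glob.get("restrictanonymous", ("0", 0))
    if not value.isdigit():              # 2.2 boolean; 3.0 wants an integer
        found.append((line, "not-integer", "restrict anonymous"))
    if "adduserscript" in glob and "addmachinescript" not in glob:
        found.append((0, "no-fallback", "add machine script"))
    if "encryptpasswords" not in glob:   # default is now enabled
        found.append((0, "default-changed", "encrypt passwords"))
    return sorted(found)


# Constructed Samba 2.2-era configuration, for illustration only.
SAMPLE = r"""
[global]
   winbind uid = 10000-20000
   restrict anonymous = yes
   add user script = /usr/sbin/useradd -m %u
   valid chars = 0xe4:0xc4 \
                 0xf6:0xd6
[homes]
   ; strip dot = yes   (commented out, so not reported)
   ReadSize = 16384
"""

if __name__ == "__main__":
    for line, kind, param in check_upgrade(SAMPLE):
        print(f"line {line or '-'}: {kind}: {param}")
```

Findings with line 0 concern parameters that are absent from [global]; review them against the text above rather than treating them as errors.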
1034
1035######################################################################
1036Passdb Backends and Authentication
1037##################################
1038
1039There have been a few new changes that Samba administrators should be
1040aware of when moving to Samba 3.0.
1041
1042  1) encrypted passwords have been enabled by default in order to
1043     inter-operate better with out-of-the-box Windows client
1044     installations.  This does mean that either (a) a samba account
1045     must be created for each user, or (b) 'encrypt passwords = no'
1046     must be explicitly defined in smb.conf.
1047   
1048  2) Inclusion of new 'security = ads' option for integration
1049     with an Active Directory domain using the native Windows
1050     Kerberos 5 and LDAP protocols.
1051
1052     MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
1053     type which is necessary for servers on which the
1054     administrator password has not been changed, or kerberos-enabled
1055     SMB connections to servers that require Kerberos SMB signing.
1056     Besides this one difference, either MIT or Heimdal Kerberos
1057     distributions are usable by Samba 3.0.
1058     
1059
1060Samba 3.0 also includes the possibility of setting up chains
1061of authentication methods (auth methods) and account storage
1062backends (passdb backend).  Please refer to the smb.conf(5)
1063man page for details.  While both parameters assume sane default
1064values, it is likely that you will need to understand what the
1065values actually mean in order to ensure Samba operates correctly.
1066
1067The recommended passdb backends at this time are
1068
1069  * smbpasswd - 2.2 compatible flat file format
1070  * tdbsam - attribute rich database intended as an smbpasswd
1071    replacement for stand alone servers
1072  * ldapsam - attribute rich account storage and retrieval
1073    backend utilizing an LDAP directory. 
1074  * ldapsam_compat - a 2.2 backward compatible LDAP account
1075    backend
1076   
1077Certain functions of the smbpasswd(8) tool have been split between the
1078new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
1079utility.  See the respective man pages for details.
1080   
1081     
1082######################################################################
1083LDAP
1084####
1085
1086This section outlines the new features affecting Samba / LDAP
1087integration.
1088
1089New Schema
1090----------
1091 
1092A new object class (sambaSamAccount) has been introduced to replace
1093the old sambaAccount.  This change aids us in the renaming of
1094attributes to prevent clashes with attributes from other vendors. 
1095There is a conversion script (examples/LDAP/convertSambaAccount) to
1096modify an LDIF file to the new schema.
1097 
1098Example:
1099 
1100  $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
1101  $ convertSambaAccount --sid=<Domain SID> \
1102    --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
1103    --changetype=[modify|add]
1104       
1105The <Domain SID> can be obtained by running 'net getlocalsid
1106<DOMAINNAME>' on the Samba PDC as root.  The changetype determines
1107the format of the generated LDIF output--either create new entries
1108or modify existing entries.
1109   
1110The old sambaAccount schema may still be used by specifying the
1111"ldapsam_compat" passdb backend.  However, the sambaAccount and
1112associated attributes have been moved to the historical section of
1113the schema file and must be uncommented before use if needed.
1114The 2.2 object class declaration for a sambaAccount has not changed
1115in the 3.0 samba.schema file.
1116 
1117Other new object classes and their uses include:
1118 
1119  * sambaDomain - domain information used to allocate rids
1120    for users and groups as necessary.  The attributes are added
1121    in 'ldap suffix' directory entry automatically if
1122    an idmap uid/gid range has been set and the 'ldapsam'
1123    passdb backend has been selected.
1124     
1125  * sambaGroupMapping - an object representing the
1126    relationship between a posixGroup and a Windows
1127    group/SID.  These entries are stored in the 'ldap
1128    group suffix' and managed by the 'net groupmap' command.
1129   
1130  * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
1131    automatically and contains the next available 'idmap uid' and
1132    'idmap gid'
1133   
1134  * sambaIdmapEntry - object storing a mapping between a
1135    SID and a UNIX uid/gid.  These objects are created by the
1136    idmap_ldap module as needed.
1137
1138  * sambaSidEntry - object representing a SID alone, as a Structural
1139    class on which to build the sambaIdmapEntry.
1140
1141   
1142New Suffix for Searching
1143------------------------
1144 
1145The following new smb.conf parameters have been added to aid in directing
1146certain LDAP queries when 'passdb backend = ldapsam://...' has been
1147specified.
1148
1149  * ldap suffix         - used to search for user and computer accounts
1150  * ldap user suffix    - used to store user accounts
1151  * ldap machine suffix - used to store machine trust accounts
1152  * ldap group suffix   - location of posixGroup/sambaGroupMapping entries
1153  * ldap idmap suffix   - location of sambaIdmapEntry objects
1154
1155If an 'ldap suffix' is defined, it will be appended to all of the
1156remaining sub-suffix parameters.  In this case, the order of the suffix
1157listings in smb.conf is important.  Always place the 'ldap suffix' first
1158in the list. 
1159
1160Due to a limitation in Samba's smb.conf parsing, you should not surround
1161the DN's with quotation marks.
1162
1163
1164IdMap LDAP support
1165------------------
1166
1167Samba 3.0 supports an ldap backend for the idmap subsystem.  The
1168following options would inform Samba that the idmap table should be
1169stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
1170dc=org" partition.
1171
1172 [global]
1173    ...
1174    idmap backend     = ldap:ldap://onterose/
1175    ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
1176    idmap uid         = 40000-50000
1177    idmap gid         = 40000-50000
1178
1179This configuration allows winbind installations on multiple servers to
1180share a uid/gid number space, thus avoiding the interoperability problems
1181with NFS that were present in Samba 2.2.
1182   
1183
1184
1185######################################################################
1186Trust Relationships and a Samba Domain
1187######################################
1188
1189Samba 3.0.0beta2 is able to utilize winbindd as the means of
1190allocating uids and gids to trusted users and groups.  More
1191information regarding Samba's support for establishing trust
1192relationships can be found in the Samba-HOWTO-Collection included
1193in the docs/ directory of this release.
1194
1195First create your Samba PDC and ensure that everything is
1196working correctly before moving on to the trusts.
1197
1198To establish Samba as the trusting domain (named SAMBA) from a Windows NT
11994.0 domain named WINDOWS:
1200
1201  1) create the trust account for SAMBA in "User Manager for Domains"
1202  2) connect the trust from the Samba domain using
1203     'net rpc trustdom establish GLASS'
1204
1205To create a trust relationship with SAMBA as the trusted domain:
1206
1207  1) create the initial trust account for GLASS using
1208     'smbpasswd -a -i GLASS'.  You may need to create a UNIX
1209     account for GLASS$ prior to this step (depending on your
1210     local configuration).
1211  2) connect the trust from a WINDOWS DC using "User Manager
1212     for Domains"
1213
1214Now join winbindd on the Samba PDC to the SAMBA domain using
1215the normal steps for adding a Samba server to an NT4 domain:
1216(note that smbd & nmbd must be running at this point)
1217
1218   root# net rpc join -U root
1219   Password: <enter root password from smbpasswd file here>
1220
1221Start winbindd and test the join with 'wbinfo -t'.
1222
1223Now test the trust relationship by connecting to the SAMBA DC
1224(e.g. POGO) as a user from the WINDOWS domain:
1225
1226   $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
1227   Password:
1228
1229Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
1230
1231   $ smbclient //crystal/netlogon -U root -W WINDOWS
1232   Password:
1233
1234######################################################################
1235Changes in Winbind
1236##################
1237
1238Beginning with Samba 3.0.0beta3, winbindd has been given new account
1239management functionality equivalent to the 'add user script' family of
1240smb.conf parameters.  The idmap design has also been changed to
1241centralize control of foreign SID lookups and matching to UNIX
1242uids and gids.
1243
1244
1245Brief Description of Changes
1246----------------------------
1247
12481) The sid_to_uid() family of functions (smbd/uid.c) have been
1249   reverted to the 2.2.x design.  This means that when resolving a
1250   SID to a UID or similar mapping:
1251
1252        a) First consult winbindd
1253        b) perform a local lookup only if winbindd fails to
1254           return a successful answer
1255
1256   There are some variations to this, but these two rules generally
1257   apply.
1258
12592) All idmap lookups have been moved into winbindd.  This means that
1260   a server must run winbindd (and support NSS) in order to achieve
1261   any mappings of SID to dynamically allocated UNIX ids.  This was
1262   a conscious design choice.
1263
12643) New functions have been added to winbindd to emulate the 'add user
1265   script' family of smbd functions without requiring that external
1266   scripts be defined.  This functionality is controlled by the 'winbind
1267   enable local accounts' smb.conf parameter (enabled by default).
1268
1269   However, this account management functionality is only supported
1270   in a local tdb (winbindd_idmap.tdb).  If these new UNIX accounts
1271   must be shared among multiple Samba servers (such as a PDC and BDCs),
1272   it will be necessary to define your own 'add user script', et al.
1273   programs that place the accounts/groups in some form of directory
1274   such as NIS or LDAP.  This requirement was deemed beyond the scope
1275   of winbind's account management functions.  Solutions for
1276   distributing UNIX system information have been deployed and tested
1277   for many years.  We saw no need to reinvent the wheel.
1278
12794) A member of a Samba controlled domain running winbindd is now able
1280   to map domain users directly onto existing UNIX accounts while still
1281   automatically creating accounts for trusted users and groups.  This
1282   behavior is controlled by the 'winbind trusted domains only' smb.conf
1283   parameter (disabled by default to provide 2.2.x winbind behavior).
1284
12855) Group mapping support is wrapped in the local_XX_to_XX() functions
1286   in smbd/uid.c.  The reason that group mappings are not included
1287   in winbindd is because the purpose of Samba's group map is to
1288   match any Windows SID with an existing UNIX group.  These UNIX
1289   groups can be created by winbindd (see next section), but the
1290   SID<->gid mapping is retrieved by smbd, not winbindd.
1291
1292
1293Examples
1294--------
1295
1296* security = server running winbindd to allocate accounts on demand
1297
1298* Samba PDC running winbindd to handle the automatic creation of UNIX
1299  identities for machine trust accounts
1300
1301* Automatically creating UNIX user and groups when migrating a Windows NT
1302  4.0 PDC to a Samba PDC.  Winbindd must be running when executing
1303  'net rpc vampire' for this to work.
1304
1305   
1306######################################################################
1307Known Issues
1308############
1309
1310* There are several bugs currently logged against the 3.0 codebase
1311  that affect the use of NT 4.0 GUI domain management tools when run
1312  against a Samba 3.0 PDC.  These bugs should be fixed in an early
1313  3.0.x release.
1314
1315Please refer to https://bugzilla.samba.org/ for a current list of bugs
1316filed against the Samba 3.0 codebase.
1317
1318
1319######################################################################
1320Reporting bugs & Development Discussion
1321#######################################
1322
1323Please discuss this release on the samba-technical mailing list or by
1324joining the #samba-technical IRC channel on irc.freenode.net.
1325
1326If you do report problems then please try to send high quality
1327feedback. If you don't provide vital information to help us track down
1328the problem then you will probably be ignored. 
1329
1330A new bugzilla installation has been established to help support the
1331Samba 3.0 community of users.  This server, located at
1332https://bugzilla.samba.org/, has replaced the older jitterbug server
1333previously located at http://bugs.samba.org/.
1334