1 | ============================== |
---|
2 | Release Notes for Samba 3.0.2a |
---|
3 | February 13, 2004 |
---|
4 | ============================== |
---|
5 | |
---|
6 | Samba 3.0.2a is a minor patch release for the 3.0.2 code base |
---|
7 | to address, in particular, a problem when using pdbedit to |
---|
8 | sanitize (--force-initialized-passwords) Samba's tdbsam |
---|
9 | backend. This is the latest stable release of Samba. This |
---|
10 | is the version that all production Samba servers should be |
---|
11 | running for all current bug-fixes. |
---|
12 | |
---|
13 | ******************* Attention! Achtung! Kree! ********************* |
---|
14 | |
---|
15 | Beginning with Samba 3.0.2, passwords for accounts with a last |
---|
16 | change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in |
---|
17 | ldapsam, etc...) of zero (0) will be regarded as uninitialized |
---|
18 | strings. This will cause authentication to fail for such |
---|
19 | accounts. If you have valid passwords that meet this criteria, |
---|
20 | you must update the last change time to a non-zero value. If you |
---|
21 | do not, then 'pdbedit --force-initialized-passwords' will disable |
---|
22 | these accounts and reset the password hashes to a string of X's. |
---|
23 | |
---|
24 | ******************* Attention! Achtung! Kree! ********************* |
---|
25 | |
---|
26 | |
---|
27 | ###################################################################### |
---|
28 | Changes |
---|
29 | ####### |
---|
30 | |
---|
31 | Changes since 3.0.2 |
---|
32 | ------------------- |
---|
33 | |
---|
34 | commits |
---|
35 | ------- |
---|
36 | |
---|
37 | Please refer to the CVS log for the SAMBA_3_0 branch for complete |
---|
38 | details. The list of changes per contributor are as follows: |
---|
39 | |
---|
40 | |
---|
41 | o Jeremy Allison <jra@samba.org> |
---|
42 | * Added paranoia checks in parsing code. |
---|
43 | |
---|
44 | |
---|
45 | o Andrew Bartlet <abartlet@samba.org> |
---|
46 | * Ensure that changes to uninitialized passwords in ldapsam |
---|
47 | are written to the DIT. |
---|
48 | |
---|
49 | |
---|
50 | o Gerald (Jerry) Carter <jerry@samba.org> |
---|
51 | * Fixed iterator in tdbsam. |
---|
52 | * Fix bug that disabled accounts with a valid NT password |
---|
53 | hash, but no LanMan hash. |
---|
54 | |
---|
55 | |
---|
56 | o Steve French <sfrench@us.ibm.com> |
---|
57 | * Added missing nosetuid and noexec options. |
---|
58 | |
---|
59 | |
---|
60 | o Bostjan Golob <golob@gimb.org> |
---|
61 | * BUG 1046: Don't overwrite usernames of entries returned |
---|
62 | by getpwent_list(). |
---|
63 | |
---|
64 | |
---|
65 | o Sebastian Krahmer <krahmer@suse.de> |
---|
66 | * Fixed potential crash bug in NTLMSSP parsing code. |
---|
67 | |
---|
68 | |
---|
69 | o Tim Potter <tpot@samba.org> |
---|
70 | * Fixed logic in tdb_brlock error checking. |
---|
71 | |
---|
72 | |
---|
73 | o Urban Widmark <urban@teststation.com> |
---|
74 | * Set nosuid,nodev flags in smbmnt by default. |
---|
75 | |
---|
76 | |
---|
77 | Changes for older versions follow below: |
---|
78 | |
---|
79 | -------------------------------------------------- |
---|
80 | |
---|
81 | ============================= |
---|
82 | Release Notes for Samba 3.0.2 |
---|
83 | February 9, 2004 |
---|
84 | ============================= |
---|
85 | |
---|
86 | It has been confirmed that previous versions of Samba 3.0 are |
---|
87 | susceptible to a password initialization bug that could grant an |
---|
88 | attacker unauthorized access to a user account created by the |
---|
89 | mksmbpasswd.sh shell script. |
---|
90 | |
---|
91 | The Common Vulnerabilities and Exposures project (cve.mitre.org) |
---|
92 | has assigned the name CAN-2004-0082 to this issue. |
---|
93 | |
---|
94 | Samba administrators not wishing to upgrade to the current |
---|
95 | version should download the 3.0.2 release, build the pdbedit |
---|
96 | tool, and run |
---|
97 | |
---|
98 | root# pdbedit-3.0.2 --force-initialized-passwords |
---|
99 | |
---|
100 | This will disable all accounts not possessing a valid password |
---|
101 | (e.g. the password field has been set a string of X's). |
---|
102 | |
---|
103 | Samba servers running 3.0.2 are not vulnerable to this bug |
---|
104 | regardless of whether or not pdbedit has been used to sanitize |
---|
105 | the passdb backend. |
---|
106 | |
---|
107 | Some of the more visible bugs in 3.0.1 addressed in the 3.0.2 |
---|
108 | release include: |
---|
109 | |
---|
110 | o Joining a Samba domain from Pre-SP2 Windows 2000 clients. |
---|
111 | o Logging onto a Samba domain from Windows XP clients. |
---|
112 | o Problems with the %U and %u smb.conf variables in relation to |
---|
113 | Windows 9x/ME clients. |
---|
114 | o Kerberos failures due to an invalid in memory keytab detection |
---|
115 | test. |
---|
116 | o Updates to the ntlm_auth tool. |
---|
117 | o Fixes for various SMB signing errors. |
---|
118 | o Better separation of WINS and DNS queries for domain controllers. |
---|
119 | o Issues with nss_winbind FreeBSD and Solaris. |
---|
120 | o Several crash bugs in smbd and winbindd. |
---|
121 | o Output formatting fixes for smbclient for better compatibility |
---|
122 | with scripts based on the 2.2 version. |
---|
123 | |
---|
124 | |
---|
125 | Changes since 3.0.1 |
---|
126 | ------------------- |
---|
127 | |
---|
128 | smb.conf changes |
---|
129 | ---------------- |
---|
130 | |
---|
131 | Parameter Name Action |
---|
132 | -------------- ------ |
---|
133 | ldap replication sleep New |
---|
134 | read size removed (unused) |
---|
135 | source environment removed (unused) |
---|
136 | |
---|
137 | |
---|
138 | commits |
---|
139 | ------- |
---|
140 | |
---|
141 | Please refer to the CVS log for the SAMBA_3_0 branch for complete |
---|
142 | details. The list of changes per contributor are as follows: |
---|
143 | |
---|
144 | o Jeremy Allison <jra@samba.org> |
---|
145 | * Revert change that broke Exchange clear text samlogons. |
---|
146 | * Fix gcc 3.4 warning in MS-DFS code. |
---|
147 | * Tidy up of NTLMSSP code. |
---|
148 | * Fixes for SMB signing errors |
---|
149 | * BUG 815: Workaround NT4 bug to support plaintext |
---|
150 | password logins and UNICODE. |
---|
151 | * Fix SMB signing bug when copying large files. |
---|
152 | * Correct error logic in mkdir_internals() (caused a panic |
---|
153 | when combined with --enable-developer). |
---|
154 | * BUG 830: Protect against crashes due to bad character |
---|
155 | conversions. |
---|
156 | |
---|
157 | |
---|
158 | o Petri Asikainen <paca@sci.fi> |
---|
159 | * BUG 330, 387:Fix single valued attribute updates when |
---|
160 | working with Novell NDS. |
---|
161 | |
---|
162 | |
---|
163 | o Andrew Bartlet <abartlet@samba.org> |
---|
164 | * Correctly handle per-pipe NTLMSSP inside a NULL session. |
---|
165 | * Fix segfault in gencache |
---|
166 | * Fix early free() of encrypted_session_key. |
---|
167 | * Change DC lookup routines to more carefully separate |
---|
168 | DNS names (realms) from NetBIOS domain names. |
---|
169 | * Add new sid_to_dn() function for internal winbindd use. |
---|
170 | * Refactor cli_ds_enum_domain_trusts(). |
---|
171 | * BUG 707: Implement range retrieval of ADS attributes (based |
---|
172 | on work from Volker <vl@samba.org> and Guenther Deschner |
---|
173 | <gd@suse.com>). |
---|
174 | * Automatically initialize the signing engine if a session key |
---|
175 | is available. |
---|
176 | * BUG 916: Do not perform a + -> ' ' substitution for squid URL |
---|
177 | encoded strings, only form input in SWAT. |
---|
178 | * Resets the NTLMSSP state for new negotiate packets. |
---|
179 | * Add 2-byte alignments in net_samlogon() queries to parse |
---|
180 | odd-length plain text passwords. |
---|
181 | * Allow Windows groups with no members in winbindd. |
---|
182 | * Allow normal authentication in the absence of a server |
---|
183 | generated session key. |
---|
184 | * More optimizations for looking up UNIX group lists. |
---|
185 | * Clean up error codes and return values for pam_winbindd |
---|
186 | and winbindd PAM interface. |
---|
187 | * Fix string return values in ntlm_auth tool. |
---|
188 | * Fix segfault when 'security = ads' but no realm is defined. |
---|
189 | * BUG 722: Allow winbindd to map machine accounts to uids. |
---|
190 | * More cleanups for winbindd's find_our_domain(). |
---|
191 | * More clearly detect whether a domain controller is an NT4 |
---|
192 | or mixed-mode AD DC (additional bug fixes by jerry & jmcd). |
---|
193 | * Increase separation between DNS queries for hosts and queries |
---|
194 | for AD domain controllers. |
---|
195 | * Include additional NT_STATUS to PAM error mappings. |
---|
196 | * Password initialization fixes. |
---|
197 | |
---|
198 | |
---|
199 | o Justin Baugh <justin.baugh@request.com> |
---|
200 | * BUG 948: Implement missing functions required for FreeBSD |
---|
201 | nss_winbind support. |
---|
202 | |
---|
203 | |
---|
204 | o Alexander Bokovoy <ab@samba.org> |
---|
205 | * BUG 922: Make sure enable fast path for strlower_m() and |
---|
206 | strupper_m(). |
---|
207 | |
---|
208 | |
---|
209 | o Luca Bolcioni <Luca.Bolcioni@yacme.com> |
---|
210 | * Fix crash when using 'security = server' and 'encrypt |
---|
211 | passwords = no' by always initializing the session key. |
---|
212 | |
---|
213 | |
---|
214 | o Dmitry Butskoj <buc@odusz.elektra.ru> |
---|
215 | * Fix for special files being hidden from admins. |
---|
216 | |
---|
217 | |
---|
218 | o Gerald (Jerry) Carter <jerry@samba.org> |
---|
219 | * Fix bug in the lanman session key generation. Caused |
---|
220 | "decode_pw: incorrect password length" error messages. |
---|
221 | * Save the right case for the located user name in |
---|
222 | fill_sam_account(). Fixes %U/%u expansion for win9x clients. |
---|
223 | * BUG 897: Add well known rid for pre win2k compatible access |
---|
224 | group. |
---|
225 | * BUG 887: Correct typo in delete user script example. |
---|
226 | * Use short lived TALLOC_CTX* for allocating printer objects |
---|
227 | from the print handle cache. |
---|
228 | * BUG 912: Fix check for HAVE_MEMORY_KEYTAB. |
---|
229 | * Fix several warnings reported by the SUN Forte C compiler. |
---|
230 | * Fully control DNS queries for AD DC's using 'name resolve order'. |
---|
231 | * BUG 770: Send the SMBjobid for UNIX jobs back to the client. |
---|
232 | * BUG 972: Fix segfault in cli_ds_getprimarydominfo(). |
---|
233 | * BUG 936: fix bind credentials for schannel binds in smbd. |
---|
234 | * BUG 446: Fix output of smbclient for better compatibility |
---|
235 | with scripts based on the 2.2 version (including Amanda). |
---|
236 | * BUG 891, 949: Fedora packaging fixes. |
---|
237 | * Fix bug that caused rpcclient to incorrectly retrieve |
---|
238 | the SID for a server (this causing all calls that required |
---|
239 | this information to fail). |
---|
240 | * BUG 977: Don't create a homes share for a user if a static |
---|
241 | share already exists by the same name. |
---|
242 | * Removed unused smb.conf options. |
---|
243 | * Password initialization fixes. |
---|
244 | * Set the disable flag for template accounts created by |
---|
245 | mksmbpasswd.sh. |
---|
246 | * Disable any account has no passwords and does not have the |
---|
247 | ACB_PWNOTREQ bit set. |
---|
248 | |
---|
249 | |
---|
250 | o Guenther Deschner <gd@suse.com> |
---|
251 | * Install smbwrapper.so should be put into the $(libdir) |
---|
252 | and not $(bindir). |
---|
253 | * Add the capability to specify the new user password |
---|
254 | for "net ads password" on the command line. |
---|
255 | * Correctly detect AFS headers on SuSE. |
---|
256 | |
---|
257 | |
---|
258 | o James Flemer <jflemer@uvm.edu> |
---|
259 | * Fix AIX compile bug by linking HAVE_ATTR_LIST to |
---|
260 | HAVE_SYS_ATTRIBUTES_H. |
---|
261 | |
---|
262 | |
---|
263 | o Luke Howard <lukeh@PADL.COM> |
---|
264 | * Fix segfault in session setup reply caused by a early free(). |
---|
265 | |
---|
266 | |
---|
267 | o Stoian Ivanov <sdr@bultra.com> |
---|
268 | * Implement grepable output for smbclient -L. |
---|
269 | |
---|
270 | |
---|
271 | o LaMont Jones <lamont@debian.org> |
---|
272 | * BUG 225328 (Debian): Correct false failure LFS test that resulted |
---|
273 | in _GNU_SOURCE not being defined (thus resulting in strndup() |
---|
274 | not being defined). |
---|
275 | |
---|
276 | |
---|
277 | o Volker Lendecke <vl@samba.org> |
---|
278 | * BUG 583: Ensure that user names always contain the short |
---|
279 | version of the domain name. |
---|
280 | * Fix our parsing of the LDAP uri. |
---|
281 | * Don't show the 'afs username map' in the SWAT basic view. |
---|
282 | * Fix SMB signing issues in relation to failed NTLMSSP logins. |
---|
283 | * BUG 924: Fix return codes in smbtorture harness. |
---|
284 | * Always lower-case usernames before handing it to AFS code. |
---|
285 | * Add a German translation for SWAT. |
---|
286 | * Fix a segfaults in winbindd. |
---|
287 | * Fix the user's domain passed to register_vuid() from |
---|
288 | reply_spnego_kerberos(). |
---|
289 | * Add NSS example code in nss_winbind to convert UNIX |
---|
290 | id's <-> Windows SIDs. |
---|
291 | * Display more descriptive error messages for login via 'net'. |
---|
292 | * Fix compiler warning in the net tool. |
---|
293 | * Fix length bug when decoding base64 strings. |
---|
294 | * Ensure we don't call getpwnam() inside a loop that is iterating |
---|
295 | over users with getpwent(). This broke on glibc 2.3.2. |
---|
296 | |
---|
297 | |
---|
298 | o Herb Lewis <herb@samba.org> |
---|
299 | * Fix bit rot in psec. |
---|
300 | |
---|
301 | |
---|
302 | o Jianliang Lu <j.lu@tiesse.com> |
---|
303 | * Ensure we delete the group mapping before calling the delete |
---|
304 | group script. |
---|
305 | * Define well known RID for managing the "Power Users" group. |
---|
306 | * BUG 381: check builtin (not local) group SID when updating |
---|
307 | group membership. |
---|
308 | * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement |
---|
309 | packet. |
---|
310 | |
---|
311 | |
---|
312 | o John Klinger <john.klinger@lmco.com> |
---|
313 | * Implement initgroups() call in nss_winbind on Solaris. |
---|
314 | |
---|
315 | |
---|
316 | o Jim McDonough <jmcd@us.ibm.com> |
---|
317 | * Fix regression in net rpc join caused by recent changes |
---|
318 | to cli_lsa_query_info_policy(). |
---|
319 | * BUG 964: Fix crash bug in 'net rpc join' using a preexisting |
---|
320 | machine account. |
---|
321 | |
---|
322 | |
---|
323 | o MORIYAMA Masayuki <moriyama@miraclelinux.com> |
---|
324 | * BUG 570: Ensure that configure honors the LDFLAGS variable. |
---|
325 | |
---|
326 | |
---|
327 | o Stefan Metzmacher <metze@samba.org> |
---|
328 | * Implement LDAP rebind sleep patch. |
---|
329 | * Revert to 2.2 quota code because of so many broken quota files |
---|
330 | out there. |
---|
331 | * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS |
---|
332 | XFS_USER_QUOTA -> USRQUOTA |
---|
333 | XFS_GROUP_QUOTA -> GRPQUOTA |
---|
334 | * Fix disk_free calculation with group quotas. |
---|
335 | * Add debug class 'quota' and a lot of DEBUG()'s |
---|
336 | to the quota code. |
---|
337 | * Fix sys_chown() when no chown() is present. |
---|
338 | * Add SIGABRT to fault handling in order to catch got a |
---|
339 | backtrace if an error occurs the OpenLDAP client libs. |
---|
340 | |
---|
341 | |
---|
342 | o <ndb@theghet.to> |
---|
343 | * Allow an existing LDAP machine account to be re-used when |
---|
344 | joining an AD domain. |
---|
345 | |
---|
346 | |
---|
347 | o James Peach <jpeach@sgi.com> |
---|
348 | * BUG 889: Change smbd to use pread/pwrite on platforms that |
---|
349 | support these calls. Can lead to a significant speed increase. |
---|
350 | |
---|
351 | |
---|
352 | o Tim Potter <tpot@samba.org> |
---|
353 | * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles. |
---|
354 | * BUG 924: Fix typo in RW2 torture test. |
---|
355 | |
---|
356 | |
---|
357 | o Richard Sharpe <shape@samba.org> |
---|
358 | * Small fixes to torture.c to cleanup the error handling |
---|
359 | and prevent crashes. |
---|
360 | |
---|
361 | |
---|
362 | o J. Tournier <jerome.tournier@IDEALX.com> |
---|
363 | * Small fixes for the smbldap-tool scripts. |
---|
364 | |
---|
365 | |
---|
366 | o Andrew Tridgell <tridge@samba.org> |
---|
367 | * Fix src len check in pull_usc2(). |
---|
368 | |
---|
369 | |
---|
370 | o Jelmer Vernooij <jelmer@samba.org> |
---|
371 | * Put functions for generating SQL queries in pdb_sql.c |
---|
372 | * Add pgSQL backend (based on patch by Hamish Friedlander) |
---|
373 | * BUG 908: Fix -s option to smbcontrol. |
---|
374 | * Add smbget utility - a wget-clone for the SMB/CIFS protocol. |
---|
375 | * Fix for libnss_wins on IRIX platforms. |
---|
376 | * Fix swatdir for --with-fhs. |
---|
377 | |
---|
378 | |
---|
379 | -------------------------------------------------- |
---|
380 | |
---|
381 | ============================= |
---|
382 | Release Notes for Samba 3.0.1 |
---|
383 | December 15, 2003 |
---|
384 | ============================= |
---|
385 | |
---|
386 | Some of the more common bugs in 3.0.0 addressed in the release |
---|
387 | include: |
---|
388 | |
---|
389 | o Substitution problems with smb.conf variables. |
---|
390 | o Errors in return codes which caused some applications |
---|
391 | to fail to open files. |
---|
392 | o General Protection Faults on Windows 2000/XP clients |
---|
393 | using Samba point-n-print features. |
---|
394 | o Several miscellaneous crash bugs. |
---|
395 | o Access problems when enumerating group mappings are |
---|
396 | stored in an LDAP Directory. |
---|
397 | o Several common SWAT bugs when writing changes to |
---|
398 | smb.conf. |
---|
399 | o Internal inconsistencies when 'winbind use default |
---|
400 | domain = yes' |
---|
401 | |
---|
402 | |
---|
403 | |
---|
404 | Changes since 3.0.0 |
---|
405 | ---------------------- |
---|
406 | |
---|
407 | Parameter Name Action |
---|
408 | -------------- ------ |
---|
409 | hide local users Removed |
---|
410 | mangled map Deprecated |
---|
411 | mangled stack Removed |
---|
412 | passwd chat timeout New |
---|
413 | |
---|
414 | |
---|
415 | commits |
---|
416 | ------- |
---|
417 | |
---|
418 | o Change the interface for init_unistr2 to not take a length |
---|
419 | but a flags field. We were assuming that |
---|
420 | 2*strlen(mb_string) == length of ucs2-le string. (bug 480). |
---|
421 | o Allow d_printf() to handle strings with escaped quotation |
---|
422 | marks since the msg file includes the escape character (bug 489). |
---|
423 | o Fix bad html table row termination in SWAT wizard code (bug 413). |
---|
424 | o Fix to parse the level-2 strings. |
---|
425 | o Fix for "valid users = %S" in [homes]. Fix read/write |
---|
426 | list as well. |
---|
427 | o Change AC_CHECK_LIB_EXT to prepend libraries instead of append. |
---|
428 | This is the same way AC_CHECK_LIB works (bug 508). |
---|
429 | o Testparm output fixes for clarity. |
---|
430 | o Fix broken wins hook functionality -- i18n bug (bug 528). |
---|
431 | o Take care of condition where DOS and NT error codes must differ. |
---|
432 | o Default to using only built-in charsets when a working iconv |
---|
433 | implementation cannot be located. |
---|
434 | o Wrap internals of sys_setgroups() so the sys_XX() call can |
---|
435 | be done unconditionally (bug 550). |
---|
436 | o Remove duplicate smbspool link on SWAT's front page (bug 541). |
---|
437 | o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that |
---|
438 | --enable-debug=[yes|no] works correctly. |
---|
439 | o Allow ^C to interrupt smbpasswd if using our getpass |
---|
440 | (e.g. smbpasswd command). |
---|
441 | o Support signing only on RPC's (bug 167). |
---|
442 | o Correct bug that prevented Excel 2000 clients from opening |
---|
443 | files marked as read-only. |
---|
444 | o Portability fix bugs 546 - 549). |
---|
445 | o Explicitly initialize the value of AR for vendor makes that don't |
---|
446 | do this (e.g. HPUX 11). (bug 552). |
---|
447 | o More i18n fixes for SWAT (bug 413). |
---|
448 | o Change the cwd before the postexec script to ensure that a |
---|
449 | umount will succeed. |
---|
450 | o Correct double free that caused winbindd to crash when a DC |
---|
451 | is rebooted (bug 437). |
---|
452 | o Fix incorrect mode sum (bug 562). |
---|
453 | o Canonicalize SMB_INFO_ALLOCATION in the same was as |
---|
454 | SMB_FS_FULL_SIZE_INFORMATION (bug 564). |
---|
455 | o Add script to generate *msg files. |
---|
456 | o Add Dutch SWAT translation file. |
---|
457 | o Make sure to call get_user_groups() with the full winbindd |
---|
458 | name for a user if he/she has one (bug 406). |
---|
459 | o Fix up error code returns from Samba4 tester. Ensure invalid |
---|
460 | paths are validated the same way. |
---|
461 | o Allow Samba3 to pass the Samba4 RAW-READ tests. |
---|
462 | o Refuse to configure if --with-expsam=$BACKEND was used but no |
---|
463 | libraries were found for $BACKEND. |
---|
464 | o Move sysquotas autoconf tests to a separate file. |
---|
465 | o Match W2K w.r.t. writelock and writeclose. Samba4 torture |
---|
466 | tester |
---|
467 | o Make sure that the files that contain the static_init_$subsystem; |
---|
468 | macro get recompiled after configure by removing the object |
---|
469 | files. |
---|
470 | o Ensure canceling a blocking lock returns the correct error |
---|
471 | message. |
---|
472 | o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. |
---|
473 | o Updated Japanese welcome file in SWAT. |
---|
474 | o Fix to nt-time <-> unix-time functions reversible. |
---|
475 | o Ensure that winbindd uses the the escaped DN when querying |
---|
476 | an AD ldap server. |
---|
477 | o Fix portability issues when compiling (bug 505, 550) |
---|
478 | o Compile fix for tdbbackup when Samba needs to override |
---|
479 | non-C99 compliant implementations of snprintf(). |
---|
480 | o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). |
---|
481 | o Make sure we break out of samsync loop on error. |
---|
482 | o Ensure error code path doesn't free unmalloc()'d memory |
---|
483 | (bug 628). |
---|
484 | o Add configure test for krb5_keytab_entry keyblock vs key |
---|
485 | member (bug 636). |
---|
486 | o Fixed spinlocks. |
---|
487 | o Modified testparm so that all output so all debug output goes |
---|
488 | to stderr, and all file processing goes to stdout. |
---|
489 | o Fix error return code for BUFFER_TOO_SMALL in smbcacls |
---|
490 | and smbcquotas. |
---|
491 | o Fix "NULL dest in safe_strcpy()" log message by ensuring that |
---|
492 | we have a devmode before copying a string to the devicename. |
---|
493 | o Support mapping REALM.COM\user to a local user account (without |
---|
494 | running winbindd) for compatibility with 2.2.x release. |
---|
495 | o Ensure we don't use mmap() on blacklisted systems. |
---|
496 | o fixed a number of bugs and memory leaks in the AIX |
---|
497 | winbindd shim |
---|
498 | o Call initgroups() in SWAT before becomming the user so that |
---|
499 | secondary group permissions can be used when writing to |
---|
500 | smb.conf. |
---|
501 | o Fix signing problems when reverse connecting back to a |
---|
502 | client for printer notify |
---|
503 | o Fix signing problems caused by a miss-sequence bug. |
---|
504 | o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. |
---|
505 | Fixes NEXUS tools running on Win9x clients (bug 64). |
---|
506 | o Don't leave the domain field uninitialized in cli_lsa.c if some |
---|
507 | SID could not be mapped. |
---|
508 | o Fix segfault in mount.cifs helper when there is no options |
---|
509 | specified during mount. |
---|
510 | o Change the \n after the password prompt to go to tty instead |
---|
511 | of stdout (bug 668). |
---|
512 | o Stop net -P from prompting for machine account password (bug 451). |
---|
513 | o Change in behavior to Not only change the effective uid but also |
---|
514 | the real uid when becoming unprivileged. |
---|
515 | o Cope with Exchange 5.5 cleartext pop password auth. |
---|
516 | o New files for support of initshutdown pipe. Win2k doesn't |
---|
517 | respond properly to all requests on the winreg pipe, so we need |
---|
518 | to handle this new pipe (bug 534). |
---|
519 | o Added more va_copy() checks in configure.in. |
---|
520 | o Include fixes for libsmbclient build problems. |
---|
521 | o Missing UNIX -> DOS codepage conversion in lanman.c. |
---|
522 | o Allow DFMS-S filenames can now have arbitrary case (bug 667). |
---|
523 | o Parameterize the listen backlog in smbd and make it larger by |
---|
524 | default. A backlog of 5 is way too small these days. |
---|
525 | o Check for an invalid fid before dereferencing the fsp pointer |
---|
526 | (bug 696). |
---|
527 | o Remove invalid memory frees and return codes in pdb_ldap.c. |
---|
528 | o Prompt for password when invoking --set-auth-user and no |
---|
529 | password is given. |
---|
530 | o Bind the nmbd sending socket to the 'socket address'. |
---|
531 | o Re-order link command for smbd, rpcclient and smbpasswd to ensure |
---|
532 | $LDFLAGS occurs before any library specification (bug 661). |
---|
533 | o Fix large number of printf() calls for 64-bit size_t. |
---|
534 | o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the |
---|
535 | keyblock in the krb5 structs. |
---|
536 | o Remove #include <compat.h> in hopes to avoid problems with |
---|
537 | apache header files. |
---|
538 | o Correct winbindd build problems on HP-UX 11. |
---|
539 | o Lowercase netgroups lookups (bug 703). |
---|
540 | o Use the actual size of the buffer in strftime instead of a made |
---|
541 | up value which just happens to be less than sizeof(fstring). |
---|
542 | (bug 713). |
---|
543 | o Add ldaplibs to pdbedit link line (bug 651). |
---|
544 | o Fix crash bug in smbclient completion (bug 659). |
---|
545 | o Fix packet length for browse list reply (bug 771). |
---|
546 | o Fix coredump in cli_get_backup_list(). |
---|
547 | o Make sure that we expand %N (bug 612). |
---|
548 | o Allow rpcclient adddriver command to specify printer driver |
---|
549 | version (bug 514). |
---|
550 | o Compile tdbdump by default. |
---|
551 | o Apply patches to fix iconv detection for FreeBSD. |
---|
552 | o Do not allow the 'guest account' to be added to a passdb backend |
---|
553 | using smbpasswd or pdbedit (bug 624). |
---|
554 | o Save LDFLAGS during iconv detection (bug 57). |
---|
555 | o Run krb5 logins through the username map if the winbindd |
---|
556 | lookup fails (bug 698). |
---|
557 | o Add const for lp_set_name_resolve_order() to avoid compiler |
---|
558 | warnings (bug 471). |
---|
559 | o Add support for the %i macro in smb.conf to stand in for the for |
---|
560 | the local IP address to which a client connected. |
---|
561 | o Allow winbindd to match local accounts to domain SID when |
---|
562 | 'winbind trusted domains only = yes' (bug 680). |
---|
563 | o Remove code in idmap_ldap that searches the user suffix and group |
---|
564 | suffix. It's not needed and provides inconsistent functionality |
---|
565 | from the tdb backend. |
---|
566 | o Patch to handle munged dial string for Windows 200 TSE. |
---|
567 | o Correct the "smbldap_open: cannot access when not root error" |
---|
568 | messages when looking up group information (bug 281). |
---|
569 | o Skip over the winbind separator when looking up a user. |
---|
570 | This fixes the bug that prevented local users from |
---|
571 | matching an AD user when not running winbindd (bug 698). |
---|
572 | o Fix a problem with configure on *BSD systems. Make sure |
---|
573 | we add -liconv etc to LDFLAGS. |
---|
574 | o Fix core dump bug when "security = server" and the authentication |
---|
575 | server goes away. |
---|
576 | o Correct crash bug due to an empty munged dial string. |
---|
577 | o Show files locked by a specific user (smbstatus -u 'user') |
---|
578 | (bug 590). |
---|
579 | o Fix bug preventing print jobs from display in the queue |
---|
580 | monitor used by Windows NT and later clients (bug 660). |
---|
581 | o Fix several reported problems with point-n-print from |
---|
582 | Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() |
---|
583 | reply (bug 338, 527 & 643). |
---|
584 | o Fix a handful of potential memory leaks in the LDAP code used |
---|
585 | by ldapsam[_compat] and the LDAP idmap backend. |
---|
586 | o Fix for pdbedit error code returns (bug 763). |
---|
587 | o Make sure we only enumerate group mapping entries (not |
---|
588 | /etc/group) even when doing local aliases. |
---|
589 | o Relax check on the pipe name in a dce/rpc bind response to work |
---|
590 | around issues with establishing trusts to a Windows 2003 domain. |
---|
591 | o Ensure we mangle names ending in '.' in hash2 mangling method. |
---|
592 | o Correct parsing issues with munged dial string. |
---|
593 | o Fix bugs in quota support for XFS. |
---|
594 | o Add a cleaner method for applications that need to provide |
---|
595 | name->SID mappings to do this via NSS rather than having to |
---|
596 | know the winbindd pipe protocol. |
---|
597 | o Adds a variant of the winbindd_getgroups() call called |
---|
598 | winbindd_getusersids() that provides direct SID->SIDs listing of |
---|
599 | a users supplementary groups. This is enough to allow non-Samba |
---|
600 | applications to do ACL checking. |
---|
601 | o Make sure we don't append the 'ldap suffix' when writing out the |
---|
602 | 'ldap XXX suffix' values in SWAT (bug 328). |
---|
603 | o Fix renames across file systems. |
---|
604 | o Ensure that items in a list of strings containing whitespace are |
---|
605 | written out surrounded by single quotes. This means that both |
---|
606 | double and single quotes are now used to surround strings in |
---|
607 | smb.conf (bug 481). |
---|
608 | o Enable SWAT to correctly determine if winbindd is running (bug |
---|
609 | 398). |
---|
610 | o Include WWW-Authenticate field in 401 response for bad auth |
---|
611 | attempt (bug 629). |
---|
612 | o Add support for NTLM2 (NTLMv2 session security). |
---|
613 | o Add support for variable-length session keys. |
---|
614 | o More privilege fixes for group enumeration in LDAP (bug 281). |
---|
615 | o Use the dns name (or IP) as the originating client name when |
---|
616 | using CUPS (bug 467). |
---|
617 | o Fix various SMB signing bugs. |
---|
618 | o Fix ACL propagation on a DFS root (bug 263). |
---|
619 | o Disable NTLM2 for RPC pipes. |
---|
620 | o Allow the client to specify the NTLM2 flags got NTLMSSP |
---|
621 | authentication. |
---|
622 | o Change the name of the job passed off to cups from "Test Page" |
---|
623 | to "smbprn.00000033 Test Page" so that we can get the smb |
---|
624 | jobid back. This allow users to delete jobs with cups printing |
---|
625 | backend (partial work on bug 770). |
---|
626 | o Fix build of winbindd with static pdb modules. |
---|
627 | o Retrieve the correct ACL group bits if the file has an ACL |
---|
628 | (bug 802). |
---|
629 | o Implement "net rpc group members": Get members of a domain group |
---|
630 | in human-readable format. |
---|
631 | o Add MacOSX (Darwin) specific charset module code. |
---|
632 | o Use samr_dispinfo(level == 1) for enumerating domain users so we |
---|
633 | can include the full name in gecos field (bug 587). |
---|
634 | o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797). |
---|
635 | o Implement 'net rpc group list [global|local|builtin]*' for a |
---|
636 | select listing of the respective user databases. |
---|
637 | o Don't automatically set NT status code flag unless client tells |
---|
638 | us it can cope. |
---|
639 | o Add 'net status [sessions|shares] [parseable]'. |
---|
640 | o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of |
---|
641 | bug 770). |
---|
642 | o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs |
---|
643 | (bug 608). |
---|
644 | o Fix inverted logic in hosts allow/deny checks caused by |
---|
645 | s/strcmp/strequal/ (bug 846). |
---|
646 | o Implement correct version SamrRemoveSidForeignDomain() (bug 252). |
---|
647 | o Fix typo in 'hash' mangling algorithm. |
---|
648 | o Support munged dial for ldapsam (bug 800). |
---|
649 | o Fix process_incoming_data() to return the number of bytes handled |
---|
650 | this call whether we have a complete PDU or not; fixes bug |
---|
651 | with multiple PDU request rpc's broken over SMBwriteX calls |
---|
652 | each. |
---|
653 | o Fix incorrect smb flags2 for connections to pre-NT servers |
---|
654 | (causes smbclient to fail to OS2 for example) (bug 821). |
---|
655 | o Update version string in smbldap-tools Makefile to 0.8.2. |
---|
656 | o Correct a problem with "net rpc vampire" mis-parsing the |
---|
657 | alias member info reply. |
---|
658 | o Ensure the ${libdir} is created by the installclientlib script. |
---|
659 | o Fix detection of Windows 2003 client architecture in the smb.conf |
---|
660 | %a variable. |
---|
661 | o Ensure that smbd calls the add user script for a missing UNIX |
---|
662 | user on kerberos auth call (bug 445). |
---|
663 | o Fix bugs in hosts allow/deny when using a mismatched |
---|
664 | network/netmask pair. |
---|
665 | o Protect alloc_sub_basic() from crashing when the source string |
---|
666 | is NULL (partial work on bug 687). |
---|
667 | o Fix spinlocks on IRIX. |
---|
668 | o Corrected some bad destination paths when running "configure |
---|
669 | --with-fhs". |
---|
670 | o Add packaging files for Fedora Core 1. |
---|
671 | o Correct bug in SWAT install script for non-english languages. |
---|
672 | o Support character set ISO-8859-1 internally (bug 558). |
---|
673 | o Fixed more LDAP access errors when looking up group mappings |
---|
674 | (bug 281). |
---|
675 | o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID |
---|
676 | resolution to fail on local files on on domain members |
---|
677 | (bug 875). |
---|
678 | o Fix uninitialized variable in passdb.c. |
---|
679 | o Fix formal parameter type in get_static() in nsswitch/wins.c. |
---|
680 | o Fix problem mounting directories when mount.cifs is installed |
---|
681 | with the setuid bit on. |
---|
682 | o Fix bug that prevent --mandir from overriding the defaults |
---|
683 | given in the --with-fhs macro. |
---|
684 | o Fix bug in in-memory Kerberos keytab detection routines |
---|
685 | in configure.in |
---|
686 | |
---|
687 | |
---|
688 | |
---|
689 | ###################################################################### |
---|
690 | |
---|
691 | The original 3.0.0 release notes follow |
---|
692 | ======================================= |
---|
693 | WHATS NEW IN Samba 3.0.0 |
---|
694 | September 24, 2003 |
---|
695 | ======================================= |
---|
696 | |
---|
697 | |
---|
698 | Major new features: |
---|
699 | ------------------- |
---|
700 | |
---|
701 | 1) Active Directory support. Samba 3.0 is now able to |
---|
702 | join a ADS realm as a member server and authenticate |
---|
703 | users using LDAP/Kerberos. |
---|
704 | |
---|
705 | 2) Unicode support. Samba will now negotiate UNICODE on the wire |
---|
706 | and internally there is now a much better infrastructure for |
---|
707 | multi-byte and UNICODE character sets. |
---|
708 | |
---|
709 | 3) New authentication system. The internal authentication system |
---|
710 | has been almost completely rewritten. Most of the changes are |
---|
711 | internal, but the new auth system is also very configurable. |
---|
712 | |
---|
713 | 4) New default filename mangling system. |
---|
714 | |
---|
715 | 5) A new "net" command has been added. It is somewhat similar to |
---|
716 | the "net" command in windows. Eventually we plan to replace |
---|
717 | numerous other utilities (such as smbpasswd) with subcommands |
---|
718 | in "net". |
---|
719 | |
---|
720 | 6) Samba now negotiates NT-style status32 codes on the wire. This |
---|
721 | improves error handling a lot. |
---|
722 | |
---|
723 | 7) Better Windows 2000/XP/2003 printing support including publishing |
---|
724 | printer attributes in active directory. |
---|
725 | |
---|
726 | 8) New loadable module support for passdb backends and character |
---|
727 | sets. |
---|
728 | |
---|
729 | 9) New default dual-daemon winbindd support for better performance. |
---|
730 | |
---|
731 | 10) Support for migrating from a Windows NT 4.0 domain to a Samba |
---|
732 | domain and maintaining user, group and domain SIDs. |
---|
733 | |
---|
734 | 11) Support for establishing trust relationships with Windows NT 4.0 |
---|
735 | domain controllers. |
---|
736 | |
---|
737 | 12) Initial support for a distributed Winbind architecture using |
---|
738 | an LDAP directory for storing SID to uid/gid mappings. |
---|
739 | |
---|
740 | 13) Major updates to the Samba documentation tree. |
---|
741 | |
---|
742 | 14) Full support for client and server SMB signing to ensure |
---|
743 | compatibility with default Windows 2003 security settings. |
---|
744 | |
---|
745 | 15) Improvement of ACL mapping features based on code donated by |
---|
746 | Andreas Grünbacher. |
---|
747 | |
---|
748 | |
---|
749 | Plus lots of other improvements! |
---|
750 | |
---|
751 | |
---|
752 | Additional Documentation |
---|
753 | ------------------------ |
---|
754 | |
---|
755 | Please refer to Samba documentation tree (included in the docs/ |
---|
756 | subdirectory) for extensive explanations of installing, configuring |
---|
757 | and maintaining Samba 3.0 servers and clients. It is advised to |
---|
758 | begin with the Samba-HOWTO-Collection for overviews and specific |
---|
759 | tasks (the current book is up to approximately 400 pages) and to |
---|
760 | refer to the various man pages for information on individual options. |
---|
761 | |
---|
762 | We are very glad to be able to include the second edition of |
---|
763 | "Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown |
---|
764 | (O'Reilly & Associates) in this release. The book is available |
---|
765 | on-line at http://samba.org/samba/docs/ and is included with |
---|
766 | the Samba Web Administration Tool (SWAT). Thanks to the authors and |
---|
767 | publisher for making "Using Samba" under the GNU Free Documentation |
---|
768 | License. |
---|
769 | |
---|
770 | |
---|
771 | ###################################################################### |
---|
772 | Upgrading from a previous Samba 3.0 beta |
---|
773 | ######################################## |
---|
774 | |
---|
775 | Beginning with Samba 3.0.0beta3, the RID allocation functions |
---|
776 | have been moved into winbindd. Previously these were handled |
---|
777 | by each passdb backend. This means that winbindd must be running |
---|
778 | to automatically allocate RIDs for users and/or groups. Otherwise, |
---|
779 | smbd will use the 2.2 algorithm for generating new RIDs. |
---|
780 | |
---|
781 | If you are using 'passdb backend = tdbsam' with a previous Samba |
---|
782 | 3.0 beta release (or possibly alpha), it may be necessary to |
---|
783 | move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb |
---|
784 | to winbindd_idmap.tdb. To do this: |
---|
785 | |
---|
786 | 1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least |
---|
787 | once) |
---|
788 | 2) build tdbtool by executing 'make tdbtool' in the source/tdb/ |
---|
789 | directory |
---|
790 | 3) run: (note that 'tdb>' is the tool's prompt for input) |
---|
791 | |
---|
792 | root# ./tdbtool /usr/local/samba/private/passdb.tdb |
---|
793 | tdb> show RID_COUNTER |
---|
794 | key 12 bytes |
---|
795 | RID_COUNTER |
---|
796 | data 4 bytes |
---|
797 | [000] 0A 52 00 00 .R. |
---|
798 | |
---|
799 | tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb |
---|
800 | .... |
---|
801 | record moved |
---|
802 | |
---|
803 | If you are using 'passdb backend = ldapsam', it will be necessary to |
---|
804 | store idmap entries in the LDAP directory as well (i.e. idmap backend |
---|
805 | = ldap). Refer to the 'net idmap' command for more information on |
---|
806 | migrating SID<->UNIX id mappings from one backend to another. |
---|
807 | |
---|
808 | If the RID_COUNTER record does not exist, then these instructions are |
---|
809 | unneccessary and the new RID_COUNTER record will be correctly generated |
---|
810 | if needed. |
---|
811 | |
---|
812 | |
---|
813 | |
---|
814 | ######################## |
---|
815 | Upgrading from Samba 2.2 |
---|
816 | ######################## |
---|
817 | |
---|
818 | This section is provided to help administrators understand the details |
---|
819 | involved with upgrading a Samba 2.2 server to Samba 3.0. |
---|
820 | |
---|
821 | |
---|
822 | Building |
---|
823 | -------- |
---|
824 | |
---|
825 | Many of the options to the GNU autoconf script have been modified |
---|
826 | in the 3.0 release. The most noticeable are: |
---|
827 | |
---|
828 | * removal of --with-tdbsam (is now included by default; see section |
---|
829 | on passdb backends and authentication for more details) |
---|
830 | |
---|
831 | * --with-ldapsam is now on used to provided backward compatible |
---|
832 | parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb |
---|
833 | backend and authentication section for more details |
---|
834 | |
---|
835 | * inclusion of non-standard passdb modules may be enabled using |
---|
836 | --with-expsam. This includes an XML backend and a mysql backend. |
---|
837 | |
---|
838 | * removal of --with-msdfs (is now enabled by default) |
---|
839 | |
---|
840 | * removal of --with-ssl (no longer supported) |
---|
841 | |
---|
842 | * --with-utmp now defaults to 'yes' on supported systems |
---|
843 | |
---|
844 | * --with-sendfile-support is now enabled by default on supported |
---|
845 | systems |
---|
846 | |
---|
847 | |
---|
848 | Parameters |
---|
849 | ---------- |
---|
850 | |
---|
851 | This section contains a brief listing of changes to smb.conf options |
---|
852 | in the 3.0.0 release. Please refer to the smb.conf(5) man page for |
---|
853 | complete descriptions of new or modified parameters. |
---|
854 | |
---|
855 | Removed Parameters (order alphabetically): |
---|
856 | |
---|
857 | * admin log |
---|
858 | * alternate permissions |
---|
859 | * character set |
---|
860 | * client codepage |
---|
861 | * code page directory |
---|
862 | * coding system |
---|
863 | * domain admin group |
---|
864 | * domain guest group |
---|
865 | * force unknown acl user |
---|
866 | * hide local users |
---|
867 | * mangled stack |
---|
868 | * nt smb support |
---|
869 | * postscript |
---|
870 | * printer driver |
---|
871 | * printer driver file |
---|
872 | * printer driver location |
---|
873 | * read size |
---|
874 | * source environment |
---|
875 | * status |
---|
876 | * strip dot |
---|
877 | * total print jobs |
---|
878 | * use rhosts |
---|
879 | * valid chars |
---|
880 | * vfs options |
---|
881 | |
---|
882 | New Parameters (new parameters have been grouped by function): |
---|
883 | |
---|
884 | Remote management |
---|
885 | ----------------- |
---|
886 | * abort shutdown script |
---|
887 | * shutdown script |
---|
888 | |
---|
889 | User and Group Account Management |
---|
890 | --------------------------------- |
---|
891 | * add group script |
---|
892 | * add machine script |
---|
893 | * add user to group script |
---|
894 | * algorithmic rid base |
---|
895 | * delete group script |
---|
896 | * delete user from group script |
---|
897 | * passdb backend |
---|
898 | * set primary group script |
---|
899 | |
---|
900 | Authentication |
---|
901 | -------------- |
---|
902 | * auth methods |
---|
903 | * realm |
---|
904 | * passwd chat timeout |
---|
905 | |
---|
906 | Protocol Options |
---|
907 | ---------------- |
---|
908 | * client lanman auth |
---|
909 | * client NTLMv2 auth |
---|
910 | * client schannel |
---|
911 | * client signing |
---|
912 | * client use spnego |
---|
913 | * disable netbios |
---|
914 | * ntlm auth |
---|
915 | * paranoid server security |
---|
916 | * server schannel |
---|
917 | * server signing |
---|
918 | * smb ports |
---|
919 | * use spnego |
---|
920 | |
---|
921 | File Service |
---|
922 | ------------ |
---|
923 | * get quota command |
---|
924 | * hide special files |
---|
925 | * hide unwriteable files |
---|
926 | * hostname lookups |
---|
927 | * kernel change notify |
---|
928 | * mangle prefix |
---|
929 | * map acl inherit |
---|
930 | * msdfs proxy |
---|
931 | * set quota command |
---|
932 | * use sendfile |
---|
933 | * vfs objects |
---|
934 | |
---|
935 | Printing |
---|
936 | -------- |
---|
937 | * max reported print jobs |
---|
938 | |
---|
939 | UNICODE and Character Sets |
---|
940 | -------------------------- |
---|
941 | * display charset |
---|
942 | * dos charset |
---|
943 | * unicode |
---|
944 | * unix charset |
---|
945 | |
---|
946 | SID to uid/gid Mappings |
---|
947 | ----------------------- |
---|
948 | * idmap backend |
---|
949 | * idmap gid |
---|
950 | * idmap uid |
---|
951 | * winbind enable local accounts |
---|
952 | * winbind trusted domains only |
---|
953 | * template primary group |
---|
954 | * enable rid algorithm |
---|
955 | |
---|
956 | LDAP |
---|
957 | ---- |
---|
958 | * ldap delete dn |
---|
959 | * ldap group suffix |
---|
960 | * ldap idmap suffix |
---|
961 | * ldap machine suffix |
---|
962 | * ldap passwd sync |
---|
963 | * ldap replication sleep |
---|
964 | * ldap user suffix |
---|
965 | |
---|
966 | General Configuration |
---|
967 | --------------------- |
---|
968 | * preload modules |
---|
969 | * private dir |
---|
970 | |
---|
971 | Modified Parameters (changes in behavior): |
---|
972 | |
---|
973 | * encrypt passwords (enabled by default) |
---|
974 | * mangling method (set to 'hash2' by default) |
---|
975 | * passwd chat |
---|
976 | * passwd program |
---|
977 | * restrict anonymous (integer value) |
---|
978 | * security (new 'ads' value) |
---|
979 | * strict locking (enabled by default) |
---|
980 | * unix extensions (enabled by default) |
---|
981 | * winbind cache time (increased to 5 minutes) |
---|
982 | * winbind uid (deprecated in favor of 'idmap uid') |
---|
983 | * winbind gid (deprecated in favor of 'idmap gid') |
---|
984 | |
---|
985 | |
---|
986 | Databases |
---|
987 | --------- |
---|
988 | |
---|
989 | This section contains brief descriptions of any new databases |
---|
990 | introduced in Samba 3.0. Please remember to backup your existing |
---|
991 | ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will |
---|
992 | upgrade databases as they are opened (if necessary), but downgrading |
---|
993 | from 3.0 to 2.2 is an unsupported path. |
---|
994 | |
---|
995 | Name Description Backup? |
---|
996 | ---- ----------- ------- |
---|
997 | account_policy User policy settings yes |
---|
998 | gencache Generic caching db no |
---|
999 | group_mapping Mapping table from Windows yes |
---|
1000 | groups/SID to unix groups |
---|
1001 | winbindd_idmap ID map table from SIDS to UNIX yes |
---|
1002 | uids/gids. |
---|
1003 | namecache Name resolution cache entries no |
---|
1004 | netsamlogon_cache Cache of NET_USER_INFO_3 structure no |
---|
1005 | returned as part of a successful |
---|
1006 | net_sam_logon request |
---|
1007 | printing/*.tdb Cached output from 'lpq no |
---|
1008 | command' created on a per print |
---|
1009 | service basis |
---|
1010 | registry Read-only samba registry skeleton no |
---|
1011 | that provides support for exporting |
---|
1012 | various db tables via the winreg RPCs |
---|
1013 | |
---|
1014 | |
---|
1015 | Changes in Behavior |
---|
1016 | ------------------- |
---|
1017 | |
---|
1018 | The following issues are known changes in behavior between Samba 2.2 and |
---|
1019 | Samba 3.0 that may affect certain installations of Samba. |
---|
1020 | |
---|
1021 | 1) When operating as a member of a Windows domain, Samba 2.2 would |
---|
1022 | map any users authenticated by the remote DC to the 'guest account' |
---|
1023 | if a uid could not be obtained via the getpwnam() call. Samba 3.0 |
---|
1024 | rejects the connection as NT_STATUS_LOGON_FAILURE. There is no |
---|
1025 | current work around to re-establish the 2.2 behavior. |
---|
1026 | |
---|
1027 | 2) When adding machines to a Samba 2.2 controlled domain, the |
---|
1028 | 'add user script' was used to create the UNIX identity of the |
---|
1029 | machine trust account. Samba 3.0 introduces a new 'add machine |
---|
1030 | script' that must be specified for this purpose. Samba 3.0 will |
---|
1031 | not fall back to using the 'add user script' in the absence of |
---|
1032 | an 'add machine script' |
---|
1033 | |
---|
1034 | |
---|
1035 | ###################################################################### |
---|
1036 | Passdb Backends and Authentication |
---|
1037 | ################################## |
---|
1038 | |
---|
1039 | There have been a few new changes that Samba administrators should be |
---|
1040 | aware of when moving to Samba 3.0. |
---|
1041 | |
---|
1042 | 1) encrypted passwords have been enabled by default in order to |
---|
1043 | inter-operate better with out-of-the-box Windows client |
---|
1044 | installations. This does mean that either (a) a samba account |
---|
1045 | must be created for each user, or (b) 'encrypt passwords = no' |
---|
1046 | must be explicitly defined in smb.conf. |
---|
1047 | |
---|
1048 | 2) Inclusion of new 'security = ads' option for integration |
---|
1049 | with an Active Directory domain using the native Windows |
---|
1050 | Kerberos 5 and LDAP protocols. |
---|
1051 | |
---|
1052 | MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption |
---|
1053 | type which is neccessary for servers on which the |
---|
1054 | administrator password has not been changed, or kerberos-enabled |
---|
1055 | SMB connections to servers that require Kerberos SMB signing. |
---|
1056 | Besides this one difference, either MIT or Heimdal Kerberos |
---|
1057 | distributions are usable by Samba 3.0. |
---|
1058 | |
---|
1059 | |
---|
1060 | Samba 3.0 also includes the possibility of setting up chains |
---|
1061 | of authentication methods (auth methods) and account storage |
---|
1062 | backends (passdb backend). Please refer to the smb.conf(5) |
---|
1063 | man page for details. While both parameters assume sane default |
---|
1064 | values, it is likely that you will need to understand what the |
---|
1065 | values actually mean in order to ensure Samba operates correctly. |
---|
1066 | |
---|
1067 | The recommended passdb backends at this time are |
---|
1068 | |
---|
1069 | * smbpasswd - 2.2 compatible flat file format |
---|
1070 | * tdbsam - attribute rich database intended as an smbpasswd |
---|
1071 | replacement for stand alone servers |
---|
1072 | * ldapsam - attribute rich account storage and retrieval |
---|
1073 | backend utilizing an LDAP directory. |
---|
1074 | * ldapsam_compat - a 2.2 backward compatible LDAP account |
---|
1075 | backend |
---|
1076 | |
---|
1077 | Certain functions of the smbpasswd(8) tool have been split between the |
---|
1078 | new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) |
---|
1079 | utility. See the respective man pages for details. |
---|
1080 | |
---|
1081 | |
---|
1082 | ###################################################################### |
---|
1083 | LDAP |
---|
1084 | #### |
---|
1085 | |
---|
1086 | This section outlines the new features affecting Samba / LDAP |
---|
1087 | integration. |
---|
1088 | |
---|
1089 | New Schema |
---|
1090 | ---------- |
---|
1091 | |
---|
1092 | A new object class (sambaSamAccount) has been introduced to replace |
---|
1093 | the old sambaAccount. This change aids us in the renaming of |
---|
1094 | attributes to prevent clashes with attributes from other vendors. |
---|
1095 | There is a conversion script (examples/LDAP/convertSambaAccount) to |
---|
1096 | modify and LDIF file to the new schema. |
---|
1097 | |
---|
1098 | Example: |
---|
1099 | |
---|
1100 | $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif |
---|
1101 | $ convertSambaAccount --sid=<Domain SID> \ |
---|
1102 | --input=sambaAcct.ldif --output=sambaSamAcct.ldif \ |
---|
1103 | --changetype=[modify|add] |
---|
1104 | |
---|
1105 | The <DOM SID> can be obtained by running 'net getlocalsid |
---|
1106 | <DOMAINNAME>' on the Samba PDC as root. The changetype determines |
---|
1107 | the format of the generated LDIF output--either create new entries |
---|
1108 | or modify existing entries. |
---|
1109 | |
---|
1110 | The old sambaAccount schema may still be used by specifying the |
---|
1111 | "ldapsam_compat" passdb backend. However, the sambaAccount and |
---|
1112 | associated attributes have been moved to the historical section of |
---|
1113 | the schema file and must be uncommented before use if needed. |
---|
1114 | The 2.2 object class declaration for a sambaAccount has not changed |
---|
1115 | in the 3.0 samba.schema file. |
---|
1116 | |
---|
1117 | Other new object classes and their uses include: |
---|
1118 | |
---|
1119 | * sambaDomain - domain information used to allocate rids |
---|
1120 | for users and groups as necessary. The attributes are added |
---|
1121 | in 'ldap suffix' directory entry automatically if |
---|
1122 | an idmap uid/gid range has been set and the 'ldapsam' |
---|
1123 | passdb backend has been selected. |
---|
1124 | |
---|
1125 | * sambaGroupMapping - an object representing the |
---|
1126 | relationship between a posixGroup and a Windows |
---|
1127 | group/SID. These entries are stored in the 'ldap |
---|
1128 | group suffix' and managed by the 'net groupmap' command. |
---|
1129 | |
---|
1130 | * sambaUnixIdPool - created in the 'ldap idmap suffix' entry |
---|
1131 | automatically and contains the next available 'idmap uid' and |
---|
1132 | 'idmap gid' |
---|
1133 | |
---|
1134 | * sambaIdmapEntry - object storing a mapping between a |
---|
1135 | SID and a UNIX uid/gid. These objects are created by the |
---|
1136 | idmap_ldap module as needed. |
---|
1137 | |
---|
1138 | * sambaSidEntry - object representing a SID alone, as a Structural |
---|
1139 | class on which to build the sambaIdmapEntry. |
---|
1140 | |
---|
1141 | |
---|
1142 | New Suffix for Searching |
---|
1143 | ------------------------ |
---|
1144 | |
---|
1145 | The following new smb.conf parameters have been added to aid in directing |
---|
1146 | certain LDAP queries when 'passdb backend = ldapsam://...' has been |
---|
1147 | specified. |
---|
1148 | |
---|
1149 | * ldap suffix - used to search for user and computer accounts |
---|
1150 | * ldap user suffix - used to store user accounts |
---|
1151 | * ldap machine suffix - used to store machine trust accounts |
---|
1152 | * ldap group suffix - location of posixGroup/sambaGroupMapping entries |
---|
1153 | * ldap idmap suffix - location of sambaIdmapEntry objects |
---|
1154 | |
---|
1155 | If an 'ldap suffix' is defined, it will be appended to all of the |
---|
1156 | remaining sub-suffix parameters. In this case, the order of the suffix |
---|
1157 | listings in smb.conf is important. Always place the 'ldap suffix' first |
---|
1158 | in the list. |
---|
1159 | |
---|
1160 | Due to a limitation in Samba's smb.conf parsing, you should not surround |
---|
1161 | the DN's with quotation marks. |
---|
1162 | |
---|
1163 | |
---|
1164 | IdMap LDAP support |
---|
1165 | ------------------ |
---|
1166 | |
---|
1167 | Samba 3.0 supports an ldap backend for the idmap subsystem. The |
---|
1168 | following options would inform Samba that the idmap table should be |
---|
1169 | stored on the directory server onterose in the "ou=idmap,dc=plainjoe, |
---|
1170 | dc=org" partition. |
---|
1171 | |
---|
1172 | [global] |
---|
1173 | ... |
---|
1174 | idmap backend = ldap:ldap://onterose/ |
---|
1175 | ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org |
---|
1176 | idmap uid = 40000-50000 |
---|
1177 | idmap gid = 40000-50000 |
---|
1178 | |
---|
1179 | This configuration allows winbind installations on multiple servers to |
---|
1180 | share a uid/gid number space, thus avoiding the interoperability problems |
---|
1181 | with NFS that were present in Samba 2.2. |
---|
1182 | |
---|
1183 | |
---|
1184 | |
---|
1185 | ###################################################################### |
---|
1186 | Trust Relationships and a Samba Domain |
---|
1187 | ###################################### |
---|
1188 | |
---|
1189 | Samba 3.0.0beta2 is able to utilize winbindd as the means of |
---|
1190 | allocating uids and gids to trusted users and groups. More |
---|
1191 | information regarding Samba's support for establishing trust |
---|
1192 | relationships can be found in the Samba-HOWTO-Collection included |
---|
1193 | in the docs/ directory of this release. |
---|
1194 | |
---|
1195 | First create your Samba PDC and ensure that everything is |
---|
1196 | working correctly before moving on the trusts. |
---|
1197 | |
---|
1198 | To establish Samba as the trusting domain (named SAMBA) from a Windows NT |
---|
1199 | 4.0 domain named WINDOWS: |
---|
1200 | |
---|
1201 | 1) create the trust account for SAMBA in "User Manager for Domains" |
---|
1202 | 2) connect the trust from the Samba domain using |
---|
1203 | 'net rpc trustdom establish GLASS' |
---|
1204 | |
---|
1205 | To create a trustlationship with SAMBA as the trusted domain: |
---|
1206 | |
---|
1207 | 1) create the initial trust account for GLASS using |
---|
1208 | 'smbpasswd -a -i GLASS'. You may need to create a UNIX |
---|
1209 | account for GLASS$ prior to this step (depending on your |
---|
1210 | local configuration). |
---|
1211 | 2) connect the trust from a WINDOWS DC using "User Manager |
---|
1212 | for Domains" |
---|
1213 | |
---|
1214 | Now join winbindd on the Samba PDC to the SAMBA domain using |
---|
1215 | the normal steps for adding a Samba server to an NT4 domain: |
---|
1216 | (note that smbd & nmbd must be running at this point) |
---|
1217 | |
---|
1218 | root# net rpc join -U root |
---|
1219 | Password: <enter root password from smbpasswd file here> |
---|
1220 | |
---|
1221 | Start winbindd and test the join with 'wbinfo -t'. |
---|
1222 | |
---|
1223 | Now test the trust relationship by connecting to the SAMBA DC |
---|
1224 | (e.g. POGO) as a user from the WINDOWS domain: |
---|
1225 | |
---|
1226 | $ smbclient //pogo/netlogon -U Administrator -W WINDOWS |
---|
1227 | Password: |
---|
1228 | |
---|
1229 | Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: |
---|
1230 | |
---|
1231 | $ smbclient //crystal/netlogon -U root -W WINDOWS |
---|
1232 | Password: |
---|
1233 | |
---|
1234 | ###################################################################### |
---|
1235 | Changes in Winbind |
---|
1236 | ################## |
---|
1237 | |
---|
1238 | Beginning with Samba3.0.0beta3, winbindd has been given new account |
---|
1239 | manage functionality equivalent to the 'add user script' family of |
---|
1240 | smb.conf parameters. The idmap design has also been changed to |
---|
1241 | centralize control of foreign SID lookups and matching to UNIX |
---|
1242 | uids and gids. |
---|
1243 | |
---|
1244 | |
---|
1245 | Brief Description of Changes |
---|
1246 | ---------------------------- |
---|
1247 | |
---|
1248 | 1) The sid_to_uid() family of functions (smbd/uid.c) have been |
---|
1249 | reverted to the 2.2.x design. This means that when resolving a |
---|
1250 | SID to a UID or similar mapping: |
---|
1251 | |
---|
1252 | a) First consult winbindd |
---|
1253 | b) perform a local lookup only if winbindd fails to |
---|
1254 | return a successful answer |
---|
1255 | |
---|
1256 | There are some variations to this, but these two rules generally |
---|
1257 | apply. |
---|
1258 | |
---|
1259 | 2) All idmap lookups have been moved into winbindd. This means that |
---|
1260 | a server must run winbindd (and support NSS) in order to achieve |
---|
1261 | any mappings of SID to dynamically allocated UNIX ids. This was |
---|
1262 | a conscious design choice. |
---|
1263 | |
---|
1264 | 3) New functions have been added to winbindd to emulate the 'add user |
---|
1265 | script' family of smbd functions without requiring that external |
---|
1266 | scripts be defined. This functionality is controlled by the 'winbind |
---|
1267 | enable local accounts' smb.conf parameter (enabled by default). |
---|
1268 | |
---|
1269 | However, this account management functionality is only supported |
---|
1270 | in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts |
---|
1271 | must be shared among multiple Samba servers (such as a PDC and BDCs), |
---|
1272 | it will be necessary to define your own 'add user script', et. al. |
---|
1273 | programs that place the accounts/groups in some form of directory |
---|
1274 | such as NIS or LDAP. This requirement was deemed beyond the scope |
---|
1275 | of winbind's account management functions. Solutions for |
---|
1276 | distributing UNIX system information have been deployed and tested |
---|
1277 | for many years. We saw no need to reinvent the wheel. |
---|
1278 | |
---|
1279 | 4) A member of a Samba controlled domain running winbindd is now able |
---|
1280 | to map domain users directly onto existing UNIX accounts while still |
---|
1281 | automatically creating accounts for trusted users and groups. This |
---|
1282 | behavior is controlled by the 'winbind trusted domains only' smb.conf |
---|
1283 | parameter (disabled by default to provide 2.2.x winbind behavior). |
---|
1284 | |
---|
1285 | 5) Group mapping support is wrapped in the local_XX_to_XX() functions |
---|
1286 | in smbd/uid.c. The reason that group mappings are not included |
---|
1287 | in winbindd is because the purpose of Samba's group map is to |
---|
1288 | match any Windows SID with an existing UNIX group. These UNIX |
---|
1289 | groups can be created by winbindd (see next section), but the |
---|
1290 | SID<->gid mapping is retreived by smbd, not winbindd. |
---|
1291 | |
---|
1292 | |
---|
1293 | Examples |
---|
1294 | -------- |
---|
1295 | |
---|
1296 | * security = server running winbindd to allocate accounts on demand |
---|
1297 | |
---|
1298 | * Samba PDC running winbindd to handle the automatic creation of UNIX |
---|
1299 | identities for machine trust accounts |
---|
1300 | |
---|
1301 | * Automtically creating UNIX user and groups when migrating a Windows NT |
---|
1302 | 4.0 PDC to a Samba PDC. Winbindd must be running when executing |
---|
1303 | 'net rpc vampire' for this to work. |
---|
1304 | |
---|
1305 | |
---|
1306 | ###################################################################### |
---|
1307 | Known Issues |
---|
1308 | ############ |
---|
1309 | |
---|
1310 | * There are several bugs currently logged against the 3.0 codebase |
---|
1311 | that affect the use of NT 4.0 GUI domain management tools when run |
---|
1312 | against a Samba 3.0 PDC. This bugs should be released in an early |
---|
1313 | 3.0.x release. |
---|
1314 | |
---|
1315 | Please refer to https://bugzilla.samba.org/ for a current list of bugs |
---|
1316 | filed against the Samba 3.0 codebase. |
---|
1317 | |
---|
1318 | |
---|
1319 | ###################################################################### |
---|
1320 | Reporting bugs & Development Discussion |
---|
1321 | ####################################### |
---|
1322 | |
---|
1323 | Please discuss this release on the samba-technical mailing list or by |
---|
1324 | joining the #samba-technical IRC channel on irc.freenode.net. |
---|
1325 | |
---|
1326 | If you do report problems then please try to send high quality |
---|
1327 | feedback. If you don't provide vital information to help us track down |
---|
1328 | the problem then you will probably be ignored. |
---|
1329 | |
---|
1330 | A new bugzilla installation has been established to help support the |
---|
1331 | Samba 3.0 community of users. This server, located at |
---|
1332 | https://bugzilla.samba.org/, has replaced the older jitterbug server |
---|
1333 | previously located at http://bugs.samba.org/. |
---|
1334 | |
---|