Major changes since version 3.0.22:
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
- Stability fixes for winbindd
- Portability fixes on FreeBSD and Solaris operating systems.
- Authentication failures in pam_winbind when the AD domain
policy is set to not expire passwords.
- Authorization failures when using smb.conf options such
as "valid users" with the smbpasswd passdb backend.
- Ambiguity with unqualified names in smb.conf parameters
such as "force user" and "valid users".
- Errors in 'net ads join' caused by bad IP address in the list
of domain controllers.
- SMB signing errors in the client and server code.
- Domain join failures when using smbpasswd on a Samba PDC.
- Failure to strip the domain name from groups when 'winbind
use default domain = yes'
- Failure in pam_winbind to correctly parse arguments.
- Bad token creation of local users on member servers not
running winbindd.
- Failure to add users or groups to ACLs using the Windows
object picker.
- Failure in file serving code when 'kernel oplocks = yes'.
- New "createupn" option to "net ads join"
- Rewritten Kerberos keytab generation when 'use kerberos
keytab = yes'
- Improved 'make test'
- New offline mode in winbindd.
- New Kerberos support for pam_winbind.so.
- New handling of unmapped users and groups.
- New non-root share management tools.
- Improved support for local and BUILTIN groups.
- Winbind IDMAP integration with RFC2307 schema objects supported
by Windows 2003 R2.
- Rewritten 'net ads join' to mimic Windows XP without requiring
administrative rights to join a domain.
for samba-3.0.20b that are applied as part of this update include:
http://www.samba.org/samba/patches/print_lprm.patchhttp://www.samba.org/samba/patches/quota.patchhttp://www.samba.org/samba/patches/bug3201_wbinfo.patch
This fixes PRs pkg/31352 and pkg/31991. Important changes that were
made as part of porting this Samba release to pkgsrc include the
following:
* The new release model for Samba includes distributing patches for
urgent bug fixes that will be included in the next release of Samba,
and are available at http://www.samba.org/samba/patches/. Since
these patches are rather generically named, we download all DISTFILES
and PATCHFILES for Samba into a ${DISTNAME}-specific directory.
* The default configuration for the samba package no longer builds the
"winbind" portions of samba, which are really only useful when
attempting to unify logons between Unix and Microsoft Windows. When
the "winbind" option is specified, we also build the RID and AD idmap
backends, which allow sharing UIDs/GIDs across Unix machines.
* New package options have been added to the build: "mysql", "pgsql",
and "xml" allow adding optional support for experimental passdb
storage backends, and "winbind" allows for optionally building the
winbindd daemon and associated plugins.
* Two new smb.conf options were added -- "passwd expand gecos" and
"state directory". The first describes whether "&" in the GECOS
field of a passwd db entry is expanded to the login name. The
second describes the location where the persistent-state database
files are stored.
* Luke Mewburn contributed code to allow nss_winbind.so to work properly
on supported NetBSD systems. The FreeBSD NSS winbind code should
probably be replaced with a suitably tweaked version of the NetBSD
code since the latter is much more complete in the functions that are
provided, but I'll leave that to freebsd-pkg-people.
* Samba dumps all of its files into "lock directory", but some of them
need to persist across reboots. We make a distinction between these
files and the temporary files that are re-created by the Samba
daemons when they are restarted -- the former are now stored in a
"state directory" and the latter are stored in the "lock directory".
This is modeled after the Debian patch to Samba located in:
packaging/Debian/debian-unstable/patches/fhs.patch
The "lock directory" default has been moved to ${VARBASE}/run/samba
to emphasize the temporary status of the files stored in that
directory.
* Samba persists in using PAM_AUTHTOK_RECOVER_ERR, when there is almost
universal agreement that PAM_AUTHTOK_RECOVERY_ERR is the right
constant to use. Even the Linux-PAM distribution ensures that
PAM_AUTHTOK_RECOVERY_ERR is correctly defined. To work around this,
we define PAM_AUTHTOK_RECOVER_ERR appropriately in all the places
where it is used.
* The configure script checks for OpenSSL's libcrypto.so by looking
for the symbol "des_set_key". However, libcrypto.so might not
contain that symbol because the DES functions might come from a
separate library, e.g. libdes.so. In this case, the configure script
will think that libcrypto.so is not available, when it actually may
be. Instead, look for EVP_des_cbc, which is always provided by
libcrypto.so.
* Add some missing $(PASSDB_LIBS) references to the Makefile to fix
compilation problems if the experimental passdb backends are statically
compiled into the Samba suite programs.
* Fix compilation problems in sam/idmap_rid.c and sam/idmap_ad.c if the
"rid" and "ad" idmap backends are statically compiled into winbindd.
Changes between version 3.0.14a and 3.0.20b include:
o Reporting files as read-only instead of returning the correct error
code of "access denied"
o File system quota support defects
o Crash bugs caused by incompatibilities on 64-bit systems.
o User Manager interoperability problems.
o Support for several new Win32 rpc pipes.
o New 'net rpc service' tool for managing Win32 services.
o Capability to set the owner on new files and directory based on the
parent's ownership.
o Experimental, asynchronous IO file serving support.
o Support for Microsoft Print Migrator.
o New Winbind IDmap plugin (ad) for retrieving uid and gid from AD
servers which maintain the SFU user and group attributes.
o Rewritten support for POSIX pathnames when utilizing the Linux CIFS
fs client.
o New asynchronous winbindd.
o New Windows NT registry file I/O library.
o New user right (SeTakeOwnershipPrivilege) added.
o New "net share migrate" options.
* Active Directory support. Samba is able to join a ADS realm as
a member server and authenticate using LDAP/Kerberos.
* Unicode support.
* New, more flexible authentication (passdb) system.
* A new "net" command that is similar to the "net" command in Windows.
* Samba now negotiates NT-style status32 codes on the wire, which
greatly improves error handling.
* Better Windows 2K/2K3/XP printing support.
* Loadable module support for passdb backends and character sets.
* More performant winbindd.
* Support for migrating from a Windows NT4 domain to a Samba domain
and maintaining user, group, and domain SIDs.
* Support for establishing trust relationships with Windows NT4 DCs.
* Initial support for a distributed Winbind architecture using an
LDAP directory for storing SID-to-uid/gid mappings.
* Major updates to the Samba documentation tree.
* Full support for client and server SMB signing to ensure
compatibility with default Windows 2K3 security settings.
* Improvement of ACL mapping features.
* findsmb is a perl script, and we need to substitute the correct path to
the perl interpreter.
* Don't create ${PREFIX}/private during a "make install" as it's a
completely useless directory.
* Don't bother to install the completely outdated Samba HTML documentation
that is superseded by the Samba HOWTO Collection documentation.
WHATS NEW IN Samba 2.2.1a: 11th July 2001
==========================================
This is the latest stable release of Samba. This is the version that all
production Samba servers should be running for all current bug-fixes.
This is a minor bugfix release for 2.2.1, *NOT* security related.
1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
Windows2000 machine into a Samba hosted PDC would fail due to our
stricter user name checking. We were disallowing user names
containing '$', which is needed when using smbpasswd to add a
machine into a domain. Automatically adding machines (using the
native Windows tools) into a Samba domain worked correctly.
2.2.1a fixes this single problem.
New/Changed parameters in 2.2.1
-------------------------------
Added parameters.
-----------------
obey pam restrictions
When Samba is configured to use PAM, turns on or off Samba checking
the PAM account restrictions. Defaults to off.
pam password change
When Samba is configured to use PAM, turns on or off Samba passing
the password changes to PAM. Defaults to off.
large readwrite
New option to allow new Windows 2000 large file (64k) streaming
read/write options. Needs a 64 bit underlying operating system
(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
by 10% with Windows 2000 clients. Defaults to off. Not as tested
as some other Samba code paths.
hide unreadable
Prevents clients from seeing the existance of files that cannot
be read. Off by default.
enhanced browsing
Turn on/off the enhanced Samba browing functionality (*1B names).
Default is "on". Can prevent eternal machines in workgroups when
WINS servers are not synchronised.
Removed parameters.
-------------------
domain groups
domain admin users
domain guest users
Changes in 2.2.1
-----------------
1). "find" command removed for smbclient. Internal code now used.
2). smbspool updates to retry connections from Michael Sweet.
3). Fix for mapping 8859-15 characters to UNICODE.
4). Changed "security=server" to try with invalid username to prevent
account lockouts.
5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
lock tester tool for distributed databases.
8). Preliminary support added for Windows 2000 large file read/write SMBs.
9). Changed random number generator in Samba to prevent guess attacks.
10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
smbd's clean the tdb files on startup and shutdown.
11). Fixes for default ACLs on Solaris.
12). Tidyup of password entry caching code.
13). Correct shutdowns added for send fails. Helps tdb cleanup code.
14). Prevent invalid '/' characters in workgroup names.
15). Removed more static arrays in SAMR code.
16). Client code is now UNICODE on the wire.
17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes.
18). All tdb opens now going through logging function.
19). Add pam password changing and pam restrictions code.
20). Printer driver management improvements (delete driver).
21). Fix difference between NULL security descriptors and empty
security descriptors.
22). Fix SID returns for server roles.
23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
24). Allow smbcontrol to forcibly disconnect a share.
25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
mmap/file read/write cache.
26). Fix race condition in returning create disposition for file create/open.
27). Fix NT rewriting of security descriptors to their canonical form for
ACLs.
28). Fix for Samba running on top of Linux VFAT ftruncate bug.
29). Swat fixes for being run with xinetd that doesn't set the umask.
30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
TCP stack early ack specification error.
31). Changed lock & persistant tdb directory to /var/cache/samba by default on
RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
