o security = share and NTLMv2
Fixes an issues with servers set to "security = share" and Vista
clients that send NTLMv2 responses by default.
o Vista Point-n-Print
Fixes several point-n-print bugs with Vista clients.
o BUG 4361
Fix failure when using the Vista backup utility.
o BUG 4093
Fix expansion of the %a smb.conf variable for Vista clients.
o BUG 4356
Fix MS-DFS referrals with Windows Vista clients.
o BUG 4188
Fix for Vista failing to delete directories on a Samba share.
Bump PKGREVISION.
Major changes since version 3.0.22:
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
- Stability fixes for winbindd
- Portability fixes on FreeBSD and Solaris operating systems.
- Authentication failures in pam_winbind when the AD domain
policy is set to not expire passwords.
- Authorization failures when using smb.conf options such
as "valid users" with the smbpasswd passdb backend.
- Ambiguity with unqualified names in smb.conf parameters
such as "force user" and "valid users".
- Errors in 'net ads join' caused by bad IP address in the list
of domain controllers.
- SMB signing errors in the client and server code.
- Domain join failures when using smbpasswd on a Samba PDC.
- Failure to strip the domain name from groups when 'winbind
use default domain = yes'
- Failure in pam_winbind to correctly parse arguments.
- Bad token creation of local users on member servers not
running winbindd.
- Failure to add users or groups to ACLs using the Windows
object picker.
- Failure in file serving code when 'kernel oplocks = yes'.
- New "createupn" option to "net ads join"
- Rewritten Kerberos keytab generation when 'use kerberos
keytab = yes'
- Improved 'make test'
- New offline mode in winbindd.
- New Kerberos support for pam_winbind.so.
- New handling of unmapped users and groups.
- New non-root share management tools.
- Improved support for local and BUILTIN groups.
- Winbind IDMAP integration with RFC2307 schema objects supported
by Windows 2003 R2.
- Rewritten 'net ads join' to mimic Windows XP without requiring
administrative rights to join a domain.
extracted source tree. That expands them at parse time, and without the
source tree, causes all kinds of headaches in bmake, e.g.
/usr/bin/awk: can't open file /export/SRC/netbsd/pkgsrc/net/samba/work.i386/samba-3.0.22/source/Makefile.in source line number 1
make: "/usr/bin/awk -F= '/^LIBMSRPC_MAJOR/ { print $2; }' /export/SRC/netbsd/pkgsrc/net/samba/work.i386/samba-3.0.22/source/Makefile.in" returned non-zero status
Rewrite to use a shell loop.
files-check: No backup copies of the Samba binaries are made.
Before using ln -s, the destination file is removed. This is necessary
for installing the package over an already-installed version.
* Fix CAN-2006-1059 -- samba<3.0.22 exposes the clear text of the
server's machine account credentials in the winbind log files when
the log level is set to 5 or higher.
* Append "-pkgsrc" to the Samba version string so as to distinguish
the official version from the pkgsrc version, which has the
modifications for "state directory" and "passwd expand gecos".
* Modify package so that we automatically determine the name of the
nsswitch modules that are installed by samba with the winbind
option. We extract this information by invoking the config.status
script to get the value that the configure script determined.
o Access checks when deleting printer driver meta-data.
o Several non-default combinations schannel and SPNEGO support.
o Password changes with NT4 and Win2k pre-SP4 clients.
o High load issues on IRIX caused by a bug when interfacing
with kernel oplocks.
o Server crashes in smbd.
o Compile issues on 64-bit platforms.
o Crash bugs on big-endian systems.
o Packaging fixes for RHEL/Fedora, Solaris, & Debian.
o Over 30 bugzilla reports closed.
Bugfixes:
o Address a bug in the oplock code which may cause clients to stall
when multiple users are accessing a share concurrently
o Missing groups in a user's token when logging in via kerberos
o Incompatibilities with newer MS Windows hotfixes and
embedded OS platforms
o Portability and crash bugs.
o Performance issues in winbindd.
Additions:
o Complete NTLMv2 support by consolidating authentication
mechanism used at the CIFS and RPC layers.
o The capability to manage Unix services using the Win32
Service Control API.
o The capability to view external Unix log files via the
Microsoft Event Viewer.
o New libmsrpc share library for application developers.
o Rewrite of CIFS oplock implementation.
o Performance Counter external daemon.
o Winbindd auto-detection query methods when communicating with
a domain controller.
o The ability to enumerate long share names in libsmbclient
applications.
load_rc_config_var so that platforms with older versions of /etc/rc.subr
can run smbd.sh and winbindd.sh without updating /etc/rc.subr.
Bump PKGREVISION to 3.
for samba-3.0.20b that are applied as part of this update include:
http://www.samba.org/samba/patches/print_lprm.patchhttp://www.samba.org/samba/patches/quota.patchhttp://www.samba.org/samba/patches/bug3201_wbinfo.patch
This fixes PRs pkg/31352 and pkg/31991. Important changes that were
made as part of porting this Samba release to pkgsrc include the
following:
* The new release model for Samba includes distributing patches for
urgent bug fixes that will be included in the next release of Samba,
and are available at http://www.samba.org/samba/patches/. Since
these patches are rather generically named, we download all DISTFILES
and PATCHFILES for Samba into a ${DISTNAME}-specific directory.
* The default configuration for the samba package no longer builds the
"winbind" portions of samba, which are really only useful when
attempting to unify logons between Unix and Microsoft Windows. When
the "winbind" option is specified, we also build the RID and AD idmap
backends, which allow sharing UIDs/GIDs across Unix machines.
* New package options have been added to the build: "mysql", "pgsql",
and "xml" allow adding optional support for experimental passdb
storage backends, and "winbind" allows for optionally building the
winbindd daemon and associated plugins.
* Two new smb.conf options were added -- "passwd expand gecos" and
"state directory". The first describes whether "&" in the GECOS
field of a passwd db entry is expanded to the login name. The
second describes the location where the persistent-state database
files are stored.
* Luke Mewburn contributed code to allow nss_winbind.so to work properly
on supported NetBSD systems. The FreeBSD NSS winbind code should
probably be replaced with a suitably tweaked version of the NetBSD
code since the latter is much more complete in the functions that are
provided, but I'll leave that to freebsd-pkg-people.
* Samba dumps all of its files into "lock directory", but some of them
need to persist across reboots. We make a distinction between these
files and the temporary files that are re-created by the Samba
daemons when they are restarted -- the former are now stored in a
"state directory" and the latter are stored in the "lock directory".
This is modeled after the Debian patch to Samba located in:
packaging/Debian/debian-unstable/patches/fhs.patch
The "lock directory" default has been moved to ${VARBASE}/run/samba
to emphasize the temporary status of the files stored in that
directory.
* Samba persists in using PAM_AUTHTOK_RECOVER_ERR, when there is almost
universal agreement that PAM_AUTHTOK_RECOVERY_ERR is the right
constant to use. Even the Linux-PAM distribution ensures that
PAM_AUTHTOK_RECOVERY_ERR is correctly defined. To work around this,
we define PAM_AUTHTOK_RECOVER_ERR appropriately in all the places
where it is used.
* The configure script checks for OpenSSL's libcrypto.so by looking
for the symbol "des_set_key". However, libcrypto.so might not
contain that symbol because the DES functions might come from a
separate library, e.g. libdes.so. In this case, the configure script
will think that libcrypto.so is not available, when it actually may
be. Instead, look for EVP_des_cbc, which is always provided by
libcrypto.so.
* Add some missing $(PASSDB_LIBS) references to the Makefile to fix
compilation problems if the experimental passdb backends are statically
compiled into the Samba suite programs.
* Fix compilation problems in sam/idmap_rid.c and sam/idmap_ad.c if the
"rid" and "ad" idmap backends are statically compiled into winbindd.
Changes between version 3.0.14a and 3.0.20b include:
o Reporting files as read-only instead of returning the correct error
code of "access denied"
o File system quota support defects
o Crash bugs caused by incompatibilities on 64-bit systems.
o User Manager interoperability problems.
o Support for several new Win32 rpc pipes.
o New 'net rpc service' tool for managing Win32 services.
o Capability to set the owner on new files and directory based on the
parent's ownership.
o Experimental, asynchronous IO file serving support.
o Support for Microsoft Print Migrator.
o New Winbind IDmap plugin (ad) for retrieving uid and gid from AD
servers which maintain the SFU user and group attributes.
o Rewritten support for POSIX pathnames when utilizing the Linux CIFS
fs client.
o New asynchronous winbindd.
o New Windows NT registry file I/O library.
o New user right (SeTakeOwnershipPrivilege) added.
o New "net share migrate" options.
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
Changes from 3.0.10 are huge, please see
http://www.samba.org/samba/history/samba-3.0.14a.html in detail.
pkgsrc changes:
* replace ln command to ${LN}.
* avoid use file for shell's variable.
* remove trailing spaces.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
- Added checks surrounding all *alloc() calls to fix CAN-2004-1154.
- Fix long standing memory size bug in bitmap_allocate().
- Remove bogus error check in deferred open file serving
code.
- Fix autoconf script on platforms using a version of GNU ld
that does not include a date stamp in the output of --version.
- Fix the swat install script to deal with the new image
destination directory used by the docs.
Changes:
o Problem updating roaming user profiles.
o Crash in smbd when printing from a Windows 9x client.
o Unresolved symbols in libsmbclient which caused
applications such as KDE's konqueror to fail when
accessing smb:// URLs.
Common bugs fixed in 3.0.8 include:
o Compile fixes for HP-UX
o Fixes for the printer publishing code used when joined to
an AD domain.
o Incompatibilities with file system quotas.
o Several bugs in the spoolss printing code and print system
backends.
o Inconsistencies in the username map functionality when
configured on domain member servers.
o Various compile warnings and errors on various platforms.
o Fixes for kerberos interoperability with Windows 200x
domains when using DES keys.
o Fix for CAN-2004-0930 -- smbd remote DoS vulnerability.
New features included in the 3.0.8 release are:
o New migration functionality added the the net tool
for files/directories, printers, and shares.
o New experimental idmap backend for assigning uids/gids
directly based on the user/group RID when acting as a
member of single domain without any trusts.
o Additional printer migration support for XP/2003 platforms.
as smb (as the manual says). This enables samba printing through cups
(at least, the option appears in the web configuration form).
Bump PKGREVISION to 2.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
o Fixes for two Denial of Service vulnerabalities
(CVE ID# CAN-2004-0807 & CAN-2004-0808).
o Winbind failure to return user entries under certain conditions.
o Syntax errors in the OpenLDAP schema file (samba.schema).
o Printing errors caused by not setting default values for the various
printing commands.
* Disable 'winbind enable local accounts' by default.
o Schannel failure in winbindd.
o Incompatibilities between the 'write list' and 'force user' smb.conf
options.
o Premature optimization of the open_directory() internal function that
broke tools such as the ArcServe backup agent, Macromedia HomeSite,
and Robocopy.
o Sharing violation errors commonly seen when opening when serving
Microsoft Office documents from a Samba file share.
o Browsing problems caused by an apostrophe (') in the computer's
description field.
o Problems creating special file types from UNIX CIFS clients and
enabling 'unix extensions'.
o Fix stalls in smbd caused by inaccessible LDAP servers.
o Remove various memory leaks.
o Fix issues in the password lockout feature.
o Using a cups server other than localhost.
o Maintaining the service principal entry in the system keytab for
integration with other kerberized services. Please refer to the
'use kerberos keytab' entry in smb.conf(5). When using the heimdal
kerberos libraries, you must also specify the following in /etc/krb5.conf:
[libdefaults]
default_keytab_name = FILE:/etc/krb5.keytab
o Support for maintaining individual printer names stored separately
from the printer's sharename.
o Support for maintaining user password history.
o Support for honoring the logon times for user in a Samba domain.
* Reintroduce 'force unknown acl user' parameter. When getting a security
descriptor for a file, if the owner sid is not known, the owner uid is
set to the current uid. Same for group sid.
