==============================
Release Notes for Samba 3.6.17
August 05, 2013
==============================
This is a security release in order to address
CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
server to loop with DOS).
o CVE-2013-4124:
All current released versions of Samba are vulnerable to a denial of
service on an authenticated or guest connection. A malformed packet
can cause the smbd server to loop the CPU performing memory
allocations and preventing any further service.
A connection to a file share, or a local account is needed to exploit
this problem, either authenticated or unauthenticated if guest
connections are allowed.
This flaw is not exploitable beyond causing the code to loop
allocating memory, which may cause the machine to exceed memory
limits.
Changes since 3.6.16:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
reading can cause server to loop with DOS.
=============================
Release Notes for Samba 3.6.6
June 25, 2012
=============================
This is is the latest stable release of Samba 3.6.
Major enhancements in Samba 3.6.6 include:
o Fix possible memory leaks in the Samba master process (bug #8970).
o Fix uninitialized memory read in talloc_free().
o Fix joining of XP Pro workstations to 3.6 DCs (bug #8373).
Changes since 3.6.5:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 8738: SMB2 server will not release unused shares.
* BUG 8749: Sign non guest sessions in SessionSetup.
* BUG 8921: Fix race writing registry values.
o Jeremy Allison <jra@samba.org>
* BUG 8373: Fix joining of XP Pro workstations to 3.6 DCs.
* BUG 8627: Fix crash bug in dns_create_probe when dns_create_update fails.
* BUG 8723: Add pthread-based aio VFS module.
* BUG 8784: When calculating the share security mask, take priviliges into
account for the connecting user.
* BUG 8811: sd_has_inheritable_components segfaults on an SD that
se_access_check accepts.
* BUG 8837: Fix crash in smbd when deleting directory and veto files are
enabled.
* BUG 8857: Setting traverse rights fails to enable directory traversal when
acl_xattr in use.
* BUG 8882: Broken processing of %U with vfs_full_audit when force user is
set.
* BUG 8897: Make winbind_krb5_locator not only returning one IP address.
* BUG 8910: resolve_ads() code can return zero addresses and miss valid
DC IP addresses.
* BUG 8922: smbclient's tarmode insists on listing excluded directories.
* BUG 8953: Winbind can hang as nbt_getdc() has no timeout.
* BUG 8957: Typo in pam_winbindd code MUST fix.
* BUG 8970: Fix possible memory leaks in the Samba master process.
* BUG 8971: cleanup_timeout_fn() is called too often, on exiting when an
smbd is idle.
* BUG 8972: Directory group write permission bit is set if unix extensions
are enabled.
o Christian Ambach <ambi@samba.org>
* BUG 8406: Fix a return code check in Winbind.
* BUG 8807: Fix crash in dcerpc_lsa_lookup_sids_noalloc() crashes when
groups has more than 1000 groups.
o Andrew Bartlett <abartlet@samba.org>
* BUG 8599: Only use SamLogonEx when we can get unencrypted session keys.
* BUG 8727: Fix smbclients with posix large reads.
* BUG 8943: Slow but responsive DC can lock up Winbind for > 10 minutes
at a time.
o Björn Baumbach <bb@sernet.de>
* BUG 7564: Fix default name resolve order in the manpage.
* BUG 8554, 8612, 8748: Add new printers to registry.
* BUG 8789: Remove whitespace in example samba.ldif.
o Alexander Bokovoy <ab@samba.org>
* BUG 8988: Avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute().
o Alejandro Escanero Blanco <aescanero@gmail.com>
* BUG 8798: The primary rid should be in the groups rid array.
o Ira Cooper <samba@ira.wakeful.net>
* BUG 8729: Fix getpass regressions on Solaris/Illumos.
* BUG 8743: Fix configure.developer builds on Solaris.
* BUG 8910: Fix bad bugfix for bug #8910.
* BUG 8952: Fix negative SID->uid/gid cache handling.
* BUG 8995: Use fsp_persistent_id() as persistent_file_id part for SMB2.
o David Disseldorp <ddiss@samba.org>
* BUG 8762: Fix crash in printer_list_set_printer().
o Olaf Flebbe <o.flebbe@science-computing.de>
* BUG 8859: Fix assertion in reg_parse.
o Björn Jacke <bj@sernet.de>
* BUG 8732: Fix compile of krb5 locator on Solaris.
* BUG 8869: Remove outdated netscape ds 5 schema file.
* BUG 8978: Remove dependency on automake for 'make everything'.
o Steve Langasek <steve.langasek@ubuntu.com>
* BUG 8920: Fix null dereference in pdb_interface.
o Volker Lendecke <vl@samba.org>
* Fix uninitialized memory read in talloc_free().
* BUG 8567: Fix segfault in dom_sid_compare.
* BUG 8733: Delete streams on directories (streams_depot).
* BUG 8760: Add SERVERID_UNIQUE_ID_NOT_TO_VERIFY.
* BUG 8836: Fix segfaults on "smbcontrol close-share" in aio_fork.
* BUG 8861: Fix a segfault with debug level 3 on Solaris.
* BUG 8904: Fix Winbind crash triggered by 'wbinfo --lookup-sids ""'.
* BUG 8998: Notify code can miss a ChDir.
o Stefan Metzmacher <metze@samba.org>
* BUG 8139: Ignore SMBecho errors (the server may not support it).
* BUG 8527: db_ctdb_traverse fails to traverse records created within the
current transaction.
* BUG 8311: Winzip occasionally can not read files out of an open winzip
dialog.
* BUG 8739: Fill the sids array of the info in
wbcAuthUserInfo_to_netr_SamInfo3().
* BUG 8749: Sign non guest sessions in SessionSetup.
* BUG 8995: Use fsp_persistent_id() as persistent_file_id part for SMB2.
o Matthieu Patou <mat@matws.net>
* BUG 8599: Set the can_do_validation6 also for trusted domain.
* BUG 8714: Catch with pid filename's change when config file is not
smb.conf.
* BUG 8734: Don't try to do clever thing if the username is not found while
authenticating through Winbind.
* BUG 8771: Winbind takes up to 20 minutes to change from DC 1 to DC 2.
* BUG 8975: Call dump_core_setup after command line option has been parsed.
o SATOH Fumiyasu <fumiyas@osstech.co.jp>
* BUG 8826: Prepend '/' to filename argument (docs).
o Andreas Schneider <asn@samba.org>
* BUG 8944 and 8567: Don't lookup the system user in pdb.
o Richard Sharpe <realrichardsharpe@gmail.com>
* BUG 8768: Honor SeTakeOwnershipPrivilege when file opened with
SEC_STD_WRITE_OWNER.
* BUG 8797: Correctly handle DENY ACEs when privileges apply.
* BUG 8822: Fix building out-of-tree modules.
* BUG 8945: vfs_acl_common discards errors from writing to the underlying
storage.
* BUG 8970: Fix possible memory leaks in the Samba master process.
o Simo Sorce <idra@samba.org>
* BUG 8915: Fix pam_winbind build against newer iniparser library.
o Joseph Tam <jtam.home@gmail.com>
* BUG 8877: Syslog broken owing to mistyping of debug_settings.syslog.
o Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
* BUG 8845: Move print_backend_init() behind init_system_info().
Major enhancements in Samba 3.6.1 include:
o Fix smbd crashes triggered by Windows XP clients (bug #8384).
o Fix a Winbind race leading to 100% CPU load (bug #8409).
o Several SMB2 fixes.
o The VFS ACL modules are no longer experimental but production-ready.
Full release notes at http://www.samba.org/samba/history/samba-3.6.1.html
Major enhancements in Samba 3.6.0 include:
- Changed security defaults:
client ntlmv2 auth = yes
client use spnego principal = no
send spnego principal = no
- SMB2 support (fully functional with one omission)
- Internal Winbind passdb changes
- New Spoolss code
- ID Mapping Changes
- Endpoint Mapper
- Internal restructuring
- SMB Traffic Analyzer (http://holger123.wordpress.com/smb-traffic-analyzer/)
- NFS quota backend on Linux
Full release notes at http://www.samba.org/samba/history/samba-3.6.0.html
This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.
Please note that Samba 3.0 is not maintained any longer. This security
release is shipped on a voluntary basis.
o CVE-2009-2813:
In all versions of Samba later than 3.0.11, connecting to the home
share of a user will use the root of the filesystem
as the home directory if this user is misconfigured to have
an empty home directory in /etc/passwd.
o CVE-2009-2948:
If mount.cifs is installed as a setuid program, a user can pass it a
credential or password path to which he or she does not have access and
then use the --verbose option to view the first line of that file.
o CVE-2009-2906:
Specially crafted SMB requests on authenticated SMB connections can
send smbd into a 100% CPU loop, causing a DoS on the Samba server.
- CVE-2009-1888:
In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
data value can potentially affect access control when "dos filemode"
is set to "yes".
This security fix has already been integrated into "pkggsrc" via a patch
previously. The package was only updated to make future maintenance easier.
CVE-2009-1888:
In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
data value can potentially affect access control when "dos filemode"
is set to "yes".
bump PKGREVISION
- Fix update of machine account passwords.
- Fix SMB signing issue on Windows Vista with MS Hotfix KB955302.
- Fix Winbind crashes.
- Correctly detect if the current dc is the closest one.
- Add saf_join_store() function to memorize the dc used at join time.
This avoids problems caused by replication delays shortly after
domain joins.
- Fix write list in setups using "security = share".
AIX method was being chosen in preference (on NetBSD 5.0 at least). This
broke net and rpcclient, etc. as they failed to enumerate interfaces
correctly.
- Prevent crash bug in Winbind caused by a race condition
when a child process becomes unresponsive.
- Fix interactive password prompting in the "net" command.
- Documentation clarifications and typographical fixes.
- Correct issues with running Winbind running on a Samba PDC.
- Problems with trusted Windows 2008 domains.
- Difficulty joining an NT4 or Windows 2000 AD domain.
- Fix for CVE-2008-1105.
- Remove man pages for ldb tools not included in Samba 3.0.
- Fix build for pam_smbpass.
- Fix a crash in tdb_wrap_log().
- BUG 5267: Fix for nmbd termination problems when no interfaces
found.
- BUG 5326: OS/2 servers give strange "high word" replies for
print jobs.
- Remove MS-DFS check that required the target host be ourself.
- BUG 5372: Fix high CPU usage of cupsd on large print servers
by using more efficient CUPS queries in smbd.
- Rewrite integer wrap checks to deal with gcc 4.x optimizations.
- BUG 5095: Fix the enforcement of the "Manage Documents" access right.
- Don't free memory from getpass() in mount.cifs.
- BUG 5460: Fix MS-DFS referral problem in server code.
- Fix bug in Winbind that caused the parent to ignore dead children.
- Fix compile warnings.
- Fix build for pam_smbpass.
- Document build fixes.
- BUG 4235: Improve compliance to the Squid helper protocol.
- BUG 5107: Fix handling of large DNS replies on AIX and Solaris.
- Prevent cycle in Wibind's list of children when reaping dead processes.
- BUG 5419: Fix memory leak in ads_do_search_all_args() (merge from v3-2).
- Fix winbind NETLOGON credential chain on a samba dc for w2k8 trusts.
- Fix client connections and negotiation with Windows 2008 DCs
in member server code.
- Add NT_STATUS_DOWNGRADE_DETECTED error code (merge from v3-2).
- BUG 5430: Fix pam_winbind.so on Solaris (requires -lsocket).
- Re-add samr getdispinfoindex parsing which got lost in the glue commit.
- BUG 5461: Implement a very basic _samr_GetDisplayEnumerationIndex().
Corrects interop problem between Citrix PM and a Samba DC.
- BUG 3840: Fix smbclient connecting to NetApp filers when using
whitespace in the user's password.
- BUG 4901: Fix behavior of "ldap passwd sync = only".
- BUG 5317: Fix debug output from domain_client_validate().
- BUG 5338: Fix format string bug in rpcclient.
- Ensure that "wbinfo -a trusted\\user%password" works correctly
on a Samba DC with trusts.
- BUG 5336: Fix SetUsetrInfo(level 25) to update the pwdLastSet
attribute.
- BUG 5350: Fallback to anonymous sessions if not trust password
could be obtained on Samba DCs and member servers.
- BUG 5366: Fix password chat on Sun OpenSolaris (Nevada).
- Fix signing problem in the client with trans requests.
- Fix alignment bug hitting Solaris with "reset in zero vc" activated.
- Fix build with glibc 2.8.
- Enable winbind child processes to do something with signals, in
particular closing and reopening logs on SIGHUP.
- Documentation cleanup after r emerging docs from svn to git and
back-porting from the v3-2 branch.
- Add implementation of machine-authenticated connection to netlogon
pipe used when connecting to win2k and newer domain controllers.
- Fix trusted users on a DC that uses the old idmap syntax.
- Only have Winbind cache domain password policies that were
successfully retrieved.
- Fix alignment bug when marshalling printer data replies.
- Fix DeleteDriverDriverEx() checks to prevent removing in use files.
CHANGES FOR PKGSRC:
==================
Makefile:
+ Modify section that manually handles the ELF symlinks for samba
shared libraries -- add additional libraries that are built (addns,
smbsharemodes) and reorganize so we don't need two loops where one
will do.
+ Pass --with-included-popt to the configure script to force using
the popt distribution included with samba to avoid any library
mismatch errors between samba and any installed popt. This fixes
PR pkg/34444 by Jason Lingohr.
+ Don't build the smbmount programs on Linux -- they're deprecated in
favor of the mount.cifs programs.
+ Remove some pkgviews-related settings -- I'm not supporting pkgviews
installation of samba.
Makefile.patches:
+ Empty out PATCHFILES because we are updating to the latest release
of samba, which has all previous patches for security advisories
already rolled into the main sources.
Makefile.mirrors:
+ Update SAMBA_MIRRORS in Makefile.mirrors to the latest list of FTP
mirrors.
options.mk:
+ Only show the ``acl'' option on platforms that actually support
POSIX ACLs.
+ Add a new ``fam'' option to enable building the notify_fam VFS
module.
patch-ab, patch-ax:
+ Remove patch-ab and update patch-ax -- there's nothing for the
scripts to back up so we don't need to patch the install* scripts
to avoid this.
patch-ae, patch-ah:
+ Update patch-ae and remove patch-ah -- we should definitely check
that PAM_AUTHTOK_RECOVERY_ERR is defined before using its value to
define PAM_AUTHTOK_RECOVER_ERR.
patch-at, patch-au:
+ Fix patch-at and patch-au -- in configure.in, we need to "escape"
left and right brackets or else m4 will strip them away in the
resulting configure script. This should fix the detection of FreeBSD
and NetBSD systems capable of using nss_winbind noted in PR pkg/38076
by Ingo Meyer.
patch-ay:
+ Remove some unnecessary changes -- we can safely just do "mkdir" in
some places because we know the parent and any intermediate directories
exist.
patch-be:
+ Fix a bug in locating WINS_LIST -- nmbd/nmbd_winsserver.c was
referring to WINS_LIST under the state directory in one place and
under the lock directory in another; change all references to be
under the state directory.
patch-db:
+ Add patch to fix the build of samba on older BSDs. Patch supplied
in PR pkg/37487 by John Frear.
All remaining changes to patches/patch-* are simply to remove fuzz.
MAJOR CHANGES FROM VERSION 3.0.26a:
* Fix failure to join Windows 2008 domains.
* Fix Windows Vista (including SP1 RC) inter-op issues.
* Add a new ``administrative share'' service parameter for defining
hidden shares that cannot be managed from Windows.
* Fix for CVS-2007-6015 (already fixed in 3.0.26anb4 in pkgsrc).
* Fix for CVS-2007-5398 (already fixed in 3.0.26anb4 in pkgsrc).
* Fix for CVS-2007-4572 (already fixed in 3.0.26anb4 in pkgsrc). Also
subsequent fix for regression experienced by smbfs clients caused by
the fix for CVS-2007-4572, noted in PR pkg/38300 by Dave Barnes.
* Many other bugs fixed and memory leaks plugged.
Major changes since version 3.0.22:
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
- Stability fixes for winbindd
- Portability fixes on FreeBSD and Solaris operating systems.
- Authentication failures in pam_winbind when the AD domain
policy is set to not expire passwords.
- Authorization failures when using smb.conf options such
as "valid users" with the smbpasswd passdb backend.
- Ambiguity with unqualified names in smb.conf parameters
such as "force user" and "valid users".
- Errors in 'net ads join' caused by bad IP address in the list
of domain controllers.
- SMB signing errors in the client and server code.
- Domain join failures when using smbpasswd on a Samba PDC.
- Failure to strip the domain name from groups when 'winbind
use default domain = yes'
- Failure in pam_winbind to correctly parse arguments.
- Bad token creation of local users on member servers not
running winbindd.
- Failure to add users or groups to ACLs using the Windows
object picker.
- Failure in file serving code when 'kernel oplocks = yes'.
- New "createupn" option to "net ads join"
- Rewritten Kerberos keytab generation when 'use kerberos
keytab = yes'
- Improved 'make test'
- New offline mode in winbindd.
- New Kerberos support for pam_winbind.so.
- New handling of unmapped users and groups.
- New non-root share management tools.
- Improved support for local and BUILTIN groups.
- Winbind IDMAP integration with RFC2307 schema objects supported
by Windows 2003 R2.
- Rewritten 'net ads join' to mimic Windows XP without requiring
administrative rights to join a domain.
files-check: No backup copies of the Samba binaries are made.
Before using ln -s, the destination file is removed. This is necessary
for installing the package over an already-installed version.
* Fix CAN-2006-1059 -- samba<3.0.22 exposes the clear text of the
server's machine account credentials in the winbind log files when
the log level is set to 5 or higher.
* Append "-pkgsrc" to the Samba version string so as to distinguish
the official version from the pkgsrc version, which has the
modifications for "state directory" and "passwd expand gecos".
* Modify package so that we automatically determine the name of the
nsswitch modules that are installed by samba with the winbind
option. We extract this information by invoking the config.status
script to get the value that the configure script determined.
o Access checks when deleting printer driver meta-data.
o Several non-default combinations schannel and SPNEGO support.
o Password changes with NT4 and Win2k pre-SP4 clients.
o High load issues on IRIX caused by a bug when interfacing
with kernel oplocks.
o Server crashes in smbd.
o Compile issues on 64-bit platforms.
o Crash bugs on big-endian systems.
o Packaging fixes for RHEL/Fedora, Solaris, & Debian.
o Over 30 bugzilla reports closed.
Bugfixes:
o Address a bug in the oplock code which may cause clients to stall
when multiple users are accessing a share concurrently
o Missing groups in a user's token when logging in via kerberos
o Incompatibilities with newer MS Windows hotfixes and
embedded OS platforms
o Portability and crash bugs.
o Performance issues in winbindd.
Additions:
o Complete NTLMv2 support by consolidating authentication
mechanism used at the CIFS and RPC layers.
o The capability to manage Unix services using the Win32
Service Control API.
o The capability to view external Unix log files via the
Microsoft Event Viewer.
o New libmsrpc share library for application developers.
o Rewrite of CIFS oplock implementation.
o Performance Counter external daemon.
o Winbindd auto-detection query methods when communicating with
a domain controller.
o The ability to enumerate long share names in libsmbclient
applications.
for samba-3.0.20b that are applied as part of this update include:
http://www.samba.org/samba/patches/print_lprm.patchhttp://www.samba.org/samba/patches/quota.patchhttp://www.samba.org/samba/patches/bug3201_wbinfo.patch
This fixes PRs pkg/31352 and pkg/31991. Important changes that were
made as part of porting this Samba release to pkgsrc include the
following:
* The new release model for Samba includes distributing patches for
urgent bug fixes that will be included in the next release of Samba,
and are available at http://www.samba.org/samba/patches/. Since
these patches are rather generically named, we download all DISTFILES
and PATCHFILES for Samba into a ${DISTNAME}-specific directory.
* The default configuration for the samba package no longer builds the
"winbind" portions of samba, which are really only useful when
attempting to unify logons between Unix and Microsoft Windows. When
the "winbind" option is specified, we also build the RID and AD idmap
backends, which allow sharing UIDs/GIDs across Unix machines.
* New package options have been added to the build: "mysql", "pgsql",
and "xml" allow adding optional support for experimental passdb
storage backends, and "winbind" allows for optionally building the
winbindd daemon and associated plugins.
* Two new smb.conf options were added -- "passwd expand gecos" and
"state directory". The first describes whether "&" in the GECOS
field of a passwd db entry is expanded to the login name. The
second describes the location where the persistent-state database
files are stored.
* Luke Mewburn contributed code to allow nss_winbind.so to work properly
on supported NetBSD systems. The FreeBSD NSS winbind code should
probably be replaced with a suitably tweaked version of the NetBSD
code since the latter is much more complete in the functions that are
provided, but I'll leave that to freebsd-pkg-people.
* Samba dumps all of its files into "lock directory", but some of them
need to persist across reboots. We make a distinction between these
files and the temporary files that are re-created by the Samba
daemons when they are restarted -- the former are now stored in a
"state directory" and the latter are stored in the "lock directory".
This is modeled after the Debian patch to Samba located in:
packaging/Debian/debian-unstable/patches/fhs.patch
The "lock directory" default has been moved to ${VARBASE}/run/samba
to emphasize the temporary status of the files stored in that
directory.
* Samba persists in using PAM_AUTHTOK_RECOVER_ERR, when there is almost
universal agreement that PAM_AUTHTOK_RECOVERY_ERR is the right
constant to use. Even the Linux-PAM distribution ensures that
PAM_AUTHTOK_RECOVERY_ERR is correctly defined. To work around this,
we define PAM_AUTHTOK_RECOVER_ERR appropriately in all the places
where it is used.
* The configure script checks for OpenSSL's libcrypto.so by looking
for the symbol "des_set_key". However, libcrypto.so might not
contain that symbol because the DES functions might come from a
separate library, e.g. libdes.so. In this case, the configure script
will think that libcrypto.so is not available, when it actually may
be. Instead, look for EVP_des_cbc, which is always provided by
libcrypto.so.
* Add some missing $(PASSDB_LIBS) references to the Makefile to fix
compilation problems if the experimental passdb backends are statically
compiled into the Samba suite programs.
* Fix compilation problems in sam/idmap_rid.c and sam/idmap_ad.c if the
"rid" and "ad" idmap backends are statically compiled into winbindd.
Changes between version 3.0.14a and 3.0.20b include:
o Reporting files as read-only instead of returning the correct error
code of "access denied"
o File system quota support defects
o Crash bugs caused by incompatibilities on 64-bit systems.
o User Manager interoperability problems.
o Support for several new Win32 rpc pipes.
o New 'net rpc service' tool for managing Win32 services.
o Capability to set the owner on new files and directory based on the
parent's ownership.
o Experimental, asynchronous IO file serving support.
o Support for Microsoft Print Migrator.
o New Winbind IDmap plugin (ad) for retrieving uid and gid from AD
servers which maintain the SFU user and group attributes.
o Rewritten support for POSIX pathnames when utilizing the Linux CIFS
fs client.
o New asynchronous winbindd.
o New Windows NT registry file I/O library.
o New user right (SeTakeOwnershipPrivilege) added.
o New "net share migrate" options.
decide if it's actually libcrypto.so from the OpenSSL distribution.
Samba looks to see if libkrb5.so needs it to link when samba is
configured to build ADS support. However, newer versions of heimdal
don't need the old DES API, and newer versions of OpenSSL don't even
provide the old des_* symbol names in the library, so "des_set_key"
is a poor choice to use to detect libcrypto.so. The only place in
the samba sources where the old DES API is even used is in the AFS
fake kaserver support, which pkgsrc does not (ever) intend to support.
This fixes PR pkg/24456.
Changes from 3.0.10 are huge, please see
http://www.samba.org/samba/history/samba-3.0.14a.html in detail.
pkgsrc changes:
* replace ln command to ${LN}.
* avoid use file for shell's variable.
* remove trailing spaces.
- Added checks surrounding all *alloc() calls to fix CAN-2004-1154.
- Fix long standing memory size bug in bitmap_allocate().
- Remove bogus error check in deferred open file serving
code.
- Fix autoconf script on platforms using a version of GNU ld
that does not include a date stamp in the output of --version.
- Fix the swat install script to deal with the new image
destination directory used by the docs.
o Fixes for two Denial of Service vulnerabalities
(CVE ID# CAN-2004-0807 & CAN-2004-0808).
o Winbind failure to return user entries under certain conditions.
o Syntax errors in the OpenLDAP schema file (samba.schema).
o Printing errors caused by not setting default values for the various
printing commands.
* Disable 'winbind enable local accounts' by default.
o Schannel failure in winbindd.
o Incompatibilities between the 'write list' and 'force user' smb.conf
options.
o Premature optimization of the open_directory() internal function that
broke tools such as the ArcServe backup agent, Macromedia HomeSite,
and Robocopy.
o Sharing violation errors commonly seen when opening when serving
Microsoft Office documents from a Samba file share.
o Browsing problems caused by an apostrophe (') in the computer's
description field.
o Problems creating special file types from UNIX CIFS clients and
enabling 'unix extensions'.
o Fix stalls in smbd caused by inaccessible LDAP servers.
o Remove various memory leaks.
o Fix issues in the password lockout feature.
o Using a cups server other than localhost.
o Maintaining the service principal entry in the system keytab for
integration with other kerberized services. Please refer to the
'use kerberos keytab' entry in smb.conf(5). When using the heimdal
kerberos libraries, you must also specify the following in /etc/krb5.conf:
[libdefaults]
default_keytab_name = FILE:/etc/krb5.keytab
o Support for maintaining individual printer names stored separately
from the printer's sharename.
o Support for maintaining user password history.
o Support for honoring the logon times for user in a Samba domain.
* Reintroduce 'force unknown acl user' parameter. When getting a security
descriptor for a file, if the owner sid is not known, the owner uid is
set to the current uid. Same for group sid.
Common bugs fixed in Samba 3.0.3 include:
o Crash bugs and change notify issues in Samba's printing code.
o Honoring secondary group membership on domain member servers.
o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
o Substitution errors for %[UuGg] in smb.conf.
o winbindd crashes when using ADS security mode.
o SMB signing errors.
o Delays in winbindd startup caused by unnecessary
connections to trusted domain controllers.
o Various small memory leaks.
o Winbindd failing due to expired Kerberos tickets.
New features introduced in Samba 3.0.3 include:
o Improved support for i18n character sets.
o Support for account lockout policy based on
bad password attempts.
o Improved support for long password changes (>14
characters) and strong password enforcement.
o Support for Windows aliases (i.e. nested groups).
o Experimental support for storing DOS attribute on files
and folders in Extended Attributes.
o Support for local nested groups via winbindd.
o Specifying options to be passed directly to the CUPS libraries.
And more... please review "WHATSNEW.txt".
o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
o Logging onto a Samba domain from Windows XP clients.
o Problems with the %U and %u smb.conf variables in relation to
Windows 9x/ME clients.
o Kerberos failures due to an invalid in memory keytab detection
test.
o Updates to the ntlm_auth tool.
o Fixes for various SMB signing errors.
o Better separation of WINS and DNS queries for domain controllers.
o Issues with nss_winbind FreeBSD and Solaris.
o Several crash bugs in smbd and winbindd.
o Output formatting fixes for smbclient for better compatibility
with scripts based on the 2.2 version.
* Active Directory support. Samba is able to join a ADS realm as
a member server and authenticate using LDAP/Kerberos.
* Unicode support.
* New, more flexible authentication (passdb) system.
* A new "net" command that is similar to the "net" command in Windows.
* Samba now negotiates NT-style status32 codes on the wire, which
greatly improves error handling.
* Better Windows 2K/2K3/XP printing support.
* Loadable module support for passdb backends and character sets.
* More performant winbindd.
* Support for migrating from a Windows NT4 domain to a Samba domain
and maintaining user, group, and domain SIDs.
* Support for establishing trust relationships with Windows NT4 DCs.
* Initial support for a distributed Winbind architecture using an
LDAP directory for storing SID-to-uid/gid mappings.
* Major updates to the Samba documentation tree.
* Full support for client and server SMB signing to ensure
compatibility with default Windows 2K3 security settings.
* Improvement of ACL mapping features.
