1 WHAT'S NEW IN Samba 2.2.6pre1 - 27th July 2002
2 ===============================================
4 This is a prelease snapshot of SAMBA_2_2 cvs branch. This is a non-production
5 release provided for testing purposes only.
8 New/Changed parameters in 2.2.6pre1
9 -----------------------------------
11 There have been no changes to smb.conf(5) parameters.
17 1) Fixed several compiler warnings caused by the use of const parameters
18 2) Fixed a hang in the main smbd process caused by an EINTR in the
20 3) Fixed string substitutions to accept a length for sanity checks
21 4) Fixed 17-bit length field in nmb header
22 5) Removed non-portable inline declaration for functions
23 6) Performance fix for including files with an smb.conf variable in the
25 7) Fix for parsing LPRng lpq output
26 8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
27 printer properties to fail
28 9) Fix for printer change notification and Windows NT clients which caused
29 the client to go into an infinite loop of refeshing the local printers
31 10) Allow trans2 and nttrans messages to be processed in oplock break state
32 which fixes a problem with oplock break requests and Win2k clients
33 11) Don't crash on setfileinfo on printer fsp
34 12) Memory fixes caught by Valgrind
35 13) Updates to stop spurious error message in tdb
36 14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
37 15) Fix compilation of pam_smbpass and --with-ldap
38 16) Fix compilation of samwrapper on Solaris hosts
39 17) fix logic error in a check for enableing the winbind_pam_auth_crap() code
40 & fix formatting typo in --with-winbind-auth-challenge
41 18) Correcting check for ldap_start_tls()
42 19) Fixed a problem with getgroups() where it could include our current
46 =========================================
48 Older releases notes for 2.2.x distributions follow
50 -----------------------------------------------------------------------------
51 The release notes for 2.2.5 follow :
53 There have been several fixes and internal enhancements which include:
55 * Several compile fixes for Solaris and HP-UX
56 * More printing fixes for Windows NT/2k/XP clients
57 * New options for the VFS recycle bin library
58 * New internal signal handling semantics relating to directory change
59 notification and oplocks
61 New/Changed parameters in 2.2.5
62 --------------------------------
64 For more information on these parameters, see the man pages for
67 Added/changed parameters
68 ------------------------
70 * block size = <INTEGER>
71 * force unknown acl user = <boolean>
72 * mangling method = [hash|hash2]
78 The following parameters have been marked as deprecated and will be removed
94 See the cvs log for SAMBA_2_2 for more details
96 1) Removal of several compiler warnings, incorrect Makefile dependencies,
97 and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
98 being the predominantly reported platforms
99 2) Fixed winbindd crash bug on the IBM s390 running Linux
100 3) Inclusion of enhanced Linux quota support
101 4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
102 there is no apparent SSL support there)
103 5) POSIX conformance patches
104 6) Include new configure --enable-cups option (can also be disabled even
105 if CUPS libraries are installed on the system)
106 7) Set reasonable default for the "passwd program" parameter using an
108 8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
109 9) fixed bug to prevent root account from being deleted by the
111 10) Inclusion of autoconf script for building VFS modules
112 11) Add new run time options to the VFS recycle bin library (see
113 examples/VFS/recycle/README for details)
114 12) Include findsmb perl script as part of the "make install" process
115 13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
116 to fix a bug where printers appear at the workgroup level in the Windows
117 NT/2k APW browse list
118 14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
120 15) Fix length bug that caused password changes from Windows NT/2k clients to
122 16) Correct false password expiration when using --with-ldapsam caused by
123 missing attributes in the directory
124 17) added -S option to smbpasswd for storing the SID of a domain controller
125 as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
127 18) Various fixes for UNIX CIFS extensions commands
128 19) Fixed CIDR notation in "hosts allow/deny"
129 20) Change semantics of an idle connection to mean "no open files and no
130 open handles". We cannot idle a connection if there are open named
131 pipe handles. This fixes scalability problem on Samba print servers
132 and NT/2k clients introduced in 2.2.4
133 21) Fix germam umlaut problem when returning ACL entries
134 22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
135 of running the Microsoft Access executable (msaccess.exe) and database
136 files from a Samba share documented in the 2.2.4 release
137 23) Corrected signal handling relating to directory change notification and
139 24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
141 25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
142 clients not to be able to view printer properties from a Samba host
143 26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
144 Windows 2k/XP clients to fail
145 27) Fixed incorrect error check in mod_share_entry()
146 28) Allow %S variable in MS-DFS root paths
147 29) Correct a bug regarding the use of 'wbinfo -A'
148 30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
149 31) Store the key for a name-to-sid cache entry in upper case rather than
150 whatever case the request was made in. This gets rid of duplicate
152 32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
153 33) Enhanced error reporting messages of wbinfo
154 34) Parameterize block size on disk size return
155 35) Added new parameter to allow incoming ACLs to have owner and group forced
156 to the currently logged in user. This fixes the XCOPY /O problem
157 36) Fixed bug in local_change_password() caused by reusing a struct
159 37) Change default value for "ldap port" to 389 if "ldap ssl = no"
160 38) Updated HOWTO's, manpages, and general documentation....
161 39) Allow root as well as domain admins to open an LDAP connection
162 40) Fixed veto files bug with ".*"
163 41) Fixed uninitialized variable bug in smbpasswd that was causing a random
164 IP address to be used in the connection when joining a domain
165 42) Fix for joining a domain with a netbios name of 15 characters and
166 pre-creating the account on the DC
167 43) Added links to new documentation on SWAT welcome page
171 -----------------------------------------------------------------------------
172 The release notes for 2.2.4 follow :
174 There have been several fixes and internal enhancements which include:
176 * More/better SPOOLSS printing functionality for Windows
178 * Several fixes relating to serving PC database files such
179 as (Access and FoxPro) from a Samba file share.
180 * Several improves in Samba's VFS layer which can be seen
181 in the inclusion of a "Recycle Bin" vfs module. See
182 examples/VFS/README for more details on this.
183 * Addition of a tool (tdbbackup) for backup/restore of Samba's
185 * Continued improvements to winbind for greater scalability
187 * Several fixes related to Samba's MS-DFS support
188 * Rpcclient's various printer commands now work (again)
191 New/Changed parameters in 2.2.4
192 --------------------------------
194 For more information on these parameters, see the man pages for
197 Added/changed parameters
198 ------------------------
206 * winbind use default domain
209 Deprecated parameters
210 ---------------------
212 The following parameters have been marked as deprecated
213 and will be removed in Samba 3.0
217 * printer driver file
218 * printer driver location
230 See the cvs log for SAMBA_2_2 for more details
232 1) added -c option to smbpasswd
233 2) reworked smbpasswd internal command line option parsing
234 3) small various bug fixes to experimental pdb_tdb.c
235 4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
236 5) Added missing access checks to [add/delete/set]form
237 6) Compile fixes for pam_smbpass
238 7) fix smbd crash when netbios session request fails from
239 spoolss_connect_to_client().
240 8) fixed logic bug that prevent SetPrinter() from storing devmode
241 9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
242 10) fix joining domain on big endian machine when using -U to smbpasswd
243 11) allow command line arg to override smb.conf log level
244 12) continue to retry to register 1b name with wins server if there is an old IP there
245 13) fix smbclient print crash bug
246 14) 9x pnp fix when the config file and driver file are different
247 15) force testparm to print the correct value for log level
248 16) fix swat to show full log level info
249 17) fix server GetPrinterData() fields to be more sensible
250 18) fix logic error in SetPrinterDataEx()
251 19) Only set smb_read_error if not already set
252 20) Fix string returns that require unicode
253 21) Merge of printing performance fixes from appliance
254 22) lpq parsing fixes
255 23) Back port tridge's xcopy /o fix from HEAD
256 24) Fix the printer change notify code (unfinished)
257 25) Patch for Domain users not showing up
258 26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
259 27) Ensure that all methods of looking up and connecting to DC's work
260 using identical logic.
261 28) Merge in the mutex code to stop multiple domain logon failure
263 30) Fix winbindd to respect command line debuglevel as nmbd/smbd
264 31) Update with tdbbackup from HEAD
265 32) Fix for typo on solaris nss
266 33) Merge in the locking changes from HEAD
267 34) Added POSIX ACL layer into the vfs
268 35) Fix the returning of domain enum
269 36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
270 37) Enable test for -rdynamic when building binaries
271 38) Remove the "stat open" code - make it inline
272 39) Fix the mp3 rename bug
273 40) Fix for Explorer DFS problems on older Windows 9X machines
274 41) implement OpenPrinter() opnum == 0x01
275 42) Matched W2K *insane* open semantics....
276 43) small fix that will prevent the "failed to marshall
277 R_NET_SAMLOGON" message in the logs
278 42) don't do checking of local passdb in smbpasswd if using -r option
279 43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
280 try to connect to a server named '*'
281 44) merge rpcclient code from HEAD
282 45) Ensure MACHINE.SID update done before child spawns
283 46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
284 47) Removed --with-vfs - always built if available
285 48) Fixed psec for 2.2
286 49) Fixed the handle leak in the connection management code
287 50) fix disable spoolss after the switch to nt status codes
288 51) Added Shirish's client side caching policy change
289 52) Honor the specversion when parsing the the DEVICEMODE
290 53) fix parsing bug when DEVICEMODE's private data does not end
292 54) do not idle an smbd when there is an open pipe
293 55) when a new driver is added to a Samba server, cycle through
294 all printers and bump the change_id for each one bound to the driver
295 56) allow smbclient to work with a FIFO as well (needed for KDE
297 57) various updates to pdb_nisplus.c
298 58) many small documentation updates
299 59) removed many compiler warnings
302 -----------------------------------------------------------------------------
303 The release notes for 2.2.3a follow :
305 This is a minor bugfix release for the 2.2.3 release. The 2.2.3
306 release had a problem that was visible to Windows 2000 Explorer
307 users in that copying files into a share that already existed
308 failed with "Access Denied" rather than asking the user if an
309 overwrite was required. This was due to an incorrect error mapping
310 between the UNIX EXIST error code and the NT status error.
312 As Windows Explorer is a highly visible end user application a quick
313 bugfix release was required, hence 2.2.3a.
315 Compilation on HPUX versions earlier than HPUX 11 has also been
318 The cvs.log file is no longer included with this release, as it adds
319 13Mb to the size of the release, and is easily available on the Web.
321 -----------------------------------------------------------------------------
322 The release notes for 2.2.3 follow :
324 There are several important scaling bugs that have been fixed in this release
325 for large server systems so an upgrade is recommended.
330 Much work has been done on the LDAP backend code. The configure
331 option --with-ldapsam is now considered to be stable. The schema
332 used has changed, see the file examples/LDAP/samba.schema for the
335 New documentation explaining how to set up a Samba only PDC/BDC
336 setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
337 in the documentation tree.
339 winbindd daemon extended
340 ------------------------
342 Samba 2.2.2 was the first release to include the winbind daemon.
343 This code allows UNIX systems that implement the name service
344 switch (nss) to be entered into a Windows NT/2000 domain and
345 use the Domain controller for all user and group enumeration.
347 Samba 2.2.3 fixes the known memory leaks in winbindd and has
348 been extended to work with SGI IRIX and HPUX (11.x) in addition
349 to the earlier targets of Linux and Solaris.
351 For more information on using winbind, see the man pages for
354 Note that winbindd is not installed by default.
356 New/Changed parameters in 2.2.3
357 --------------------------------
359 For more information on these parameters, see the man pages for
362 Added/changed parameters.
363 -------------------------
367 Enables the experimental UNIX CIFS extensions in smbd. See the manpage
372 Some printer drivers will crash the Windows NT/2000 spooler service
373 if they are given a default devmode, some require it. This parameter
374 allows the administrator a choice of whether smbd returns such a
375 default devmode for a driver.
379 This parameter has been restored to allow people who wish smbd to ignore
380 client share modes. This is *very dangerous* and should not be set without
381 full knowledge of what this is designed for.
386 1). Fixed shared library compile for Solaris with native compiler.
387 2). UNIX CIFS extensions code added (donated by HP).
388 3). Changed to using NT status codes on the wire if the client can support
390 4). altname command to show 8.3 name added to smbclient.
391 5). const-safe endian macros now used.
392 6). client code now uses UNICODE on the wire.
393 7). Correctly return fault PDU's on bad handle.
394 8). Improved NT error code mapping table.
395 9). Many new point and print RPC calls added.
396 10). Win9x clients can now see full user list.
397 11). field added to identify simultaneous open files (no longer
398 use dev/inode/time as unique value).
399 12). HPUX ACL code added (donated by HP).
400 13). vfs interfaces updated (again !).
401 14). MSDOS Code Page 866 -> 1251 mapping added.
402 15). winbindd now processes quit/hup signals correctly.
403 16). No tdb traversal done on startup/shutdown - ensures scalability.
404 17). Fix bug with paths for homes share.
405 18). Fixed copyfile for OS/2.
406 19). Fix group membership when groups are on more than one line.
407 20). Fixed core dumps in posix ACL mapping code.
408 21). Tidyup of UNICODE functions (put/get).
409 22). Move rpcclient to the new libsmb code.
410 23). Add missing Windows 2000 passthough trans2 calls.
411 24). Return check all tdb calls.
412 25). Make local name lookup work even if wins server is down.
413 26). pam session code added to winbind.
414 27). Added winbindd cache to all lookups.
415 28). Fix allocate bugs that caused file sizes to be incorrect.
416 29). Fixed write cache code - now safe to use.
417 30). Fixed winbindd memory leaks.
418 31). winbindd will now do name lookups (to allow non Open Source
419 systems to do the nsswitch WINS lookup). Fixed by SGI.
420 32). passdb memory leaks fixed.
421 33). LDAP code updates and now properly maintained.
422 34). Finally figured out how changeid is meant to work.
423 35). Downlevel printing now looks as NT does in print monitor window.
424 36). Many fixups in spoolss printing RPC parsing.
425 37). Speed up password enumeration as a PDC.
426 38). Fix printer changed notify messages (work from HP).
427 39). Fix modify timestamp on close code.
428 40). Fix long standing mangled names bug.
429 41). Fix delete on close semantics.
430 42). Stop opening all files with O_NONBLOCK !
431 43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
432 44). Ensure NT supplementary groups get added to user token.
433 45). Try and mitigate effects of DNS timeout (do less lookups).
434 46). Added current user connection context stack.
435 47). Fixes to utmp code.
436 48). smbw code tidyups.
437 49). Added tdb open log code. Several tdb fixes.
439 -----------------------------------------------------------------------------
440 The release notes for 2.2.2 follow :
442 New daemon included - winbindd
443 ------------------------------
445 Samba 2.2.2 is the first release to include the winbind daemon.
446 This code allows UNIX systems that implement the name service
447 switch (nss) to be entered into a Windows NT/2000 domain and
448 use the Domain controller for all user and group enumeration.
450 This allows a Samba server added to a Windows domain to serve
451 file and print services with *NO* local users needed in /etc/passwd
452 and /etc/group - all users and groups are read directly from the
453 Windows domain controller. In addition with pam_winbind which allows
454 a PAM enabled UNIX system to use a Windows domain for authentication
455 service this allows single sign on and account control across
456 UNIX and Windows systems.
458 The current version of winbindd shipped in 2.2.2 does have some
459 memory leaks, which will be addressed for the next Samba release,
460 so it is advisable to monitor the winbind process. This code is
461 being used in production by several vendors, so the leaks are
462 manageable. In addition, this version of winbind does not work
463 correctly against a Samba PDC, due to some missing calls on the
464 PDC side. These problems are being addressed for the next Samba
465 release, but it was thought better to release the code now rather
466 than delay the main Samba code to match the winbind release schedule.
468 For more information on using winbind, see the man pages for
471 Note that winbindd is not installed by default.
473 New/Changed parameters in 2.2.2
474 -------------------------------
476 For more information on these parameters, see the man pages for
479 Added/changed parameters.
480 -------------------------
484 Causes Samba not to create UNIX 'sparse' files, but to follow the
485 Windows behavior of always allocating on-disk space.
489 Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
490 UNIX systems that don't have coherent mmap/read-write internal caches.
491 You should not need to set this parameter.
495 This parameter has been changed to a per-share option, and is very
496 useful in enabling Windows 2000 SP2 to load/save profiles from a
499 New printing parameters.
500 ------------------------
504 Setting this parameter causes Samba to go back to the old 2.0.x
505 LANMAN printing behavior, for people who wish to disable the
510 Causes Windows NT/2000 clients to need have a local printer driver
511 installed and to treat the printer as local.
516 Samba 2.2.2 contains new code to maintain a Samba SAM database
517 on a remote LDAP server. These parameters have been added as
518 part of this code. These parameters are only available when Samba
519 has been compiled with the --with-ldapsam option.
527 The SSL support in Samba has been fixed. These new parameters
528 are part of the changes added. These parameters are only available
529 when Samba has been compiled with the --with-ssl option.
530 Please see the smb.conf man page for details.
536 New winbindd parameters.
537 ------------------------
539 These parameters are used by winbindd. See the man page for
540 winbindd for details.
561 Some new README's have been added in the docs/ directory. These cover
562 using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
563 and how to use Samba to help prevent Windows virus spread
564 (docs/README.Win32-Viruses).
566 Quota problems on a Linux 2.4 kernel.
567 -------------------------------------
569 Currently the quota interfaces have diverged between the Linus
570 2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
571 are shipped with RedHat). Running quota-enabled Samba compiled on
572 an Alan Cox kernel works correctly on an Alan Cox kernel (the one
573 shipped by default with RedHat 7.x) but fails on a Linus kernel.
575 This is a mess, and hopefully Alan and Linus will sort it out soon.
576 In the meantime we need to ship.....
581 1). mmap tdb code disabled on HPUX. This should prevent the reports of
582 tdb corruption on HUPX.
583 2). Large file support set to off in Solaris 5.5 and below.
584 3). Better CUPS detection.
585 4). New SAM (password database) backends - smbpasswd (traditional),
586 LDAP, NIS+ and Samba TDB.
587 5). Quota fixups on Linux.
588 6). libsmbclient stand-alone code added. Can be built as a shared library
590 7). Tru64 ACL support added.
591 8). winbindd option added.
592 9). Realloc fail tidyup fixes all over the code.
593 10). Large improvement in hash table code efficiency - would be found with
595 11). Error code consistency improved (still needs more work).
596 12). Profile shared memory support added to nmbd.
597 13). New Windows 2000/NT passthrough info levels added.
598 14). readraw/writeraw code rewritten - many bugs fixed.
599 15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
600 16). Reverse DNS lookup avoided on socket open.
601 17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
602 18). Zero length byte range lock code added. Much closer to Windows semantics.
603 19). Alignment fault fixes for Linux/Alpha.
604 20). Error checking on tdb returns vastly improved.
605 21). Handling of delete on close fixed. No longer possible to leave 'dead'
607 22). Handling of oplock break failure cleanups improved. Should not be
608 able to leave 'dead' entries.
609 23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
610 24). Misc. MS-DFS code fixes.
611 25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
612 26). winbind pam module added.
613 27). Order N^^2 enumeration of printers problem fixed.
614 28). Password backend database code re-ordered to allow different password
615 backends (at compile time currently).
616 29). Improved print driver version detection for Windows 2000.
617 30). Driver DEVMODE initialization fixes.
618 31). Improved SYSV print parse code.
619 32). Fixed enumeration of large numbers of users/groups from Windows clients.
621 33). Fix for buggy NetApp RPC pipe clients.
622 34). Fix for NT sending multiple SetPrinterDataEx calls.
623 35). Fix for logic bug where smbd could delay oplock break request messages
624 from other smbd daemons whilst client kept us busy.
625 36). Fix deadlock problem with connections tdb on enumeration.
626 37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
627 38). Removed unused readbmpx/writebmpx code.
628 39). Attempt to fix Linux 2.4.x quota mess.
629 40). Improved ctemp code for Windows 2000 compatibility.
630 41). Finally understood difference between set EOF and set allocation requests.
631 Added strict allocate parameter to help.
632 42). Correctly return name types on name to SID lookups.
633 43). tdb spinlock code update.
634 44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
636 -----------------------------------------------------------------------------
637 The release notes for 2.2.1a follow :
639 This is a minor bugfix release for 2.2.1, *NOT* security related.
641 1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
642 Windows2000 machine into a Samba hosted PDC would fail due to our
643 stricter user name checking. We were disallowing user names
644 containing '$', which is needed when using smbpasswd to add a
645 machine into a domain. Automatically adding machines (using the
646 native Windows tools) into a Samba domain worked correctly.
648 2.2.1a fixes this single problem.
650 -----------------------------------------------------------------------------
651 The release notes for 2.2.1 follow :
653 New/Changed parameters in 2.2.1
654 -------------------------------
659 obey pam restrictions
661 When Samba is configured to use PAM, turns on or off Samba checking
662 the PAM account restrictions. Defaults to off.
666 When Samba is configured to use PAM, turns on or off Samba passing
667 the password changes to PAM. Defaults to off.
671 New option to allow new Windows 2000 large file (64k) streaming
672 read/write options. Needs a 64 bit underlying operating system
673 (for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
674 by 10% with Windows 2000 clients. Defaults to off. Not as tested
675 as some other Samba code paths.
679 Prevents clients from seeing the existence of files that cannot
680 be read. Off by default.
684 Turn on/off the enhanced Samba browsing functionality (*1B names).
685 Default is "on". Can prevent eternal machines in workgroups when
686 WINS servers are not synchronized.
698 1). "find" command removed for smbclient. Internal code now used.
699 2). smbspool updates to retry connections from Michael Sweet.
700 3). Fix for mapping 8859-15 characters to UNICODE.
701 4). Changed "security=server" to try with invalid username to prevent
703 5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
704 6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
705 7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
706 lock tester tool for distributed databases.
707 8). Preliminary support added for Windows 2000 large file read/write SMBs.
708 9). Changed random number generator in Samba to prevent guess attacks.
709 10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
710 smbd's clean the tdb files on startup and shutdown.
711 11). Fixes for default ACLs on Solaris.
712 12). Tidyup of password entry caching code.
713 13). Correct shutdowns added for send fails. Helps tdb cleanup code.
714 14). Prevent invalid '/' characters in workgroup names.
715 15). Removed more static arrays in SAMR code.
716 16). Client code is now UNICODE on the wire.
717 17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
718 18). All tdb opens now going through logging function.
719 19). Add pam password changing and pam restrictions code.
720 20). Printer driver management improvements (delete driver).
721 21). Fix difference between NULL security descriptors and empty
722 security descriptors.
723 22). Fix SID returns for server roles.
724 23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
725 24). Allow smbcontrol to forcibly disconnect a share.
726 25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
727 mmap/file read/write cache.
728 26). Fix race condition in returning create disposition for file create/open.
729 27). Fix NT rewriting of security descriptors to their canonical form for
731 28). Fix for Samba running on top of Linux VFAT ftruncate bug.
732 29). Swat fixes for being run with xinetd that doesn't set the umask.
733 30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
734 TCP stack early ack specification error.
735 31). Changed lock & persistent tdb directory to /var/cache/samba by default on
736 RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
738 -----------------------------------------------------------------------------
739 The release notes for 2.2.0a follow :
744 This is a security bugfix release for Samba 2.2.0. This release provides the
745 following two changes *ONLY* from the 2.2.0 release.
747 1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
748 and described in the security advisory below.
749 2). Fix for the hosts allow/hosts deny parameters not being honoured.
751 No other changes are being made for this release to ensure a security fix only.
752 For new functionality (including these security fixes) download Samba 2.2.1
753 when it is available.
755 The security advisory follows :
758 IMPORTANT: Security bugfix for Samba
759 ------------------------------------
767 A serious security hole has been discovered in all versions of Samba
768 that allows an attacker to gain root access on the target machine for
769 certain types of common Samba configuration.
771 The immediate fix is to edit your smb.conf configuration file and
772 remove all occurances of the macro "%m". Replacing occurances of %m
773 with %I is probably the best solution for most sites.
778 A remote attacker can use a netbios name containing unix path
779 characters which will then be substituted into the %m macro wherever
780 it occurs in smb.conf. This can be used to cause Samba to create a log
781 file on top of an important system file, which in turn can be used to
782 compromise security on the server.
784 The most commonly used configuration option that can be vulnerable to
785 this attack is the "log file" option. The default value for this
786 option is VARDIR/log.smbd. If the default is used then Samba is not
787 vulnerable to this attack.
789 The security hole occurs when a log file option like the following is
792 log file = /var/log/samba/%m.log
794 In that case the attacker can use a locally created symbolic link to
795 overwrite any file on the system. This requires local access to the
798 If your Samba configuration has something like the following:
800 log file = /var/log/samba/%m
802 Then the attacker could successfully compromise your server remotely
803 as no symbolic link is required. This type of configuration is very
806 The most commonly used log file configuration containing %m is the
807 distributed in the sample configuration file that comes with Samba:
809 log file = /var/log/samba/log.%m
811 in that case your machine is not vulnerable to this attack unless you
812 happen to have a subdirectory in /var/log/samba/ which starts with the
818 Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
825 While we recommend that vulnerable sites immediately change their
826 smb.conf configuration file to prevent the attack we will also be
827 making new releases of Samba within the next 24 hours to properly fix
828 the problem. Please see http://www.samba.org/ for the new releases.
830 Please report any attacks to the appropriate authority.
835 ---------------------------------------------------------------------------
837 The release notes for 2.2.0 follow :
839 This is the official Samba 2.2.0 release. This version of Samba provides
840 the following new features and enhancements.
842 Integration between Windows oplocks and NFS file opens (IRIX and Linux
843 2.4 kernel only). This gives complete data and locking integrity between
844 Windows and UNIX file access to the same data files.
846 Ability to act as an authentication source for Windows 2000 clients as
847 well as for NT4.x clients.
849 Integration with the winbind daemon that provides a single
850 sign on facility for UNIX servers in Windows 2000/NT4 networks
851 driven by a Windows 2000/NT4 PDC. winbind is not included in
852 this release, it currently must be obtained separately. We are
853 committed to including winbind in a future Samba 2.2.x release.
855 Support for native Windows 2000/NT4 printing RPCs. This includes
856 support for automatic printer driver download.
858 Support for server supported Access Control Lists (ACLs).
859 This release contains support for the following filesystems:
863 Linux Kernel with ACL patch from http://acl.bestbits.at
864 Linux Kernel with XFS ACL support.
867 FreeBSD (with external patch)
869 Other platforms will be supported as resources are
870 available to test and implement the necessary modules. If
871 you are interested in writing the support for a particular
872 ACL filesystem, please join the samba-technical mailing
873 list and coordinate your efforts.
875 On PAM (Pluggable Authentication Module) based systems - better debugging
876 messages and encrypted password users now have access control verified via
877 PAM - Note: Authentication still uses the encrypted password database.
879 Rewritten internal locking semantics for more robustness.
880 This release supports full 64 bit locking semantics on all
881 (even 32 bit) platforms. SMB locks are mapped onto POSIX
882 locks (32 bit or 64 bit) as the underlying system allows.
884 Conversion of various internal flat data structures to use
885 database records for increased performance and
888 Support for acting as a MS-DFS (Distributed File System) server.
890 Support for manipulating Samba shares using Windows client tools
891 (server manager). Per share security can be set using these tools
892 and Samba will obey the access restrictions applied.
894 Samba profiling support (see below).
896 Compile time option for enabling a (Virtual file system) VFS layer
897 to allow non-disk resources to be exported as Windows filesystems
898 (such as databases etc.).
900 The documentation in this release has been updated and converted
901 from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
902 and some defaults have changed.
906 Support for collection of profile information. A shared
907 memory area has been created which contains counters for
908 the number of calls to and the amount of time spent in
909 various system calls, smb transactions and nmbd activity. See
910 the file profile.h for a complete listing of the information
911 collected. Sample code for a samba pmda (collection agent
912 for Performance Co-Pilot) has been included in the pcp
915 To enable the profile data collection code in samba, you must
916 compile samba with profile data support (run configure with
917 the --with-profiling-data option). On startup, collection of
918 data is disabled. To begin collecting data use the smbcontrol
919 program to turn on profiling (see the smbcontrol man page).
920 Profile information collection can be enabled for nmbd, all smbd
921 processes or one or more selected processes. The profiling
922 data collected is the aggregate for all processes that have
925 With samba compiled for profile data collection, you may see
926 a very slight degradation in performance even with profiling
927 collection turned off. On initial tests with NetBench on an
928 SGI Origin 200 server, this degradation was not measurable
929 with profile collection off compared to no profile collection
932 With count profile collection enabled on all clients, the
933 degradation was less than 2%. With full profile collection
934 enabled on all clients, the degradation was about 8.5%.
936 =====================================================================
938 If you think you have found a bug please email a report to :
942 As always, all bugs are our responsibility.