Fix for CVE-2009-2906.

[Samba/bb.git] / WHATSNEW.txt

                   =============================
                   Release Notes for Samba 3.3.8
                          October, 1  2009
                   =============================


This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.

   o CVE-2009-2813:
     In all versions of Samba later than 3.0.11, connecting to the home
     share of a user will use the root of the filesystem
     as the home directory if this user is misconfigured to have
     an empty home directory in /etc/passwd.

   o CVE-2009-2948:
     If mount.cifs is installed as a setuid program, a user can pass it a
     credential or password path to which he or she does not have access and
     then use the --verbose option to view the first line of that file.
     All known Samba versions are affected.

   o CVE-2009-2906:
     Specially crafted SMB requests on authenticated SMB connections can
     send smbd into a 100% CPU loop, causing a DoS on the Samba server.


######################################################################
Changes
#######

Changes since 3.3.7
-------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 6763: Fix for CVE-2009-2813.
    * BUG 6768: Fix for CVE-2009-2906.


o   Jeff Layton <jlayton@redhat.com>
    * Fix for CVE-2009-2948.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------

                   =============================
                   Release Notes for Samba 3.3.7
                          July, 29  2009
                   =============================


This is the latest bugfix release of the Samba 3.3 series.


######################################################################
Changes
#######


Changes since 3.3.6:
--------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 6421: Fix POSIX read-only open on read-only shares.
    * BUG 6476: Fix smbd zombies in memory when using [x]inetd.
    * BUG 6487: Add missing DFS call in trans2 mkdir call.
    * BUG 6520: Fix time stamps when "unix extensions = yes".


o   Günther Deschner <gd@samba.org>
    * BUG 6253: Use correct value for password expiry calculation in
      pam_winbind.
    * BUG 6340: Fix segfault when cleartext trustdom pwd could not be retrieved.
    * BUG 6451: Use right access bits in net/libnetapi user rename.
    * BUG 6484: Fix _lsa_LookupNames2() server implementation which always
      returned a NULL sid_array.


o   Björn Jacke <bj@sernet.de>
    * BUG 6497: Fix configure error.


o   Volker Lendecke <vl@samba.org>
    * BUG 6498: Add workaround for MS KB932762.


o   Jim McDonough <jmcd@samba.org>
    * BUG 6481: Don't require "Modify property" perms to unjoin.


o   Stefan Metzmacher <metze@samba.org>
    * BUG 6526: Let parent_dirname() correctly return toplevel filenames.


o   Bo Yang <boyang@samba.org>
    * BUG 6560: Fix handling of UPN.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.6
                          June, 23  2009
                   =============================


This is a security release in order to address CVE-2009-1888.

   o CVE-2009-1888:
     In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
     data value can potentially affect access control when "dos filemode"
     is set to "yes".


######################################################################
Changes
#######


Changes since 3.3.5:
--------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 6488: Fix for CVE-2009-1888.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.5
                          June, 16  2009
                   =============================


This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.5 include:

    o Fix SAMR and LSA checks (bug #6089, #6289)
    o Fix posix acls when setting an ACL without explicit ACE for the
      owner (bug #2346).
    o Fix joining of Win7 into Samba domain (bug #6099).
    o Fix joining of Win2000 SP4 clients (bug #6301).


######################################################################
Changes
#######


Changes since 3.3.4:
--------------------


o   Michael Adam <obnox@samba.org>
    * BUG 6320: Handle registry config source in file_list.
    * BUG 6415: Filter out of range mappings in default idmap config in
      idmap_tdb.
    * BUG 6416: Filter out of range mappings in default idmap config in
      idmap_tdb2.
    * BUG 6417: Filter out of range mappings in default idmap config in
      idmap_ldap.
    * Prevent infinite include nesting.
    * Mark registry shares without path unavailable.


o   Jeremy Allison <jra@samba.org>
    * BUG 6089: Revert the extra SAMR and LSA checks.
    * BUG 6099: Fix joining of Win7 into Samba domain.
    * BUG 6289: Revert the extra SAMR and LSA checks.
    * BUG 6297: Owner of sticky directory cannot delete files created by
      others.
    * BUG 6315: smbd crashes doing vfs_full_audit on IPC$ close event.
    * BUG 6330: Fix DFS on AIX.


o   Guenther Deschner <gd@samba.org>
    * BUG 6099: Fix joining of Win7 into Samba domain.
    * BUG 6157: Fix handling of multi-value attribute "uid".
    * BUG 6301: Fix joining of Win2000 SP4 clients.
    * BUG 6309: Support remote unjoining of Windows 2003 or greater.
    * BUG 6372: Fix usermanager only displaying 1024 groups and aliases.
    * BUG 6465: Fix enumeration of empty aliases (ldb backend).


o   Björn Jacke <bj@sernet.de>
    * Also handle DirX return codes.


o   Volker Lendecke <vl@samba.org>
    * BUG 6336: Fix 'net groupmap set' segfault.
    * BUG 6361: Make --rcfile work in smbget.
    * BUG 6365: Re-Add the "dropbox" functionality with -wx rights on a
      directory.
    * BUG 6382: Fix case insensitive access to DFS links.
    * BUG 6441: Fix the compile with --enable-dnssd.
    * BUG 6449: 'net rap user add' crashes without -C option.
    * Fix Coverity ID 897.
    * Do not crash in ctdbd_traverse if ctdbd is not around.
    * Fix a race condition in winbind leading to a panic.


o   TAKAHASHI Motonobu <monyo@samba.gr.jp>
    * BUG 5897: Fix shutdown script example in the smb.conf manpage.


o   Stefan Metzmacher <metze@samba.org>
    * BUG 2346: Fix posix acls when setting an ACL without explicit ACE for the
      owner.


o   D.L. Meyer <dlmeyer@uiuc.edu>
    * BUG 5832: Fix build on RHEL when ccache is not available.


o   Andreas Schneider <mail@cynapses.org>
    * Some man pam_winbind improvements.


o   Karolin Seeger <kseeger@samba.org>
    * BUG 5835: Add keyutils-devel to build requires to fix build on RHEL.


o   Marc VanHeyningen <marc.vanheyningen@isilon.com>
    * Zero an uninitialized array.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.4
                          April, 29  2009
                   =============================


This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.4 include:

    o Fix domain logins for WinXP clients pre SP3 (bug #6263).
    o Fix samr_OpenDomain access checks (bug #6089).
    o Fix usrmgr.exe creating a user (bug #6243).


######################################################################
Changes
#######


Changes since 3.3.3:
--------------------


o   Michael Adam <obnox@samba.org>
    * net conf: Save share name as given, not as lower case only.
    * Prevent creation of registry keys containing the '/' character.


o   Jeremy Allison <jra@samba.org>
    * BUG 6089: Fix samr_OpenDomain access checks.
    * BUG 6254: Fix IPv6 PUT/GET errors to an SMB server (3.3) with
      "msdfs root" set to "yes".
    * BUG 6279: Fix Winbind crash.
    * Allow pdbedit to change a user rid/sid.
    * When doing a cli_ulogoff don't invalidate the cnum, invalidate the vuid.
    * Don't access a freed structure when logging off and re-using a vuid.


o   Günther Deschner <gd@samba.org>
    * BUG 5329: Add "net rpc service delete/create".
    * BUG 6238: Make sure wbcLogoffUserParams are properly initialized before
      freed.
    * BUG 6263: Fix domain logins for WinXP clients pre SP3.
    * BUG 6286: Call init function for builtin idmap modules before probing for
      them as shared modules.
    * Try to to fix password_expired flag handling.
    * Make sure to grey out change fields in the netdomjoin-gui when not
      running as root.


o   Jim McDonough <jmcd@samba.org>
    * Don't look up local user for remote changes, even when root.


o   Volker Lendecke <vl@samba.org>
    * BUG 6243: Fix usrmgr.exe creating a user.
    * Use procid_str in debug messages for better cluster-debuggability.
    * Use cluster-aware procid_is_me instead of comparing pids.
    * Fix smbd crash for close_on_completion.
    * Fix a memleak in an unlikely error path in change_notify_create().
    * Do not use the file system GET_REAL_FILENAME for mangled names.


o   Stefan Metzmacher <metze@samba.org>
    * Fix a crash bug if we timeout in net rpc trustdom list.
    * Add '--request-timeout' option to net.


o   Martin Schwenke <martin@meltin.net>
    * In net_conf_import, start a transaction when importing a single share.


o   Simo Sorce <ssorce@redhat.com>
    * Fix writing of roaming profiles with "profile acls" set to "yes".


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.3
                            April, 1 2009
                   =============================

This is the latest bugfix release release of the Samba 3.3 series.

Major enhancements in Samba 3.3.3 include:

    o Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb
      correctly (bug #6195).
    o Fix serving of files with colons to CIFS/VFS client (bug #6196).
    o Fix "map readonly" (bug #6186).


######################################################################
Changes
#######


Changes since 3.3.2:
--------------------


o   Michael Adam <obnox@samba.org>
    * BUG 6195: Don't let smbd child processes panic.
    * Add backend_requires_messaging() method to libsmbconf.
    * Add methods is_writeable() and wrapper smbconf_is_writeable() to libsmbconf.
    * Fall back to file backend when no valid backend was found.
    * Fix a memleak in dbwrap_rbt.
    * Provide transaction_start|commit|cancel fns for the registry tdb.
    * Speed up "net conf drop".
    * Speed up "net conf import".
    * Add transactions to the libsmbconf API.
    * Reduce memory usage of "net conf import".
    * Registry cleanup.
    * Fix handling of SAMBA_VERSION_VENDOR_PATCH.
    * Fix build of pam_winbind.so with static linking.
    * Tidy up some convert_string_internal error cases.


o   Jeremy Allison <jra@samba.org>
    * BUG 6186: Fix map readonly.
    * BUG 6195: Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb
      correctly.
    * BUG 6196: Unable to serve files with colons to Linux CIFS/VFS client.
    * BUG 6224: nmbd waits 5 minutes at startup before checking if it needs
      to run elections.
    * Allow DFS client paths to work when POSIX pathnames have been
      selected.
    * Try and fix the build farm RAW-STREAMS errors.
    * Ensure files starting with multiple dots are hidden.


o   Günther Deschner <gd@samba.org>
    * BUG 6102: NetQueryDisplayInformation could return wrong information.
    * BUG 6193: Avoid messing with sync_context in libnet_samsync_delta().
    * Fix notify_printer_status_byname.
    * Fix Coverity IDs 722, 762, 774, 775, 776.


o   Björn Jacke <bj@sernet.de>
    * Fix build on old Heimdal based systems.
    * Fix compile warning.
    * Use parentheses in if condition to make negation clear.


o   Andy Kelk <andy@mopoke.co.uk>
    * Add dirsort module.


o   Steve Langasek <vorlon@debian.org>
    * BUG 6147: Fix detection of the GNU ld version.


o   Volker Lendecke <vl@samba.org>
    * BUG 6097: Fix smbd segfault.
    * BUG 6130: Don't crash in winbindd_rpc lookup_groupmem() on unmapped
      members.
    * BUG 6139: Add missing whitespace in mount.cifs error message.
    * Fix a malloc/talloc mismatch when cli_initialise() fails.
    * Fix a valgrind error.
    * Speed up "net conf list".
    * Add sorted subkey cache.
    * Use StrCaseCmp in the dirsort module.
    * Document the dirsort module.
    * Fix the build on HP/UX.
    * Disable dns_sd by default.
    * Add avahi detection to configure.
    * Add event avahi binding.
    * Use avahi to register _smb._tcp in smbd.
    * Fix two memleaks in the encryption code.
    * Fix a scary "fill_share_mode_lock failed" message.


o   Derrell Lipman <derrell@dworkin.(none)>
    * BUG 6228: Fix SMBC_open_ctx failure due to path resolve failure doesn't set
      errno.


o   Stefan Metzmacher <metze@samba.org>
    * Don't use reserved words in smbconftort.
    * Fix smb signing for fragmented trans/trans2/nttrans requests.


o   Tim Prouty <tprouty@samba.org>
    * Parse_packet can return NULL which is then dereferenced in
      match_mailslot_name.


o   Timur <timur@FreeBSD.org>
    * Format the header check for netinet/ip.h more nicely.
    * Fix detection of netinet/ip.h on FreeBSD.


o   Alexander Zagrebin <alexz@visp.ru>
    * Missing break in conversion function prevents tdb password database
      update.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.2
                           March, 12 2009
                   =============================

This is the latest bugfix release release of the Samba 3.3 series.

Major enhancements in Samba 3.3.2 include:

     * Fix "force group" (bug #6155).
     * Fix saving of files on Samba share using MS Office 2007 (bug #6160).
     * Fix guest authentication in setups with "security = share" and
      "guest ok = yes" when Winbind is running.
     * Fix corruptions of source path in tar mode of smbclient (bug #6161).


######################################################################
Changes
#######


Changes since 3.3.1:
--------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 6082: Fix renaming and deleting of directories using Windows clients.
    * BUG 6154: Make ZFS honor admin users.
    * BUG 6155: Fix "force group".
    * BUG 6160: Fix saving of files on Samba share using MS Office 2007.
    * BUG 6161: Fix corruptions of source path in tar mode of smbclient.
    * Fix some NetBSD warnings.
    * Fix bug in processing of open modes in POSIX open.
    * Fix use of streams modules with CIFSFS client.
    * Ensure ACL modules work with POSIX paths.
    * Use fsp->posix_open in preference if we have it.
    * Fix more POSIX path lstat calls.


o   Andrew Tridgell <tridge@samba.org>
    * Fix a bug in message handling for the change notify code.


o   Steven Danneman <steven.danneman@isilon.com>
    * Fix guest authentication in setups with "security = share" and "guest ok =
      yes" when Winbind is running.


o   Steve French <smfrench@gmail.com>
    * BUG 4640: Fix guest mounts in mount.cifs.
    * Fix displaying the version string properly when no other parameters passed
      in in mount.cifs.


o   Björn Jacke <bj@sernet.de>
    * Prefer gssapi header files from subdirectory.


o   Volker Lendecke <vl@samba.org>
    * BUG 6124: Fix the build on IRIX.
    * BUG 6176: winbindd -n should disable the winbind idmap cache.
    * Add a vfs_preopen module to hide fs latencies.
    * Don't log NDR_PRINT_DEBUG at level 0, this always ends up in syslog.
    * Fix a valgrind error / segfault in dns_register_smbd().


o   Stefan Metzmacher <metze@samba.org>
    * Fix build on SLES8.
    * Decremented by 1 for ntcancel requests.


o   Tim Prouty <tprouty@samba.org>
    * Fix creation of core files.


o   Dan Sledz <dan.sledz@isilon.com>
    * Fix first mapping of uids/gids in Winbind.


o   Bo Yang <boyang@novell.com>
    * Initialize the id_map status in idmap_ldap to avoid surprise.
    * Fix initialization of idmap status.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.1
                          February, 24 2009
                   =============================

This is the latest bugfix release release of the Samba 3.3 series.

Major enhancements in Samba 3.3.1 include:

     * Fix net ads join when "ldap ssl = start tls" (bug #6073).
     * Fix renaming/deleting of files using Windows clients (bug #6082).
     * Fix renaming/deleting a "not matching/resolving" symlink (bug #6090).
     * Fix remotely adding a share via the Windows MMC.


######################################################################
Changes
#######

smb.conf changes
----------------

    Parameter Name                      Description     Default
    --------------                      -----------     -------
    ldap ssl ads                        New             No


Changes since 3.3.0:
--------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 6082: Fix renaming/deleting of files using Windows clients.
    * BUG 6069: Fix build with too many arguments.
    * BUG 6090: Fix renaming/deleting a "not matching/resolving" symlink.
    * BUG 6099: Try to fix domain join of Win7 Beta.
    * BUG 6117: Fix core dump of pdbedit -a.
    * BUG 6133: Fix deletion of non-ACL files on Solaris/ZFS/NFSv4 ACL
      filesystem.
    * Fix Coverity IDs 115, 116, 117, 602.
    * Fix warning (bad handler prototype).
    * Unify the detection of the timespec code in configure.in, and the
      application of it in time.c.
    * Correctly use chroot().
    * Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure that "offered"
      read from the rpc packet in spoolss is under that size.
    * Backport the semantics of when to delete alternate data streams on a file
      truncate.
    * Fix printf warnings.
    * Fix warnings on Solaris.


o   Michael Adam <obnox@samba.org>
    * BUG 6066: netinet/ip.h present but cannot be compiled on Solaris.
    * BUG 6073: Prevent ads_connect() from using SSL unless explicitly
      requested.
    * Fix 'getent passwd' to allocate new uids.
    * Fix 'getent group' to allocate new gids.
    * Remove check for sharename being a username in 'net conf
      addshare'.


o   Guenther Deschner <gd@samba.org>
    * Fix Coverity ID 848.
    * Remove unused ENUM_HND from 'net'.
    * Fix getform command asprintf return code in rpcclient.
    * Fix memleak in get_remote_printer_publishing_data().
    * Remove duplicate prototypes for generated rpc server functions.


o   Holger Hetterich <hhetter@novell.com>
    * Enable total anonymization in vfs_smb_traffic_analyzer.


o   Bjoern Jacke <bj@sernet.de>
    * Fix build with external dns_sd libraries.
    * Fix configure check "sub-second timestamps without struct timespec".
    * Add configure check for AIX style sub-second resolution support.
    * Add configure check for Tru64 sub-second timestamp resolution.
    * Add Tru64 sub-second resolution timestamp support.
    * Enable IPv6 support for NetBSD and FreeBSD.
    * Use correct BSD evironment variable.


o   Guenter Kukkukk <linux@kukkukk.com>
    * Don't try and delete a default ACL from a file.


o   Volker Lendecke <vl@samba.org>
    * BUG 5798: CFLAGS info lost in configure.
    * Fix Coverity IDs 740, 742, 744, 745, 876, 879, 880.
    * Fix remotely adding a share via the Windows MMC.
    * Avoid valgrind errors.
    * Fix 'net rpc join' for users with the SeMachineAccountPrivilege.
    * Fix resume handle for _samr_EnumDomainGroups.
    * Fix a buffer handling bug when adding lots of registry keys.
    * Fix a O(n^2) algorithm in regdb_fetch_keys().


o   Jeff Layton <jlayton@redhat.com>
    * Initialize rc to 0 in main in mount.cifs.


o   Derrell Lipman <derrell.lipman@unwireduniverse.com>
    * BUG 6069: Add a fstatvfs function for libsmbclient.
    * Eliminate compiler warnings.


o   Glenn Machin <gmachin@sandia.gov>
    * Don't miss an absolute pathname as a kerberos keytab path.


o   Stefan Metzmacher <metze@samba.org>
    * BUG 6100: Implement _netr_LogonGetCapabilities() with
      NT_STATUS_NOT_IMPLEMENTED.
    * Make Samba work with older ctdb versions.
    * Add S-1-22-X-Y sids to the local token.


o   Lars Mueller <lars@samba.org>
    * Conditional install of the cifs.upcall man page.
    * Adjust regex to match variable names including underscores.


o   Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    * BUG 4370: Clean-up entries in /etc/mtab after unmount.
    * Add fakemount (-f) and nomtab (-n) flags to mount.cifs.


o   Ted Percival <ted.percival@quest.com>
    * Fix a crash during name resolution.


o   Tim Prouty <tprouty@samba.org>
    * Fix "assignment discards qualifiers from pointer target type"
      warnings.
    * Fix SMB_VFS_RECVFILE/SENDFILE macros.


o   Karolin Seeger <kseeger@samba.org>
    * Change "ldap ssl:ads" parameter to "ldap ssl ads".
    * Add manpages for vfs_acl_xattr and vfs_acl_tdb.


o   Dan Sledz <dsledz@isilon.com>
    * Fix double free caused by incorrect talloc_steal usage.


o   Simo Sorce <idra@samba.org>
    * Build ldbrename.


o   Aravind Srinivasan <aravind.srinivasan@isilon.com>
    * Make nmbd check all available interfaces for WINS before failing.


o   Miguel Suarez <Miguel.Suarez@stratus.com>
    * Fix compilation of vfs_default on systems that do not support utimes().


o   Yasuma Takeda <yasuma@osstech.co.jp>
    * BUG 5920: Fix the calculation of the memcpy length.
    * BUG 6098: Fix ads_find_dc() in setups with "security = domain".


o   Bo Yang <boyang@novell.com>
    * Make libsmbclient work with DFS.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   =============================
                   Release Notes for Samba 3.3.0
                          January, 27 2009
                   =============================

This is the first stable release of Samba 3.3.0.

Major enhancements in Samba 3.3.0 include:

 General changes:
 o The passdb tdbsam version has been raised.

 Configuration/installation:
 o Splitting of library directory into library directory and separate
   modules directory.
 o The default value of "ldap ssl" has been changed to "start tls".

 File Serving:
 o Extended Cluster support.
 o New experimental VFS modules "vfs_acl_xattr" and "vfs_acl_tdb"
   to store NTFS ACLs on Samba file servers.

 Winbind:
 o Simplified idmap configuration.
 o New idmap backends "adex" and "hash".
 o Added new parameter "winbind reconnect delay".
 o Added support for user and group aliasing.
 o Added support for multiple domains to idmap_ad.

 Administrative tools:
 o The destination "all" of smbcontrol does now affect all running
   daemons including nmbd and winbindd.
 o New 'net rpc vampire keytab' and 'net rpc vampire ldif' commands.
 o The 'net' utility can now use kerberos for joining and authentication.
 o The 'wbinfo' utility can now add, modify and remove identity mapping entries.

 Libraries:
 o NetApi library implements various new calls for User- and Group
   Account Management.
 o libsmbclient does now determine case sensitivity based on file system
   attributes.


General changes
===============

The passdb tdbsam version has been raised as among other things the RID counter
has been moved from the winbindd_idmap.tdb to the passdb.tdb file to make
"passdb backend = tdbsam" working in clustered environments.

Please note that an updated passdb.tdb file is _not_ compatible with Samba
versions before 3.3.0! Please backup your passdb.tdb file if
you use "passdb backend = tdbsam". That can be achieved by running

'tdbbackup /etc/samba/passdb.tdb'

before the update.


Configure changes
=================

The configure option "--with-libdir" has been removed. The library
directory can still be specified by using the existing "--libdir" option.
A new option "--with-modulesdir" has been added to allow the specification
of a separate directory for the shared modules.


Configuration changes
=====================

The default value of "ldap ssl" has been changed to "start tls". This means,
Samba will use the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with directory servers by default. If your directory servers
do not support this extended operation, you will have to set
"ldap ssl = no". Otherwise, Samba could not contact the directory servers
anymore!


Winbind idmap backend changes
=============================

The idmap configuration has changed with version 3.3 to something that
allows a smoother upgrade path from pre-3.0.25 configurations that use
"idmap backend". The reason for this change is that to many, also to Samba
developers, the 3.0.25 style configuration with "idmap config" turned out
to be very complex. Version 3.3 no longer deprecates the "idmap backend"
parameter, instead with "idmap backend" the default idmap backend is
specified.

Accordingly, the "idmap config <domain> : default = yes" setting is no
longer being looked at.

The alloc backend defaults to the default backend, which should be able to
allocate IDs. In the default distribution the tdb and ldap backends can
allocate, the ad and rid backends can not. The idmap alloc range is now
being set with the "old" parameters "idmap uid" and "idmap gid".

The "idmap domains" parameter has been removed.


winbind reconnect delay
=======================

This is a new parameter which specifies the number of seconds the Winbind
daemon will wait between attempts to contact a Domain controller for a domain
that is determined to be down or not contactable.


Winbind's Name Aliasing
=======================

Name aliasing in Winbind is a feature that allows an administrator to
map a fully qualified user or group name from a Windows domain to a
convenient short name for Unix access.  This is similar to the username
map functionality supported by smbd but is primary intended for
clients and servers making use of Winbind's PAM and NSS libraries.

For example, the user "DOMAIN\fred" has been mapped to the Unix name
"freddie".

   $ getent passwd "DOMAIN\fred"
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

   $ getent passwd freddie
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

The name aliasing support is provided by individual nss_info plugins.
For example, the new "adex" plugin reads the uid attribute from Active
Directory to make a short login name to the fully qualified name.
While the new "hash" module utilizes a local file to map "short_name
= QUALIFIED\name".  Both user and group name mapping is supported.
Please refer to the "winbind nss info" option in smb.conf(5) and
to individual plugin man pages for further details.


idmap_hash
==========

The idmap_hash plugin provides similar support as the idmap_rid
module.  However, uids and gids are generated from the full domain
SID using a hashing algorithm that maps the lower 19 bits from the user
or group RID to bits 0 - 19 in the Unix id and hashes 96 bits from
the domain SID to bits 20 - 30 in the Unix id.  The result is a 31 bit
uid or gid that is consistent across machines and provides support for
trusted domains.

Please refer to the idmap_hash(8) man page for more details.


idmap_adex
==========

The adex idmap/nss_info plugin is an adaptation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).

This plugin supports

      * The RFC2307 schema for users and groups.
      * Connections to trusted domains
      * Global catalog searches
      * Cross forest trusts
      * User and group aliases

Prerequisite: Add the following attributes to the Partial Attribute
Set in global catalog:

      * uidNumber
      * uid
      * gidNumber

A basic config using the current trunk code would look like:

[global]
        idmap backend = adex
        idmap uid = 10000 - 29999
        idmap gid = 10000 - 29999
        winbind nss info = adex

        winbind normalize names = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash

Please refer to the idmap_adex(8) man page for more details.


Libraries
=========

libsmbclient will now treat file names case-sensitive by default if the filesystem
we are connecting to supports case sensitivity. This change of behavior is
considered a bug fix, as it was previously possible to accidentally overwrite a
file that had the same case-insensitive name but a different case-sensitive name
as a previously-existing file, while creating a new file.

If it is not possible to detect if the filesystem supports case sensitivity,
the user-specified option value will be used.


######################################################################
Changes
#######

smb.conf changes
----------------

    Parameter Name                      Description     Default
    --------------                      -----------     -------
    cups connection timeout             New             30
    idmap config DOM:range              Removed
    idmap domains                       Removed
    init logon delayed hosts            New             ""
    init logon delay                    New             100
    ldap ssl                            Changed Default start tls
    share modes                         Deprecated
    winbind reconnect delay             New             30


Changes since 3.3.0rc2:
-----------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 4308: Fix corrupting of file ACLs during Excel save operations.
    * BUG 5979: Fix level 2 oplocks being granted improperly.
    * BUG 5980: Race condition when granting level2 oplocks can cause break
      notify to be missed.
    * BUG 5986: Editing a stream is broken (rename problems).
    * BUG 5990: Strict allocate should be checked before ftruncate.
    * BUG 6009: Setting "min receivefile size = 1" breaks writes.
    * BUG 6016: Alternate Data Streams / Extended Attributes seem to conflict.
    * BUG 6017: Fix magic scripts.
    * BUG 6019: Fix file corruption in Clustered SMB/NFS environment managed via
      CTDB.
    * BUG 6021: smbclient du command does not recuse properly.
    * BUG 6024: Deprecate the "share modes" parameter.
    * BUG 6030: Add missing <th> header in Status page.
    * BUG 6035: Fix possible race between fcntl F_SETLKW and alarm delivery.
    * BUG 6040: Calling Samba print server with an aliased DNS-name fails.
    * Fix gcc 4.3.2 warnings.
    * Fix more asprintf errors and error code paths.
    * Attempt to fix crash seen with new CUPS async printcap loading code.
    * Add winbindd_reinit_after_fork(), cleaning out all possible events
      in a forked child.
    * Make winbindd_cm.c use winbindd_reinit_after_fork().
    * Fix race condition in alarm lock processing.
    * Fixes crash bug in SWAT.


o   Michael Adam <obnox@samba.org>
    * Fix build of pam_winbind.so on older Linux systems.
    * Packaging RHEL-CTDB: Fix build of [u]mount.cifs.
    * Prevent access to root filesystem when connecting with empty service name.
    * Fix distclean target and add realdistclean target in the docs build.
    * Add manpage for idmap_tdb2.
    * Clarify idmap manpages.


o   Kai Blin <kai@samba.org>
    * BUG 5953: Fix smbclient crashes.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Fix "allow trusted domain" so it disables trusted domains.
    * Return immediately on a failed GC connection in ads_connect.


o   SATOH Fumiyasu <fumiyas@osstech.jp>
    * Fix gmem->numgids and gmem->maxgids breakage on Solaris 64-bit.
    * Fix SIGBUS on non-x86 CPUs in libsmbclient.
    * Fix a compile-time warning.


o   Holger Hetterich <hhetter@novell.com>
    * Add a simple tdb integrity check to tdbtool.


o   Björn Jacke <bj@sernet.de>
    * Correct the description of the "ldap timeout" parameter.


o   Volker Lendecke <vl@samba.org>
    * BUG 5913: Fix build error with at least GCC 4.2.2.
    * BUG 5933: Fix incrementing/decrementing of num_validated_vuids.
    * BUG 5953: Make cli_send_smb_direct_writeX use writev.
    * BUG 5965: Fix creation of the first share using SWAT.
    * BUG 5969: Optimize smbclient put command.
    * BUG 6012: Add "get_real_filename" to full_audit.
    * BUG 6014: Fix segfault when calling mget without arguments.
    * Fix a spinning smbd when printing.
    * Fix a memory leak in cups_pull_comment_location.
    * Fix a valgrind error.
    * Fix a "ignoring function call result" warning.
    * Fix some C++ warnings.
    * Fix an ancient uninitialized variable read.
    * Fix a bad memleak in vfs_full_audit.


o   Derrell Lipman <derrell.lipman@unwireduniverse.com>
    * BUG 6022: Make smbc_urlencode and smbc_urldecode in libsmbclient.
    * Determine case sensitivity based on file system attributes.


o   Stefan Metzmacher <metze@samba.org>
    * net_status: Use dbwrap to open sessionid.tdb.
    * Fix dbwrap_store_uint32() to match dbwrap_store_int32().
    * Make marshalling struct samu from and to a buffer more generic.
    * Store the next rid counter in passdb.tdb instead of winbind_idmap.tdb.
    * Register the client connection via CTDB_CONTROL_TCP_ADD.
    * Don't need to call messaging_reinit() twice.
    * Raise TDBSAM_VERSION.
    * Add manpage for vfs_fileid.
    * Rename 'fd_event' to 'winbindd_fd_event' to avoid confusion.
    * Recreate the per domain check_online_event without relying on global
      state.
    * Handle the smb signing states the same in the krb5 and ntlmssp cases.
    * Re-add 'fileid:algorithm' option to vfs_fileid.
    * Fix CTDB IPv6 support in cluster setups.
    * Reinit_after_fork() should reinit the event context before the
      messaging context.
    * Fix PCAP support in socket_wrapper.


o   Lars Müller <lars@samba.org>
    * Tweak with pam defines of older Linux versions.


o   Tim Prouty <tprouty@samba.org>
    * Fix stream marshalling to return the correct streaminfo status.
    * Allow renames of streams via NTRENAME and fix stream error codes on
      rename.
    * Remove a few unnecessary checks from the streams xattr module.
    * Remove a few unnecessary checks from the streams depot module and fix to
      work with NTRENAME.


o   Andreas Schneider <anschneider@suse.de>
    * Fix a segfault if ? is there but the options are NULL.
    * Avoid flooding of syslog with failing pam_putenv messages.


o   Karolin Seeger <kseeger@samba.org>
    * BUG 6000: Avoid bashism in perfcount.init.
    * Change default value of "ldap ssl" to "start tls".
    * Update version number in the manpages.
    * Fix several small issues and typos in the manpages.
    * Check if Unix account exists before asking for the password in smbpasswd.


o   Todd Stecher <todd.stecher@gmail.com>
    * Fix memory leaks and other fixes found by Coverity.


o   Bo Yang <boyang@novell.com>
    * Clean event context after child is forked.
    * Fix broken krb5 refresh chain.
    * Set entry->refresh_time to make ccache_regain_all_now() work correctly.
    * Refresh sequence number as soon as possible.
    * Don't set child->requests to NULL in parent after fork.
    * Don't send message to any other child in child process.
    * Fix bug in get_dc_name_via_netlogon(), null pointer reference.



"Changes since" sections of 3.3 previews and release candidates follow:
=======================================================================

Changes since 3.3.0rc1:
------------------------

o   Jeremy Allison <jra@samba.org>
    * BUG 1254: Fix "write list" in setups using "security = share".
    * BUG 5937: Fix filenames with "*" char hiding other files.
    * BUG 5953: Fix segfaults in smbclient.
    * Fix usrmgr opening a user object as non-root.


o   Michael Adam <obnox@samba.org>
    * BUG 3661: Add support for trusted domains to idmap_ad.
    * Fix default backend handling for ad backends.
    * Fix potential segfault in vfs_tsmsm.
    * Fix several RHEL CTDB packaging issues.


o   Guenther Deschner <gd@samba.org>
    * BUG 5957: Do not abort rename process on valid rename script.
    * Fix various potential memleaks in samr_SetUserInfo.
    * Fix access bits in netapi.


o   Steve French <stevef@smf-t60p.smfdom>
    * BUG 5934: Use USER environment in mount.cifs when no user is specified.
    * variable


o   SATOH Fumiyasu <fumiyas@osstech.co.jp>
    * BUG 5688: LPQ process is orphaned if socket address parameter is invalid.
    * Vars for signals must be volatile sig_atomic_t.


o   Henning Henkel <henning.henkel@fh-furtwangen.de>
    * BUG 5929: Fix build of vfs_prealloc with option --with-cluster-support and
      GPFS.


o   Tomasz Krasuski <kr0tki@poczta.onet.pl>
    * BUG 5928: Fix 'testparm --version'.


o   Jeff Layton <jlayton@redhat.com>
    * Allow mounts to ipv6 capable servers in mount.cifs.


o   Volker Lendecke <vl@samba.org>
    * Fix crash bug when freeing a non-malloc'ed buffer if the client sends a
      non-encrypted packet with the crypto state set.
    * Fix error code when smbclient puts a file over an existing directory.
    * Pass the get_real_filename operation through the VFS.


o   Stefan Metzmacher <metze@samba.org>
    * BUG 5749: Re-set acctflags while joining.
    * Fix several issues concerning Alternate Data Streams.
    * Fix valgrind bug lp_parm_const_string().
    * Fix setting of trust passwords using 'net rpc trustdom add'.
    * Correctly detect if the current dc is the closest one.


o   Tim Prouty <tprouty@samba.org>
    * Fix a delete on close divergence from windows.


o   Dan Sledz <dsledz@isilon.com>
    * Fix logging to syslog.


o   Yasuma Takeda <yasuma@osstech.co.jp>
    * BUG 5944: Fix starting of nmbd with "socket address" set to "".


o   Bo Yang <boyang@novell.com>
    * Fix script installmo.sh when no .po file exists.


----------------------------------------------------

Changes since 3.3.0pre2:
------------------------

o   Michael Adam <obnox@samba.org>
    * Fix eventlog crash.
    * Make keytab filename argument mandatory to "net rpc vampire keytab".
    * Add domain prefix to username in lookup_groupmem().
    * Honour "winbind use default domain" in lookup_groupmem().
    * Sanely handle NULL domain in add_member().
    * Don't list the domain twice when expanding internal aliases.
    * Prevent negative GM/ cache entries due to broken connections.
    * Use the reconnect methods instead of the rpc methods directly.


o   Jeremy Allison <jra@samba.org>
    * BUG 5080: Fix access to cups-printers with cups 1.3.4.
    * BUG 5814: Fix Winbind crash bug while doing "rescan_trusted_domain".
    * BUG 5818: Sort ACEs in smbcacl output properly and honor inheritance.
    * BUG 5825: Fix account locking with an LDAP backend.
    * BUG 5826: Fix truncated filenames when accessing old servers.
    * BUG 5873: Fix ACL inheritance.
    * BUG 5889: Fix "delete veto files = no".
    * BUG 5891: Fix smbd crash when viewing the eventlog exported by "eventlog
      list".
    * BUG 5900: Fix vfs_readonly.
    * BUG 5903: Fix breaking of file contents in vfs_streams_xattr.
    * BUG 5904: Fix SIGABRT while servicing getaddrinfo() request caused by
      libnss_wins.
    * BUG 5914: Fix redefinition of struct name_list.
    * Correctly fix smbclient to terminate on eof from server.
    * Fix client timeout when searching for a large number of cups printers.
    * Unify access checks for lsa server functions.
    * Remove the requirement for ldap call made as root.
    * Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles.
    * Fix net rpc vampire, based on an *amazing* piece of debugging work by
      "Cooper S. Blake" <the_analogkid@yahoo.com>.
    * Fix memory leak in error path, spotted by Martin Zielinski <mz@seh.de>.
    * Add vfs_acl_tdb.c module to do ACLs completely in userspace.
    * Use fxattr calls whenever possible (trying to work around the strange
      Linux kernel oplock bug).


o   Kai Blin <kai@samba.org>
    * BUG 5892: Fix net rap printq info documentation.
    * Add placeholder functions to libwbclient.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Use the same prerequisite for DDNS update as Windows XP.
    * Make "lwinet ads dns register" honor the "interfaces" parameter.


o   Steven Danneman <steven.danneman@isilon.com>
    * Add options to manage identity mapping entries to wbinfo and Winbind.
    * Fix to allow setting of NULL DACL/SACL.


o   Guenther Deschner <gd@samba.org>
    * BUG 5888: Fix remote rpc service management.
    * Ensure consistency when reporting password complexity.
    * Fix _lsa_GetUserName.
    * Fix access check in _samr_QuerySecurity().
    * _samr_DeleteUser needs to wipe out the user_handle on success.
    * NetGroupEnum_r needs to handle servers with no groups.
    * Fix numerous netapi issues.
    * Add support for partial and delta netlogon replication in
      "net rpc vampire".
    * Add automatic machine password update in Winbind for member servers.
    * Add German internalization for pam_winbind.
    * Add Winbind krb5 locator plugin manpage.
    * Add new wbclient wbcLookupDomainControllerEx call.
    * Use autogenerated DCE/RPC routines for one more call on SVCCTL
      named pipe.
    * Use autogenerated NBT routines from Samba4 for Mailslot/CLDAP
      parsing.
    * Fix Winbind password change code for Windows 2000 DCs.
    * Fix PNP_HwProfInfo NDR parsing.
    * Add wbclient wbcLogonUser and wbcLogoffUserEx functions.
    * Add automatic home directory creation for pam_winbind.


o   Mathias Dietz <MDIETZ@de.ibm.com>
    * Search for gpfs functions in both libgpfs_gpl.so an libgpfs.so.


o   Dina Fine <dina@exanet.com>
    * BUG 5908: Fix internal change notify on share directories.


o   Nils Goroll <nils.goroll@hamburg.de>
    * BUG 5135: Prevent calling POSIX ACL vfs methods on zfs share.
    * BUG 5446: Prevent calling POSIX ACL vfs methods on zfs share.


o   Jeff Layton <jlayton@redhat.com>
    * Have uppercase_string return success on NULL pointer in mount.cifs.
    * Make mount.cifs return codes match the return codes for /bin/mount.


o   Volker Lendecke <vl@samba.org>
    * BUG 5691: Fig smbd panic on Solaris.
    * BUG 5840: Fix segfault in "rpcclient lsaaddacctrights".
    * BUG 5860: safe_strcpy gives a nasty error message for overlong strings.
    * Fix the offset checks in the trans routines (CVE-2008-4314).
    * Fix a potential NULL deref in found by the IBM Checker.
    * Fix an uninitialized variable found by the IBM Checker.
    * Fix an unlikely memleak found by the IBM Checker.
    * Fix some missing error handlings.
    * Add workaround for domain joins using a netbios name which is different
      from the hostname.
    * Fix a valgrind error in idmap_ad_sids_to_unixids().
    * Make memcache_add_talloc NULL out the source pointer.
    * Fix memleak in memcache_add_talloc found by Martin Zielinski <mz@seh.de>.
    * Fix memleak in calculate_next_machine_pwd_change.


o   Jeff Layton <jlayton@redhat.com>
    * mount.cifs: use lock/unlock_mtab scheme from util-linux-ng mount prog.


o   Derrell Lipman <derrell.lipman@unwireduniverse.com>
    * BUG 5805: Don't close stdout when calling setup_logging multiple times.


o   Stefan Metzmacher <metze@samba.org>
    * Return an error instead of crashing when no realm is given.


o   TAKAHASHI Motonobu <monyo@samba.gr.jp>
    * 5901: Fix default value for streams_depot location.


o   Tim Prouty <tim.prouty@isilon.com>
    * Fix several build warnings.


o   Andreas Schneider <mail@cynapses.org>
    * Delete the krb5 ccname variable from the PAM environment if set.
    * Add a function out of pam_sm_close_session to delete the credentials.
    * Fix circular dependency error with autoconf 2.6.3.


o   Davide Sfriso <sfriso@virgilio.it>
    * BUG 5906: Fix Winbind crash bug during 'getent group' on PDC.


o   Dan Sledz <dsledz@isilon.com>
    * Add FreeBSD configure check for backtrace_symbols.
    * Allow SYSLOG_FACILITY to be modified with a new configure option called
      --with-syslog-facility.


o   Joe Smith <yasumoto7@gmail.com>
    * Fix typo in source/utils/net_rap.c.


o   Martin Schwenke <martin@meltin.net>
    * Prevent make errors for picky makes when $(EXTRA_ALL_TARGETS) is empty.
    * Add @CIFSUPCALL_PROGS@ to "all" target so cifs.upcall gets built at
      compile time rather than install time.


o   Yasuma Takeda <yasuma@osstech.co.jp>
    * BUG 5909: Fix MS-DFS links containing multibyte characters on Vista.


o   Bo Yang <boyang@novell.com>
    * Fix broken msgids in ntstatus_errors.
    * i18n/l10n pam_winbind


----------------------------------------------------

Changes since 3.3.0pre1:
------------------------

o   Michael Adam <obnox@samba.org>

    * BUG 5492: Fix RHEL SPEC file by removing libmsrpc stuff.
    * BUG 5507: Fix several issues in the RHEL SPEC file.


o   Jeremy Allison <jra@samba.org>
    * BUG 5729: Explicitly allow "-valid".
    * BUG 5737: Fix winbindd crash in an unusual failure mode.
    * BUG 5751: Fix showing of ACLs on DFS in (lib)smbclient.
    * BUG 5762: Fix opening of mangled directory name (resulted
      'is a stream name').
    * BUG 5783: Fix FindFirst where search pattern == mangled filename.
    * BUG 5790: Fix returning of STATUS_OBJECT_NAME_NOT_FOUND on set file
      disposition.
    * BUG 5797: Fix moving of readonly files.
    * Fix crashes when looking up a non-existant uid.
    * Fix getting/setting of NT ACLs on a file.
    * Add st_birthtime and friends for accurate create times on *BSD
      and MacOSX).
    * Fix the wcache_invalidate_samlogon calls.
    * Clarify usage of "force create mode".
    * Get smbd to look (read-only) into the winbindd cache for uid/gid <--> sid
      mappings.
    * Write times code update.
    * Add experimental version of VFS module acl_xattr.
    * Fix rename_open_files.
    * Make SMB traffic analyzer VFS module more efficient.


o   Gerald W. Carter <jerry@samba.org>
    * Fix segfault when calling nss_get_info() with a NULL ads structure.
    * Add support for name aliasing in Winbind.
    * Add the idmap/nss-info provider from Likewise Open.
    * Allow an admin to define the "uid" attribute for a RFC2307
      user object in AD to be the username alias.
    * Add new idmap backend "adex" to support RFC2307 enabled AD forests.
    * Add new idmap backend "hash".


o   Steven Danneman <steven.danneman@isilon.com>
    * Fix build warnings.
    * Cleanup of DC enumeration in get_dcs().


o   Guenther Deschner <gd@samba.org>
    * BUG 5710: Fix changing of machine account passwords.
    * BUG 5784: Fix pam_winbind build issue on Solaris.
    * Fix invalid sid copy (hit when enumerating sibling domains) in Winbind.
    * Fix double installation of cifs.upcall.
    * Add change-user-password command to wbinfo.
    * Fix segfault in _srvsvc_NetShareAdd.


o   James Ding <ding_cc@hotmail.com>
    * BUG 5736: Fix Winbind crash bug with trusted domains.


o   Ephi Dror <Ephi.Dror@datadomain.com>
    * Correct the netsamlogon_clear_cached_user function.


o   Holger Hetterich <hhetter@novell.com>
    * Add new VFS module to analyze SMB traffic to record write and read
      operations on the Samba server.


o   Jeff Layton <jlayton@redhat.com>
    * Fix build warnings in cifs.upcall.


o   Volker Lendecke <vl@sernet.de>
    * BUG 5707: Do proper error handling if the socket is closed.
    * BUG 5778: Don't define 'strlcat' and 'strlcpy' if it's already defined.
    * Fix Coverity IDs 587 and 589.
    * Increase the default positive idmap cache time to a week.
    * Fix calculation of useable_space for trans2 and nttrans replies.
    * Add mapping of generic bits when setting an NFSv4 ACL.


o   Stefan Metzmacher <metze@samba.org>
    * Some write time fixes.


o   Karolin Seeger <kseeger@samba.org>
    * Add new parameter "cups connection timeout".


o   Simo Sorce <idra@samba.org>
    * Fix enumeration of nested group memberships in Winbind.
      This affected only setups using "security = ads".


o   Timur <timur@FreeBSD.org>
    * Fix cut and paste error in quota code.
    * Fix display of POSIX ACLs.
    * Fix aio on FreeBSD.


o   Andrew Tridgell <tridge@samba.org>
    * Fix permissions of group_mapping.ldb (CVE-2008-3789).
    * Avoid a race condition in glibc between AIO and setresuid().
    * Add missing become root for AIO operations.
    * Fix an errno handling bug that could lead to an infinite loop.
    * Fix logic of tsmsm_sendfile().
    * Fix handling of arbitrary new PAC types.
    * Fix segfault on startup with trusted domains.
    * Fix segfault on the CTDB destructor code.
    * Fix memory leak.
    * Re-add "winbind:ignore domains".


o   Jelmer Vernooij <jelmer@samba.org>
    * Fix segfault (Debian bug #431696).


o   Qiao Yang <geoyang@ironport.com>
    * Fix a memleak.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================