clean event context after child is forked.

[Samba/bb.git] / WHATSNEW.txt

                   =============================
                   Release Notes for Samba 3.3.0
                          January, 05 2009
                   =============================

This is the first stable release of Samba 3.3.0.

Major enhancements in Samba 3.3.0 include:

 General changes:
 o The passdb tdbsam version has been raised.

 Configuration/installation:
 o Splitting of library directory into library directory and separate
   modules directory.
 o The default value of "ldap ssl" has been changed to "start tls".

 File Serving:
 o Extended Cluster support.

 Winbind:
 o Simplified idmap configuration.
 o New idmap backends "adex" and "hash".
 o Added new parameter "winbind reconnect delay".
 o Added support for user and group aliasing.
 o Added support for multiple domains to idmap_ad.

 Administrative tools:
 o The destination "all" of smbcontrol does now affect all running
   daemons including nmbd and winbindd.
 o New 'net rpc vampire keytab' and 'net rpc vampire ldif' commands.
 o The 'net' utility can now use kerberos for joining and authentication.
 o The 'wbinfo' utility can now add, modify and remove identity mapping entries.

 Libraries:
 o NetApi library implements various new calls for User- and Group
   Account Management.


General changes
===============

The passdb tdbsam version has been raised as among other things the RID counter
has been moved from the winbindd_idmap.tdb to the passdb.tdb file to make
"passdb backend = tdbsam" working in clustered environments.

Please note that an updated passdb.tdb file is _not_ compatible with Samba
versions before 3.3.0! Please backup your passdb.tdb file if
you use "passdb backend = tdbsam". That can be achieved by running

'tdbbackup /etc/samba/passdb.tdb'

before the update.


Configure changes
=================

The configure option "--with-libdir" has been removed. The library
directory can still be specified by using the existing "--libdir" option.
A new option "--with-modulesdir" has been added to allow the specification
of a separate directory for the shared modules.


Configuration changes
=====================

The default value of "ldap ssl" has been changed to "start tls". This means,
Samba will use the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with directory servers by default. If your directory servers
do not support this extended operation, you will have to set
"ldap ssl = no". Otherwise, Samba could not contact the directory servers
anymore!


Winbind idmap backend changes
=============================

The idmap configuration has changed with version 3.3 to something that
allows a smoother upgrade path from pre-3.0.25 configurations that use
"idmap backend". The reason for this change is that to many, also to Samba
developers, the 3.0.25 style configuration with "idmap config" turned out
to be very complex. Version 3.3 no longer deprecates the "idmap backend"
parameter, instead with "idmap backend" the default idmap backend is
specified.

Accordingly, the "idmap config <domain> : default = yes" setting is no
longer being looked at.

The alloc backend defaults to the default backend, which should be able to
allocate IDs. In the default distribution the tdb and ldap backends can
allocate, the ad and rid backends can not. The idmap alloc range is now
being set with the "old" parameters "idmap uid" and "idmap gid".

The "idmap domains" parameter has been removed.


winbind reconnect delay
=======================

This is a new parameter which specifies the number of seconds the Winbind
daemon will wait between attempts to contact a Domain controller for a domain
that is determined to be down or not contactable.


Winbind's Name Aliasing
=======================

Name aliasing in Winbind is a feature that allows an administrator to
map a fully qualified user or group name from a Windows domain to a
convenient short name for Unix access.  This is similar to the username
map functionality supported by smbd but is primary intended for
clients and servers making use of Winbind's PAM and NSS libraries.

For example, the user "DOMAIN\fred" has been mapped to the Unix name
"freddie".

   $ getent passwd "DOMAIN\fred"
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

   $ getent passwd freddie
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

The name aliasing support is provided by individual nss_info plugins.
For example, the new "adex" plugin reads the uid attribute from Active
Directory to make a short login name to the fully qualified name.
While the new "hash" module utilizes a local file to map "short_name
= QUALIFIED\name".  Both user and group name mapping is supported.
Please refer to the "winbind nss info" option in smb.conf(5) and
to individual plugin man pages for further details.


idmap_hash
==========

The idmap_hash plugin provides similar support as the idmap_rid
module.  However, uids and gids are generated from the full domain
SID using a hashing algorithm that maps the lower 19 bits from the user
or group RID to bits 0 - 19 in the Unix id and hashes 96 bits from
the domain SID to bits 20 - 30 in the Unix id.  The result is a 31 bit
uid or gid that is consistent across machines and provides support for
trusted domains.

Please refer to the idmap_hash(8) man page for more details.


idmap_adex
==========

The adex idmap/nss_info plugin is an adaptation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).

This plugin supports

      * The RFC2307 schema for users and groups.
      * Connections to trusted domains
      * Global catalog searches
      * Cross forest trusts
      * User and group aliases

Prerequisite: Add the following attributes to the Partial Attribute
Set in global catalog:

      * uidNumber
      * uid
      * gidNumber

A basic config using the current trunk code would look like:

[global]
        idmap backend = adex
        idmap uid = 10000 - 29999
        idmap gid = 10000 - 29999
        winbind nss info = adex

        winbind normalize names = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash

Please refer to the idmap_adex(8) man page for more details.


######################################################################
Changes
#######

smb.conf changes
----------------

    Parameter Name                      Description     Default
    --------------                      -----------     -------
    cups connection timeout             New             30
    idmap domains                       Removed
    init logon delayed hosts            New             ""
    init logon delay                    New             100
    ldap ssl                            Changed Default start tls
    winbind reconnect delay             New             30


Changes since 3.3.0rc2:
-----------------------


o   Jeremy Allison <jra@samba.org>
    * BUG 5979: Fix level 2 oplocks being granted improperly.
    * BUG 5980: Race condition when granting level2 oplocks can cause break
      notify to be missed.
    * BUG 5986: Editing a stream is broken (rename problems).
    * BUG 5990: Strict allocate should be checked before ftruncate.
    * BUG 6009: Setting "min receivefile size = 1" breaks writes.
    * Fix gcc 4.3.2 warnings.
    * Fix more asprintf errors and error code paths.


o   Michael Adam <obnox@samba.org>
    * Fix build of pam_winbind.so on older Linux systems.
    * Packaging RHEL-CTDB: Fix build of [u]mount.cifs.
    * Prevent access to root filesystem when connecting with empty service name.


o   Kai Blin <kai@samba.org>
    * BUG 5953: Fix smbclient crashes.


o   Gerald (Jerry) Carter <jerry@samba.org>
    * Fix "allow trusted domain" so it disables trusted domains.


o   SATOH Fumiyasu <fumiyas@osstech.jp>
    * Fix gmem->numgids and gmem->maxgids breakage on Solaris 64-bit.
    * Fix SIGBUS on non-x86 CPUs in libsmbclient.
    * Fix a compile-time warning.


o   Holger Hetterich <hhetter@novell.com>
    * Add a simple tdb integrity check to tdbtool.


o   Björn Jacke <bj@sernet.de>
    * Correct the description of the "ldap timeout" parameter.


o   Volker Lendecke <vl@samba.org>
    * BUG 5913: Fix build error with at least GCC 4.2.2.
    * BUG 5933: Fix incrementing/decrementing of num_validated_vuids.
    * BUG 5953: Make cli_send_smb_direct_writeX use writev.
    * BUG 5969: Optimize smbclient put command.
    * BUG 6012: Add "get_real_filename" to full_audit.
    * BUG 6014: Fix segfault when calling mget without arguments.
    * Fix a spinning smbd when printing.
    * Fix a memory leak in cups_pull_comment_location.
    * Fix a valgrind error.
    * Fix a "ignoring function call result" warning.
    * Fix some C++ warnings.
    * Fix an ancient uninitialized variable read.
    * Fix a bad memleak in vfs_full_audit.


o   Stefan Metzmacher <metze@samba.org>
    * net_status: Use dbwrap to open sessionid.tdb.
    * Fix dbwrap_store_uint32() to match dbwrap_store_int32().
    * Make marshalling struct samu from and to a buffer more generic.
    * Store the next rid counter in passdb.tdb instead of winbind_idmap.tdb.
    * Register the client connection via CTDB_CONTROL_TCP_ADD.
    * Don't need to call messaging_reinit() twice.
    * Raise TDBSAM_VERSION.


o   Lars Müller <lars@samba.org>
    * Tweak with pam defines of older Linux versions.


o   Tim Prouty <tprouty@samba.org>
    * Fix stream marshalling to return the correct streaminfo status.


o   Karolin Seeger <kseeger@samba.org>
    * Change default value of "ldap ssl" to "start tls".
    * Update version number in the manpages.
    * Fix several small issues and typos in the manpages.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 3.3 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================