1 WHAT'S NEW IN Samba 2.2.6rc2 - 9th October 2002
2 ================================================
4 This is a prelease snapshot of SAMBA_2_2 cvs branch. This is a non-production
5 release provided for testing purposes only.
7 The following new new smb.conf(5) options have been added in this preview
12 The following options have been added to Samba's configure script
14 --with-sendfile Enable experimental sendfile support
15 --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality
16 for Windows 2000 native mode domains
20 Changes since 2.2.6rc1
21 ----------------------
22 1) Default all LDAP connections to v3 with compiling with --with-ldapsam
24 Changes since 2.2.6pre2
25 -----------------------
26 1) Merge in free list unlock on error fix
27 2) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
28 if we are mapping system or hidden
29 3) Fix bug with stat mode open being done on read-only open with truncate
30 4) Fix crash bug discovered where cli struct was being deallocated in a
32 5) Ensure we open UNIX fifo's non-blocking
33 6) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
34 7) only lowercase global_myname in the %L substitution, not the whole string
35 8) Merged Steve French's fix for OS/2 EA return error being removed
36 9) Patch from Steve French to fix difference in responses to smbclient
37 //server/share ls / on Samba and Windows 2000
38 10) Print error and exit if smb.conf doesn't have security=domain and
39 encrypt passwords=yes when joining domain
40 11) Added final Steve French patch for "required" attributes with old dir
42 12) Initialize user_rid value in WINBIND_USERINFO structure returned by
43 the rpc version of query_user()
44 13) Ensure we've failed a lock with a lock denied message before automatically
45 pushing it onto the blocking queue
46 14) Add experimental --with-sendfile code
47 15) alignment fix in printing code merged from HEAD
48 16) Merge fix for other sids in token from HEAD
49 17) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
50 18) fix smbclient / Win98 off by one bug
51 19) Never, *ever* hold a mutex lock in the message database where there may be
52 traversals being attempted
53 20) Add LDAP hack for retrieving the SAM sequence number when a member of a
54 Windows 2000 native mode domain
55 21) Fix race condition when changing a machine account password as we were
56 no longer locking the secrets entry
57 22) Allow '@' as a valid character in domain names
58 23) remove jobs from the spool directory when using cups
59 24) removed -lresolv for --enable-ldapsam
60 25) Memory leak fix and correct use of negative caching in winbindd
61 26) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
62 27) Delete printer security check was reversed
63 28) Windows allows delete printer on a handle opened by an admin user, then
64 used on a pipe handle created by an anonymous user...We do to now...
65 29) Make explicit the difference between a tdb key with no data attached, and
67 30) Ensure we register the 1c name on the unicast subnet.
68 31) Fix inheritance problem when recursively setting ACLs on directories
69 32) prevent ACL set on read-only share
70 33) Ensure we never have more than MAX_PRINT_JOBS in a queue
71 34) Added timeout to tdb_lock_bystring()
72 35) Ensure we set FIRST+LAST flags on a bind request
73 36) Add version strings to the usage message for smbcacls and smbpasswd
74 37) Fix bug in the write cache code
75 38) make the default printed values for boolean the same for all parameters
78 Changes since 2.2.6pre1
79 -----------------------
80 1) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
81 to only attempt to delete the architecture specified by the client
82 2) Don't allow TEMP attribute on directory open
83 3) Restore VxFS quotas to the 2.2 branch
84 4) Added basic "Wizard" functionality to SWAT
85 5) Fix initial "allocation size" in NTcreate&X call
86 6) Fix for open fid, "nametoolong"
87 7) Exit server on receipt of a non-SMB packet. Ensure we have
88 at least smb_size bytes before processing a packet
89 8) Replace inet_aton with inet_addr() to correct compile problems on Solaris
90 9) Include the "account" objectclass when adding a new account to --with-ldapsam
91 in order to comply with the data model implemented by OpenLDAP 2.1.x
92 10) Various fixes for POSIX compliance
93 11) Correct alignment & offset bug in EnumPrinterDataEx()
94 12) Fix access checks when modifying forms using a print server handle
95 (not just a printer handle)
96 13) Account for case data_len == 0 in EnumPrinterDataEx()
97 14) Fix logic error in blocking lock code
98 15) Fixed various incorrect return codes to clients
99 16) Add RESOLVE_DFSPATH to mkdir operations
100 17) Fix longstanding bug in Win2k clients by clearing the shortname
101 buffer before returning ASCII short name
102 18) added -t option to smbpasswd for explicitly changing a trust
103 account password when operating in security = domain
104 19) installed -x option to testparm to eXclude printing all parameter
105 values that are at default settings.
106 20) Fix shares/printers view in SWAT so that only Basic options are exposed
108 21) Added 1125 & KOI8-U to codepage list in Makefile.in
109 22) Include separate configure checks for *openbsd* & *freebsd* when
110 determining flags used to compile shared libraries.
118 1) Fixed several compiler warnings caused by the use of const parameters
119 2) Fixed a hang in the main smbd process caused by an EINTR in the
121 3) Fixed string substitutions to accept a length for sanity checks
122 4) Fixed 17-bit length field in nmb header
123 5) Removed non-portable inline declaration for functions
124 6) Performance fix for including files with an smb.conf variable in the
126 7) Fix for parsing LPRng lpq output
127 8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
128 printer properties to fail
129 9) Fix for printer change notification and Windows NT clients which caused
130 the client to go into an infinite loop of refeshing the local printers
132 10) Allow trans2 and nttrans messages to be processed in oplock break state
133 which fixes a problem with oplock break requests and Win2k clients
134 11) Don't crash on setfileinfo on printer fsp
135 12) Memory fixes caught by Valgrind
136 13) Updates to stop spurious error message in tdb
137 14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
138 15) Fix compilation of pam_smbpass and --with-ldap
139 16) Fix compilation of samwrapper on Solaris hosts
140 17) fix logic error in a check for enableing the winbind_pam_auth_crap() code
141 & fix formatting typo in --with-winbind-auth-challenge
142 18) Correcting check for ldap_start_tls()
143 19) Fixed a problem with getgroups() where it could include our current
147 =========================================
149 Older releases notes for 2.2.x distributions follow
151 -----------------------------------------------------------------------------
152 The release notes for 2.2.5 follow :
154 There have been several fixes and internal enhancements which include:
156 * Several compile fixes for Solaris and HP-UX
157 * More printing fixes for Windows NT/2k/XP clients
158 * New options for the VFS recycle bin library
159 * New internal signal handling semantics relating to directory change
160 notification and oplocks
162 New/Changed parameters in 2.2.5
163 --------------------------------
165 For more information on these parameters, see the man pages for
168 Added/changed parameters
169 ------------------------
171 * block size = <INTEGER>
172 * force unknown acl user = <boolean>
173 * mangling method = [hash|hash2]
176 Deprecated Parameters
177 ---------------------
179 The following parameters have been marked as deprecated and will be removed
195 See the cvs log for SAMBA_2_2 for more details
197 1) Removal of several compiler warnings, incorrect Makefile dependencies,
198 and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
199 being the predominantly reported platforms
200 2) Fixed winbindd crash bug on the IBM s390 running Linux
201 3) Inclusion of enhanced Linux quota support
202 4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
203 there is no apparent SSL support there)
204 5) POSIX conformance patches
205 6) Include new configure --enable-cups option (can also be disabled even
206 if CUPS libraries are installed on the system)
207 7) Set reasonable default for the "passwd program" parameter using an
209 8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
210 9) fixed bug to prevent root account from being deleted by the
212 10) Inclusion of autoconf script for building VFS modules
213 11) Add new run time options to the VFS recycle bin library (see
214 examples/VFS/recycle/README for details)
215 12) Include findsmb perl script as part of the "make install" process
216 13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
217 to fix a bug where printers appear at the workgroup level in the Windows
218 NT/2k APW browse list
219 14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
221 15) Fix length bug that caused password changes from Windows NT/2k clients to
223 16) Correct false password expiration when using --with-ldapsam caused by
224 missing attributes in the directory
225 17) added -S option to smbpasswd for storing the SID of a domain controller
226 as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
228 18) Various fixes for UNIX CIFS extensions commands
229 19) Fixed CIDR notation in "hosts allow/deny"
230 20) Change semantics of an idle connection to mean "no open files and no
231 open handles". We cannot idle a connection if there are open named
232 pipe handles. This fixes scalability problem on Samba print servers
233 and NT/2k clients introduced in 2.2.4
234 21) Fix germam umlaut problem when returning ACL entries
235 22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
236 of running the Microsoft Access executable (msaccess.exe) and database
237 files from a Samba share documented in the 2.2.4 release
238 23) Corrected signal handling relating to directory change notification and
240 24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
242 25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
243 clients not to be able to view printer properties from a Samba host
244 26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
245 Windows 2k/XP clients to fail
246 27) Fixed incorrect error check in mod_share_entry()
247 28) Allow %S variable in MS-DFS root paths
248 29) Correct a bug regarding the use of 'wbinfo -A'
249 30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
250 31) Store the key for a name-to-sid cache entry in upper case rather than
251 whatever case the request was made in. This gets rid of duplicate
253 32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
254 33) Enhanced error reporting messages of wbinfo
255 34) Parameterize block size on disk size return
256 35) Added new parameter to allow incoming ACLs to have owner and group forced
257 to the currently logged in user. This fixes the XCOPY /O problem
258 36) Fixed bug in local_change_password() caused by reusing a struct
260 37) Change default value for "ldap port" to 389 if "ldap ssl = no"
261 38) Updated HOWTO's, manpages, and general documentation....
262 39) Allow root as well as domain admins to open an LDAP connection
263 40) Fixed veto files bug with ".*"
264 41) Fixed uninitialized variable bug in smbpasswd that was causing a random
265 IP address to be used in the connection when joining a domain
266 42) Fix for joining a domain with a netbios name of 15 characters and
267 pre-creating the account on the DC
268 43) Added links to new documentation on SWAT welcome page
272 -----------------------------------------------------------------------------
273 The release notes for 2.2.4 follow :
275 There have been several fixes and internal enhancements which include:
277 * More/better SPOOLSS printing functionality for Windows
279 * Several fixes relating to serving PC database files such
280 as (Access and FoxPro) from a Samba file share.
281 * Several improves in Samba's VFS layer which can be seen
282 in the inclusion of a "Recycle Bin" vfs module. See
283 examples/VFS/README for more details on this.
284 * Addition of a tool (tdbbackup) for backup/restore of Samba's
286 * Continued improvements to winbind for greater scalability
288 * Several fixes related to Samba's MS-DFS support
289 * Rpcclient's various printer commands now work (again)
292 New/Changed parameters in 2.2.4
293 --------------------------------
295 For more information on these parameters, see the man pages for
298 Added/changed parameters
299 ------------------------
307 * winbind use default domain
310 Deprecated parameters
311 ---------------------
313 The following parameters have been marked as deprecated
314 and will be removed in Samba 3.0
318 * printer driver file
319 * printer driver location
331 See the cvs log for SAMBA_2_2 for more details
333 1) added -c option to smbpasswd
334 2) reworked smbpasswd internal command line option parsing
335 3) small various bug fixes to experimental pdb_tdb.c
336 4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
337 5) Added missing access checks to [add/delete/set]form
338 6) Compile fixes for pam_smbpass
339 7) fix smbd crash when netbios session request fails from
340 spoolss_connect_to_client().
341 8) fixed logic bug that prevent SetPrinter() from storing devmode
342 9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
343 10) fix joining domain on big endian machine when using -U to smbpasswd
344 11) allow command line arg to override smb.conf log level
345 12) continue to retry to register 1b name with wins server if there is an old IP there
346 13) fix smbclient print crash bug
347 14) 9x pnp fix when the config file and driver file are different
348 15) force testparm to print the correct value for log level
349 16) fix swat to show full log level info
350 17) fix server GetPrinterData() fields to be more sensible
351 18) fix logic error in SetPrinterDataEx()
352 19) Only set smb_read_error if not already set
353 20) Fix string returns that require unicode
354 21) Merge of printing performance fixes from appliance
355 22) lpq parsing fixes
356 23) Back port tridge's xcopy /o fix from HEAD
357 24) Fix the printer change notify code (unfinished)
358 25) Patch for Domain users not showing up
359 26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
360 27) Ensure that all methods of looking up and connecting to DC's work
361 using identical logic.
362 28) Merge in the mutex code to stop multiple domain logon failure
364 30) Fix winbindd to respect command line debuglevel as nmbd/smbd
365 31) Update with tdbbackup from HEAD
366 32) Fix for typo on solaris nss
367 33) Merge in the locking changes from HEAD
368 34) Added POSIX ACL layer into the vfs
369 35) Fix the returning of domain enum
370 36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
371 37) Enable test for -rdynamic when building binaries
372 38) Remove the "stat open" code - make it inline
373 39) Fix the mp3 rename bug
374 40) Fix for Explorer DFS problems on older Windows 9X machines
375 41) implement OpenPrinter() opnum == 0x01
376 42) Matched W2K *insane* open semantics....
377 43) small fix that will prevent the "failed to marshall
378 R_NET_SAMLOGON" message in the logs
379 42) don't do checking of local passdb in smbpasswd if using -r option
380 43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
381 try to connect to a server named '*'
382 44) merge rpcclient code from HEAD
383 45) Ensure MACHINE.SID update done before child spawns
384 46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
385 47) Removed --with-vfs - always built if available
386 48) Fixed psec for 2.2
387 49) Fixed the handle leak in the connection management code
388 50) fix disable spoolss after the switch to nt status codes
389 51) Added Shirish's client side caching policy change
390 52) Honor the specversion when parsing the the DEVICEMODE
391 53) fix parsing bug when DEVICEMODE's private data does not end
393 54) do not idle an smbd when there is an open pipe
394 55) when a new driver is added to a Samba server, cycle through
395 all printers and bump the change_id for each one bound to the driver
396 56) allow smbclient to work with a FIFO as well (needed for KDE
398 57) various updates to pdb_nisplus.c
399 58) many small documentation updates
400 59) removed many compiler warnings
403 -----------------------------------------------------------------------------
404 The release notes for 2.2.3a follow :
406 This is a minor bugfix release for the 2.2.3 release. The 2.2.3
407 release had a problem that was visible to Windows 2000 Explorer
408 users in that copying files into a share that already existed
409 failed with "Access Denied" rather than asking the user if an
410 overwrite was required. This was due to an incorrect error mapping
411 between the UNIX EXIST error code and the NT status error.
413 As Windows Explorer is a highly visible end user application a quick
414 bugfix release was required, hence 2.2.3a.
416 Compilation on HPUX versions earlier than HPUX 11 has also been
419 The cvs.log file is no longer included with this release, as it adds
420 13Mb to the size of the release, and is easily available on the Web.
422 -----------------------------------------------------------------------------
423 The release notes for 2.2.3 follow :
425 There are several important scaling bugs that have been fixed in this release
426 for large server systems so an upgrade is recommended.
431 Much work has been done on the LDAP backend code. The configure
432 option --with-ldapsam is now considered to be stable. The schema
433 used has changed, see the file examples/LDAP/samba.schema for the
436 New documentation explaining how to set up a Samba only PDC/BDC
437 setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
438 in the documentation tree.
440 winbindd daemon extended
441 ------------------------
443 Samba 2.2.2 was the first release to include the winbind daemon.
444 This code allows UNIX systems that implement the name service
445 switch (nss) to be entered into a Windows NT/2000 domain and
446 use the Domain controller for all user and group enumeration.
448 Samba 2.2.3 fixes the known memory leaks in winbindd and has
449 been extended to work with SGI IRIX and HPUX (11.x) in addition
450 to the earlier targets of Linux and Solaris.
452 For more information on using winbind, see the man pages for
455 Note that winbindd is not installed by default.
457 New/Changed parameters in 2.2.3
458 --------------------------------
460 For more information on these parameters, see the man pages for
463 Added/changed parameters.
464 -------------------------
468 Enables the experimental UNIX CIFS extensions in smbd. See the manpage
473 Some printer drivers will crash the Windows NT/2000 spooler service
474 if they are given a default devmode, some require it. This parameter
475 allows the administrator a choice of whether smbd returns such a
476 default devmode for a driver.
480 This parameter has been restored to allow people who wish smbd to ignore
481 client share modes. This is *very dangerous* and should not be set without
482 full knowledge of what this is designed for.
487 1). Fixed shared library compile for Solaris with native compiler.
488 2). UNIX CIFS extensions code added (donated by HP).
489 3). Changed to using NT status codes on the wire if the client can support
491 4). altname command to show 8.3 name added to smbclient.
492 5). const-safe endian macros now used.
493 6). client code now uses UNICODE on the wire.
494 7). Correctly return fault PDU's on bad handle.
495 8). Improved NT error code mapping table.
496 9). Many new point and print RPC calls added.
497 10). Win9x clients can now see full user list.
498 11). field added to identify simultaneous open files (no longer
499 use dev/inode/time as unique value).
500 12). HPUX ACL code added (donated by HP).
501 13). vfs interfaces updated (again !).
502 14). MSDOS Code Page 866 -> 1251 mapping added.
503 15). winbindd now processes quit/hup signals correctly.
504 16). No tdb traversal done on startup/shutdown - ensures scalability.
505 17). Fix bug with paths for homes share.
506 18). Fixed copyfile for OS/2.
507 19). Fix group membership when groups are on more than one line.
508 20). Fixed core dumps in posix ACL mapping code.
509 21). Tidyup of UNICODE functions (put/get).
510 22). Move rpcclient to the new libsmb code.
511 23). Add missing Windows 2000 passthough trans2 calls.
512 24). Return check all tdb calls.
513 25). Make local name lookup work even if wins server is down.
514 26). pam session code added to winbind.
515 27). Added winbindd cache to all lookups.
516 28). Fix allocate bugs that caused file sizes to be incorrect.
517 29). Fixed write cache code - now safe to use.
518 30). Fixed winbindd memory leaks.
519 31). winbindd will now do name lookups (to allow non Open Source
520 systems to do the nsswitch WINS lookup). Fixed by SGI.
521 32). passdb memory leaks fixed.
522 33). LDAP code updates and now properly maintained.
523 34). Finally figured out how changeid is meant to work.
524 35). Downlevel printing now looks as NT does in print monitor window.
525 36). Many fixups in spoolss printing RPC parsing.
526 37). Speed up password enumeration as a PDC.
527 38). Fix printer changed notify messages (work from HP).
528 39). Fix modify timestamp on close code.
529 40). Fix long standing mangled names bug.
530 41). Fix delete on close semantics.
531 42). Stop opening all files with O_NONBLOCK !
532 43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
533 44). Ensure NT supplementary groups get added to user token.
534 45). Try and mitigate effects of DNS timeout (do less lookups).
535 46). Added current user connection context stack.
536 47). Fixes to utmp code.
537 48). smbw code tidyups.
538 49). Added tdb open log code. Several tdb fixes.
540 -----------------------------------------------------------------------------
541 The release notes for 2.2.2 follow :
543 New daemon included - winbindd
544 ------------------------------
546 Samba 2.2.2 is the first release to include the winbind daemon.
547 This code allows UNIX systems that implement the name service
548 switch (nss) to be entered into a Windows NT/2000 domain and
549 use the Domain controller for all user and group enumeration.
551 This allows a Samba server added to a Windows domain to serve
552 file and print services with *NO* local users needed in /etc/passwd
553 and /etc/group - all users and groups are read directly from the
554 Windows domain controller. In addition with pam_winbind which allows
555 a PAM enabled UNIX system to use a Windows domain for authentication
556 service this allows single sign on and account control across
557 UNIX and Windows systems.
559 The current version of winbindd shipped in 2.2.2 does have some
560 memory leaks, which will be addressed for the next Samba release,
561 so it is advisable to monitor the winbind process. This code is
562 being used in production by several vendors, so the leaks are
563 manageable. In addition, this version of winbind does not work
564 correctly against a Samba PDC, due to some missing calls on the
565 PDC side. These problems are being addressed for the next Samba
566 release, but it was thought better to release the code now rather
567 than delay the main Samba code to match the winbind release schedule.
569 For more information on using winbind, see the man pages for
572 Note that winbindd is not installed by default.
574 New/Changed parameters in 2.2.2
575 -------------------------------
577 For more information on these parameters, see the man pages for
580 Added/changed parameters.
581 -------------------------
585 Causes Samba not to create UNIX 'sparse' files, but to follow the
586 Windows behavior of always allocating on-disk space.
590 Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
591 UNIX systems that don't have coherent mmap/read-write internal caches.
592 You should not need to set this parameter.
596 This parameter has been changed to a per-share option, and is very
597 useful in enabling Windows 2000 SP2 to load/save profiles from a
600 New printing parameters.
601 ------------------------
605 Setting this parameter causes Samba to go back to the old 2.0.x
606 LANMAN printing behavior, for people who wish to disable the
611 Causes Windows NT/2000 clients to need have a local printer driver
612 installed and to treat the printer as local.
617 Samba 2.2.2 contains new code to maintain a Samba SAM database
618 on a remote LDAP server. These parameters have been added as
619 part of this code. These parameters are only available when Samba
620 has been compiled with the --with-ldapsam option.
628 The SSL support in Samba has been fixed. These new parameters
629 are part of the changes added. These parameters are only available
630 when Samba has been compiled with the --with-ssl option.
631 Please see the smb.conf man page for details.
637 New winbindd parameters.
638 ------------------------
640 These parameters are used by winbindd. See the man page for
641 winbindd for details.
662 Some new README's have been added in the docs/ directory. These cover
663 using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
664 and how to use Samba to help prevent Windows virus spread
665 (docs/README.Win32-Viruses).
667 Quota problems on a Linux 2.4 kernel.
668 -------------------------------------
670 Currently the quota interfaces have diverged between the Linus
671 2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
672 are shipped with RedHat). Running quota-enabled Samba compiled on
673 an Alan Cox kernel works correctly on an Alan Cox kernel (the one
674 shipped by default with RedHat 7.x) but fails on a Linus kernel.
676 This is a mess, and hopefully Alan and Linus will sort it out soon.
677 In the meantime we need to ship.....
682 1). mmap tdb code disabled on HPUX. This should prevent the reports of
683 tdb corruption on HUPX.
684 2). Large file support set to off in Solaris 5.5 and below.
685 3). Better CUPS detection.
686 4). New SAM (password database) backends - smbpasswd (traditional),
687 LDAP, NIS+ and Samba TDB.
688 5). Quota fixups on Linux.
689 6). libsmbclient stand-alone code added. Can be built as a shared library
691 7). Tru64 ACL support added.
692 8). winbindd option added.
693 9). Realloc fail tidyup fixes all over the code.
694 10). Large improvement in hash table code efficiency - would be found with
696 11). Error code consistency improved (still needs more work).
697 12). Profile shared memory support added to nmbd.
698 13). New Windows 2000/NT passthrough info levels added.
699 14). readraw/writeraw code rewritten - many bugs fixed.
700 15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
701 16). Reverse DNS lookup avoided on socket open.
702 17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
703 18). Zero length byte range lock code added. Much closer to Windows semantics.
704 19). Alignment fault fixes for Linux/Alpha.
705 20). Error checking on tdb returns vastly improved.
706 21). Handling of delete on close fixed. No longer possible to leave 'dead'
708 22). Handling of oplock break failure cleanups improved. Should not be
709 able to leave 'dead' entries.
710 23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
711 24). Misc. MS-DFS code fixes.
712 25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
713 26). winbind pam module added.
714 27). Order N^^2 enumeration of printers problem fixed.
715 28). Password backend database code re-ordered to allow different password
716 backends (at compile time currently).
717 29). Improved print driver version detection for Windows 2000.
718 30). Driver DEVMODE initialization fixes.
719 31). Improved SYSV print parse code.
720 32). Fixed enumeration of large numbers of users/groups from Windows clients.
722 33). Fix for buggy NetApp RPC pipe clients.
723 34). Fix for NT sending multiple SetPrinterDataEx calls.
724 35). Fix for logic bug where smbd could delay oplock break request messages
725 from other smbd daemons whilst client kept us busy.
726 36). Fix deadlock problem with connections tdb on enumeration.
727 37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
728 38). Removed unused readbmpx/writebmpx code.
729 39). Attempt to fix Linux 2.4.x quota mess.
730 40). Improved ctemp code for Windows 2000 compatibility.
731 41). Finally understood difference between set EOF and set allocation requests.
732 Added strict allocate parameter to help.
733 42). Correctly return name types on name to SID lookups.
734 43). tdb spinlock code update.
735 44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
737 -----------------------------------------------------------------------------
738 The release notes for 2.2.1a follow :
740 This is a minor bugfix release for 2.2.1, *NOT* security related.
742 1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
743 Windows2000 machine into a Samba hosted PDC would fail due to our
744 stricter user name checking. We were disallowing user names
745 containing '$', which is needed when using smbpasswd to add a
746 machine into a domain. Automatically adding machines (using the
747 native Windows tools) into a Samba domain worked correctly.
749 2.2.1a fixes this single problem.
751 -----------------------------------------------------------------------------
752 The release notes for 2.2.1 follow :
754 New/Changed parameters in 2.2.1
755 -------------------------------
760 obey pam restrictions
762 When Samba is configured to use PAM, turns on or off Samba checking
763 the PAM account restrictions. Defaults to off.
767 When Samba is configured to use PAM, turns on or off Samba passing
768 the password changes to PAM. Defaults to off.
772 New option to allow new Windows 2000 large file (64k) streaming
773 read/write options. Needs a 64 bit underlying operating system
774 (for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
775 by 10% with Windows 2000 clients. Defaults to off. Not as tested
776 as some other Samba code paths.
780 Prevents clients from seeing the existence of files that cannot
781 be read. Off by default.
785 Turn on/off the enhanced Samba browsing functionality (*1B names).
786 Default is "on". Can prevent eternal machines in workgroups when
787 WINS servers are not synchronized.
799 1). "find" command removed for smbclient. Internal code now used.
800 2). smbspool updates to retry connections from Michael Sweet.
801 3). Fix for mapping 8859-15 characters to UNICODE.
802 4). Changed "security=server" to try with invalid username to prevent
804 5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
805 6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
806 7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
807 lock tester tool for distributed databases.
808 8). Preliminary support added for Windows 2000 large file read/write SMBs.
809 9). Changed random number generator in Samba to prevent guess attacks.
810 10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
811 smbd's clean the tdb files on startup and shutdown.
812 11). Fixes for default ACLs on Solaris.
813 12). Tidyup of password entry caching code.
814 13). Correct shutdowns added for send fails. Helps tdb cleanup code.
815 14). Prevent invalid '/' characters in workgroup names.
816 15). Removed more static arrays in SAMR code.
817 16). Client code is now UNICODE on the wire.
818 17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
819 18). All tdb opens now going through logging function.
820 19). Add pam password changing and pam restrictions code.
821 20). Printer driver management improvements (delete driver).
822 21). Fix difference between NULL security descriptors and empty
823 security descriptors.
824 22). Fix SID returns for server roles.
825 23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
826 24). Allow smbcontrol to forcibly disconnect a share.
827 25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
828 mmap/file read/write cache.
829 26). Fix race condition in returning create disposition for file create/open.
830 27). Fix NT rewriting of security descriptors to their canonical form for
832 28). Fix for Samba running on top of Linux VFAT ftruncate bug.
833 29). Swat fixes for being run with xinetd that doesn't set the umask.
834 30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
835 TCP stack early ack specification error.
836 31). Changed lock & persistent tdb directory to /var/cache/samba by default on
837 RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
839 -----------------------------------------------------------------------------
840 The release notes for 2.2.0a follow :
845 This is a security bugfix release for Samba 2.2.0. This release provides the
846 following two changes *ONLY* from the 2.2.0 release.
848 1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
849 and described in the security advisory below.
850 2). Fix for the hosts allow/hosts deny parameters not being honoured.
852 No other changes are being made for this release to ensure a security fix only.
853 For new functionality (including these security fixes) download Samba 2.2.1
854 when it is available.
856 The security advisory follows :
859 IMPORTANT: Security bugfix for Samba
860 ------------------------------------
868 A serious security hole has been discovered in all versions of Samba
869 that allows an attacker to gain root access on the target machine for
870 certain types of common Samba configuration.
872 The immediate fix is to edit your smb.conf configuration file and
873 remove all occurances of the macro "%m". Replacing occurances of %m
874 with %I is probably the best solution for most sites.
879 A remote attacker can use a netbios name containing unix path
880 characters which will then be substituted into the %m macro wherever
881 it occurs in smb.conf. This can be used to cause Samba to create a log
882 file on top of an important system file, which in turn can be used to
883 compromise security on the server.
885 The most commonly used configuration option that can be vulnerable to
886 this attack is the "log file" option. The default value for this
887 option is VARDIR/log.smbd. If the default is used then Samba is not
888 vulnerable to this attack.
890 The security hole occurs when a log file option like the following is
893 log file = /var/log/samba/%m.log
895 In that case the attacker can use a locally created symbolic link to
896 overwrite any file on the system. This requires local access to the
899 If your Samba configuration has something like the following:
901 log file = /var/log/samba/%m
903 Then the attacker could successfully compromise your server remotely
904 as no symbolic link is required. This type of configuration is very
907 The most commonly used log file configuration containing %m is the
908 distributed in the sample configuration file that comes with Samba:
910 log file = /var/log/samba/log.%m
912 in that case your machine is not vulnerable to this attack unless you
913 happen to have a subdirectory in /var/log/samba/ which starts with the
919 Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
926 While we recommend that vulnerable sites immediately change their
927 smb.conf configuration file to prevent the attack we will also be
928 making new releases of Samba within the next 24 hours to properly fix
929 the problem. Please see http://www.samba.org/ for the new releases.
931 Please report any attacks to the appropriate authority.
936 ---------------------------------------------------------------------------
938 The release notes for 2.2.0 follow :
940 This is the official Samba 2.2.0 release. This version of Samba provides
941 the following new features and enhancements.
943 Integration between Windows oplocks and NFS file opens (IRIX and Linux
944 2.4 kernel only). This gives complete data and locking integrity between
945 Windows and UNIX file access to the same data files.
947 Ability to act as an authentication source for Windows 2000 clients as
948 well as for NT4.x clients.
950 Integration with the winbind daemon that provides a single
951 sign on facility for UNIX servers in Windows 2000/NT4 networks
952 driven by a Windows 2000/NT4 PDC. winbind is not included in
953 this release, it currently must be obtained separately. We are
954 committed to including winbind in a future Samba 2.2.x release.
956 Support for native Windows 2000/NT4 printing RPCs. This includes
957 support for automatic printer driver download.
959 Support for server supported Access Control Lists (ACLs).
960 This release contains support for the following filesystems:
964 Linux Kernel with ACL patch from http://acl.bestbits.at
965 Linux Kernel with XFS ACL support.
968 FreeBSD (with external patch)
970 Other platforms will be supported as resources are
971 available to test and implement the necessary modules. If
972 you are interested in writing the support for a particular
973 ACL filesystem, please join the samba-technical mailing
974 list and coordinate your efforts.
976 On PAM (Pluggable Authentication Module) based systems - better debugging
977 messages and encrypted password users now have access control verified via
978 PAM - Note: Authentication still uses the encrypted password database.
980 Rewritten internal locking semantics for more robustness.
981 This release supports full 64 bit locking semantics on all
982 (even 32 bit) platforms. SMB locks are mapped onto POSIX
983 locks (32 bit or 64 bit) as the underlying system allows.
985 Conversion of various internal flat data structures to use
986 database records for increased performance and
989 Support for acting as a MS-DFS (Distributed File System) server.
991 Support for manipulating Samba shares using Windows client tools
992 (server manager). Per share security can be set using these tools
993 and Samba will obey the access restrictions applied.
995 Samba profiling support (see below).
997 Compile time option for enabling a (Virtual file system) VFS layer
998 to allow non-disk resources to be exported as Windows filesystems
999 (such as databases etc.).
1001 The documentation in this release has been updated and converted
1002 from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
1003 and some defaults have changed.
1007 Support for collection of profile information. A shared
1008 memory area has been created which contains counters for
1009 the number of calls to and the amount of time spent in
1010 various system calls, smb transactions and nmbd activity. See
1011 the file profile.h for a complete listing of the information
1012 collected. Sample code for a samba pmda (collection agent
1013 for Performance Co-Pilot) has been included in the pcp
1016 To enable the profile data collection code in samba, you must
1017 compile samba with profile data support (run configure with
1018 the --with-profiling-data option). On startup, collection of
1019 data is disabled. To begin collecting data use the smbcontrol
1020 program to turn on profiling (see the smbcontrol man page).
1021 Profile information collection can be enabled for nmbd, all smbd
1022 processes or one or more selected processes. The profiling
1023 data collected is the aggregate for all processes that have
1026 With samba compiled for profile data collection, you may see
1027 a very slight degradation in performance even with profiling
1028 collection turned off. On initial tests with NetBench on an
1029 SGI Origin 200 server, this degradation was not measurable
1030 with profile collection off compared to no profile collection
1031 compiled into samba.
1033 With count profile collection enabled on all clients, the
1034 degradation was less than 2%. With full profile collection
1035 enabled on all clients, the degradation was about 8.5%.
1037 =====================================================================
1039 If you think you have found a bug please email a report to :
1043 As always, all bugs are our responsibility.