1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Release Notes Archive</title>
11 <h2>The Samba Team is pleased to announce Samba 2.0.5</h2>
15 The Samba Team is pleased to announce Samba 2.0.5.
17 This is the latest stable release of Samba. This is the
18 version that all production Samba servers should be running
19 for all current bug-fixes.
21 Please read the "IMPORTANT NOTE" section of the release
22 notes as this explains three security bugfixes which have
23 been added in this release. It is vital that Samba admins
24 understand these issues.
26 It may be fetched via ftp from :
28 <a href="/samba/ftp/samba-2.0.5.tar.gz">/samba/ftp/samba-2.0.5.tar.gz </a>
30 Binary packages will be available shortly for many popular platforms.
31 Please check the main Web site or email announcements for details.
33 If you have problems, or think you have found a bug please email
36 <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
38 The WHATSNEW.txt file follows.
40 As always, any bugs are our responsibility,
46 -----------------------------------------------------------
47 WHATS NEW IN Samba 2.0.5
48 ========================
50 This is the latest stable release of Samba. This is the
51 version that all production Samba servers should be running
52 for all current bug-fixes.
57 This version of Samba contains three security bugfixes for
58 problems in previous versions of Samba found by Olaf Kirch of
59 Caldera Systems (www.caldera.com). The Samba Team would like
60 to publicly thank Olaf for his help in doing a security review
61 of our code and finding these bugs.
63 The three bugs are one potentially exploitable buffer overrun
64 bug (although no current exploits are known) in smbd and two
65 denial of service bugs in nmbd. By default the smbd bug was not
66 exploitable as shipped (the problem parameter was disabled by
67 default) but instructions on protecting any version of Samba
68 prior to 2.0.5 are included below.
70 All these bugs have been fixed in Samba 2.0.5.
72 If using any version of Samba prior to 2.0.5 the administrator
73 *MUST NOT* enable the "message command" parameter in smb.conf,
74 and *MUST* remove any "message command" that is listed in any
75 existing smb.conf file. No known instances of this attack being
76 exploited have been reported.
78 All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
79 denial of service attack causing nmbd to either crash or to go
80 into an infinite loop. No known instances of this attack being
81 exploited have been reported.
83 New/Changed parameters in 2.0.5
84 -------------------------------
86 There are 5 new parameters in the smb.conf file.
90 directory security mask
94 The first 4 parameters are used to control the UNIX permissions bits
95 that an NT client is allowed to modify. These parameters are now
96 used instead of the older "create" parameters that were used in
97 2.0.4 to allow an administrator to separate the two functions.
99 Use of these new parameters is described in the smb.conf man page,
100 and also in the documents :
102 docs/textdocs/NT_Security.txt
103 docs/htmldocs/NT_Security.html
105 The fifth new parameter is described in the following section.
110 Samba 2.0.5 now implements level2 oplocks. As this is new
111 code this parameter is set to "off" by default. The benefit
112 of level2 oplocks is to allow read-only file caching from
113 multiple clients. This is of great speed benefit to shares
114 that are serving application executable programs (.EXE's)
115 that are usually not written to. To learn more about using
116 level 2 oplocks read the parameter description in the smb.conf
117 documentation or read the file :
119 docs/textdocs/Speed.txt.
124 1). smbmount for Linux systems has been re-written to use
125 the libsmb code and clientutil.c is no longer used with it.
126 2). A bug preventing directory opens using the NT SMB calls
128 3). A related bug causing a file structure leak when directory
129 opens were denied has been fixed.
130 4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
132 5). Prevent timestamps of 0 or -1 corrupting file timestamps.
133 6). Fix for unusual delays when browsing shares using Windows
134 2000 - fix added by Matt.
135 7). Fix for smbpassword reading problems on Sparc Linux was fixed.
136 8). Fix for compiling with SSL library.
137 9). smbclient fix for crash when doing CR/LF conversion.
138 10). smbclient now reports short read errors.
139 11). smbclient now uses remote server workgroup to list servers by default.
140 12). smbclient now has -b option to change transmit/send buffer size.
141 13). smbclient fix for corrupting files when issuing multiple outstanding
143 14). Printing bug where Linux was using SYSV printing by default fixed.
144 Linux now set to be BSD printing by default.
145 15). Change for Linux to use SYSV shared memory by default.
146 16). Fix for using IP_TOS options on some systems.
147 17). Fix for some systems that complained about static struct passwd
148 buffers being modified.
149 18). Range checking applied to all string substitutions. Theoretically
150 not a bug, but much more rebust now.
151 19). Level II oplocks implemented.
152 20). Fix for Win2K client printing added.
153 21). Always allow loopback (127.0.0.1) connects unless specifically denied.
154 22). Patch for FreeBSD interface detection code from Archie Cobbs
155 (archie@whistle.com).
156 23). Return correct status from smbrun.
157 24). snprintf fixes for floating point numbers.
158 25). Force directories to always have zero size.
159 26). Fix for "force group" and "force user" options. "force user" now
160 always uses primary group of user as well. Force group now enhanced with '+'
161 semantics (see smb.conf man page for details).
162 27). Wildcard matching fix to get closer to WinNT semantics for Win9x clients.
163 28). Potential crash bug fixed in wildcard matching code. This bug could also
164 cause smbd to sometimes not see exact file matches.
165 29). Read/write for sockets changed to use revc/send to allow optimisations
167 30). Oplocks added to client library.
168 31). Several purify fixes in IPC code.
169 32). nmbd crash bug in processing strange NetBIOS names fixed.
170 33). nmbd loop bug in processing strange NetBIOS names fixed.
171 34). Paranoia fixes to processing of incoming WinPopup messages in smbd.
172 35). Share mode code now auto initialised.
173 36). Detect dead processes in IPC lock code.
174 37). Explicit -V version switch added to command line processing.
175 38). WORKGROUP(1b) name processing with no WINS server fixed.
176 39). Win2k client detection code added by Matt.
177 40). Fix to allow really short changenotify times to be honoured.
178 41). Fix for NT delete finding the wrong file from Tine Smukavec
179 (valentin.smukavec@hermes.si)
180 42). SWAT fix to prevent stderr messages from breaking the Web client.
181 43). testparm fixes to check more parameter conflicts.
182 44). Relative paths not fetched via SWAT in CGI scripts.
183 45). SWAT remote password change - remote host name not treated as a
184 password field any more.
189 A bug with MS-Word 97 saving files with zero UNIX permissions
190 was fixed. Even though a workaround is available (set force
191 create mode = 644 on the share) Word is such an important
192 application that a point fix was neccessary.
197 The text and html versions of NT_Security were missing from
198 the shipping tarball. Also a compile bug for platforms that
199 don't have usleep was fixed.
204 There are 5 new parameters and one modified parameter in
207 allow trusted domains
210 oplock break wait time
211 oplock contention limit
213 The modified parameter is :
217 Bugfixes added since 2.0.3
218 --------------------------
220 1). Fix for 8 character password problem when using HPUX and
222 2). --with-pam option added to ./configure.
223 3). Client fixes for memory leak and display of 64 bit values.
224 4). Fixes for -E and -s option with smbclient.
225 5). smbclient now allows -L //server or -L \\server
226 6). smbtar fix for display of 64 bit values.
227 7). Endian independence added to DCE/RPC code.
228 8). DCE/RPC marshalling/unmarshalling code re-written to provide
229 overflow reporting and sign and seal support.
230 9). Bind NAK reply packet added to DCE/RPC code, used to correctly
231 refuse bind requests (prevents NT system event log messages).
232 10). Mapping of UNIX permissions into NT ACL's for get and set
234 11). DCE/RPC enumeration of numbers of shares made dynamic.
235 Samba now has no limit on the number of exported shares seen.
236 12). Fix to speed up random number seed generation on /dev/urandom
238 13). Several memory fixes added by running Purify on the code.
239 14). Read from client error messages improved.
240 15). Fixed endianness used in UNICODE strings.
241 16). Cope with ERRORmoredata in an RPC pipe client call.
242 17). Check for malformed responses in nmbd register name.
243 18). NT Encrypted password changing from the NT password dialog box
244 now fully implmented.
245 19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
247 20). Allow file to be pseudo-openend in order to read security only.
248 21). Improve filename mangling to reduce chance of collisions.
249 22). Added code to prevent granting of oplocks when a file is under
251 23). Added tunable wait time before sending an oplock break request
252 to a client if the client caused the break request. Helps with clients
253 not responding to oplock breaks.
254 24). Always respond negatively to queued local oplock break messages
255 before shutdown. This can prevent "freezes" on an oplock error.
256 25). Allow admin to restrict logons to correct domain when in domain
258 26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
259 to prevent parameter substitution problems with anonymous connections.
260 27). Fix SMBseek where seeking to a negative number sets the offset
262 28). Fixed problem with mode getting corrupted in trans2 request
263 (setting to zero means please ignore it).
264 29). Correctly become the authenticated user on an authenticated
265 DCE/RPC pipe request.
266 30). Correctly reset debug level in nmbd if someone set it on the
268 31). Added more checking into testparm
269 32). NetBench simulator added to smbtorture by Andrew.
270 33). Fixed NIS+ option compile (was broken in 2.0.3).
271 34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
274 Bugfixes added since 2.0.2
275 --------------------------
277 1). --with-ssl configure now include ssl include directory. Fix
279 2). Patch for configure for glibc2.1 support (large files etc.).
280 3). Several bugfixes for smbclient tar mode from Bob Boehmer
281 (boehmer@worldnet.att.net) to fix smbclient aborting problems
282 when restoring tar files.
283 4). Some automount fixes for smbmount.
284 5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
285 root. As no-one has given us root access to such a server this
286 cannot be tested fully, but should work.
287 6). Crash bug fix in debug code where *real* uid rather than
288 *effective* uid was being checked before attempting to rotate
289 log files. This fix should help a *lot* of people who were
290 reporting smbd aborting in the middle of a copy operation.
291 7). SIGALRM bugfix to ensure infinate file locks time out.
292 8). New code to implement NT ACL reporting for cacls.exe program.
293 9). UDP loopback socket rebind fix for Solaris.
294 10). Ensure all UNICODE strings are correctly in little-endian
296 11). smbpasswd file locking fix.
297 12). Fixes for strncpy problems with glibc2.1.
298 13). Ensure smbd correctly reports major and minor version number
299 and server type when queried via NT rpc calls.
300 14). Bugfix for short mangled names not being pulled off the
301 mangled stack correctly.
302 15). Fix for mapping of rwx bits being incorrectly overwritten
303 when doing ATTRIB.EXE
304 16). Fix for returning multiple PDU packets in NT rpc code. Should
305 allow multiple shares to be returned correctly).
306 17). Improved mapping of NT open access requests into UNIX open
308 18). Fix for copying files from an NTFS volume that contain
309 multiple data forks. Added 'magic' error code NT needs.
310 19). Fixed crash bug when primary NT authentication server
311 is down, rolls over to secondaries correctly now.
312 20). Fixed timeout processing to be timer based. Now will
313 always occur even if smbd is under load.
314 21). Fixed signed/unsigned problem in quotas code.
315 22). Fixed bug where setting the password of a completely fresh
316 user would end up setting the account disabled flag.
317 23). Improved user logon messages to help admins having
318 trouble with user authentication.
320 Bugfixes added since 2.0.1
321 --------------------------
323 Note that due to a critical signal handling bug in 2.0.1,
324 this release has been removed and replaced immediately with
325 2.0.2. The Samba Team would like to apologise for any problem
326 this may have caused.
328 1). Fixed smbd looping on SIGCLD problem. This was
329 caused by a missing break statement in a critical
332 Bugfixes added since 2.0.0
333 --------------------------
335 1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
336 2). Autoconf changes to help HPUX configure correctly.
337 3). Autoconf changes to allow lock directory to be set.
338 4). Client fix to allow port to be set.
339 5). clitar fix to send debug messages to stderr.
340 6). smbmount race condition fix.
341 7). Fix for bug where trying to browse large numbers of shares
342 generated an error from an NT client.
343 8). Wrapper for setgroups for SunOS 4.x
344 9). Fix for directory deleting failing from multiuser NT.
345 10). Fix for crash bug if bitmap was full.
346 11). Fix for Linux genrand where /dev/random could cause
347 clients to timeout on connect if the entropy pool was
349 12). The default PASSWD_CHAT may now be overridden in local.h
350 13). HPUX printing fixes for default programs.
351 14). Reverted (erroneous) code in MACHINE.SID generation that
352 was setting the sid to 0x21 - should be *decimal* 21.
353 15). Fix for printing to remote machine under SVR4.
354 16). Fix for chgpasswd wait being interrupted with EINTR.
355 17). Fix for disk free routine. NT and Win98 now correctly
356 show greater than 2GB disks.
357 18). Fix for crash bug in stat cache statistics printing.
358 19). Fix for filenames ending in .~xx.
359 20). Fix for access check code wait being interrupted with EINTR.
360 21). Fix for password changes from "invalid password" to a valid
361 one setting the account disabled bit.
362 22). Fix for smbd crash bug in SMBreadraw cache prime code.
363 23). Fix for overly zealous lock range overflow reporting.
364 24). Fix for large disk disk free reporting (NT SMB code).
365 25). Fix for NT failing to truncate files correctly.
366 26). Fix for smbd crash bug with SMBcancel calls.
367 27). Additional -T flag to nmblookup to do reverse DNS on addresses.
368 28). SWAT fix to start/stop smbd/nmbd correctly.
370 Major changes in Samba 2.0
371 --------------------------
373 This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
374 and print server for Windows systems.
376 There have been many changes in Samba since the last major release,
377 1.9.18. These have mainly been in the areas of performance and
378 SMB protocol correctness. In addition, a Web based GUI interface
379 for configuring Samba has been added.
381 In addition, Samba has been re-written to help portability to
382 other POSIX-based systems, based on the GNU autoconf tool.
384 There are many major changes in Samba for version 2.0. Here are
387 =====================================================================
392 Samba has been benchmarked on high-end UNIX hardware as out-performing
393 all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
394 Many changes to the code to optimise high-end performance have been made.
399 Samba now supports the Windows NT specific SMB requests. This
400 means that on platforms that are capable Samba now presents a
401 64 bit view of the filesystem to Windows NT clients and is
402 capable of handling very large files.
407 Samba is now self-configuring using GNU autoconf, removing
408 the need for people installing Samba to have to hand configure
409 Makefiles, as was needed in previous versions.
411 You now configure Samba by running "./configure" then "make". See
412 docs/textdocs/UNIX_INSTALL.txt for details.
414 4). Web based GUI configuration
415 -------------------------------
417 Samba now comes with SWAT, a web based GUI config system. See
418 the swat man page for details on how to set it up.
420 5). Cross protocol data integrity
421 ---------------------------------
423 An open function interface has been defined to allow
424 "opportunistic locks" (oplocks for short) granted by Samba
425 to be seen by other UNIX processes. This allows complete
426 cross protocol (NFS and SMB) data integrety using Samba
427 with platforms that support this feature.
429 6). Domain client capability
430 ----------------------------
432 Samba is now capable of using a Windows NT PDC for user
433 authentication in exactly the same way that a Windows NT
434 workstation does, i.e. it can be a member of a Domain. See
435 docs/textdocs/DOMAIN_MEMBER.txt for details.
437 7). Documentation Updates
438 -------------------------
440 All the reference parts of the Samba documentation (the
441 manual pages) have been updated and converted to a document
442 format that allows automatic generation of HTML, SGML, and
443 text formats. These documents now ship as standard in HTML
446 =====================================================================
448 NOTE - Some important option defaults changed
449 ---------------------------------------------
451 Several parameters have changed their default values. The most
452 important of these is that the default security mode is now user
453 level security rather than share level security.
455 This (incompatible) change was made to ease new Samba installs
456 as user level security is easier to use for Windows 95/98 and
459 ********IMPORTANT NOTE****************
461 If you have no "security=" line in the [global] section of
462 your current smb.conf and you update to Samba 2.0 you will
463 need to add the line :
467 to get exactly the same behaviour with Samba 2.0 as you
468 did with previous versions of Samba.
470 ********END IMPORTANT NOTE*************
472 In addition, Samba now defaults to case sensitivity options that
473 match a Windows NT server precisely, that is, case insensitive
476 The default format of the smbpasswd file has also been
477 changed for this release, although the new tools will read
478 and write the old format, for backwards compatibility.
480 =====================================================================
482 NOTE - Primary Domain Controller Functionality
483 ----------------------------------------------
485 This version of Samba contains code that correctly implements
486 the undocumented Primary Domain Controller authentication
487 protocols. However, there is much more to being a Primary
488 Domain Controller than serving Windows NT logon requests.
490 A useful version of a Primary Domain Controller contains
491 many remote procedure calls to do things like enumerate users,
492 groups, and security information, only some of which Samba currently
493 implements. In addition, there are outstanding (known) bugs with
494 using Samba as a PDC in this release that the Samba Team are actively
495 working on. For this reason we have chosen not to advertise and
496 actively support Primary Domain Controller functionality with this
499 This work is being done in the CVS (developer) versions of Samba,
500 development of which continues at a fast pace. If you are
501 interested in participating in or helping with this development
502 please join the Samba-NTDOM mailing list. Details on joining
505 <a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
507 Details on obtaining CVS (developer) versions of Samba
510 <a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
512 =====================================================================
514 If you have problems, or think you have found a bug please email
517 <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
519 As always, all bugs are our responsibility.
525 ----------------------------------------------------------------------