<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs and Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs And Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs and Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs and Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
gpg: Good signature from "Samba Distribution Verification Key <samba-bugs@samba.org>"
</pre>
+<p>For information on Samba security releases, please see our <a href="/samba/history/security.html">security page</a>.</p>
+
<br>
<table border=0>
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs And Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
--- /dev/null
+<!--#include virtual="/samba/header.html" -->
+ <title>Samba - opening windows to a wider world</title>
+<!--#include virtual="/samba/header2.html" -->
+
+ <p>Samba is an <a href="http://www.opensource.org/">Open Source</a>/<a href="http://www.gnu.org/philosophy/free-sw.html">Free Software</a> suite that provides seamless file and print services to SMB/CIFS clients. Samba is freely available under the <a href="/samba/docs/GPL.html">GNU General Public License</a>.</p>
+
+
+ <h2>Current Release</h2>
+
+ <h4>7 August 2004</h4>
+
+ <p class="headline"><a name="latest"> Samba 3.0.6rc2 Available for Download</a></p>
+
+ <p>The second release candidate of Samba 3.0.6 is now available for download.
+ Previously released snapshots in this series were referred to as 3.0.5pre1
+ and 3.0.5rc1. These were later renamed as the 3.0.6 series due to the
+ 3.0.5 security release. Samba 3.0.6rc2 can be downloaded in
+ <a href="/samba/ftp/rc/samba-3.0.6rc2.tar.gz">gzipped format</a>.
+ The <a href="/samba/ftp/rc/samba-3.0.6rc2.tar.asc">GPG signature</a> is for the uncompressed tarball.
+ There have been several bug fixes since the 3.0.4/5 release that
+ we feel are important to make available to the Samba community
+ for wider testings. This release is <b>not</b> intended for production
+ servers. Use at your own risk. All testing is very much appreciated.
+ Please refer to the <a href="/samba/ftp/rc/WHATSNEW-3-0-6rc2.txt">Release Notes</a> for
+ descriptions of the exact changes.</p>
+
+ <p><a href="http://samba.org/~jerry/RPMS/samba/">RPMS for RedHat 8/9
+ and Fedora Core 1/2</a> can also be downloaded.</p>
+
+
+ <h2>News</h2>
+
+
+ <div class="plugs">
+ <a href="/samba/tshirt.html"><img src="/samba/images/t-small.jpg"
+alt="Samba t-shirt" /></a>
+
+ <p><a href="/samba/tshirt.html">Samba T-shirts and mugs are available!</a></p>
+ </div>
+
+ <div class="request">
+ <p>Please select the closest <span class="punch">mirror site</span> from the menu above. The popularity of Samba puts a strain on our network. By using a mirror site you can do your bit to reduce the load.</p>
+ </div>
+
+<!--#include virtual="/samba/footer.html" -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.0.0</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce a new major release of Samba,
+Samba 2.0.
+
+This is the latest stable release of Samba. This is the version that
+all production Samba servers should be running for all current
+bug-fixes.
+
+Samba 2.0.0 is available in source form from
+samba.org and all of our mirror sites at the url :
+
+<a href="/samba/ftp/samba-2.0.0.tar.gz">/samba/ftp/samba-2.0.0.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ Issues fixed between Beta5 and 2.0.0
+ ------------------------------------
+
+1). Fixed problems with SIGCLD causing infinite looping of
+ smbd on Solaris in password changing code.
+2). Fixed compile problem with mmap for HPUX.
+3). Fixed issues with setreuid code not being used in preference
+ to seteuid code.
+4). Added capability to return the same NT ACL that NT does
+ when queried on a DOS FAT filesystem. This fixes the "not
+ implemented" error message for GetSecurityDescriptor() calls
+ that was causing some NT apps to fail.
+5). Fixed nmbd strange name loop problem.
+6). Added fix to show full pathname for locked files.
+7). Re-added FTRUNCATE_NEEDS_ROOT code and autoconf test for
+ older systems.
+8). nmbd now reloads smb.conf in main loop rather than in
+ signal handler.
+9). Re-wrote changenotify tests to do directory scan. Needed
+ for Visual C++ to work correctly.
+10). Re-wrote directory handle code to eliminate handle leak
+ and allow infinite (well 4096) simultaneous handles using
+ bitmap code.
+11). Fixed bug where MS-Office wouldn't report file in use.
+12). Caused timeout processing to be done correctly on timestamps,
+ not on bogus counter.
+13). Cause timeout processing to be done on receipt of SMBecho.
+14). Added code to cope with NT bug where it's sending 64 bit
+ lock ranges to a server that only handles 32 bit ranges.
+15). Allows %S substitution to be used in force user.
+16). Fixed autoconf test for setreuid.
+17). Fixed bug in testparm with password changing parameter.
+18). Fixed SWAT bug - now remove 'commit' button from areas where
+ user doesn't have write access.
+
+-----------------------------------------------------------
+ Issues fixed between Beta4 and Beta5
+ ------------------------------------
+
+1). Recuse directory bug with NT and smbtar fixed. smbtar now
+ recurses through all directories correctly.
+2). Subtle bug fixed with the SIGCLD eating process status values
+ in cases where they are needed.
+3). Fixed autoconf detection and handling of the different
+ setresuid/seteuid/setuid calls on different UNIXs.
+4). Wrapped readdir64 for large file support.
+5). Fixed --with-nisplus compile for Solaris.
+6). Fixed wildcard bug with 16 bit clients. Also got closer
+ to NT wildcard semantics.
+7). Allowed seek fails with EPIPE when doing client seeks to
+ allow Windows clients to communicate with UNIX processes via
+ fifo's (worked on 1.9.18, was broken in 2.0.0beta1-4).
+8). Fixed compile bug with slow share mode code.
+9). Fixes for QNX compiles.
+10). Fixed recursion bug in nmbd if WINS server returns an
+ error at a bad time :-).
+11). Log AFS auth fail.
+12). Fixed Digital UNIX enhanced security problem with SWAT.
+13). Updated SID generation code to produce NT compatible SIDs.
+14). Fixed bug with ENOSPC on close() calls. This should now
+ be detected and returned to the client.
+15). NT transact parameters weren't being zeroed out before use.
+16). Fixed lockread bug where it was asking for a read-only
+ lock. It should be using a write lock (however strange this
+ seems :-).
+17). Many SWAT printer fixes from Herb Lewis.
+18). SWAT parameters now grouped in a more logical way.
+19). Changed main smbd select loop to 60 seconds, smb.conf checks
+ to every 120 seconds to reduce load on large servers.
+
+-----------------------------------------------------------
+ Issues fixed between Beta3 and Beta4
+ ------------------------------------
+
+1). More sanity checks in testparm code to help diagnose smb.conf
+ problems.
+2). Ensure log header not written before log rotated.
+3). Fix getrlimit number of file descriptors problem with AIX.
+ AIX supports the call but always returns infinity. This was
+ causing smbd to try and allocate a large amount of memory.
+4). Fixed name lookup in lmhosts to match the documentation for
+ name type lookup.
+5). Removed need to link password database code into nmbd.
+6). Stop nmbd sending broadcast name refresh requests, use
+ permanent TTL on broadcast interfaces.
+7). Flag "PRINTER" and "SHARE" parameters so SWAT can display
+ them correctly.
+8). Fix SWAT so that it can display auto-generated printer list.
+9). Added AFS and DCE auth includes back.
+10). Added workaround to Windows NT redirector bug where it sends
+ 64 bit lock requests to systems that don't support 64 bit offsets
+ (eg. Linux).
+11). Fixed name mangling cache bug.
+12). Fix smbpasswd bug where a missmatched password could be mis-interpreted
+ when adding a user.
+13). Updates to SWAT to display "commit" button if user has write
+ access to smb.conf.
+14). Fixed to autoconf for HPUX systems to work around broken
+ HPUX shadow.h include file.
+
+-----------------------------------------------------------
+ Issues fixed between Beta2 and Beta3
+ ------------------------------------
+
+1). New parameters added :
+ "add user script"
+ "delete user script"
+ Designed to allow Samba servers to be set up with
+ no UNIX users and to allow them to create the needed
+ UNIX users on the fly. See the smb.conf documentation
+ for more details.
+2). Autoconf issues including fixes for large file support for
+ Solaris and SINIX, and stat64 tests on SVR4 systems.
+3). Code dealing with dos pathnames and native pathnames split
+ to be explicit about when Samba is accessing which type of
+ name.
+4). Fix for missing PRINTCAP define under HPUX.
+5). Added Samba specific strtoul().
+6). Fix for reverse filename mapping with ISO8859-5 filenames.
+7). Fix for nmbd not starting correctly sometimes due to pid
+ locking file.
+8). Check for error returns in file descriptor limit checking code.
+9). Kernel oplock code bugfix.
+10). Restored client retarget code.
+11). Fix for potential stack overflow in Digital UNIX crypt check.
+12). Explicitly test for negative uids in smbpasswd file.
+13). Fix for NT username in Domain logon code.
+14). Patch from Scott Moomaw scott@bridgewater.edu to correctly
+ return "Invalid Info level" to Win95 printer clients.
+15). Fix to allow NT printer clients to add printers (as 1.9.18
+ code would allow).
+16). Fix to prevent ".." being used in servicename.
+17). New SWAT icons.
+
+-----------------------------------------------------------
+ Issues fixed between Beta1 and Beta2
+ ------------------------------------
+
+1). Many autoconf issues (too many to list here).
+2). Correctly set default printing for AIX.
+3). Attempt to fix struct rtentry not being defined problem.
+4). Convert all open() style calls to wrappers for 64 bit systems.
+5). Get more 'const' correct.
+6). Fix bug with O_EXCL not being set on exlusive open requests.
+7). Fix string_sub() problem with LinPopup.
+8). Fix lmhosts bug causing only 3 character names to be looked up.
+9). Fixed bug with NetBIOS pointers in scope names.
+10). Removed code that was preventing NT3.51 PDC logons from working.
+11). Fixed crash bug when processing DELETE_ON_CLOSE directive from MS Office.
+12). Fixed NT4.x problems adding printer.
+13). Stop multiple logs of NT ACL's not supported messages.
+14). Changed 'security=server' mode to use *SMBSERVER name if
+ initial connect refused.
+15). Fixed NT4.x problem with modify times not being preserved
+ on explorer file copy.
+16). 'Silent' switch for testparm.
+17). Added 'hosts allow/deny' checks to SWAT.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.0
+ ========================
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+Major changes in Samba 2.0
+--------------------------
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://lists.samba.org/listinfo/samba-ntdom/">http://lists.samba.org/listinfo/samba-ntdom/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://www.samba.org/cvs.html">http://www.samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.1</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.1.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes. Due to a couple of smbd crash
+bugs that were found in Samba 2.0.0 it is recommened
+all sites using Samba 2.0.0 upgrade to this release.
+
+Samba 2.0.1 is available in source form from
+samba.org and all of our mirror sites at the url :
+
+<a href="/samba/ftp/samba-2.0.1.tar.gz">/samba/ftp/samba-2.0.1.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.1
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.2</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.2.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes. Due to a couple of smbd crash
+bugs that were found in Samba 2.0.0 and a critical signal
+handling bug found in Samba 2.0.1 it is recommened
+all sites using Samba 2.0.0 upgrade to this release.
+
+Due to the signal handling bug Samba 2.0.1 was
+withdrawn hours after release. The Samba Team would
+like to apologise for any inconvenience caused.
+
+Samba 2.0.2 is available in source form from
+samba.org and all of our mirror sites at the url :
+
+<a href="/samba/ftp/samba-2.0.2.tar.gz">/samba/ftp/samba-2.0.2.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.2
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Note that due to a critical signal handling bug in 2.0.1,
+this release has been removed and replaced immediately with
+2.0.2. The Samba Team would like to apologise for any problem
+this may have caused.
+
+Bugfixes added since 2.0.1
+--------------------------
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.3</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.3.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.3.tar.gz">/samba/ftp/samba-2.0.3.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.3
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+New/Changed parameters in 2.0.3
+-------------------------------
+
+There are 2 new parameters and one enhanced parameter in
+the smb.conf file.
+
+The new parameters are :
+
+nt acl support
+--------------
+
+This is a global parameter that defaults to False (at the
+present time). If set to yes it allows UNIX file permissions
+to be reported via the Windows NT "cacls.exe" program. As some
+of the RPC calls that allow cacls to report the name of the
+owner of a file are not yet implemented in 2.0.3 this parameter
+is set to "no" by default. The default state of this parameter
+will change to "yes" in a future release.
+
+min passwd length
+-----------------
+
+This is an integer global parameter that tells Samba the minimum
+permissible UNIX password length (in characters) when Samba is
+set to synchronise the Windows and UNIX passwords. By default
+this is set to 5, and was previously hardcoded into Samba 2.0.x.
+
+The modified parameter is :
+
+announce as
+-----------
+
+Prior to 2.0.3 this parameter had only one setting for Windows
+NT compatibility, "NT", which was the default. This is still
+the default and this still tells Samba to announce itself in
+browse lists as an NT server, however this parameter may now
+be set to "NT workstation" which causes Samba to announce itself
+as an NT workstation instead of a server.
+
+All of these new parameters and changes are documented in the
+smb.conf man pages and html pages.
+
+Updated and New documentation
+-----------------------------
+
+The NT Domain FAQ has been updated. Three new text documents have
+been provided :
+
+docs/textdocs/File-Cacheing.txt
+docs/textdocs/NT-Guest-Access.txt
+docs/textdocs/CRLF-LF-Conversions.txt
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+
+Bugfixes added since 2.0.1
+--------------------------
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.4</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.4.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Samba 2.0.4 now supports the viewing and modification of
+UNIX security ownership and permissions from the standard
+Windows NT client security dialog. More details may be found
+in the NT_Security document included in this release.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.4b.tar.gz">/samba/ftp/samba-2.0.4b.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.4
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+New/Changed parameters in 2.0.4
+-------------------------------
+
+There are 5 new parameters and one modified parameter in
+the smb.conf file.
+
+allow trusted domains
+restrict anonymous
+mangle locks
+oplock break wait time
+oplock contention limit
+
+The new parameters are :
+
+allow trusted domains
+---------------------
+
+This option is used in "security=domain" settings and allows
+the Samba admin to restrict access to users within the domain
+the the Samba server is in.
+
+restrict anonymous
+------------------
+
+This parameter allows the Samba admin to cause Samba to
+refuse access to anonymous users. Use of this parameter
+is only recommened for homogenous NT client environments.
+
+mangle locks
+------------
+
+This parameter was added to get around a bug in Windows NT
+when dealing with Samba running on 32-bit systems (such
+as Linux x86). This bug causes NT to send 64 bit locking
+requests to 32-bit systems even though Samba correctly
+tells the NT client not to do so. This option causes Samba
+to map the lock requests from 64 bits to 32 bits on these
+systems.
+
+oplock break wait time
+----------------------
+
+This tuning parameter, added to help with clients that don't
+respond to oplock break requests, causes Samba to deley for
+this number of milliseconds before sending an oplock break
+request to a client that caused the break to be sent. The
+default is 10ms. This is an advanced tuning parameter and
+should not be changed lightly.
+
+oplock contention limit
+-----------------------
+
+This tuning parameter causes Samba not to grant oplocks
+when an smbd daemon notices that there have been this
+many concurrent requests for an oplock on a file. This
+prevents the "baton passing" oplock problem where many
+clients accessing one file pass the oplock between themselves
+like a baton. The default is 2. This is an advanced tuning
+parameter and should not be changed lightly.
+
+The modified parameter is :
+
+nt acl support
+--------------
+
+This is a global parameter that defaulted to False in
+the previous release (2.0.3) and now defaults to True
+as the RPC code has been added to Samba to allow it to
+map UNIX permissions to NT ACLs.
+
+All of these new parameters and changes are documented in the
+smb.conf man pages and html pages.
+
+Updated and New documentation
+-----------------------------
+
+A new document describing the manipulation of UNIX permissions
+via the Windows NT security dialogs and their interaction with
+Samba 2.0.4 is provided as :
+
+docs/textdocs/NT_Security.txt
+docs/htmldocs/NT_Security.html
+
+Bugfixes added since 2.0.3
+--------------------------
+
+1). Fix for 8 character password problem when using HPUX and
+plaintext passwords.
+2). --with-pam option added to ./configure.
+3). Client fixes for memory leak and display of 64 bit values.
+4). Fixes for -E and -s option with smbclient.
+5). smbclient now allows -L //server or -L \\server
+6). smbtar fix for display of 64 bit values.
+7). Endian independence added to DCE/RPC code.
+8). DCE/RPC marshalling/unmarshalling code re-written to provide
+overflow reporting and sign and seal support.
+9). Bind NAK reply packet added to DCE/RPC code, used to correctly
+refuse bind requests (prevents NT system event log messages).
+10). Mapping of UNIX permissions into NT ACL's for get and set
+added.
+11). DCE/RPC enumeration of numbers of shares made dynamic.
+Samba now has no limit on the number of exported shares seen.
+12). Fix to speed up random number seed generation on /dev/urandom
+being unavailable.
+13). Several memory fixes added by running Purify on the code.
+14). Read from client error messages improved.
+15). Fixed endianness used in UNICODE strings.
+16). Cope with ERRORmoredata in an RPC pipe client call.
+17). Check for malformed responses in nmbd register name.
+18). NT Encrypted password changing from the NT password dialog box
+now fully implmented.
+19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
+Samba platform.
+20). Allow file to be pseudo-openend in order to read security only.
+21). Improve filename mangling to reduce chance of collisions.
+22). Added code to prevent granting of oplocks when a file is under
+contention.
+23). Added tunable wait time before sending an oplock break request
+to a client if the client caused the break request. Helps with clients
+not responding to oplock breaks.
+24). Always respond negatively to queued local oplock break messages
+before shutdown. This can prevent "freezes" on an oplock error.
+25). Allow admin to restrict logons to correct domain when in domain
+level security.
+26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
+to prevent parameter substitution problems with anonymous connections.
+27). Fix SMBseek where seeking to a negative number sets the offset
+to zero.
+28). Fixed problem with mode getting corrupted in trans2 request
+(setting to zero means please ignore it).
+29). Correctly become the authenticated user on an authenticated
+DCE/RPC pipe request.
+30). Correctly reset debug level in nmbd if someone set it on the
+command line.
+31). Added more checking into testparm
+32). NetBench simulator added to smbtorture by Andrew.
+33). Fixed NIS+ option compile (was broken in 2.0.3).
+34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
+(ejb@ql.org)
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+
+Bugfixes added since 2.0.1
+--------------------------
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.5</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.5.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Please read the "IMPORTANT NOTE" section of the release
+notes as this explains three security bugfixes which have
+been added in this release. It is vital that Samba admins
+understand these issues.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.5.tar.gz">/samba/ftp/samba-2.0.5.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.5
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+IMPORTANT NOTE !
+----------------
+
+This version of Samba contains three security bugfixes for
+problems in previous versions of Samba found by Olaf Kirch of
+Caldera Systems (www.caldera.com). The Samba Team would like
+to publicly thank Olaf for his help in doing a security review
+of our code and finding these bugs.
+
+The three bugs are one potentially exploitable buffer overrun
+bug (although no current exploits are known) in smbd and two
+denial of service bugs in nmbd. By default the smbd bug was not
+exploitable as shipped (the problem parameter was disabled by
+default) but instructions on protecting any version of Samba
+prior to 2.0.5 are included below.
+
+All these bugs have been fixed in Samba 2.0.5.
+
+If using any version of Samba prior to 2.0.5 the administrator
+*MUST NOT* enable the "message command" parameter in smb.conf,
+and *MUST* remove any "message command" that is listed in any
+existing smb.conf file. No known instances of this attack being
+exploited have been reported.
+
+All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
+denial of service attack causing nmbd to either crash or to go
+into an infinite loop. No known instances of this attack being
+exploited have been reported.
+
+New/Changed parameters in 2.0.5
+-------------------------------
+
+There are 5 new parameters in the smb.conf file.
+
+security mask
+force security mode
+directory security mask
+force directory mode
+level2 oplocks
+
+The first 4 parameters are used to control the UNIX permissions bits
+that an NT client is allowed to modify. These parameters are now
+used instead of the older "create" parameters that were used in
+2.0.4 to allow an administrator to separate the two functions.
+
+Use of these new parameters is described in the smb.conf man page,
+and also in the documents :
+
+docs/textdocs/NT_Security.txt
+docs/htmldocs/NT_Security.html
+
+The fifth new parameter is described in the following section.
+
+Level II oplocks
+----------------
+
+Samba 2.0.5 now implements level2 oplocks. As this is new
+code this parameter is set to "off" by default. The benefit
+of level2 oplocks is to allow read-only file caching from
+multiple clients. This is of great speed benefit to shares
+that are serving application executable programs (.EXE's)
+that are usually not written to. To learn more about using
+level 2 oplocks read the parameter description in the smb.conf
+documentation or read the file :
+
+docs/textdocs/Speed.txt.
+
+Changes in 2.0.5
+-----------------
+
+1). smbmount for Linux systems has been re-written to use
+the libsmb code and clientutil.c is no longer used with it.
+2). A bug preventing directory opens using the NT SMB calls
+has been fixed.
+3). A related bug causing a file structure leak when directory
+opens were denied has been fixed.
+4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
+bit.
+5). Prevent timestamps of 0 or -1 corrupting file timestamps.
+6). Fix for unusual delays when browsing shares using Windows
+2000 - fix added by Matt.
+7). Fix for smbpassword reading problems on Sparc Linux was fixed.
+8). Fix for compiling with SSL library.
+9). smbclient fix for crash when doing CR/LF conversion.
+10). smbclient now reports short read errors.
+11). smbclient now uses remote server workgroup to list servers by default.
+12). smbclient now has -b option to change transmit/send buffer size.
+13). smbclient fix for corrupting files when issuing multiple outstanding
+read requests.
+14). Printing bug where Linux was using SYSV printing by default fixed.
+Linux now set to be BSD printing by default.
+15). Change for Linux to use SYSV shared memory by default.
+16). Fix for using IP_TOS options on some systems.
+17). Fix for some systems that complained about static struct passwd
+buffers being modified.
+18). Range checking applied to all string substitutions. Theoretically
+not a bug, but much more rebust now.
+19). Level II oplocks implemented.
+20). Fix for Win2K client printing added.
+21). Always allow loopback (127.0.0.1) connects unless specifically denied.
+22). Patch for FreeBSD interface detection code from Archie Cobbs
+(archie@whistle.com).
+23). Return correct status from smbrun.
+24). snprintf fixes for floating point numbers.
+25). Force directories to always have zero size.
+26). Fix for "force group" and "force user" options. "force user" now
+always uses primary group of user as well. Force group now enhanced with '+'
+semantics (see smb.conf man page for details).
+27). Wildcard matching fix to get closer to WinNT semantics for Win9x clients.
+28). Potential crash bug fixed in wildcard matching code. This bug could also
+cause smbd to sometimes not see exact file matches.
+29). Read/write for sockets changed to use revc/send to allow optimisations
+later.
+30). Oplocks added to client library.
+31). Several purify fixes in IPC code.
+32). nmbd crash bug in processing strange NetBIOS names fixed.
+33). nmbd loop bug in processing strange NetBIOS names fixed.
+34). Paranoia fixes to processing of incoming WinPopup messages in smbd.
+35). Share mode code now auto initialised.
+36). Detect dead processes in IPC lock code.
+37). Explicit -V version switch added to command line processing.
+38). WORKGROUP(1b) name processing with no WINS server fixed.
+39). Win2k client detection code added by Matt.
+40). Fix to allow really short changenotify times to be honoured.
+41). Fix for NT delete finding the wrong file from Tine Smukavec
+(valentin.smukavec@hermes.si)
+42). SWAT fix to prevent stderr messages from breaking the Web client.
+43). testparm fixes to check more parameter conflicts.
+44). Relative paths not fetched via SWAT in CGI scripts.
+45). SWAT remote password change - remote host name not treated as a
+password field any more.
+
+Changes in 2.0.4b
+-----------------
+
+A bug with MS-Word 97 saving files with zero UNIX permissions
+was fixed. Even though a workaround is available (set force
+create mode = 644 on the share) Word is such an important
+application that a point fix was neccessary.
+
+Changes in 2.0.4a
+-----------------
+
+The text and html versions of NT_Security were missing from
+the shipping tarball. Also a compile bug for platforms that
+don't have usleep was fixed.
+
+Changes in 2.0.4
+----------------
+
+There are 5 new parameters and one modified parameter in
+the smb.conf file.
+
+allow trusted domains
+restrict anonymous
+mangle locks
+oplock break wait time
+oplock contention limit
+
+The modified parameter is :
+
+nt acl support
+
+Bugfixes added since 2.0.3
+--------------------------
+
+1). Fix for 8 character password problem when using HPUX and
+plaintext passwords.
+2). --with-pam option added to ./configure.
+3). Client fixes for memory leak and display of 64 bit values.
+4). Fixes for -E and -s option with smbclient.
+5). smbclient now allows -L //server or -L \\server
+6). smbtar fix for display of 64 bit values.
+7). Endian independence added to DCE/RPC code.
+8). DCE/RPC marshalling/unmarshalling code re-written to provide
+overflow reporting and sign and seal support.
+9). Bind NAK reply packet added to DCE/RPC code, used to correctly
+refuse bind requests (prevents NT system event log messages).
+10). Mapping of UNIX permissions into NT ACL's for get and set
+added.
+11). DCE/RPC enumeration of numbers of shares made dynamic.
+Samba now has no limit on the number of exported shares seen.
+12). Fix to speed up random number seed generation on /dev/urandom
+being unavailable.
+13). Several memory fixes added by running Purify on the code.
+14). Read from client error messages improved.
+15). Fixed endianness used in UNICODE strings.
+16). Cope with ERRORmoredata in an RPC pipe client call.
+17). Check for malformed responses in nmbd register name.
+18). NT Encrypted password changing from the NT password dialog box
+now fully implmented.
+19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
+Samba platform.
+20). Allow file to be pseudo-openend in order to read security only.
+21). Improve filename mangling to reduce chance of collisions.
+22). Added code to prevent granting of oplocks when a file is under
+contention.
+23). Added tunable wait time before sending an oplock break request
+to a client if the client caused the break request. Helps with clients
+not responding to oplock breaks.
+24). Always respond negatively to queued local oplock break messages
+before shutdown. This can prevent "freezes" on an oplock error.
+25). Allow admin to restrict logons to correct domain when in domain
+level security.
+26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
+to prevent parameter substitution problems with anonymous connections.
+27). Fix SMBseek where seeking to a negative number sets the offset
+to zero.
+28). Fixed problem with mode getting corrupted in trans2 request
+(setting to zero means please ignore it).
+29). Correctly become the authenticated user on an authenticated
+DCE/RPC pipe request.
+30). Correctly reset debug level in nmbd if someone set it on the
+command line.
+31). Added more checking into testparm
+32). NetBench simulator added to smbtorture by Andrew.
+33). Fixed NIS+ option compile (was broken in 2.0.3).
+34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
+(ejb@ql.org)
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+Bugfixes added since 2.0.1
+--------------------------
+
+Note that due to a critical signal handling bug in 2.0.1,
+this release has been removed and replaced immediately with
+2.0.2. The Samba Team would like to apologise for any problem
+this may have caused.
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.5a</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.5a.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Please read the "IMPORTANT NOTE" section of the release
+notes as this explains three security bugfixes which have
+been added in this release. It is vital that Samba admins
+understand these issues.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.5a.tar.gz">/samba/ftp/samba-2.0.5a.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.5a
+ =========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+IMPORTANT NOTE !
+----------------
+
+This version of Samba contains three security bugfixes for
+problems in previous versions of Samba found by Olaf Kirch of
+Caldera Systems (www.caldera.com). The Samba Team would like
+to publicly thank Olaf for his help in doing a security review
+of our code and finding these bugs.
+
+The three bugs are one potentially exploitable buffer overrun
+bug (although no current exploits are known) in smbd and two
+denial of service bugs in nmbd. By default the smbd bug was not
+exploitable as shipped (the problem parameter was disabled by
+default) but instructions on protecting any version of Samba
+prior to 2.0.5 are included below.
+
+All these bugs have been fixed in Samba 2.0.5 and 2.0.5a.
+
+If using any version of Samba prior to 2.0.5 the administrator
+*MUST NOT* enable the "message command" parameter in smb.conf,
+and *MUST* remove any "message command" that is listed in any
+existing smb.conf file. No known instances of this attack being
+exploited have been reported.
+
+All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
+denial of service attack causing nmbd to either crash or to go
+into an infinite loop. No known instances of this attack being
+exploited have been reported.
+
+New/Changed parameters in 2.0.5 and 2.0.5a.
+-------------------------------------------
+
+There are 5 new parameters in the smb.conf file.
+
+security mask
+force security mode
+directory security mask
+force directory mode
+level2 oplocks
+
+The first 4 parameters are used to control the UNIX permissions bits
+that an NT client is allowed to modify. These parameters are now
+used instead of the older "create" parameters that were used in
+2.0.4 to allow an administrator to separate the two functions.
+
+Use of these new parameters is described in the smb.conf man page,
+and also in the documents :
+
+docs/textdocs/NT_Security.txt
+docs/htmldocs/NT_Security.html
+
+The fifth new parameter is described in the following section.
+
+Level II oplocks
+----------------
+
+Samba 2.0.5 now implements level2 oplocks. As this is new
+code this parameter is set to "off" by default. The benefit
+of level2 oplocks is to allow read-only file caching from
+multiple clients. This is of great speed benefit to shares
+that are serving application executable programs (.EXE's)
+that are usually not written to. To learn more about using
+level 2 oplocks read the parameter description in the smb.conf
+documentation or read the file :
+
+docs/textdocs/Speed.txt.
+
+Changes in 2.0.5a
+-----------------
+
+1). Fix for smbd crash bug in string_sub(). smbd was miscalculating
+memmove lengths on multiple '%' substitutions.
+2). Fix for wildcard matching bug for old DOS programs running on Win9x.
+3). Fix for Windows NT client changing passwords against a Samba server,
+intermittently failing.
+4). Fix for PPP link being detected as primary interface if using the
+same IP address as the primary.
+5). Ensure smbmount is built with RPM build.
+
+Changes in 2.0.5
+-----------------
+
+1). smbmount for Linux systems has been re-written to use
+the libsmb code and clientutil.c is no longer used with it.
+2). A bug preventing directory opens using the NT SMB calls
+has been fixed.
+3). A related bug causing a file structure leak when directory
+opens were denied has been fixed.
+4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
+bit.
+5). Prevent timestamps of 0 or -1 corrupting file timestamps.
+6). Fix for unusual delays when browsing shares using Windows
+2000 - fix added by Matt.
+7). Fix for smbpassword reading problems on Sparc Linux was fixed.
+8). Fix for compiling with SSL library.
+9). smbclient fix for crash when doing CR/LF conversion.
+10). smbclient now reports short read errors.
+11). smbclient now uses remote server workgroup to list servers by default.
+12). smbclient now has -b option to change transmit/send buffer size.
+13). smbclient fix for corrupting files when issuing multiple outstanding
+read requests.
+14). Printing bug where Linux was using SYSV printing by default fixed.
+Linux now set to be BSD printing by default.
+15). Change for Linux to use SYSV shared memory by default.
+16). Fix for using IP_TOS options on some systems.
+17). Fix for some systems that complained about static struct passwd
+buffers being modified.
+18). Range checking applied to all string substitutions. Theoretically
+not a bug, but much more rebust now.
+19). Level II oplocks implemented.
+20). Fix for Win2K client printing added.
+21). Always allow loopback (127.0.0.1) connects unless specifically denied.
+22). Patch for FreeBSD interface detection code from Archie Cobbs
+(archie@whistle.com).
+23). Return correct status from smbrun.
+24). snprintf fixes for floating point numbers.
+25). Force directories to always have zero size.
+26). Fix for "force group" and "force user" options. "force user" now
+always uses primary group of user as well. Force group now enhanced with '+'
+semantics (see smb.conf man page for details).
+27). Wildcard matching fix to get closer to WinNT semantics for Win9x clients.
+28). Potential crash bug fixed in wildcard matching code. This bug could also
+cause smbd to sometimes not see exact file matches.
+29). Read/write for sockets changed to use revc/send to allow optimisations
+later.
+30). Oplocks added to client library.
+31). Several purify fixes in IPC code.
+32). nmbd crash bug in processing strange NetBIOS names fixed.
+33). nmbd loop bug in processing strange NetBIOS names fixed.
+34). Paranoia fixes to processing of incoming WinPopup messages in smbd.
+35). Share mode code now auto initialised.
+36). Detect dead processes in IPC lock code.
+37). Explicit -V version switch added to command line processing.
+38). WORKGROUP(1b) name processing with no WINS server fixed.
+39). Win2k client detection code added by Matt.
+40). Fix to allow really short changenotify times to be honoured.
+41). Fix for NT delete finding the wrong file from Tine Smukavec
+(valentin.smukavec@hermes.si)
+42). SWAT fix to prevent stderr messages from breaking the Web client.
+43). testparm fixes to check more parameter conflicts.
+44). Relative paths not fetched via SWAT in CGI scripts.
+45). SWAT remote password change - remote host name not treated as a
+password field any more.
+
+Changes in 2.0.4b
+-----------------
+
+A bug with MS-Word 97 saving files with zero UNIX permissions
+was fixed. Even though a workaround is available (set force
+create mode = 644 on the share) Word is such an important
+application that a point fix was neccessary.
+
+Changes in 2.0.4a
+-----------------
+
+The text and html versions of NT_Security were missing from
+the shipping tarball. Also a compile bug for platforms that
+don't have usleep was fixed.
+
+Changes in 2.0.4
+----------------
+
+There are 5 new parameters and one modified parameter in
+the smb.conf file.
+
+allow trusted domains
+restrict anonymous
+mangle locks
+oplock break wait time
+oplock contention limit
+
+The modified parameter is :
+
+nt acl support
+
+Bugfixes added since 2.0.3
+--------------------------
+
+1). Fix for 8 character password problem when using HPUX and
+plaintext passwords.
+2). --with-pam option added to ./configure.
+3). Client fixes for memory leak and display of 64 bit values.
+4). Fixes for -E and -s option with smbclient.
+5). smbclient now allows -L //server or -L \\server
+6). smbtar fix for display of 64 bit values.
+7). Endian independence added to DCE/RPC code.
+8). DCE/RPC marshalling/unmarshalling code re-written to provide
+overflow reporting and sign and seal support.
+9). Bind NAK reply packet added to DCE/RPC code, used to correctly
+refuse bind requests (prevents NT system event log messages).
+10). Mapping of UNIX permissions into NT ACL's for get and set
+added.
+11). DCE/RPC enumeration of numbers of shares made dynamic.
+Samba now has no limit on the number of exported shares seen.
+12). Fix to speed up random number seed generation on /dev/urandom
+being unavailable.
+13). Several memory fixes added by running Purify on the code.
+14). Read from client error messages improved.
+15). Fixed endianness used in UNICODE strings.
+16). Cope with ERRORmoredata in an RPC pipe client call.
+17). Check for malformed responses in nmbd register name.
+18). NT Encrypted password changing from the NT password dialog box
+now fully implmented.
+19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
+Samba platform.
+20). Allow file to be pseudo-openend in order to read security only.
+21). Improve filename mangling to reduce chance of collisions.
+22). Added code to prevent granting of oplocks when a file is under
+contention.
+23). Added tunable wait time before sending an oplock break request
+to a client if the client caused the break request. Helps with clients
+not responding to oplock breaks.
+24). Always respond negatively to queued local oplock break messages
+before shutdown. This can prevent "freezes" on an oplock error.
+25). Allow admin to restrict logons to correct domain when in domain
+level security.
+26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
+to prevent parameter substitution problems with anonymous connections.
+27). Fix SMBseek where seeking to a negative number sets the offset
+to zero.
+28). Fixed problem with mode getting corrupted in trans2 request
+(setting to zero means please ignore it).
+29). Correctly become the authenticated user on an authenticated
+DCE/RPC pipe request.
+30). Correctly reset debug level in nmbd if someone set it on the
+command line.
+31). Added more checking into testparm
+32). NetBench simulator added to smbtorture by Andrew.
+33). Fixed NIS+ option compile (was broken in 2.0.3).
+34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
+(ejb@ql.org)
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+Bugfixes added since 2.0.1
+--------------------------
+
+Note that due to a critical signal handling bug in 2.0.1,
+this release has been removed and replaced immediately with
+2.0.2. The Samba Team would like to apologise for any problem
+this may have caused.
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.6</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.6.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.6.tar.gz">/samba/ftp/samba-2.0.6.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+-----------------------------------------------------------
+ WHATS NEW IN Samba 2.0.6
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+New/Changed parameters in 2.0.6
+-------------------------------
+
+There are 6 new parameters in the smb.conf file.
+
+wins hook
+
+This parameter allows an external program to be called
+on all changes to a Samba WINS database, allowing dynamic
+DNS updates.
+
+debug hires timestamp
+debug pid
+debug uid
+
+The above 3 parameters provide greater debug information.
+
+preexec close
+rootpreexec close
+
+The above 2 parameters control the action taken on the
+success or failure of a 'preexec' script.
+
+There is also one removed parameter.
+
+mangle locks
+
+The addition of these new parameters and the removal of the old
+is described in more detail in the smb.conf man page,
+
+When using "security=domain" the "password server"
+parameter can now be set to the string "*', which will
+cause Samba to search for Domain controllers in the
+same way that Windows NT does. See the smb.conf man
+page for more details.
+
+The "interfaces" parameter in smb.conf can now be dynamically
+detected on startup and can also now take an interface name
+such as eth0. See the smb.conf man page for the details
+on the new features of the "interfaces" parameter.
+nmbd has been enhanced to use this feature.
+
+The syntax for the Linux-specific smbmount command has been changed
+and is now compatible with the standard mount command. See the modified
+smbmount man page for details.
+
+Support for the UNIX CUPS printer standard has been added.
+See www.cups.org for details. Thanks to the folks at Easy Software
+Products for this code. Set the printcap name to "cups" to
+enable this. See the smb.conf man page for details.
+
+Changes in 2.0.6
+-----------------
+
+1). 64-bit locking removed from Linux autoconf build. This fixes
+several Linux specific locking issues.
+2). Crash bug fix in smbclient recursive processing. Fix from
+E. Jay Berkenbilt (ejb@ql.org).
+3). "history" command added to smbclient if readline available.
+4). smbtar - updates files and directory message on restore.
+5). smbmnt - 'u', 'g', 'r', 'f', 'd' options added by Andrew. See
+man page for details.
+6). smbmount updated to be useable by autofs on Linux. See the
+samba/examples/autofs/README file for details.
+7). Bug fixed where TCP_NODELAY was not being used by default in smbd.
+8). Many oplock fixes. Samba now waits 30 seconds, not 45. Also
+smbd no longer aborts on client break failure, but logs a message
+and continues. This is what NT does. This should fix many "oplock
+break" message problems people have been having.
+9). New code from Andrew to dynamically detect interfaces. nmbd will
+now attempt to dynamically detect interface changes and register names
+as an interface goes "up".
+10). Win95 ioctl for print jobs added by Matt.
+11). Mapping for ISO8859-1 extended for codepage 437 and 850.
+12). Code Page 737 -> ISO-8859-7 (Greek-Hellenic) mapping added.
+13). Character strings now correctly converted from UNIX character set
+format to DOS codepage when read from smb.conf or external passwd or
+group files. Samba is now much more careful about what format external
+strings should be converted to/from.
+14). snprintf crash fix for IRIX 6.2 and below.
+15). Increased timestamp debug fixes (adds milliseconds and uid/pid if
+requested).
+16). Optimisation for wildcard exact match requests.
+17). Win95 wildcard semantics fix - unused code removed.
+18). 'mangle locks' parameter removed. This now done automatically.
+19). setXid() routines re-written to provide asserts and also to fix
+AIX versions prior to 4.1.x.
+20). MSG_WAITALL optimisation removed due to bugs in FreeBSD.
+21). Length fix when writing UNICODE string.
+22). oplock processing added to libsmb client code.
+23). Added more client error message strings.
+24). Fix bug with connecting to encrypted server when non-encrypted
+password given.
+25). In security=domain, password server extended to search for DC's
+if parameter = '*'.
+26). "root did not create samaphore" bug fixed.
+27). random generator initialized early to prevent icons not showing
+up in Win9x.
+28). Logging fix after SIGHUP.
+29). WINS hook external call added when nmbd is a WINS server.
+30). Support for CUPS printer protocol added by Michael Sweet.
+31). Support for NIS+ backend password database updates.
+32). Handle dashes in print job id's. Fix from Dom.Mitchell@palmerharvey.co.uk
+33). Race condition in UNIX password sync on some platforms fixed by Matt.
+34). Dirptr leak from Win98 fixed.
+35). Logic bug in handling of level II oplocks fixed.
+36). smbd crash bug fix when opening directories.
+37). Paranoia oplock fix from Charles Hoch (hoch@exemplary.com)
+38). Fix Win2k problem where DCE/RPC is done on SMBwrite as well as SMBwriteX.
+39). Fix Win95 redirector alignment bug that caused oplock break failures.
+40). Preexec close code added.
+41). Extra sanity checks in testparm code.
+42). oplock tests added to smbtorture.
+43). Tell SWAT user if logged in as root or not.
+44). Solaris packaging fixes donated by VERITAS.
+
+Older release notes for Samba 2.0.x follow.
+
+Previous Release notes for 2.0.5a
+---------------------------------
+
+IMPORTANT NOTE !
+----------------
+
+Version 2.0.5a of Samba contains three security bugfixes for
+problems in previous versions of Samba found by Olaf Kirch of
+Caldera Systems (www.caldera.com). The Samba Team would like
+to publicly thank Olaf for his help in doing a security review
+of our code and finding these bugs.
+
+The three bugs are one potentially exploitable buffer overrun
+bug (although no current exploits are known) in smbd and two
+denial of service bugs in nmbd. By default the smbd bug was not
+exploitable as shipped (the problem parameter was disabled by
+default) but instructions on protecting any version of Samba
+prior to 2.0.5 are included below.
+
+All these bugs have been fixed in Samba 2.0.5 and 2.0.5a.
+
+If using any version of Samba prior to 2.0.5 the administrator
+*MUST NOT* enable the "message command" parameter in smb.conf,
+and *MUST* remove any "message command" that is listed in any
+existing smb.conf file. No known instances of this attack being
+exploited have been reported.
+
+All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
+denial of service attack causing nmbd to either crash or to go
+into an infinite loop. No known instances of this attack being
+exploited have been reported.
+
+New/Changed parameters in 2.0.5 and 2.0.5a.
+-------------------------------------------
+
+There are 5 new parameters in the smb.conf file.
+
+security mask
+force security mode
+directory security mask
+force directory secruty mode
+level2 oplocks
+
+The first 4 parameters are used to control the UNIX permissions bits
+that an NT client is allowed to modify. These parameters are now
+used instead of the older "create" parameters that were used in
+2.0.4 to allow an administrator to separate the two functions.
+
+Use of these new parameters is described in the smb.conf man page,
+and also in the documents :
+
+docs/textdocs/NT_Security.txt
+docs/htmldocs/NT_Security.html
+
+The fifth new parameter is described in the following section.
+
+Level II oplocks
+----------------
+
+Samba 2.0.5 now implements level2 oplocks. As this is new
+code this parameter is set to "off" by default. The benefit
+of level2 oplocks is to allow read-only file caching from
+multiple clients. This is of great speed benefit to shares
+that are serving application executable programs (.EXE's)
+that are usually not written to. To learn more about using
+level 2 oplocks read the parameter description in the smb.conf
+documentation or read the file :
+
+docs/textdocs/Speed.txt.
+
+Changes in 2.0.5a
+-----------------
+
+1). Fix for smbd crash bug in string_sub(). smbd was miscalculating
+memmove lengths on multiple '%' substitutions.
+2). Fix for wildcard matching bug for old DOS programs running on Win9x.
+3). Fix for Windows NT client changing passwords against a Samba server,
+intermittently failing.
+4). Fix for PPP link being detected as primary interface if using the
+same IP address as the primary.
+5). Ensure smbmount is built with RPM build.
+
+Changes in 2.0.5
+----------------
+
+1). smbmount for Linux systems has been re-written to use
+the libsmb code and clientutil.c is no longer used with it.
+2). A bug preventing directory opens using the NT SMB calls
+has been fixed.
+3). A related bug causing a file structure leak when directory
+opens were denied has been fixed.
+4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
+bit.
+5). Prevent timestamps of 0 or -1 corrupting file timestamps.
+6). Fix for unusual delays when browsing shares using Windows
+2000 - fix added by Matt.
+7). Fix for smbpassword reading problems on Sparc Linux was fixed.
+8). Fix for compiling with SSL library.
+9). smbclient fix for crash when doing CR/LF conversion.
+10). smbclient now reports short read errors.
+11). smbclient now uses remote server workgroup to list servers by default.
+12). smbclient now has -b option to change transmit/send buffer size.
+13). smbclient fix for corrupting files when issuing multiple outstanding
+read requests.
+14). Printing bug where Linux was using SYSV printing by default fixed.
+Linux now set to be BSD printing by default.
+15). Change for Linux to use SYSV shared memory by default.
+16). Fix for using IP_TOS options on some systems.
+17). Fix for some systems that complained about static struct passwd
+buffers being modified.
+18). Range checking applied to all string substitutions. Theoretically
+not a bug, but much more rebust now.
+19). Level II oplocks implemented.
+20). Fix for Win2K client printing added.
+21). Always allow loopback (127.0.0.1) connects unless specifically denied.
+22). Patch for FreeBSD interface detection code from Archie Cobbs (archie@whistle.com).
+23). Return correct status from smbrun.
+24). snprintf fixes for floating point numbers.
+25). Force directories to always have zero size.
+26). Fix for "force group" and "force user" options. "force user" now
+always uses primary group of user as well. Force group now enhanced with '+'
+semantics (see smb.conf man page for details).
+27). Wildcard matching fix to get closer to WinNT semantics for Win9x clients.
+28). Potential crash bug fixed in wildcard matching code. This bug could also
+cause smbd to sometimes not see exact file matches.
+29). Read/write for sockets changed to use revc/send to allow optimisations
+later.
+30). Oplocks added to client library.
+31). Several purify fixes in IPC code.
+32). nmbd crash bug in processing strange NetBIOS names fixed.
+33). nmbd loop bug in processing strange NetBIOS names fixed.
+34). Paranoia fixes to processing of incoming WinPopup messages in smbd.
+35). Share mode code now auto initialised.
+36). Detect dead processes in IPC lock code.
+37). Explicit -V version switch added to command line processing.
+38). WORKGROUP(1b) name processing with no WINS server fixed.
+39). Win2k client detection code added by Matt.
+40). Fix to allow really short changenotify times to be honoured.
+41). Fix for NT delete finding the wrong file from Tine Smukavec
+(valentin.smukavec@hermes.si)
+42). SWAT fix to prevent stderr messages from breaking the Web client.
+43). testparm fixes to check more parameter conflicts.
+44). Relative paths not fetched via SWAT in CGI scripts.
+45). SWAT remote password change - remote host name not treated as a
+password field any more.
+
+Changes in 2.0.4b
+-----------------
+
+A bug with MS-Word 97 saving files with zero UNIX permissions
+was fixed. Even though a workaround is available (set force
+create mode = 644 on the share) Word is such an important
+application that a point fix was neccessary.
+
+Changes in 2.0.4a
+-----------------
+
+The text and html versions of NT_Security were missing from
+the shipping tarball. Also a compile bug for platforms that
+don't have usleep was fixed.
+
+Changes in 2.0.4
+----------------
+
+There are 5 new parameters and one modified parameter in
+the smb.conf file.
+
+allow trusted domains
+restrict anonymous
+mangle locks
+oplock break wait time
+oplock contention limit
+
+The modified parameter is :
+
+nt acl support
+
+Bugfixes added since 2.0.3
+--------------------------
+
+1). Fix for 8 character password problem when using HPUX and
+plaintext passwords.
+2). --with-pam option added to ./configure.
+3). Client fixes for memory leak and display of 64 bit values.
+4). Fixes for -E and -s option with smbclient.
+5). smbclient now allows -L //server or -L \\server
+6). smbtar fix for display of 64 bit values.
+7). Endian independence added to DCE/RPC code.
+8). DCE/RPC marshalling/unmarshalling code re-written to provide
+overflow reporting and sign and seal support.
+9). Bind NAK reply packet added to DCE/RPC code, used to correctly
+refuse bind requests (prevents NT system event log messages).
+10). Mapping of UNIX permissions into NT ACL's for get and set
+added.
+11). DCE/RPC enumeration of numbers of shares made dynamic.
+Samba now has no limit on the number of exported shares seen.
+12). Fix to speed up random number seed generation on /dev/urandom
+being unavailable.
+13). Several memory fixes added by running Purify on the code.
+14). Read from client error messages improved.
+15). Fixed endianness used in UNICODE strings.
+16). Cope with ERRORmoredata in an RPC pipe client call.
+17). Check for malformed responses in nmbd register name.
+18). NT Encrypted password changing from the NT password dialog box
+now fully implmented.
+19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
+Samba platform.
+20). Allow file to be pseudo-openend in order to read security only.
+21). Improve filename mangling to reduce chance of collisions.
+22). Added code to prevent granting of oplocks when a file is under
+contention.
+23). Added tunable wait time before sending an oplock break request
+to a client if the client caused the break request. Helps with clients
+not responding to oplock breaks.
+24). Always respond negatively to queued local oplock break messages
+before shutdown. This can prevent "freezes" on an oplock error.
+25). Allow admin to restrict logons to correct domain when in domain
+level security.
+26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
+to prevent parameter substitution problems with anonymous connections.
+27). Fix SMBseek where seeking to a negative number sets the offset
+to zero.
+28). Fixed problem with mode getting corrupted in trans2 request
+(setting to zero means please ignore it).
+29). Correctly become the authenticated user on an authenticated
+DCE/RPC pipe request.
+30). Correctly reset debug level in nmbd if someone set it on the
+command line.
+31). Added more checking into testparm
+32). NetBench simulator added to smbtorture by Andrew.
+33). Fixed NIS+ option compile (was broken in 2.0.3).
+34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
+(ejb@ql.org)
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+Bugfixes added since 2.0.1
+--------------------------
+
+Note that due to a critical signal handling bug in 2.0.1,
+this release has been removed and replaced immediately with
+2.0.2. The Samba Team would like to apologise for any problem
+this may have caused.
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+<a href="http://samba.org/listproc/">http://samba.org/listproc/</a>
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+<a href="http://samba.org/cvs.html">http://samba.org/cvs.html</a>
+
+=====================================================================
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team is pleased to announce Samba 2.0.7</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce Samba 2.0.7.
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes. This version has been tested
+against Windows 2000 and has no *known* issues with that
+release of Windows.
+
+It may be fetched via ftp from :
+
+<a href="/samba/ftp/samba-2.0.7.tar.gz">/samba/ftp/samba-2.0.7.tar.gz </a>
+
+Or just follow the link on the main page of
+your nearest http://samba.org mirror.
+
+Binary packages for supported systems will be made available
+within a short time. A separate announcement will be made
+for the release of these packages.
+
+Offers of binary Samba packages for various systems are
+welcome and should be sent to <a href="mailto:samba@samba.org">samba@samba.org</a>.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Without further ado, here are the release notes.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.0.7
+ ========================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+New Documentation in 2.0.7
+--------------------------
+
+O'Reilly and Associates have donated their book "Using Samba"
+to the Samba community to be updated in a collaberative way
+along with the Samba software. Starting with this release the
+html of "Using Samba" will be distributed with the Samba software
+as the online documentation for Samba. Bug fixes for the book
+are encouraged as is new material. Please help us make this
+documentation the best it can be for Samba !
+
+SWAT (Samba Web Administration Tool) has been updated to
+add a link to the full text of "Using Samba" from the start
+screen.
+
+Note that this does not mean that the other documentation
+(man pages especially) are being abandoned. The Samba Team
+is still committed to updating and improving *all* the
+documentation shipped with Samba.
+
+Also, as the source code for the book is moved into a more
+manageable format (not raw HTML) we are committed to making
+it available for editing by all interested parties. The
+current situation of only shipping HTML with the Samba software
+is a first attempt at getting this documentation integrated
+with the Samba software and should not be regarded as the only
+way in which this material will be made available (it was just
+the quickest way to get the book integrated into 2.0.7 :-).
+
+Windows 2000 Issues
+-------------------
+
+This version of Samba has been tested with Windows 2000 and
+the five known incompatibilities with Windows 2000 have been
+fixed. See the "Changes in 2.0.7" list below for details.
+
+New/Changed parameters in 2.0.7
+-------------------------------
+
+There is a new option to the autoconf "./configure" script.
+This is the "--with-utmp" (and attendant "--without-utmp")
+option. Running configure with this option will cause smbd
+to attempt to use utmp accounting for users who log on and
+log off to the Samba server.
+
+There are 5 new parameters in the smb.conf file.
+
+utmp
+utmp dir
+utmp hostname
+utmp consolidate
+wtmp directory
+
+These parameters are only available if the "--with-utmp"
+option was selected at configure time. The yes/no option "utmp"
+specifies whether utmp records should be recorded on user
+logon/logoff. It defaults to "no". The "utmp dir" and "wtmp dir"
+are string parameters specifying pathnames to the directories containing
+the utmp/wtmp file databases. See the smb.conf man page for more details.
+
+inherit permissions
+
+This boolean parameter causes newly created files and directories
+to inherit their initial permissions from their parent directory.
+This can be very useful in propagating such things as the set-group
+bit in directory heirarchies. See the smb.conf man page for more
+details.
+
+write cache size
+
+This integer parameter specifies (in bytes) the size of a user level
+per-file write cache that smbd will create for an oplocked file. This
+can improve performance significantly for writing files by causing
+writes to be done in large chunk sizes. If this parameter is set (it
+defaults to zero which means no write cache) to the stripe size of
+a raid volume then it will cause writes to be much more efficient.
+Up to 10 write caches can be active simultaneously per smbd (allocated
+for the first 10 oplocked file opens). All normal warnings about the
+dangers of user level caching of data apply. See the smb.conf man page
+for more details.
+
+source environment
+
+This pathname parameter causes Samba to read a list of environment
+variables from a named file on startup. This can be useful in setting
+up Samba in a clustered environment. See the smb.conf man page for more
+details.
+
+Ability to delete users added
+-----------------------------
+
+SWAT and smbpasswd can now delete users from the Samba smbpasswd file.
+See the man page for smbpasswd for details.
+
+Roving profile behavior finalized
+---------------------------------
+
+The change in behavior with roving profiles (using the "logon home"
+parameter instead of the "logon path" parameter) introduced in 2.0.6
+has been discovered to be consistant with the way Windows NT behaves,
+and has been left as the default action. Please see the additional
+notes in the "logon home" parameter description in the smb.conf man
+page for more details.
+
+Changes in 2.0.7
+-----------------
+
+1). Fix for the semaphore promblems when compiling Samba with gcc on
+SGI IRIX 6.5.x.
+2). Quota support for Veritas filesystem added by David Lee.
+3). Incoming RPC code re-written to support multiple PDU input from
+the client. This should make the RPC subsystem more robust.
+4). Fix from Ying Chen @ IBM to inline many frequently called functions. This
+decreased CPU usage by 10%.
+5). Fix from Ying Chen @ IBM to use a hash table to lookup entries in the file
+cache. This is a significant improvement over the old linked-list
+lookup code.
+6). smbclient issues with native language support fixed. smbclient
+now uses UNIX filename character sets exclusively when communicating
+with libsmb library.
+7). smbclient fix to not print error messages when "putting" an
+empty file.
+8). smbclient fix to cope with spaces in filenames when recursing.
+9). Improved error reporting in smbclient when getting browse lists.
+10). NetBIOS "scope" now supported in all Samba code/tools.
+11). New mapping from code page 850 to UNIX "roman8" character set.
+12). Fix for crash bug if debug file handle couldn't be opened.
+13). Fix to allow mkdir to correctly set the high order permissions
+bits for UNIX's that don't allow this by default.
+14). Fix to dynamically allocate group array for setgroups. Don't
+depend on NGROUPS_MAX being correctly defined in header files.
+15). Fix for crash bug in floating point in snprintf.
+16). "Safe" version of popen() included to allow use in code such
+as "source environment" patch.
+17). Fix for SWAT for trailing '\n' in asctime().
+18). Wildcard match fix from weidel@multichart.de for NT wildcard
+processing.
+19). unix_mask_match fixes for "veto files" parameter.
+20). Fix for system call bug when configuring on Linux kernel 2.0.x
+with glibc2.1.x.
+21). SO_REUSEPORT socket option added for HPUX.
+22). All recv() calls changed back to read() to fix Solaris 2.5.x bug.
+23). Some UNICODE conversion fixes. Not complete yet.
+24). NetShareEnum fix for Windows 2000. Don't ask for 64K as Win2k
+can't cope with this (returns "Out of memory" error).
+25). Fixes for cli_error() crashes.
+26). Fix for crash when connecting to password server by DNS name
+not NetBIOS name.
+27). Fix bug in demangling of compacted NetBIOS names.
+28). Fixes for slow locking code for VMS.
+29). Reply to short NetLogon packet in nmbd with short reply.
+30). Correctly allign userdata to prevent crashes in nmbd.
+31). Use talloc() in string buffer rotation code to prevent overwrites.
+32). Added multi-byte awareness to parameter loading code.
+33). Re-wrote password file modification code. We can now delete users
+atomically. Original patch from Bruce Tenison.
+34). Fixed bug in parsing smbpasswd type entries.
+35). Fixes from HP to the windows registry RPC emulation.
+36). Added ability to return RPC fault PDU to unknown calls. Needed to
+allow Windows 2000 to return UNIX permissions as NT ACLs.
+37). utmp code patch from T.D.Lee@durham.ac.uk. Not available on all
+platforms - test with ./configure.
+38). Inherit permissions fix from David Lee.
+39). Added write caching code for oplocked files.
+40). Workaround for new bug in Windows 2000 where NT file create using
+NTtransact call sends UNICODE without bothering to set the UNICODE flag
+bit.
+41). Workaround for new bug in Windows 2000 where it attempts to re-write
+existing ACLs to make them inherit only.
+42). Removed unused mmap code.
+43). Added correct implementation of share mode deny table. We now match
+Windows NT.
+44). Fix recursion bug with group enumeration.
+45). Fix from Bjart Kvarme to take into account changed machine passwords
+that haven't yet propagated from PDC to BDC.
+46). Correctly skip two byte length field when accepting RPC "start of
+message" packets in SMBwriteX on pipes.
+47). Added auto-detection of Windows 2000 clients.
+48). Fix bug with rollback of POSIX locks if a lock in a range fails to
+apply.
+49). Fix bug with registering startup smbd's in flat file.
+50). Ensure usernames are converted correctly between DOS codepages
+and UNIX character sets.
+51). Fix for timestamps being set incorrectly on copied files from
+Paul Eggert.
+52). Fix for parsing HP specific printer definitions in make_printerdef.
+53). Fix for smbclient doing an 'ls' on large directories from OS/2 servers
+from Christoph Pfisterer.
+54). Fix for WINS server code where "do you still want name?" request was
+being sent to the wrong IP address.
+55). Fixed "recursion desired" bits set in nmbd so we are identical to
+Windows NT.
+56). nmbd now should process logon packets from Win95, Win98 and both
+versions of the NT logon packet.
+57). Correctly set parameter offset value for first trans2 reply.
+58). Win2K will only accept volume labels in UNICODE.
+59). Ensure nmbd doesn't attempt to use the loopback interface when
+registering names.
+60). Fixed bug where smbd didn't return '.' or '..' on top level
+share directory listing.
+61). Fix for soft quotas not being set (make them equal to hardquota)
+from Norbert Pschel (Pueschel.Norbert@Walzbarren-VAW.ne.uunet.de).
+62). SWAT fixes for SCO UnixWare (SIGPIPE handling).
+63). Fix for nmbd DOS with redirect recursion.
+64). Fix for log files growing without bound from Mattias Gronlund.
+65). Fix for smbd crash bug in truncate is locked.
+66). Memory leak fix in mangle name code.
+
+Older release notes for Samba 2.0.x follow.
+
+Previous Release notes for 2.0.6
+---------------------------------
+
+New/Changed parameters in 2.0.6
+-------------------------------
+
+There are 6 new parameters in the smb.conf file.
+
+wins hook
+
+This parameter allows an external program to be called
+on all changes to a Samba WINS database, allowing dynamic
+DNS updates.
+
+debug hires timestamp
+debug pid
+debug uid
+
+The above 3 parameters provide greater debug information.
+
+preexec close
+rootpreexec close
+
+The above 2 parameters control the action taken on the
+success or failure of a 'preexec' script.
+
+There is also one removed parameter.
+
+mangle locks
+
+The addition of these new parameters and the removal of the old
+is described in more detail in the smb.conf man page,
+
+When using "security=domain" the "password server"
+parameter can now be set to the string "*', which will
+cause Samba to search for Domain controllers in the
+same way that Windows NT does. See the smb.conf man
+page for more details.
+
+The "interfaces" parameter in smb.conf can now be dynamically
+detected on startup and can also now take an interface name
+such as eth0. See the smb.conf man page for the details
+on the new features of the "interfaces" parameter.
+nmbd has been enhanced to use this feature.
+
+The syntax for the Linux-specific smbmount command has been changed
+and is now compatible with the standard mount command. See the modified
+smbmount man page for details.
+
+Support for the UNIX CUPS printer standard has been added.
+See www.cups.org for details. Thanks to the folks at Easy Software
+Products for this code. Set the printcap name to "cups" to
+enable this. See the smb.conf man page for details.
+
+Changes in 2.0.6
+-----------------
+
+1). 64-bit locking removed from Linux autoconf build. This fixes
+several Linux specific locking issues.
+2). Crash bug fix in smbclient recursive processing. Fix from
+E. Jay Berkenbilt (ejb@ql.org).
+3). "history" command added to smbclient if readline available.
+4). smbtar - updates files and directory message on restore.
+5). smbmnt - 'u', 'g', 'r', 'f', 'd' options added by Andrew. See
+man page for details.
+6). smbmount updated to be useable by autofs on Linux. See the
+samba/examples/autofs/README file for details.
+7). Bug fixed where TCP_NODELAY was not being used by default in smbd.
+8). Many oplock fixes. Samba now waits 30 seconds, not 45. Also
+smbd no longer aborts on client break failure, but logs a message
+and continues. This is what NT does. This should fix many "oplock
+break" message problems people have been having.
+9). New code from Andrew to dynamically detect interfaces. nmbd will
+now attempt to dynamically detect interface changes and register names
+as an interface goes "up".
+10). Win95 ioctl for print jobs added by Matt.
+11). Mapping for ISO8859-1 extended for codepage 437 and 850.
+12). Code Page 737 -> ISO-8859-7 (Greek-Hellenic) mapping added.
+13). Character strings now correctly converted from UNIX character set
+format to DOS codepage when read from smb.conf or external passwd or
+group files. Samba is now much more careful about what format external
+strings should be converted to/from.
+14). snprintf crash fix for IRIX 6.2 and below.
+15). Increased timestamp debug fixes (adds milliseconds and uid/pid if
+requested).
+16). Optimisation for wildcard exact match requests.
+17). Win95 wildcard semantics fix - unused code removed.
+18). 'mangle locks' parameter removed. This now done automatically.
+19). setXid() routines re-written to provide asserts and also to fix
+AIX versions prior to 4.1.x.
+20). MSG_WAITALL optimisation removed due to bugs in FreeBSD.
+21). Length fix when writing UNICODE string.
+22). oplock processing added to libsmb client code.
+23). Added more client error message strings.
+24). Fix bug with connecting to encrypted server when non-encrypted
+password given.
+25). In security=domain, password server extended to search for DC's
+if parameter = '*'.
+26). "root did not create samaphore" bug fixed.
+27). random generator initialized early to prevent icons not showing
+up in Win9x.
+28). Logging fix after SIGHUP.
+29). WINS hook external call added when nmbd is a WINS server.
+30). Support for CUPS printer protocol added by Michael Sweet.
+31). Support for NIS+ backend password database updates.
+32). Handle dashes in print job id's. Fix from Dom.Mitchell@palmerharvey.co.uk
+33). Race condition in UNIX password sync on some platforms fixed by Matt.
+34). Dirptr leak from Win98 fixed.
+35). Logic bug in handling of level II oplocks fixed.
+36). smbd crash bug fix when opening directories.
+37). Paranoia oplock fix from Charles Hoch (hoch@exemplary.com)
+38). Fix Win2k problem where DCE/RPC is done on SMBwrite as well as SMBwriteX.
+39). Fix Win95 redirector alignment bug that caused oplock break failures.
+40). Preexec close code added.
+41). Extra sanity checks in testparm code.
+42). oplock tests added to smbtorture.
+43). Tell SWAT user if logged in as root or not.
+44). Solaris packaging fixes donated by VERITAS.
+
+Older release notes for Samba 2.0.x follow.
+
+Previous Release notes for 2.0.5a
+---------------------------------
+
+IMPORTANT NOTE !
+----------------
+
+Version 2.0.5a of Samba contains three security bugfixes for
+problems in previous versions of Samba found by Olaf Kirch of
+Caldera Systems (www.caldera.com). The Samba Team would like
+to publicly thank Olaf for his help in doing a security review
+of our code and finding these bugs.
+
+The three bugs are one potentially exploitable buffer overrun
+bug (although no current exploits are known) in smbd and two
+denial of service bugs in nmbd. By default the smbd bug was not
+exploitable as shipped (the problem parameter was disabled by
+default) but instructions on protecting any version of Samba
+prior to 2.0.5 are included below.
+
+All these bugs have been fixed in Samba 2.0.5 and 2.0.5a.
+
+If using any version of Samba prior to 2.0.5 the administrator
+*MUST NOT* enable the "message command" parameter in smb.conf,
+and *MUST* remove any "message command" that is listed in any
+existing smb.conf file. No known instances of this attack being
+exploited have been reported.
+
+All Samba versions of nmbd prior to 2.0.5 are vulnerable to a
+denial of service attack causing nmbd to either crash or to go
+into an infinite loop. No known instances of this attack being
+exploited have been reported.
+
+New/Changed parameters in 2.0.5 and 2.0.5a.
+-------------------------------------------
+
+There are 5 new parameters in the smb.conf file.
+
+security mask
+force security mode
+directory security mask
+force directory secruty mode
+level2 oplocks
+
+The first 4 parameters are used to control the UNIX permissions bits
+that an NT client is allowed to modify. These parameters are now
+used instead of the older "create" parameters that were used in
+2.0.4 to allow an administrator to separate the two functions.
+
+Use of these new parameters is described in the smb.conf man page,
+and also in the documents :
+
+docs/textdocs/NT_Security.txt
+docs/htmldocs/NT_Security.html
+
+The fifth new parameter is described in the following section.
+
+Level II oplocks
+----------------
+
+Samba 2.0.5 now implements level2 oplocks. As this is new
+code this parameter is set to "off" by default. The benefit
+of level2 oplocks is to allow read-only file caching from
+multiple clients. This is of great speed benefit to shares
+that are serving application executable programs (.EXE's)
+that are usually not written to. To learn more about using
+level 2 oplocks read the parameter description in the smb.conf
+documentation or read the file :
+
+docs/textdocs/Speed.txt.
+
+Changes in 2.0.5a
+-----------------
+
+1). Fix for smbd crash bug in string_sub(). smbd was miscalculating
+memmove lengths on multiple '%' substitutions.
+2). Fix for wildcard matching bug for old DOS programs running on Win9x.
+3). Fix for Windows NT client changing passwords against a Samba server,
+intermittently failing.
+4). Fix for PPP link being detected as primary interface if using the
+same IP address as the primary.
+5). Ensure smbmount is built with RPM build.
+
+Changes in 2.0.5
+----------------
+
+1). smbmount for Linux systems has been re-written to use
+the libsmb code and clientutil.c is no longer used with it.
+2). A bug preventing directory opens using the NT SMB calls
+has been fixed.
+3). A related bug causing a file structure leak when directory
+opens were denied has been fixed.
+4). Fix for glibc2.1 bug on 32-bit systems being reported as 64
+bit.
+5). Prevent timestamps of 0 or -1 corrupting file timestamps.
+6). Fix for unusual delays when browsing shares using Windows
+2000 - fix added by Matt.
+7). Fix for smbpassword reading problems on Sparc Linux was fixed.
+8). Fix for compiling with SSL library.
+9). smbclient fix for crash when doing CR/LF conversion.
+10). smbclient now reports short read errors.
+11). smbclient now uses remote server workgroup to list servers by default.
+12). smbclient now has -b option to change transmit/send buffer size.
+13). smbclient fix for corrupting files when issuing multiple outstanding
+read requests.
+14). Printing bug where Linux was using SYSV printing by default fixed.
+Linux now set to be BSD printing by default.
+15). Change for Linux to use SYSV shared memory by default.
+16). Fix for using IP_TOS options on some systems.
+17). Fix for some systems that complained about static struct passwd
+buffers being modified.
+18). Range checking applied to all string substitutions. Theoretically
+not a bug, but much more rebust now.
+19). Level II oplocks implemented.
+20). Fix for Win2K client printing added.
+21). Always allow loopback (127.0.0.1) connects unless specifically denied.
+22). Patch for FreeBSD interface detection code from Archie Cobbs (archie@whistle.com).
+23). Return correct status from smbrun.
+24). snprintf fixes for floating point numbers.
+25). Force directories to always have zero size.
+26). Fix for "force group" and "force user" options. "force user" now
+always uses primary group of user as well. Force group now enhanced with '+'
+semantics (see smb.conf man page for details).
+27). Wildcard matching fix to get closer to WinNT semantics for Win9x clients.
+28). Potential crash bug fixed in wildcard matching code. This bug could also
+cause smbd to sometimes not see exact file matches.
+29). Read/write for sockets changed to use revc/send to allow optimisations
+later.
+30). Oplocks added to client library.
+31). Several purify fixes in IPC code.
+32). nmbd crash bug in processing strange NetBIOS names fixed.
+33). nmbd loop bug in processing strange NetBIOS names fixed.
+34). Paranoia fixes to processing of incoming WinPopup messages in smbd.
+35). Share mode code now auto initialised.
+36). Detect dead processes in IPC lock code.
+37). Explicit -V version switch added to command line processing.
+38). WORKGROUP(1b) name processing with no WINS server fixed.
+39). Win2k client detection code added by Matt.
+40). Fix to allow really short changenotify times to be honoured.
+41). Fix for NT delete finding the wrong file from Tine Smukavec
+(valentin.smukavec@hermes.si)
+42). SWAT fix to prevent stderr messages from breaking the Web client.
+43). testparm fixes to check more parameter conflicts.
+44). Relative paths not fetched via SWAT in CGI scripts.
+45). SWAT remote password change - remote host name not treated as a
+password field any more.
+
+Changes in 2.0.4b
+-----------------
+
+A bug with MS-Word 97 saving files with zero UNIX permissions
+was fixed. Even though a workaround is available (set force
+create mode = 644 on the share) Word is such an important
+application that a point fix was neccessary.
+
+Changes in 2.0.4a
+-----------------
+
+The text and html versions of NT_Security were missing from
+the shipping tarball. Also a compile bug for platforms that
+don't have usleep was fixed.
+
+Changes in 2.0.4
+----------------
+
+There are 5 new parameters and one modified parameter in
+the smb.conf file.
+
+allow trusted domains
+restrict anonymous
+mangle locks
+oplock break wait time
+oplock contention limit
+
+The modified parameter is :
+
+nt acl support
+
+Bugfixes added since 2.0.3
+--------------------------
+
+1). Fix for 8 character password problem when using HPUX and
+plaintext passwords.
+2). --with-pam option added to ./configure.
+3). Client fixes for memory leak and display of 64 bit values.
+4). Fixes for -E and -s option with smbclient.
+5). smbclient now allows -L //server or -L \\server
+6). smbtar fix for display of 64 bit values.
+7). Endian independence added to DCE/RPC code.
+8). DCE/RPC marshalling/unmarshalling code re-written to provide
+overflow reporting and sign and seal support.
+9). Bind NAK reply packet added to DCE/RPC code, used to correctly
+refuse bind requests (prevents NT system event log messages).
+10). Mapping of UNIX permissions into NT ACL's for get and set
+added.
+11). DCE/RPC enumeration of numbers of shares made dynamic.
+Samba now has no limit on the number of exported shares seen.
+12). Fix to speed up random number seed generation on /dev/urandom
+being unavailable.
+13). Several memory fixes added by running Purify on the code.
+14). Read from client error messages improved.
+15). Fixed endianness used in UNICODE strings.
+16). Cope with ERRORmoredata in an RPC pipe client call.
+17). Check for malformed responses in nmbd register name.
+18). NT Encrypted password changing from the NT password dialog box
+now fully implmented.
+19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
+Samba platform.
+20). Allow file to be pseudo-openend in order to read security only.
+21). Improve filename mangling to reduce chance of collisions.
+22). Added code to prevent granting of oplocks when a file is under
+contention.
+23). Added tunable wait time before sending an oplock break request
+to a client if the client caused the break request. Helps with clients
+not responding to oplock breaks.
+24). Always respond negatively to queued local oplock break messages
+before shutdown. This can prevent "freezes" on an oplock error.
+25). Allow admin to restrict logons to correct domain when in domain
+level security.
+26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
+to prevent parameter substitution problems with anonymous connections.
+27). Fix SMBseek where seeking to a negative number sets the offset
+to zero.
+28). Fixed problem with mode getting corrupted in trans2 request
+(setting to zero means please ignore it).
+29). Correctly become the authenticated user on an authenticated
+DCE/RPC pipe request.
+30). Correctly reset debug level in nmbd if someone set it on the
+command line.
+31). Added more checking into testparm
+32). NetBench simulator added to smbtorture by Andrew.
+33). Fixed NIS+ option compile (was broken in 2.0.3).
+34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
+(ejb@ql.org)
+
+Bugfixes added since 2.0.2
+--------------------------
+
+1). --with-ssl configure now include ssl include directory. Fix
+from Richard Sharpe.
+2). Patch for configure for glibc2.1 support (large files etc.).
+3). Several bugfixes for smbclient tar mode from Bob Boehmer
+(boehmer@worldnet.att.net) to fix smbclient aborting problems
+when restoring tar files.
+4). Some automount fixes for smbmount.
+5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
+root. As no-one has given us root access to such a server this
+cannot be tested fully, but should work.
+6). Crash bug fix in debug code where *real* uid rather than
+*effective* uid was being checked before attempting to rotate
+log files. This fix should help a *lot* of people who were
+reporting smbd aborting in the middle of a copy operation.
+7). SIGALRM bugfix to ensure infinate file locks time out.
+8). New code to implement NT ACL reporting for cacls.exe program.
+9). UDP loopback socket rebind fix for Solaris.
+10). Ensure all UNICODE strings are correctly in little-endian
+format.
+11). smbpasswd file locking fix.
+12). Fixes for strncpy problems with glibc2.1.
+13). Ensure smbd correctly reports major and minor version number
+and server type when queried via NT rpc calls.
+14). Bugfix for short mangled names not being pulled off the
+mangled stack correctly.
+15). Fix for mapping of rwx bits being incorrectly overwritten
+when doing ATTRIB.EXE
+16). Fix for returning multiple PDU packets in NT rpc code. Should
+allow multiple shares to be returned correctly).
+17). Improved mapping of NT open access requests into UNIX open
+modes.
+18). Fix for copying files from an NTFS volume that contain
+multiple data forks. Added 'magic' error code NT needs.
+19). Fixed crash bug when primary NT authentication server
+is down, rolls over to secondaries correctly now.
+20). Fixed timeout processing to be timer based. Now will
+always occur even if smbd is under load.
+21). Fixed signed/unsigned problem in quotas code.
+22). Fixed bug where setting the password of a completely fresh
+user would end up setting the account disabled flag.
+23). Improved user logon messages to help admins having
+trouble with user authentication.
+
+Bugfixes added since 2.0.1
+--------------------------
+
+Note that due to a critical signal handling bug in 2.0.1,
+this release has been removed and replaced immediately with
+2.0.2. The Samba Team would like to apologise for any problem
+this may have caused.
+
+1). Fixed smbd looping on SIGCLD problem. This was
+ caused by a missing break statement in a critical
+ piece of code.
+
+Bugfixes added since 2.0.0
+--------------------------
+
+1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
+2). Autoconf changes to help HPUX configure correctly.
+3). Autoconf changes to allow lock directory to be set.
+4). Client fix to allow port to be set.
+5). clitar fix to send debug messages to stderr.
+6). smbmount race condition fix.
+7). Fix for bug where trying to browse large numbers of shares
+ generated an error from an NT client.
+8). Wrapper for setgroups for SunOS 4.x
+9). Fix for directory deleting failing from multiuser NT.
+10). Fix for crash bug if bitmap was full.
+11). Fix for Linux genrand where /dev/random could cause
+ clients to timeout on connect if the entropy pool was
+ empty.
+12). The default PASSWD_CHAT may now be overridden in local.h
+13). HPUX printing fixes for default programs.
+14). Reverted (erroneous) code in MACHINE.SID generation that
+ was setting the sid to 0x21 - should be *decimal* 21.
+15). Fix for printing to remote machine under SVR4.
+16). Fix for chgpasswd wait being interrupted with EINTR.
+17). Fix for disk free routine. NT and Win98 now correctly
+ show greater than 2GB disks.
+18). Fix for crash bug in stat cache statistics printing.
+19). Fix for filenames ending in .~xx.
+20). Fix for access check code wait being interrupted with EINTR.
+21). Fix for password changes from "invalid password" to a valid
+ one setting the account disabled bit.
+22). Fix for smbd crash bug in SMBreadraw cache prime code.
+23). Fix for overly zealous lock range overflow reporting.
+24). Fix for large disk disk free reporting (NT SMB code).
+25). Fix for NT failing to truncate files correctly.
+26). Fix for smbd crash bug with SMBcancel calls.
+27). Additional -T flag to nmblookup to do reverse DNS on addresses.
+28). SWAT fix to start/stop smbd/nmbd correctly.
+
+Major changes in Samba 2.0
+--------------------------
+
+This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
+and print server for Windows systems.
+
+There have been many changes in Samba since the last major release,
+1.9.18. These have mainly been in the areas of performance and
+SMB protocol correctness. In addition, a Web based GUI interface
+for configuring Samba has been added.
+
+In addition, Samba has been re-written to help portability to
+other POSIX-based systems, based on the GNU autoconf tool.
+
+There are many major changes in Samba for version 2.0. Here are
+some of them:
+
+=====================================================================
+
+1). Speed
+---------
+
+Samba has been benchmarked on high-end UNIX hardware as out-performing
+all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
+Many changes to the code to optimise high-end performance have been made.
+
+2). Correctness
+---------------
+
+Samba now supports the Windows NT specific SMB requests. This
+means that on platforms that are capable Samba now presents a
+64 bit view of the filesystem to Windows NT clients and is
+capable of handling very large files.
+
+3). Portability
+---------------
+
+Samba is now self-configuring using GNU autoconf, removing
+the need for people installing Samba to have to hand configure
+Makefiles, as was needed in previous versions.
+
+You now configure Samba by running "./configure" then "make". See
+docs/textdocs/UNIX_INSTALL.txt for details.
+
+4). Web based GUI configuration
+-------------------------------
+
+Samba now comes with SWAT, a web based GUI config system. See
+the swat man page for details on how to set it up.
+
+5). Cross protocol data integrity
+---------------------------------
+
+An open function interface has been defined to allow
+"opportunistic locks" (oplocks for short) granted by Samba
+to be seen by other UNIX processes. This allows complete
+cross protocol (NFS and SMB) data integrety using Samba
+with platforms that support this feature.
+
+6). Domain client capability
+----------------------------
+
+Samba is now capable of using a Windows NT PDC for user
+authentication in exactly the same way that a Windows NT
+workstation does, i.e. it can be a member of a Domain. See
+docs/textdocs/DOMAIN_MEMBER.txt for details.
+
+7). Documentation Updates
+-------------------------
+
+All the reference parts of the Samba documentation (the
+manual pages) have been updated and converted to a document
+format that allows automatic generation of HTML, SGML, and
+text formats. These documents now ship as standard in HTML
+and manpage format.
+
+=====================================================================
+
+NOTE - Some important option defaults changed
+---------------------------------------------
+
+Several parameters have changed their default values. The most
+important of these is that the default security mode is now user
+level security rather than share level security.
+
+This (incompatible) change was made to ease new Samba installs
+as user level security is easier to use for Windows 95/98 and
+Windows NT clients.
+
+********IMPORTANT NOTE****************
+
+If you have no "security=" line in the [global] section of
+your current smb.conf and you update to Samba 2.0 you will
+need to add the line :
+
+security=share
+
+to get exactly the same behaviour with Samba 2.0 as you
+did with previous versions of Samba.
+
+********END IMPORTANT NOTE*************
+
+In addition, Samba now defaults to case sensitivity options that
+match a Windows NT server precisely, that is, case insensitive
+but case preserving.
+
+The default format of the smbpasswd file has also been
+changed for this release, although the new tools will read
+and write the old format, for backwards compatibility.
+
+=====================================================================
+
+NOTE - Primary Domain Controller Functionality
+----------------------------------------------
+
+This version of Samba contains code that correctly implements
+the undocumented Primary Domain Controller authentication
+protocols. However, there is much more to being a Primary
+Domain Controller than serving Windows NT logon requests.
+
+A useful version of a Primary Domain Controller contains
+many remote procedure calls to do things like enumerate users,
+groups, and security information, only some of which Samba currently
+implements. In addition, there are outstanding (known) bugs with
+using Samba as a PDC in this release that the Samba Team are actively
+working on. For this reason we have chosen not to advertise and
+actively support Primary Domain Controller functionality with this
+release.
+
+This work is being done in the CVS (developer) versions of Samba,
+development of which continues at a fast pace. If you are
+interested in participating in or helping with this development
+please join the Samba-NTDOM mailing list. Details on joining
+are available at :
+
+http://lists.samba.org/listinfo/samba-ntdom
+
+Details on obtaining CVS (developer) versions of Samba
+are available at:
+
+http://www.samba.org/cvs.html
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.0</h2>
+
+<p>
+<pre>
+The Samba Team is pleased to announce a new major release of Samba,
+Samba 2.2.0.
+
+Samba 2.2.0 is available in source form from
+samba.org and all of our mirror sites at the url :
+
+<a href="/samba/ftp/samba-2.2.0.tar.gz">/samba/ftp/samba-2.2.0.tar.gz </a>
+
+Binary packages will be available shortly for many popular platforms.
+Please check the main Web site or email announcements for details.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+The WHATSNEW.txt file follows.
+
+As always, any bugs are our responsibility,
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.2.0
+ ========================
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the encessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls and smb transactions. See the file
+profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you
+must compile samba with profile support (run configure with
+the --with-profile option). On startup, collection of data
+is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggragate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measureable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+
+<h2>The Samba Team are pleased to announce Samba 2.2.1</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.1.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+Samba 2.2.1 is available in source form from samba.org and all of our
+mirror sites at the url
+
+<a href="/samba/ftp/samba-2.2.1a.tar.gz">/samba/ftp/samba-2.2.1a.tar.gz </a>
+
+The release notes follow.
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.2.1: 10th July 2001
+ =========================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existance of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronised.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistant tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ <a href="mailto:security@samba.org">security@samba.org</a>
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the encessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls and smb transactions. See the file
+profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you
+must compile samba with profile support (run configure with
+the --with-profile option). On startup, collection of data
+is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggragate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measureable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+<a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!--#include virtual="/samba/header.html" -->
+
+ <H2>Security Release - Samba 2.2.10 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 2.2.10
+ July 22, 2004
+ ==============================
+
+
+######################## SECURITY RELEASE ########################
+
+Summary: Potential Buffer Overrun in Samba 2.2.x
+CVE ID: CAN-2004-0686
+ (http://cve.mitre.org/)
+
+This is the latest stable release of the Samba 2.2 code base.
+There are no further Samba 2.2.x releases planned at this time.
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 2.2.0 through 2.2.9
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Affected Samba
+2.2 installations can avoid this possible security bug by using
+the hash2 mangling method. Server installations requiring
+the hash mangling method are encouraged to upgrade to Samba v2.2.10
+or v3.0.5.
+
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.10.tar.gz. The uncompressed archive has
+been signed using the Samba Distribution Key.
+
+Our code, Our bugs, Our responsibility (<a href="https://bugzilla.samba.org/">Samba Bugzilla</a>).
+
+ -- The Samba Team
+
+Older releases notes for 2.2.x distributions follow
+
+ ------------------------------------------------------
+
+ =============================
+ Release Notes for Samba 2.2.9
+ May 8, 2004
+ =============================
+
+This is the latest stable release of the Samba 2.2 code base.
+This is a maintenance release of Samba 2.2.8a to address the
+problem with user password changes after applying the Microsoft
+hotfix described in KB828741 to Windows NT 4.0/200x/XP clients.
+No other changes have been applied since Samba 2.2.8a.
+
+There are no further Samba 2.2.x releases planned at this time.
+
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.9.tar.gz. The uncompressed archive has
+been signed using the Samba Distribution Key.
+
+As always, all bugs are our responsibility.
+
+ --Sincerely
+ The Samba Team
+
+ ------------------------------------------------------
+
+ ===========================================
+ What's new in Samba 2.2.8a - 7th April 2003
+ ===========================================
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+Summary
+-------
+
+Digital Defense, Inc. has alerted the Samba Team to a serious
+vulnerability in all stable versions of Samba currently shipping.
+The Common Vulnerabilities and Exposures (CVE) project has assigned
+the ID CAN-2003-0201 to this defect.
+
+This vulnerability, if exploited correctly, leads to an anonymous
+user gaining root access on a Samba serving system. All versions
+of Samba up to and including Samba 2.2.8 are vulnerable. An active
+exploit of the bug has been reported in the wild. Alpha versions of
+Samba 3.0 and above are *NOT* vulnerable.
+
+
+Credit
+------
+
+The Samba Team would like to thank Erik Parker and the team at
+Digital Defense, Inc. for their efforts spent in the responsible
+and timely reporting of this bug.
+
+
+Patch Availability
+------------------
+
+The Samba 2.2.8a release contains only updates to address this
+security issue. A roll-up patch for release 2.2.7a and 2.0.10
+addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
+from http://www.samba.org/samba/ftp/patches/security/.
+
+
+ ========================================
+
+
+The release notes for 2.2.8 follow:
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+
+Summary
+-------
+
+The SuSE security audit team, in particular <a href="mailto:krahmer@suse.de">Sebastian
+Krahmer</a>, has found a flaw in the Samba main smbd code which
+could allow an external attacker to remotely and anonymously gain
+Super User (root) privileges on a server running a Samba server.
+
+This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
+inclusive. This is a serious problem and all sites should either
+upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
+and 445. Advice created by Andrew Tridgell, the leader of the Samba Team,
+on how to protect an unpatched Samba server is given at the end of this
+section.
+
+The SMB/CIFS protocol implemented by Samba is vulnerable to many
+attacks, even without specific security holes. The TCP ports 139 and
+the new port 445 (used by Win2k and the Samba 3.0 alpha code in
+particular) should never be exposed to untrusted networks.
+
+Description
+-----------
+
+A buffer overrun condition exists in the SMB/CIFS packet fragment
+re-assembly code in smbd which would allow an attacker to cause smbd
+to overwrite arbitrary areas of memory in its own process address
+space. This could allow a skilled attacker to inject binary specific
+exploit code into smbd.
+
+This version of Samba adds explicit overrun and overflow checks on
+fragment re-assembly of SMB/CIFS packets to ensure that only valid
+re-assembly is performed by smbd.
+
+In addition, the same checks have been added to the re-assembly
+functions in the client code, making it safe for use in other
+services.
+
+Credit
+------
+
+This security flaw was discovered and reported to the Samba Team by
+Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.
+The fix was prepared by Jeremy Allison and reviewed by engineers from
+the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
+on the Linux Vendor security mailing list.
+
+The Samba Team would like to thank SuSE and Sebastian Krahmer for
+their excellent auditing work and for drawing attention to this flaw.
+
+Patch Availability
+-----------------
+
+As this is a security issue, patches for this flaw specific to earlier
+versions of Samba will be posted on the samba-technical@samba.org
+mailing list as requested.
+
+
+************************************
+Protecting an unpatched Samba server
+************************************
+
+ Samba Team, March 2003
+
+ This is a note on how to provide your Samba server some
+ protection against the recently discovered remote security
+ hole if you are unable to upgrade to the fixed version
+ immediately. Even if you do upgrade you might like to think
+ about the suggestions in this note to provide you with
+ additional levels of protection.
+
+
+ Using host based protection
+ ---------------------------
+
+ In many installations of Samba the greatest threat comes for
+ outside your immediate network. By default Samba will accept
+ connections from any host, which means that if you run an
+ insecure version of Samba on a host that is directly
+ connected to the Internet you can be especially vulnerable.
+
+ One of the simplest fixes in this case is to use the 'hosts
+ allow' and 'hosts deny' options in the Samba smb.conf
+ configuration file to only allow access to your server from a
+ specific range of hosts. An example might be:
+
+
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+
+ The above will only allow SMB connections from 'localhost'
+ (your own computer) and from the two private networks
+ 192.168.2 and 192.168.3. All other connections will be
+ refused connections as soon as the client sends its first
+ packet. The refusal will be marked as a 'not listening on
+ called name' error.
+
+
+ Using interface protection
+ --------------------------
+
+ By default Samba will accept connections on any network
+ interface that it finds on your system. That means if you
+ have a ISDN line or a PPP connection to the Internet then
+ Samba will accept connections on those links. This may not be
+ what you want.
+
+ You can change this behavior using options like the
+ following:
+
+ interfaces = eth* lo
+ bind interfaces only = yes
+
+ that tells Samba to only listen for connections on interfaces
+ with a name starting with 'eth' such as eth0, eth1, plus on
+ the loopback interface called 'lo'. The name you will need to
+ use depends on what OS you are using. In the above I used the
+ common name for ethernet adapters on Linux.
+
+ If you use the above and someone tries to make a SMB
+ connection to your host over a PPP interface called 'ppp0',
+ they will get a TCP connection refused reply. In that
+ case no Samba code is run at all as the operating system has
+ been told not to pass connections from that interface to any
+ process.
+
+
+ Using a firewall
+ ----------------
+
+ Many people use a firewall to deny access to services that
+ they don't want exposed outside their network. This can be a
+ very good idea, although I would recommend using it in
+ conjunction with the above methods so that you are protected
+ even if your firewall is not active for some reason.
+
+ If you are setting up a firewall then you need to know what
+ TCP and UDP ports to allow and block. Samba uses the
+ following:
+
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+
+ The last one is important as many older firewall setups may
+ not be aware of it, given that this port was only added to
+ the protocol in recent years.
+
+
+ Using a IPC$ share deny
+ -----------------------
+
+ If the above methods are not suitable, then you could also
+ place a more specific deny on the IPC$ share that is used in
+ the recently discovered security hole. This allows you to
+ offer access to other shares while denying access to IPC$
+ from potentially untrustworthy hosts.
+
+ To do that you could use:
+
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+
+ this would tell Samba that IPC$ connections are not allowed
+ from anywhere but the two listed places (localhost and a
+ local subnet). Connections to other shares would still be
+ allowed. As the IPC$ share is the only share that is always
+ accessible anonymously this provides some level of protection
+ against attackers that do not know a username/password for
+ your host.
+
+
+ If you use this method then clients will be given a 'access
+ denied' reply when they try to access the IPC$ share. That
+ means that those clients will not be able to browse shares,
+ and may also be unable to access some other resources.
+
+ I don't recommend this method unless you cannot use one of
+ the other methods listed above for some reason.
+
+
+ Upgrading Samba
+ ---------------
+
+ Of course the best solution is to upgrade Samba to a version
+ where the bug has been fixed. If you wish to also use one of
+ the additional measures above then that would certainly be a
+ good idea.
+
+ Please check regularly on http://www.samba.org/ for updates
+ and important announcements.
+
+
+ ****************************************
+ ****************************************
+
+-----------------------------------------------------------------
+
+Changes since 2.2.7a
+--------------------
+
+New Parameters
+
+ * acl compatibility
+
+Additional Changes:
+ See the cvs log for SAMBA_2_2 for more details
+
+1) smbumount lazy patch from Mandrake
+2) Check for too many processes *before* the fork.
+3) make sure we don't run over the end of 'name' in unix_convert()
+4) set umask to 0 before creating socket directory.
+5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right
+ thing in interactive mode when a log file dir is also specified.
+6) Fix delete on close semantics to match W2K.
+7) Correctly return access denied on share mode deny when we can't
+ open the file.
+8) Always use safe_strcpy not pstrcpy for malloc()'d strings
+9) Fixes for HP-UX only having limited POSIX lock range
+10) Added uid/gid caching code. Reduces load on winbindd.
+11) Removed extra copy of server name in the printername field (it was
+ mangling the the name to be \\server\\\server\printer
+12) Fix dumb perror used without errno being set.
+13) Do retries correctly if the connection to the DC has failed.
+14) Correctly check for inet_addr fail.
+15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
+16) Fix for missing if (setting_acls) on default perms.
+17) Fix to cache the sidtype
+18) fix printer settings on Solaris (big-endian) print servers.
+ ASCII -> UNICODE conversion bug.
+19) Small fix check correct error return.
+20) Ensure space_avail is unsigned.
+21) patch to check for a valid [f]chmod_acl function pointer
+ before calling it. Fixes seg fault in audit VFS module
+22) When checking is_locked() new WRITE locks conflict with existing
+ READ locks even if the context is the same.
+23) Merge off-by-one crash fixes from HEAD
+24) Move off-by-one buggy malloc()/safe_strcpy() combination to
+ strdup() instead.
+25) Merge from HEAD. Use pstrcpy not safe_strcpy.
+26) Fix to allow blocking lock notification to be done rapidly (no wait
+ for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
+ (does not interfere with existing locks).
+27) Doxygen cleanups for code documentation
+28) limit the unix domain sockets used by winbindd by adding a
+ "last_access" field to winbindd connections, and will close
+ the oldest idle connection once the number of open connections goes
+ over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
+ currently)
+29) Fix a couple of string handling errors in smbd/dir.c that would
+ cause smbd to crash
+30) Fix seg fault in smbpasswd when specifying the new password
+ as a command line argument
+31) Correct 64-but file sizes issues with smbtar and smbclient
+32) Add batch mode option to pdbedit
+33) Add protection in nmbd against malformed reply packets
+34) Fix bug with sendfile profiling support in smbstatus output
+35) Correct bug in "hide unreadable" smb.conf parameter that
+ resulted in incorrect directory listings
+36) Fix bug in group enumeration in winbindd
+37) Correct build issues with libsmbclient on Solaris
+38) Fix memory leak and bad pointer dereference in password
+ changing code in smbd
+39) Fix for changing attributes on a file truncate
+40) Ensure smbd process count never gets to -1 if limiting number
+ of processes
+41) Ensure we return disk full by default on short writes
+42) Don't delete jobs submitted after the lpq time
+43) Fix reference count bug where smbds would not terminate
+ with no open resources
+44) Performance fix when using quota support on HP-UX
+45) Fixes for --with-ldapsam
+ * Default to port 389 when "ldap ssl != on"
+ * add support for rebinding to the master directory server
+ for password changes when "ldap server" points to a read-only
+ slave
+46) Add -W and -X command line flags to smbpasswd for extracting and
+ setting the machine/domain SID in secrets.tdb. See the
+ smbpasswd(8) man page for details.
+47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
+ obtained from PADL's nss_ldap library.
+48) Fix bug in samr_dispinfo query in winbindd
+49) Fix segfault in NTLMSSP password changing code for
+ guest connections
+50) Correct pstring/fstring mismatches
+51) Send level II oplock break requests synchronously to prevent
+ condition where one smbd would continually lock a share entry
+ in locking.tdb
+52) Miscellaneous cleanups for tdb error conditions and appending
+ data in a record
+53) Implement correct open file truncate semantics with DOS
+ attributes
+54) Enforce wide links = no on files as well as directories
+55) Include shared library checks for Stratus VOS
+56) Include support for CUPS printer classes and logging the remote
+ client name
+57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
+ for %a
+58) Increase the max PDU size to deal with some troublesome printer
+ drivers and Windows NT 4.0 clients
+59) increment the process counter immediately after the fork
+ (not just when we receive the first smb packet)
+60) Ensure rename sets errno correctly
+61) Unify ACL code (back-port from 3.0)
+62) Fix some further issues around off_t and large offsets
+</pre>
+<!--#include virtual="/samba/footer.html" -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.2</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.2.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There are several important oplock logic bugs that have been fixed in
+this release, so an upgrade is recommended.
+
+Samba 2.2.2 is available in source form from samba.org and all of our
+mirror sites at the url
+
+<a href="/samba/ftp/samba-2.2.2.tar.gz">/samba/ftp/samba-2.2.2.tar.gz </a>
+
+The release notes follow.
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.2.2: 13th October 2001
+ ===========================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There are several important oplock logic bugs that have been fixed in
+this release, so an upgrade is recommended.
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+managable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behaviour of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behaviour, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox varients
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HPUX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL suppport added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibilty.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existance of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronised.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistant tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the encessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggragate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measureable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</html>
+</body>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.3</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.3.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+Samba 2.2.3 is available in source form from samba.org and all of our
+mirror sites at the url
+
+<a href="/samba/ftp/samba-2.2.3.tar.gz">/samba/ftp/samba-2.2.3.tar.gz </a>
+
+The release notes follow.
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.2.3 - 2nd February 2002
+ =============================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). fileid added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT suplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+managable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behaviour of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behaviour, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox varients
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL suppport added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibilty.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existance of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronised.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistant tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the encessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggragate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measureable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team announce Samba 2.2.3a</h2>
+
+<p>
+<pre>
+The Samba Team announces the release of Samba 2.2.3a, a bugfix release to
+correct an error in Samba 2.2.3.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EEXIST error code and the corresponding NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+Samba 2.2.3a is available in source form from samba.org and all of our
+mirror sites at the url
+
+<a href="/samba/ftp/samba-2.2.3a.tar.gz">/samba/ftp/samba-2.2.3a.tar.gz </a>
+
+The release notes follow.
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+----------------------------------------------------------------------
+ WHATS NEW IN Samba 2.2.3a - 6th February 2002
+ ==============================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+Change from 2.2.3
+-----------------
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EEXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3a
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). fileid added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT suplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+managable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behaviour of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behaviour, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox varients
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL suppport added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibilty.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existance of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronised.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistant tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the encessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggragate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measureable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.4</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.4.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+Binary packages will be released shortly for major platforms. The source
+code can be downloaded from :
+
+ <a href="/samba/ftp">ftp://ftp.samba.org/pub/samba/</a>
+
+in the file samba-2.2.4.tar.gz or samba-2.2.4.tar.bz2.
+md5sum's are available in the same directory.
+
+The release notes follow.
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+
+ WHAT'S NEW IN Samba 2.2.4 - 2nd May 2002
+ =========================================
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Depreciated parameters
+----------------------
+
+The following parameters have been marked as depreciated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+
+Known Bugs
+----------
+
+* Under certain conditions when serving the MS Access 2000
+ executable file and an Access database from a Samba share,
+ it is possible to experience data corruption. This bug does not
+ occur when the database is served from a Samba file share
+ but the Access *.exe is stored on the client's local file system.
+ The exact reason for this bug is unknown at this time.
+
+ =========================================
+
+
+
+
+Older release notes for Samba 2.2.x follow.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ <a href="mailto:samba@samba.org">samba@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.5</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.5.
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+
+Binary packages will be released shortly for major platforms. The source
+code can be downloaded from :
+
+ <a href="/samba/ftp">ftp://ftp.samba.org/pub/samba/</a>
+
+in the file samba-2.2.5.tar.gz or samba-2.2.5.tar.bz2.
+md5sum's are available in the same directory.
+
+The release notes follow.
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+
+
+
+ WHAT'S NEW IN Samba 2.2.5 - 18th June 2002
+ ===========================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+New/Changed parameters in 2.2.5
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* block size = <INTEGER>
+* force unknown acl user = <boolean>
+* mangling method = [hash|hash2]
+
+
+Deprecated Parameters
+---------------------
+
+The following parameters have been marked as deprecated and will be removed
+in Samba 3.0
+
+* strip dot
+* status
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.5
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Removal of several compiler warnings, incorrect Makefile dependencies,
+ and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
+ being the predominantly reported platforms
+2) Fixed winbindd crash bug on the IBM s390 running Linux
+3) Inclusion of enhanced Linux quota support
+4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
+ there is no apparent SSL support there)
+5) POSIX conformance patches
+6) Include new configure --enable-cups option (can also be disabled even
+ if CUPS libraries are installed on the system)
+7) Set reasonable default for the "passwd program" parameter using an
+ autoconf test
+8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
+9) fixed bug to prevent root account from being deleted by the
+ "delete user script"
+10) Inclusion of autoconf script for building VFS modules
+11) Add new run time options to the VFS recycle bin library (see
+ examples/VFS/recycle/README for details)
+12) Include findsmb perl script as part of the "make install" process
+13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
+ to fix a bug where printers appear at the workgroup level in the Windows
+ NT/2k APW browse list
+14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
+ details)
+15) Fix length bug that caused password changes from Windows NT/2k clients to
+ occasionally fail
+16) Correct false password expiration when using --with-ldapsam caused by
+ missing attributes in the directory
+17) added -S option to smbpasswd for storing the SID of a domain controller
+ as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
+ for details.
+18) Various fixes for UNIX CIFS extensions commands
+19) Fixed CIDR notation in "hosts allow/deny"
+20) Change semantics of an idle connection to mean "no open files and no
+ open handles". We cannot idle a connection if there are open named
+ pipe handles. This fixes scalability problem on Samba print servers
+ and NT/2k clients introduced in 2.2.4
+21) Fix germam umlaut problem when returning ACL entries
+22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
+ of running the Microsoft Access executable (msaccess.exe) and database
+ files from a Samba share documented in the 2.2.4 release
+23) Corrected signal handling relating to directory change notification and
+ kernel oplocks
+24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
+ Savings Time
+25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
+ clients not to be able to view printer properties from a Samba host
+26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
+ Windows 2k/XP clients to fail
+27) Fixed incorrect error check in mod_share_entry()
+28) Allow %S variable in MS-DFS root paths
+29) Correct a bug regarding the use of 'wbinfo -A'
+30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
+31) Store the key for a name-to-sid cache entry in upper case rather than
+ whatever case the request was made in. This gets rid of duplicate
+ cache entries.
+32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
+33) Enhanced error reporting messages of wbinfo
+34) Parameterize block size on disk size return
+35) Added new parameter to allow incoming ACLs to have owner and group forced
+ to the currently logged in user. This fixes the XCOPY /O problem
+36) Fixed bug in local_change_password() caused by reusing a struct
+ passwd* pointer
+37) Change default value for "ldap port" to 389 if "ldap ssl = no"
+38) Updated HOWTO's, manpages, and general documentation....
+39) Allow root as well as domain admins to open an LDAP connection
+40) Fixed veto files bug with ".*"
+41) Fixed uninitialized variable bug in smbpasswd that was causing a random
+ IP address to be used in the connection when joining a domain
+42) Fix for joining a domain with a netbios name of 15 characters and
+ pre-creating the account on the DC
+43) Added links to new documentation on SWAT welcome page
+
+
+ =========================================
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.4 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Deprecated parameters
+---------------------
+
+The following parameters have been marked as deprecated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.6</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.6.
+
+This is the latest stable release of Samba and the last planned
+release of the Samba 2.2. branch. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.6.tar.gz or samba-2.2.6.tar.bz2.
+Both archives have been signed as well using the
+<a href="/samba/ftp/samba-pubkey.asc">Samba Distribution Key</a>
+
+Binary packages will be released shortly for major platforms and
+can be found at
+
+ <a href="/samba/ftp/Binary_Packages">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+The release notes follow.
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+ WHAT'S NEW IN Samba 2.2.6 - 16th October 2002
+ =============================================
+
+This is the latest stable release of Samba. This is the version that all
+production Samba servers should be running for all current bug-fixes.
+
+There have been several fixes and internal enhancements which include:
+
+ * Fixes for MS-RPC printing issues affecting Windows 2000 clients
+ * New support for smb.conf generation in SWAT
+ * Inclusion of several performance enhancements (See --with-sendfile
+ & and the modified smb.conf(5) parameters in these Release Notes)
+ * Fixes for several file locking bugs and returned status codes
+
+
+New Parameters
+--------------
+
+Refer to the smb.conf(5) man page for complete descriptions of new parameters.
+
+ * profile acls (S) workaround for issue with WinXP SP1
+ and roaming user profiles
+
+Removed Parameters
+------------------
+
+ * max packet (G)
+ * packet size (G)
+
+Modified Parameters
+-------------------
+
+ * max xmit (G) new default value
+ * large readwrite (G) new default value
+
+New ./configure Options
+-----------------------
+
+ --with-sendfile Enable experimental sendfile support
+ --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality
+ for Windows 2000 native mode domains
+
+
+Changes since 2.2.5
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fixed several compiler warnings caused by the use of const parameters
+2) Fixed a hang in the main smbd process caused by an EINTR in the
+ wrong place
+3) Fixed string substitutions to accept a length for sanity checks
+4) Fixed 17-bit length field in nmb header
+5) Removed non-portable inline declaration for functions
+6) Performance fix for including files with an smb.conf variable in the
+ path name
+7) Fix for parsing LPRng lpq output
+8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
+ printer properties to fail
+9) Fix for printer change notification and Windows NT clients which caused
+ the client to go into an infinite loop of refreshing the local printers
+ folder
+10) Allow trans2 and nttrans messages to be processed in oplock break state
+ which fixes a problem with oplock break requests and Win2k clients
+11) Don't crash on setfileinfo on printer fsp
+12) Memory fixes caught by Valgrind
+13) Updates to stop spurious error message in tdb
+14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
+15) Fix compilation of pam_smbpass and --with-ldap
+16) Fix compilation of smbwrapper on Solaris hosts
+17) fix logic error in a check for enabling the winbind_pam_auth_crap() code
+ & fix formatting typo in --with-winbind-auth-challenge
+18) Correcting check for ldap_start_tls()
+19) Fixed a problem with getgroups() where it could include our current
+ effective gid
+20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
+ to only attempt to delete the architecture specified by the client
+21) Don't allow TEMP attribute on directory open
+22) Restore VxFS quotas to the 2.2 branch
+23) Added basic "Wizard" functionality to SWAT
+24) Fix initial "allocation size" in NTcreate&X call
+25) Fix for open fid, "nametoolong"
+26) Exit server on receipt of a non-SMB packet. Ensure we have
+ at least smb_size bytes before processing a packet
+27) Replace inet_aton with inet_addr() to correct compile problems on Solaris
+28) Include the "account" objectclass when adding a new account to --with-ldapsam
+ in order to comply with the data model implemented by OpenLDAP 2.1.x
+29) Various fixes for POSIX compliance
+30) Correct alignment & offset bug in EnumPrinterDataEx()
+31) Fix access checks when modifying forms using a print server handle
+ (not just a printer handle)
+32) Account for case data_len == 0 in EnumPrinterDataEx()
+33) Fix logic error in blocking lock code
+34) Fixed various incorrect return codes to clients
+35) Add RESOLVE_DFSPATH to mkdir operations
+36) Fix longstanding bug in Win2k clients by clearing the shortname
+ buffer before returning ASCII short name
+37) added -t option to smbpasswd for explicitly changing a trust
+ account password when operating in security = domain
+38) installed -x option to testparm to eXclude printing all parameter
+ values that are at default settings.
+39) Fix shares/printers view in SWAT so that only Basic options are exposed
+ upon initial entry.
+40) Added 1125 & KOI8-U to codepage list in Makefile.in
+41) Include separate configure checks for *openbsd* & *freebsd* when
+ determining flags used to compile shared libraries.
+42) Merge in free list unlock on error fix
+43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
+ if we are mapping system or hidden
+44) Fix bug with stat mode open being done on read-only open with truncate
+45) Fix crash bug discovered where cli struct was being deallocated in a
+ called function
+46) Ensure we open UNIX fifo's non-blocking
+47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
+48) only lowercase global_myname in the %L substitution, not the whole string
+49) Merged Steve French's fix for OS/2 EA return error being removed
+50) Patch from Steve French to fix difference in responses to smbclient
+ //server/share ls / on Samba and Windows 2000
+51) Print error and exit if smb.conf doesn't have security=domain and
+ encrypt passwords=yes when joining domain
+52) Added final Steve French patch for "required" attributes with old dir
+ listings
+53) Initialize user_rid value in WINBIND_USERINFO structure returned by
+ the rpc version of query_user()
+54) Ensure we've failed a lock with a lock denied message before automatically
+ pushing it onto the blocking queue
+55) Add experimental --with-sendfile code
+56) alignment fix in printing code merged from HEAD
+57) Merge fix for other sids in token from HEAD
+58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
+59) fix smbclient / Win98 off by one bug
+60) Never, *ever* hold a mutex lock in the message database where there may be
+ traversals being attempted
+61) Add LDAP hack for retrieving the SAM sequence number when a member of a
+ Windows 2000 native mode domain
+62) Fix race condition when changing a machine account password as we were
+ no longer locking the secrets entry
+63) Allow '@' as a valid character in domain names
+64) remove jobs from the spool directory when using cups
+65) removed -lresolv for --enable-ldapsam
+66) Memory leak fix and correct use of negative caching in winbindd
+67) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
+68) Delete printer security check was reversed
+69) Windows allows delete printer on a handle opened by an admin user, then
+ used on a pipe handle created by an anonymous user...We do to now...
+70) Make explicit the difference between a tdb key with no data attached, and
+ a non existent entry
+71) Ensure we register the 1c name on the unicast subnet.
+72) Fix inheritance problem when recursively setting ACLs on directories
+73) prevent ACL set on read-only share
+74) Ensure we never have more than MAX_PRINT_JOBS in a queue
+75) Added timeout to tdb_lock_bystring()
+76) Ensure we set FIRST+LAST flags on a bind request
+77) Add version strings to the usage message for smbcacls and smbpasswd
+78) Fix bug in the write cache code
+79) make the default printed values for boolean the same for all parameters
+80) Default all LDAP connections to v3 with compiling with --with-ldapsam
+81) Fix memory leak in smbspool
+82) Fix bug in mangling code that resulted in Win9x clients not being
+ able to execute batch files in deep, non 8.3 directory paths
+83) Fix infinite looping bug in winbindd_getgrent()
+84) Fix crash bug on 64-bit systems (merge from HEAD)
+85) Fix extended character bug when setting LanMan/NT password
+86) Negotiate same SMB read size as a Windows 2000 file server
+ to fix performance bug with NT4 clients
+
+
+ =========================================
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.5 follow :
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+New/Changed parameters in 2.2.5
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* block size = <INTEGER>
+* force unknown acl user = <boolean>
+* mangling method = [hash|hash2]
+
+
+Deprecated Parameters
+---------------------
+
+The following parameters have been marked as deprecated and will be removed
+in Samba 3.0
+
+* strip dot
+* status
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.5
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Removal of several compiler warnings, incorrect Makefile dependencies,
+ and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
+ being the predominantly reported platforms
+2) Fixed winbindd crash bug on the IBM s390 running Linux
+3) Inclusion of enhanced Linux quota support
+4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
+ there is no apparent SSL support there)
+5) POSIX conformance patches
+6) Include new configure --enable-cups option (can also be disabled even
+ if CUPS libraries are installed on the system)
+7) Set reasonable default for the "passwd program" parameter using an
+ autoconf test
+8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
+9) fixed bug to prevent root account from being deleted by the
+ "delete user script"
+10) Inclusion of autoconf script for building VFS modules
+11) Add new run time options to the VFS recycle bin library (see
+ examples/VFS/recycle/README for details)
+12) Include findsmb perl script as part of the "make install" process
+13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
+ to fix a bug where printers appear at the workgroup level in the Windows
+ NT/2k APW browse list
+14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
+ details)
+15) Fix length bug that caused password changes from Windows NT/2k clients to
+ occasionally fail
+16) Correct false password expiration when using --with-ldapsam caused by
+ missing attributes in the directory
+17) added -S option to smbpasswd for storing the SID of a domain controller
+ as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
+ for details.
+18) Various fixes for UNIX CIFS extensions commands
+19) Fixed CIDR notation in "hosts allow/deny"
+20) Change semantics of an idle connection to mean "no open files and no
+ open handles". We cannot idle a connection if there are open named
+ pipe handles. This fixes scalability problem on Samba print servers
+ and NT/2k clients introduced in 2.2.4
+21) Fix germam umlaut problem when returning ACL entries
+22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
+ of running the Microsoft Access executable (msaccess.exe) and database
+ files from a Samba share documented in the 2.2.4 release
+23) Corrected signal handling relating to directory change notification and
+ kernel oplocks
+24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
+ Savings Time
+25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
+ clients not to be able to view printer properties from a Samba host
+26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
+ Windows 2k/XP clients to fail
+27) Fixed incorrect error check in mod_share_entry()
+28) Allow %S variable in MS-DFS root paths
+29) Correct a bug regarding the use of 'wbinfo -A'
+30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
+31) Store the key for a name-to-sid cache entry in upper case rather than
+ whatever case the request was made in. This gets rid of duplicate
+ cache entries.
+32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
+33) Enhanced error reporting messages of wbinfo
+34) Parameterize block size on disk size return
+35) Added new parameter to allow incoming ACLs to have owner and group forced
+ to the currently logged in user. This fixes the XCOPY /O problem
+36) Fixed bug in local_change_password() caused by reusing a struct
+ passwd* pointer
+37) Change default value for "ldap port" to 389 if "ldap ssl = no"
+38) Updated HOWTO's, manpages, and general documentation....
+39) Allow root as well as domain admins to open an LDAP connection
+40) Fixed veto files bug with ".*"
+41) Fixed uninitialized variable bug in smbpasswd that was causing a random
+ IP address to be used in the connection when joining a domain
+42) Fix for joining a domain with a netbios name of 15 characters and
+ pre-creating the account on the DC
+43) Added links to new documentation on SWAT welcome page
+
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.4 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Deprecated parameters
+---------------------
+
+The following parameters have been marked as deprecated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.7</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.7.
+
+A security hole has been discovered in versions 2.2.2 through 2.2.6
+of Samba that could potentially allow an attacker to gain root access
+on the target machine. The word "potentially" is used because there
+is no known exploit of this bug, and the Samba Team has not been able to
+craft one ourselves. However, the seriousness of the problem warrants
+this immediate 2.2.7 release.
+
+In addition to addressing this security issue, Samba 2.2.7 also includes
+thirteen unrelated improvements. These improvements result from our
+process of continuous quality assurance and code review, and are part of
+the Samba team's commitment to excellence.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+All current source releases have been signed as well using the
+<a href="/samba/ftp/samba-pubkey.asc">Samba Distribution Key</a>
+
+Binary packages for major platforms can be found at
+
+ <a href="/samba/ftp/Binary_Packages">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+The release notes follow.
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+ WHAT'S NEW IN Samba 2.2.7 - 20th November 2002
+ ==============================================
+
+This is the latest stable release of Samba. This is the version
+that all production Samba servers should be running for all current
+bug-fixes.
+
+IMPORTANT: Security bugfix for Samba
+------------------------------------
+
+Summary
+-------
+
+A security hole has been discovered in versions 2.2.2 through 2.2.6
+of Samba that could potentially allow an attacker to gain root access
+on the target machine. The word "potentially" is used because there
+is no known exploit of this bug, and the Samba Team has not been able to
+craft one ourselves. However, the seriousness of the problem warrants
+this immediate 2.2.7 release.
+
+In addition to addressing this security issue, Samba 2.2.7 also includes
+thirteen unrelated improvements. These improvements result from our
+process of continuous quality assurance and code review, and are part of
+the Samba team's commitment to excellence.
+
+Details
+-------
+
+There was a bug in the length checking for encrypted password change
+requests from clients. A client could potentially send an encrypted
+password, which, when decrypted with the old hashed password could be
+used as a buffer overrun attack on the stack of smbd. The attach would
+have to be crafted such that converting a DOS codepage string to little
+endian UCS2 unicode would translate into an executable block of code.
+
+All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable
+to this problem. This version of Samba 2.2.7 contains a fix for this
+problem.
+
+Earlier versions of Samba are not vulnerable.
+
+There is no known exploit or exploit code for this vulnerability,
+it was discovered by a code audit by Debian Samba maintainers.
+
+Credit
+------
+
+Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris
+<peloy@debian.org> for bringing this vulnerability to our notice.
+
+Patch for Samba versions 2.2.2 to 2.2.6
+---------------------------------------
+
+The following patch applies cleanly to the above Samba versions
+and will fix the vulnerability for sites that do not wish to upgrade
+to 2.2.7 at this time.
+
+-------------------------------cut here---------------------------------
+--- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002
++++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
+@@ -63,7 +63,7 @@
+ if(len > 128)
+ len = 128;
+ /* Password must be converted to NT unicode - null terminated. */
+- dos_struni2((char *)wpwd, (const char *)passwd, 256);
++ dos_struni2((char *)wpwd, (const char *)passwd, len);
+ /* Calculate length in bytes */
+ len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
+-------------------------------cut here---------------------------------
+
+
+
+Changes since 2.2.6
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) ensure we send the notify message in the same way it is expected
+ to be received by srv_spoolss_receive_message().
+2) attribute matching on truncate only matters when opening truncate
+ with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
+ with current NONE -> SYSTEM | HIDDEN.
+3) Fix bug in rpcclient's deldriver command
+4) Don't set global_machine_password_needs_changing if
+ lp_machine_password_timeout() is set to zero
+5) don't parse the BUFFER5 if the buffer length is zero
+6) fix core dump if pdbedit is run as non-root or smbpasswd file does
+ not exist
+7) Ensure can_delete() returns correct error code
+8) correctly return NT_STATUS_DELETE_PENDING from open code
+9) fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes
+10) check the long_archi name is not null when deleting a printer driver.
+ fixes core dump in smbd when using rpcclient's deldriver
+11) fix fd leak with kernel change notify on Linux 2.4 kernels
+12) must add one to the extra_data size to transfer the 0 string
+ terminator. This was causing "wbinfo --sequence" to access past the
+ end of malloced memory
+13) fix for large systems allowing more than 65536 files open in
+ NTcreate&X
+14) Fix bug in %U expansion
+
+
+ =========================================
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.6 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * Fixes for MS-RPC printing issues affecting Windows 2000 clients
+ * New support for smb.conf generation in SWAT
+ * Inclusion of several performance enhancements (See --with-sendfile
+ & and the modified smb.conf(5) parameters in these Release Notes)
+ * Fixes for several file locking bugs and returned status codes
+
+
+New Parameters
+--------------
+
+Refer to the smb.conf(5) man page for complete descriptions of new parameters.
+
+ * profile acls (S) workaround for issue with WinXP SP1
+ and roaming user profiles
+
+Removed Parameters
+------------------
+
+ * max packet (G)
+ * packet size (G)
+
+Modified Parameters
+-------------------
+
+ * max xmit (G) new default value
+ * large readwrite (G) new default value
+
+New ./configure Options
+-----------------------
+
+ --with-sendfile Enable experimental sendfile support
+ --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality
+ for Windows 2000 native mode domains
+
+
+Changes since 2.2.5
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fixed several compiler warnings caused by the use of const parameters
+2) Fixed a hang in the main smbd process caused by an EINTR in the
+ wrong place
+3) Fixed string substitutions to accept a length for sanity checks
+4) Fixed 17-bit length field in nmb header
+5) Removed non-portable inline declaration for functions
+6) Performance fix for including files with an smb.conf variable in the
+ path name
+7) Fix for parsing LPRng lpq output
+8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
+ printer properties to fail
+9) Fix for printer change notification and Windows NT clients which caused
+ the client to go into an infinite loop of refreshing the local printers
+ folder
+10) Allow trans2 and nttrans messages to be processed in oplock break state
+ which fixes a problem with oplock break requests and Win2k clients
+11) Don't crash on setfileinfo on printer fsp
+12) Memory fixes caught by Valgrind
+13) Updates to stop spurious error message in tdb
+14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
+15) Fix compilation of pam_smbpass and --with-ldap
+16) Fix compilation of smbwrapper on Solaris hosts
+17) fix logic error in a check for enabling the winbind_pam_auth_crap() code
+ & fix formatting typo in --with-winbind-auth-challenge
+18) Correcting check for ldap_start_tls()
+19) Fixed a problem with getgroups() where it could include our current
+ effective gid
+20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
+ to only attempt to delete the architecture specified by the client
+21) Don't allow TEMP attribute on directory open
+22) Restore VxFS quotas to the 2.2 branch
+23) Added basic "Wizard" functionality to SWAT
+24) Fix initial "allocation size" in NTcreate&X call
+25) Fix for open fid, "nametoolong"
+26) Exit server on receipt of a non-SMB packet. Ensure we have
+ at least smb_size bytes before processing a packet
+27) Replace inet_aton with inet_addr() to correct compile problems on Solaris
+28) Include the "account" objectclass when adding a new account to --with-ldapsam
+ in order to comply with the data model implemented by OpenLDAP 2.1.x
+29) Various fixes for POSIX compliance
+30) Correct alignment & offset bug in EnumPrinterDataEx()
+31) Fix access checks when modifying forms using a print server handle
+ (not just a printer handle)
+32) Account for case data_len == 0 in EnumPrinterDataEx()
+33) Fix logic error in blocking lock code
+34) Fixed various incorrect return codes to clients
+35) Add RESOLVE_DFSPATH to mkdir operations
+36) Fix longstanding bug in Win2k clients by clearing the shortname
+ buffer before returning ASCII short name
+37) added -t option to smbpasswd for explicitly changing a trust
+ account password when operating in security = domain
+38) installed -x option to testparm to eXclude printing all parameter
+ values that are at default settings.
+39) Fix shares/printers view in SWAT so that only Basic options are exposed
+ upon initial entry.
+40) Added 1125 & KOI8-U to codepage list in Makefile.in
+41) Include separate configure checks for *openbsd* & *freebsd* when
+ determining flags used to compile shared libraries.
+42) Merge in free list unlock on error fix
+43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
+ if we are mapping system or hidden
+44) Fix bug with stat mode open being done on read-only open with truncate
+45) Fix crash bug discovered where cli struct was being deallocated in a
+ called function
+46) Ensure we open UNIX fifo's non-blocking
+47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
+48) only lowercase global_myname in the %L substitution, not the whole string
+49) Merged Steve French's fix for OS/2 EA return error being removed
+50) Patch from Steve French to fix difference in responses to smbclient
+ //server/share ls / on Samba and Windows 2000
+51) Print error and exit if smb.conf doesn't have security=domain and
+ encrypt passwords=yes when joining domain
+52) Added final Steve French patch for "required" attributes with old dir
+ listings
+53) Initialize user_rid value in WINBIND_USERINFO structure returned by
+ the rpc version of query_user()
+54) Ensure we've failed a lock with a lock denied message before automatically
+ pushing it onto the blocking queue
+55) Add experimental --with-sendfile code
+56) alignment fix in printing code merged from HEAD
+57) Merge fix for other sids in token from HEAD
+58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
+59) fix smbclient / Win98 off by one bug
+60) Never, *ever* hold a mutex lock in the message database where there may be
+ traversals being attempted
+61) Add LDAP hack for retrieving the SAM sequence number when a member of a
+ Windows 2000 native mode domain
+62) Fix race condition when changing a machine account password as we were
+ no longer locking the secrets entry
+63) Allow '@' as a valid character in domain names
+64) remove jobs from the spool directory when using cups
+65) removed -lresolv for --enable-ldapsam
+66) Memory leak fix and correct use of negative caching in winbindd
+67) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
+68) Delete printer security check was reversed
+69) Windows allows delete printer on a handle opened by an admin user, then
+ used on a pipe handle created by an anonymous user...We do to now...
+70) Make explicit the difference between a tdb key with no data attached, and
+ a non existent entry
+71) Ensure we register the 1c name on the unicast subnet.
+72) Fix inheritance problem when recursively setting ACLs on directories
+73) prevent ACL set on read-only share
+74) Ensure we never have more than MAX_PRINT_JOBS in a queue
+75) Added timeout to tdb_lock_bystring()
+76) Ensure we set FIRST+LAST flags on a bind request
+77) Add version strings to the usage message for smbcacls and smbpasswd
+78) Fix bug in the write cache code
+79) make the default printed values for boolean the same for all parameters
+80) Default all LDAP connections to v3 with compiling with --with-ldapsam
+81) Fix memory leak in smbspool
+82) Fix bug in mangling code that resulted in Win9x clients not being
+ able to execute batch files in deep, non 8.3 directory paths
+83) Fix infinite looping bug in winbindd_getgrent()
+84) Fix crash bug on 64-bit systems (merge from HEAD)
+85) Fix extended character bug when setting LanMan/NT password
+86) Negotiate same SMB read size as a Windows 2000 file server
+ to fix performance bug with NT4 clients
+
+
+ =========================================
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.5 follow :
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+New/Changed parameters in 2.2.5
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* block size = <INTEGER>
+* force unknown acl user = <boolean>
+* mangling method = [hash|hash2]
+
+
+Deprecated Parameters
+---------------------
+
+The following parameters have been marked as deprecated and will be removed
+in Samba 3.0
+
+* strip dot
+* status
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.5
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Removal of several compiler warnings, incorrect Makefile dependencies,
+ and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
+ being the predominantly reported platforms
+2) Fixed winbindd crash bug on the IBM s390 running Linux
+3) Inclusion of enhanced Linux quota support
+4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
+ there is no apparent SSL support there)
+5) POSIX conformance patches
+6) Include new configure --enable-cups option (can also be disabled even
+ if CUPS libraries are installed on the system)
+7) Set reasonable default for the "passwd program" parameter using an
+ autoconf test
+8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
+9) fixed bug to prevent root account from being deleted by the
+ "delete user script"
+10) Inclusion of autoconf script for building VFS modules
+11) Add new run time options to the VFS recycle bin library (see
+ examples/VFS/recycle/README for details)
+12) Include findsmb perl script as part of the "make install" process
+13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
+ to fix a bug where printers appear at the workgroup level in the Windows
+ NT/2k APW browse list
+14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
+ details)
+15) Fix length bug that caused password changes from Windows NT/2k clients to
+ occasionally fail
+16) Correct false password expiration when using --with-ldapsam caused by
+ missing attributes in the directory
+17) added -S option to smbpasswd for storing the SID of a domain controller
+ as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
+ for details.
+18) Various fixes for UNIX CIFS extensions commands
+19) Fixed CIDR notation in "hosts allow/deny"
+20) Change semantics of an idle connection to mean "no open files and no
+ open handles". We cannot idle a connection if there are open named
+ pipe handles. This fixes scalability problem on Samba print servers
+ and NT/2k clients introduced in 2.2.4
+21) Fix germam umlaut problem when returning ACL entries
+22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
+ of running the Microsoft Access executable (msaccess.exe) and database
+ files from a Samba share documented in the 2.2.4 release
+23) Corrected signal handling relating to directory change notification and
+ kernel oplocks
+24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
+ Savings Time
+25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
+ clients not to be able to view printer properties from a Samba host
+26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
+ Windows 2k/XP clients to fail
+27) Fixed incorrect error check in mod_share_entry()
+28) Allow %S variable in MS-DFS root paths
+29) Correct a bug regarding the use of 'wbinfo -A'
+30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
+31) Store the key for a name-to-sid cache entry in upper case rather than
+ whatever case the request was made in. This gets rid of duplicate
+ cache entries.
+32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
+33) Enhanced error reporting messages of wbinfo
+34) Parameterize block size on disk size return
+35) Added new parameter to allow incoming ACLs to have owner and group forced
+ to the currently logged in user. This fixes the XCOPY /O problem
+36) Fixed bug in local_change_password() caused by reusing a struct
+ passwd* pointer
+37) Change default value for "ldap port" to 389 if "ldap ssl = no"
+38) Updated HOWTO's, manpages, and general documentation....
+39) Allow root as well as domain admins to open an LDAP connection
+40) Fixed veto files bug with ".*"
+41) Fixed uninitialized variable bug in smbpasswd that was causing a random
+ IP address to be used in the connection when joining a domain
+42) Fix for joining a domain with a netbios name of 15 characters and
+ pre-creating the account on the DC
+43) Added links to new documentation on SWAT welcome page
+
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.4 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Deprecated parameters
+---------------------
+
+The following parameters have been marked as deprecated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 2.2.7a</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the release of Samba 2.2.7a.
+
+This is the latest stable release of Samba and the version that all
+production Samba servers should be running for all current bug-fixes.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.7a.tar.gz or samba-2.2.7a.tar.bz2.
+Both archives have been signed as well using the
+<a href="/samba/ftp/samba-pubkey.asc">Samba Distribution Key</a>
+
+Binary packages will be released shortly for major platforms and
+can be found at
+
+ <a href="/samba/ftp/Binary_Packages">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+The release notes follow.
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+ WHAT'S NEW IN Samba 2.2.7a - 10th December 2002
+ ===============================================
+
+This is the latest stable release of Samba. This is the version
+that all production Samba servers should be running for all current
+bug-fixes. The primary reason for this release is to correct problems
+with large file (>2Gb) support. Please see the "Changes..." section
+for more details.
+
+
+
+Changes since 2.2.7
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fix for smbclient reporting negative file sizes on dir command
+ and negative statistics being reported when using put or get
+ on large files.
+2) Fix bug in determination of allocation size
+3) Fix 64bit size problems which prevented copying of files larger
+ than 2 GBytes.
+4) Fix for xcopy /s problem with old DOS clients not sending correct
+ attributes on subsequent SMBsearch calls.
+5) Fix bug in call to standard_sub_advanced giving a 0 length. This
+ fixes the string overflow in string_sub errors.
+6) Correctly handle querygroup rpcclient command
+7) fix broken incremental tar in smbtar command
+
+
+ =========================================
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.7 follow :
+
+IMPORTANT: Security bugfix for Samba
+------------------------------------
+
+Summary
+-------
+
+A security hole has been discovered in versions 2.2.2 through 2.2.6
+of Samba that could potentially allow an attacker to gain root access
+on the target machine. The word "potentially" is used because there
+is no known exploit of this bug, and the Samba Team has not been able to
+craft one ourselves. However, the seriousness of the problem warrants
+this immediate 2.2.7 release.
+
+In addition to addressing this security issue, Samba 2.2.7 also includes
+thirteen unrelated improvements. These improvements result from our
+process of continuous quality assurance and code review, and are part of
+the Samba team's commitment to excellence.
+
+Details
+-------
+
+There was a bug in the length checking for encrypted password change
+requests from clients. A client could potentially send an encrypted
+password, which, when decrypted with the old hashed password could be
+used as a buffer overrun attack on the stack of smbd. The attach would
+have to be crafted such that converting a DOS codepage string to little
+endian UCS2 unicode would translate into an executable block of code.
+
+All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable
+to this problem. This version of Samba 2.2.7 contains a fix for this
+problem.
+
+Earlier versions of Samba are not vulnerable.
+
+There is no known exploit or exploit code for this vulnerability,
+it was discovered by a code audit by Debian Samba maintainers.
+
+Credit
+------
+
+Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris
+<peloy@debian.org> for bringing this vulnerability to our notice.
+
+Patch for Samba versions 2.2.2 to 2.2.6
+---------------------------------------
+
+The following patch applies cleanly to the above Samba versions
+and will fix the vulnerability for sites that do not wish to upgrade
+to 2.2.7 at this time.
+
+-------------------------------cut here---------------------------------
+--- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002
++++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
+@@ -63,7 +63,7 @@
+ if(len > 128)
+ len = 128;
+ /* Password must be converted to NT unicode - null terminated. */
+- dos_struni2((char *)wpwd, (const char *)passwd, 256);
++ dos_struni2((char *)wpwd, (const char *)passwd, len);
+ /* Calculate length in bytes */
+ len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
+-------------------------------cut here---------------------------------
+
+
+
+Changes since 2.2.6
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) ensure we send the notify message in the same way it is expected
+ to be received by srv_spoolss_receive_message().
+2) attribute matching on truncate only matters when opening truncate
+ with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
+ with current NONE -> SYSTEM | HIDDEN.
+3) Fix bug in rpcclient's deldriver command
+4) Don't set global_machine_password_needs_changing if
+ lp_machine_password_timeout() is set to zero
+5) don't parse the BUFFER5 if the buffer length is zero
+6) fix core dump if pdbedit is run as non-root or smbpasswd file does
+ not exist
+7) Ensure can_delete() returns correct error code
+8) correctly return NT_STATUS_DELETE_PENDING from open code
+9) fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes
+10) check the long_archi name is not null when deleting a printer driver.
+ fixes core dump in smbd when using rpcclient's deldriver
+11) fix fd leak with kernel change notify on Linux 2.4 kernels
+12) must add one to the extra_data size to transfer the 0 string
+ terminator. This was causing "wbinfo --sequence" to access past the
+ end of malloced memory
+13) fix for large systems allowing more than 65536 files open in
+ NTcreate&X
+14) Fix bug in %U expansion
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.6 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * Fixes for MS-RPC printing issues affecting Windows 2000 clients
+ * New support for smb.conf generation in SWAT
+ * Inclusion of several performance enhancements (See --with-sendfile
+ & and the modified smb.conf(5) parameters in these Release Notes)
+ * Fixes for several file locking bugs and returned status codes
+
+
+New Parameters
+--------------
+
+Refer to the smb.conf(5) man page for complete descriptions of new parameters.
+
+ * profile acls (S) workaround for issue with WinXP SP1
+ and roaming user profiles
+
+Removed Parameters
+------------------
+
+ * max packet (G)
+ * packet size (G)
+
+Modified Parameters
+-------------------
+
+ * max xmit (G) new default value
+ * large readwrite (G) new default value
+
+New ./configure Options
+-----------------------
+
+ --with-sendfile Enable experimental sendfile support
+ --with-winbind-ldap-hack Enable winbindd_ldap_hack() functionality
+ for Windows 2000 native mode domains
+
+
+Changes since 2.2.5
+--------------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Fixed several compiler warnings caused by the use of const parameters
+2) Fixed a hang in the main smbd process caused by an EINTR in the
+ wrong place
+3) Fixed string substitutions to accept a length for sanity checks
+4) Fixed 17-bit length field in nmb header
+5) Removed non-portable inline declaration for functions
+6) Performance fix for including files with an smb.conf variable in the
+ path name
+7) Fix for parsing LPRng lpq output
+8) Parsing fix for PRINTER_INFO_2 structure which was causing viewing
+ printer properties to fail
+9) Fix for printer change notification and Windows NT clients which caused
+ the client to go into an infinite loop of refreshing the local printers
+ folder
+10) Allow trans2 and nttrans messages to be processed in oplock break state
+ which fixes a problem with oplock break requests and Win2k clients
+11) Don't crash on setfileinfo on printer fsp
+12) Memory fixes caught by Valgrind
+13) Updates to stop spurious error message in tdb
+14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
+15) Fix compilation of pam_smbpass and --with-ldap
+16) Fix compilation of smbwrapper on Solaris hosts
+17) fix logic error in a check for enabling the winbind_pam_auth_crap() code
+ & fix formatting typo in --with-winbind-auth-challenge
+18) Correcting check for ldap_start_tls()
+19) Fixed a problem with getgroups() where it could include our current
+ effective gid
+20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
+ to only attempt to delete the architecture specified by the client
+21) Don't allow TEMP attribute on directory open
+22) Restore VxFS quotas to the 2.2 branch
+23) Added basic "Wizard" functionality to SWAT
+24) Fix initial "allocation size" in NTcreate&X call
+25) Fix for open fid, "nametoolong"
+26) Exit server on receipt of a non-SMB packet. Ensure we have
+ at least smb_size bytes before processing a packet
+27) Replace inet_aton with inet_addr() to correct compile problems on Solaris
+28) Include the "account" objectclass when adding a new account to --with-ldapsam
+ in order to comply with the data model implemented by OpenLDAP 2.1.x
+29) Various fixes for POSIX compliance
+30) Correct alignment & offset bug in EnumPrinterDataEx()
+31) Fix access checks when modifying forms using a print server handle
+ (not just a printer handle)
+32) Account for case data_len == 0 in EnumPrinterDataEx()
+33) Fix logic error in blocking lock code
+34) Fixed various incorrect return codes to clients
+35) Add RESOLVE_DFSPATH to mkdir operations
+36) Fix longstanding bug in Win2k clients by clearing the shortname
+ buffer before returning ASCII short name
+37) added -t option to smbpasswd for explicitly changing a trust
+ account password when operating in security = domain
+38) installed -x option to testparm to eXclude printing all parameter
+ values that are at default settings.
+39) Fix shares/printers view in SWAT so that only Basic options are exposed
+ upon initial entry.
+40) Added 1125 & KOI8-U to codepage list in Makefile.in
+41) Include separate configure checks for *openbsd* & *freebsd* when
+ determining flags used to compile shared libraries.
+42) Merge in free list unlock on error fix
+43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
+ if we are mapping system or hidden
+44) Fix bug with stat mode open being done on read-only open with truncate
+45) Fix crash bug discovered where cli struct was being deallocated in a
+ called function
+46) Ensure we open UNIX fifo's non-blocking
+47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
+48) only lowercase global_myname in the %L substitution, not the whole string
+49) Merged Steve French's fix for OS/2 EA return error being removed
+50) Patch from Steve French to fix difference in responses to smbclient
+ //server/share ls / on Samba and Windows 2000
+51) Print error and exit if smb.conf doesn't have security=domain and
+ encrypt passwords=yes when joining domain
+52) Added final Steve French patch for "required" attributes with old dir
+ listings
+53) Initialize user_rid value in WINBIND_USERINFO structure returned by
+ the rpc version of query_user()
+54) Ensure we've failed a lock with a lock denied message before automatically
+ pushing it onto the blocking queue
+55) Add experimental --with-sendfile code
+56) alignment fix in printing code merged from HEAD
+57) Merge fix for other sids in token from HEAD
+58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
+59) fix smbclient / Win98 off by one bug
+60) Never, *ever* hold a mutex lock in the message database where there may be
+ traversals being attempted
+61) Add LDAP hack for retrieving the SAM sequence number when a member of a
+ Windows 2000 native mode domain
+62) Fix race condition when changing a machine account password as we were
+ no longer locking the secrets entry
+63) Allow '@' as a valid character in domain names
+64) remove jobs from the spool directory when using cups
+65) removed -lresolv for --enable-ldapsam
+66) Memory leak fix and correct use of negative caching in winbindd
+67) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
+68) Delete printer security check was reversed
+69) Windows allows delete printer on a handle opened by an admin user, then
+ used on a pipe handle created by an anonymous user...We do to now...
+70) Make explicit the difference between a tdb key with no data attached, and
+ a non existent entry
+71) Ensure we register the 1c name on the unicast subnet.
+72) Fix inheritance problem when recursively setting ACLs on directories
+73) prevent ACL set on read-only share
+74) Ensure we never have more than MAX_PRINT_JOBS in a queue
+75) Added timeout to tdb_lock_bystring()
+76) Ensure we set FIRST+LAST flags on a bind request
+77) Add version strings to the usage message for smbcacls and smbpasswd
+78) Fix bug in the write cache code
+79) make the default printed values for boolean the same for all parameters
+80) Default all LDAP connections to v3 with compiling with --with-ldapsam
+81) Fix memory leak in smbspool
+82) Fix bug in mangling code that resulted in Win9x clients not being
+ able to execute batch files in deep, non 8.3 directory paths
+83) Fix infinite looping bug in winbindd_getgrent()
+84) Fix crash bug on 64-bit systems (merge from HEAD)
+85) Fix extended character bug when setting LanMan/NT password
+86) Negotiate same SMB read size as a Windows 2000 file server
+ to fix performance bug with NT4 clients
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.5 follow :
+
+There have been several fixes and internal enhancements which include:
+
+* Several compile fixes for Solaris and HP-UX
+* More printing fixes for Windows NT/2k/XP clients
+* New options for the VFS recycle bin library
+* New internal signal handling semantics relating to directory change
+ notification and oplocks
+
+New/Changed parameters in 2.2.5
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* block size = <INTEGER>
+* force unknown acl user = <boolean>
+* mangling method = [hash|hash2]
+
+
+Deprecated Parameters
+---------------------
+
+The following parameters have been marked as deprecated and will be removed
+in Samba 3.0
+
+* strip dot
+* status
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.5
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) Removal of several compiler warnings, incorrect Makefile dependencies,
+ and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
+ being the predominantly reported platforms
+2) Fixed winbindd crash bug on the IBM s390 running Linux
+3) Inclusion of enhanced Linux quota support
+4) Correctly link against Sun LDAP libraries on Solaris 8 (even through
+ there is no apparent SSL support there)
+5) POSIX conformance patches
+6) Include new configure --enable-cups option (can also be disabled even
+ if CUPS libraries are installed on the system)
+7) Set reasonable default for the "passwd program" parameter using an
+ autoconf test
+8) Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
+9) fixed bug to prevent root account from being deleted by the
+ "delete user script"
+10) Inclusion of autoconf script for building VFS modules
+11) Add new run time options to the VFS recycle bin library (see
+ examples/VFS/recycle/README for details)
+12) Include findsmb perl script as part of the "make install" process
+13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
+ to fix a bug where printers appear at the workgroup level in the Windows
+ NT/2k APW browse list
+14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
+ details)
+15) Fix length bug that caused password changes from Windows NT/2k clients to
+ occasionally fail
+16) Correct false password expiration when using --with-ldapsam caused by
+ missing attributes in the directory
+17) added -S option to smbpasswd for storing the SID of a domain controller
+ as the local machine SID in secrets.tdb. See the smbpasswd(8) man page
+ for details.
+18) Various fixes for UNIX CIFS extensions commands
+19) Fixed CIDR notation in "hosts allow/deny"
+20) Change semantics of an idle connection to mean "no open files and no
+ open handles". We cannot idle a connection if there are open named
+ pipe handles. This fixes scalability problem on Samba print servers
+ and NT/2k clients introduced in 2.2.4
+21) Fix germam umlaut problem when returning ACL entries
+22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT. This fixes the bug
+ of running the Microsoft Access executable (msaccess.exe) and database
+ files from a Samba share documented in the 2.2.4 release
+23) Corrected signal handling relating to directory change notification and
+ kernel oplocks
+24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
+ Savings Time
+25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
+ clients not to be able to view printer properties from a Samba host
+26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
+ Windows 2k/XP clients to fail
+27) Fixed incorrect error check in mod_share_entry()
+28) Allow %S variable in MS-DFS root paths
+29) Correct a bug regarding the use of 'wbinfo -A'
+30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
+31) Store the key for a name-to-sid cache entry in upper case rather than
+ whatever case the request was made in. This gets rid of duplicate
+ cache entries.
+32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
+33) Enhanced error reporting messages of wbinfo
+34) Parameterize block size on disk size return
+35) Added new parameter to allow incoming ACLs to have owner and group forced
+ to the currently logged in user. This fixes the XCOPY /O problem
+36) Fixed bug in local_change_password() caused by reusing a struct
+ passwd* pointer
+37) Change default value for "ldap port" to 389 if "ldap ssl = no"
+38) Updated HOWTO's, manpages, and general documentation....
+39) Allow root as well as domain admins to open an LDAP connection
+40) Fixed veto files bug with ".*"
+41) Fixed uninitialized variable bug in smbpasswd that was causing a random
+ IP address to be used in the connection when joining a domain
+42) Fix for joining a domain with a netbios name of 15 characters and
+ pre-creating the account on the DC
+43) Added links to new documentation on SWAT welcome page
+
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.4 follow :
+
+There have been several fixes and internal enhancements which include:
+
+ * More/better SPOOLSS printing functionality for Windows
+ NT/2k/XP clients.
+ * Several fixes relating to serving PC database files such
+ as (Access and FoxPro) from a Samba file share.
+ * Several improves in Samba's VFS layer which can be seen
+ in the inclusion of a "Recycle Bin" vfs module. See
+ examples/VFS/README for more details on this.
+ * Addition of a tool (tdbbackup) for backup/restore of Samba's
+ tdb's
+ * Continued improvements to winbind for greater scalability
+ and stability
+ * Several fixes related to Samba's MS-DFS support
+ * Rpcclient's various printer commands now work (again)
+
+
+New/Changed parameters in 2.2.4
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf(5).
+
+Added/changed parameters
+------------------------
+
+* csc policy
+* inherit acls
+* nt status support
+* lock spin count
+* lock spin time
+* pid directory
+* winbind use default domain
+
+
+Deprecated parameters
+---------------------
+
+The following parameters have been marked as deprecated
+and will be removed in Samba 3.0
+
+* postscript
+* printer driver
+* printer driver file
+* printer driver location
+
+
+Removed Parameters
+------------------
+
+ none
+
+
+Changes in 2.2.4
+----------------
+
+See the cvs log for SAMBA_2_2 for more details
+
+1) added -c option to smbpasswd
+2) reworked smbpasswd internal command line option parsing
+3) small various bug fixes to experimental pdb_tdb.c
+4) Enforce spoolss RPCs based on the access granted at PrinterOpen()
+5) Added missing access checks to [add/delete/set]form
+6) Compile fixes for pam_smbpass
+7) fix smbd crash when netbios session request fails from
+ spoolss_connect_to_client().
+8) fixed logic bug that prevent SetPrinter() from storing devmode
+9) Removed extra get_printer_snum() calls from set_printer_hnd_name()
+10) fix joining domain on big endian machine when using -U to smbpasswd
+11) allow command line arg to override smb.conf log level
+12) continue to retry to register 1b name with wins server if there is an old IP there
+13) fix smbclient print crash bug
+14) 9x pnp fix when the config file and driver file are different
+15) force testparm to print the correct value for log level
+16) fix swat to show full log level info
+17) fix server GetPrinterData() fields to be more sensible
+18) fix logic error in SetPrinterDataEx()
+19) Only set smb_read_error if not already set
+20) Fix string returns that require unicode
+21) Merge of printing performance fixes from appliance
+22) lpq parsing fixes
+23) Back port tridge's xcopy /o fix from HEAD
+24) Fix the printer change notify code (unfinished)
+25) Patch for Domain users not showing up
+26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
+27) Ensure that all methods of looking up and connecting to DC's work
+ using identical logic.
+28) Merge in the mutex code to stop multiple domain logon failure
+29) Ignore 0/0 lock
+30) Fix winbindd to respect command line debuglevel as nmbd/smbd
+31) Update with tdbbackup from HEAD
+32) Fix for typo on solaris nss
+33) Merge in the locking changes from HEAD
+34) Added POSIX ACL layer into the vfs
+35) Fix the returning of domain enum
+36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
+37) Enable test for -rdynamic when building binaries
+38) Remove the "stat open" code - make it inline
+39) Fix the mp3 rename bug
+40) Fix for Explorer DFS problems on older Windows 9X machines
+41) implement OpenPrinter() opnum == 0x01
+42) Matched W2K *insane* open semantics....
+43) small fix that will prevent the "failed to marshall
+ R_NET_SAMLOGON" message in the logs
+42) don't do checking of local passdb in smbpasswd if using -r option
+43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
+ try to connect to a server named '*'
+44) merge rpcclient code from HEAD
+45) Ensure MACHINE.SID update done before child spawns
+46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
+47) Removed --with-vfs - always built if available
+48) Fixed psec for 2.2
+49) Fixed the handle leak in the connection management code
+50) fix disable spoolss after the switch to nt status codes
+51) Added Shirish's client side caching policy change
+52) Honor the specversion when parsing the the DEVICEMODE
+53) fix parsing bug when DEVICEMODE's private data does not end
+ on a 4 byte boundary
+54) do not idle an smbd when there is an open pipe
+55) when a new driver is added to a Samba server, cycle through
+ all printers and bump the change_id for each one bound to the driver
+56) allow smbclient to work with a FIFO as well (needed for KDE
+ ioslave)
+57) various updates to pdb_nisplus.c
+58) many small documentation updates
+59) removed many compiler warnings
+
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3a follow :
+
+This is a minor bugfix release for the 2.2.3 release. The 2.2.3
+release had a problem that was visible to Windows 2000 Explorer
+users in that copying files into a share that already existed
+failed with "Access Denied" rather than asking the user if an
+overwrite was required. This was due to an incorrect error mapping
+between the UNIX EXIST error code and the NT status error.
+
+As Windows Explorer is a highly visible end user application a quick
+bugfix release was required, hence 2.2.3a.
+
+Compilation on HPUX versions earlier than HPUX 11 has also been
+corrected.
+
+The cvs.log file is no longer included with this release, as it adds
+13Mb to the size of the release, and is easily available on the Web.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.3 follow :
+
+There are several important scaling bugs that have been fixed in this release
+for large server systems so an upgrade is recommended.
+
+LDAP update
+-----------
+
+Much work has been done on the LDAP backend code. The configure
+option --with-ldapsam is now considered to be stable. The schema
+used has changed, see the file examples/LDAP/samba.schema for the
+new schema.
+
+New documentation explaining how to set up a Samba only PDC/BDC
+setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
+in the documentation tree.
+
+winbindd daemon extended
+------------------------
+
+Samba 2.2.2 was the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+Samba 2.2.3 fixes the known memory leaks in winbindd and has
+been extended to work with SGI IRIX and HPUX (11.x) in addition
+to the earlier targets of Linux and Solaris.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.3
+--------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+unix extensions
+
+Enables the experimental UNIX CIFS extensions in smbd. See the manpage
+for more details.
+
+default devmode
+
+Some printer drivers will crash the Windows NT/2000 spooler service
+if they are given a default devmode, some require it. This parameter
+allows the administrator a choice of whether smbd returns such a
+default devmode for a driver.
+
+share modes
+
+This parameter has been restored to allow people who wish smbd to ignore
+client share modes. This is *very dangerous* and should not be set without
+full knowledge of what this is designed for.
+
+Changes in 2.2.3
+-----------------
+
+1). Fixed shared library compile for Solaris with native compiler.
+2). UNIX CIFS extensions code added (donated by HP).
+3). Changed to using NT status codes on the wire if the client can support
+this.
+4). altname command to show 8.3 name added to smbclient.
+5). const-safe endian macros now used.
+6). client code now uses UNICODE on the wire.
+7). Correctly return fault PDU's on bad handle.
+8). Improved NT error code mapping table.
+9). Many new point and print RPC calls added.
+10). Win9x clients can now see full user list.
+11). field added to identify simultaneous open files (no longer
+use dev/inode/time as unique value).
+12). HPUX ACL code added (donated by HP).
+13). vfs interfaces updated (again !).
+14). MSDOS Code Page 866 -> 1251 mapping added.
+15). winbindd now processes quit/hup signals correctly.
+16). No tdb traversal done on startup/shutdown - ensures scalability.
+17). Fix bug with paths for homes share.
+18). Fixed copyfile for OS/2.
+19). Fix group membership when groups are on more than one line.
+20). Fixed core dumps in posix ACL mapping code.
+21). Tidyup of UNICODE functions (put/get).
+22). Move rpcclient to the new libsmb code.
+23). Add missing Windows 2000 passthough trans2 calls.
+24). Return check all tdb calls.
+25). Make local name lookup work even if wins server is down.
+26). pam session code added to winbind.
+27). Added winbindd cache to all lookups.
+28). Fix allocate bugs that caused file sizes to be incorrect.
+29). Fixed write cache code - now safe to use.
+30). Fixed winbindd memory leaks.
+31). winbindd will now do name lookups (to allow non Open Source
+systems to do the nsswitch WINS lookup). Fixed by SGI.
+32). passdb memory leaks fixed.
+33). LDAP code updates and now properly maintained.
+34). Finally figured out how changeid is meant to work.
+35). Downlevel printing now looks as NT does in print monitor window.
+36). Many fixups in spoolss printing RPC parsing.
+37). Speed up password enumeration as a PDC.
+38). Fix printer changed notify messages (work from HP).
+39). Fix modify timestamp on close code.
+40). Fix long standing mangled names bug.
+41). Fix delete on close semantics.
+42). Stop opening all files with O_NONBLOCK !
+43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
+44). Ensure NT supplementary groups get added to user token.
+45). Try and mitigate effects of DNS timeout (do less lookups).
+46). Added current user connection context stack.
+47). Fixes to utmp code.
+48). smbw code tidyups.
+49). Added tdb open log code. Several tdb fixes.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.2 follow :
+
+New daemon included - winbindd
+------------------------------
+
+Samba 2.2.2 is the first release to include the winbind daemon.
+This code allows UNIX systems that implement the name service
+switch (nss) to be entered into a Windows NT/2000 domain and
+use the Domain controller for all user and group enumeration.
+
+This allows a Samba server added to a Windows domain to serve
+file and print services with *NO* local users needed in /etc/passwd
+and /etc/group - all users and groups are read directly from the
+Windows domain controller. In addition with pam_winbind which allows
+a PAM enabled UNIX system to use a Windows domain for authentication
+service this allows single sign on and account control across
+UNIX and Windows systems.
+
+The current version of winbindd shipped in 2.2.2 does have some
+memory leaks, which will be addressed for the next Samba release,
+so it is advisable to monitor the winbind process. This code is
+being used in production by several vendors, so the leaks are
+manageable. In addition, this version of winbind does not work
+correctly against a Samba PDC, due to some missing calls on the
+PDC side. These problems are being addressed for the next Samba
+release, but it was thought better to release the code now rather
+than delay the main Samba code to match the winbind release schedule.
+
+For more information on using winbind, see the man pages for
+winbindd and wbinfo.
+
+Note that winbindd is not installed by default.
+
+New/Changed parameters in 2.2.2
+-------------------------------
+
+For more information on these parameters, see the man pages for
+smb.conf.
+
+Added/changed parameters.
+-------------------------
+
+strict allocate
+
+Causes Samba not to create UNIX 'sparse' files, but to follow the
+Windows behavior of always allocating on-disk space.
+
+use mmap
+
+Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
+UNIX systems that don't have coherent mmap/read-write internal caches.
+You should not need to set this parameter.
+
+nt acl support
+
+This parameter has been changed to a per-share option, and is very
+useful in enabling Windows 2000 SP2 to load/save profiles from a
+Samba share.
+
+New printing parameters.
+------------------------
+
+disable spoolss
+
+Setting this parameter causes Samba to go back to the old 2.0.x
+LANMAN printing behavior, for people who wish to disable the
+new SPOOLSS pipe.
+
+use client driver
+
+Causes Windows NT/2000 clients to need have a local printer driver
+installed and to treat the printer as local.
+
+New LDAP parameters.
+--------------------
+
+Samba 2.2.2 contains new code to maintain a Samba SAM database
+on a remote LDAP server. These parameters have been added as
+part of this code. These parameters are only available when Samba
+has been compiled with the --with-ldapsam option.
+
+ldap admin dn
+ldap ssl
+
+New SSL parameters.
+-------------------
+
+The SSL support in Samba has been fixed. These new parameters
+are part of the changes added. These parameters are only available
+when Samba has been compiled with the --with-ssl option.
+Please see the smb.conf man page for details.
+
+ssl egd socket
+ssl entropy file
+ssl entropy bytes
+
+New winbindd parameters.
+------------------------
+
+These parameters are used by winbindd. See the man page for
+winbindd for details.
+
+winbind separator
+winbind uid
+winbind gid
+winbind cache time
+winbind enum users
+winbind enum groups
+template homedir
+template shell
+
+Removed parameters.
+-------------------
+
+share modes
+ldap root
+ldap root passwd
+
+New Documentation.
+------------------
+
+Some new README's have been added in the docs/ directory. These cover
+using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
+and how to use Samba to help prevent Windows virus spread
+(docs/README.Win32-Viruses).
+
+Quota problems on a Linux 2.4 kernel.
+-------------------------------------
+
+Currently the quota interfaces have diverged between the Linus
+2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
+are shipped with RedHat). Running quota-enabled Samba compiled on
+an Alan Cox kernel works correctly on an Alan Cox kernel (the one
+shipped by default with RedHat 7.x) but fails on a Linus kernel.
+
+This is a mess, and hopefully Alan and Linus will sort it out soon.
+In the meantime we need to ship.....
+
+Changes in 2.2.2
+-----------------
+
+1). mmap tdb code disabled on HPUX. This should prevent the reports of
+tdb corruption on HUPX.
+2). Large file support set to off in Solaris 5.5 and below.
+3). Better CUPS detection.
+4). New SAM (password database) backends - smbpasswd (traditional),
+LDAP, NIS+ and Samba TDB.
+5). Quota fixups on Linux.
+6). libsmbclient stand-alone code added. Can be built as a shared library
+under Linux.
+7). Tru64 ACL support added.
+8). winbindd option added.
+9). Realloc fail tidyup fixes all over the code.
+10). Large improvement in hash table code efficiency - would be found with
+large stat caches.
+11). Error code consistency improved (still needs more work).
+12). Profile shared memory support added to nmbd.
+13). New Windows 2000/NT passthrough info levels added.
+14). readraw/writeraw code rewritten - many bugs fixed.
+15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
+16). Reverse DNS lookup avoided on socket open.
+17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
+18). Zero length byte range lock code added. Much closer to Windows semantics.
+19). Alignment fault fixes for Linux/Alpha.
+20). Error checking on tdb returns vastly improved.
+21). Handling of delete on close fixed. No longer possible to leave 'dead'
+file entries.
+22). Handling of oplock break failure cleanups improved. Should not be
+able to leave 'dead' entries.
+23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
+24). Misc. MS-DFS code fixes.
+25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
+26). winbind pam module added.
+27). Order N^^2 enumeration of printers problem fixed.
+28). Password backend database code re-ordered to allow different password
+backends (at compile time currently).
+29). Improved print driver version detection for Windows 2000.
+30). Driver DEVMODE initialization fixes.
+31). Improved SYSV print parse code.
+32). Fixed enumeration of large numbers of users/groups from Windows clients.
+Code still too slow.
+33). Fix for buggy NetApp RPC pipe clients.
+34). Fix for NT sending multiple SetPrinterDataEx calls.
+35). Fix for logic bug where smbd could delay oplock break request messages
+from other smbd daemons whilst client kept us busy.
+36). Fix deadlock problem with connections tdb on enumeration.
+37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
+38). Removed unused readbmpx/writebmpx code.
+39). Attempt to fix Linux 2.4.x quota mess.
+40). Improved ctemp code for Windows 2000 compatibility.
+41). Finally understood difference between set EOF and set allocation requests.
+Added strict allocate parameter to help.
+42). Correctly return name types on name to SID lookups.
+43). tdb spinlock code update.
+44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1a follow :
+
+This is a minor bugfix release for 2.2.1, *NOT* security related.
+
+1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
+Windows2000 machine into a Samba hosted PDC would fail due to our
+stricter user name checking. We were disallowing user names
+containing '$', which is needed when using smbpasswd to add a
+machine into a domain. Automatically adding machines (using the
+native Windows tools) into a Samba domain worked correctly.
+
+2.2.1a fixes this single problem.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.1 follow :
+
+New/Changed parameters in 2.2.1
+-------------------------------
+
+Added parameters.
+-----------------
+
+obey pam restrictions
+
+When Samba is configured to use PAM, turns on or off Samba checking
+the PAM account restrictions. Defaults to off.
+
+pam password change
+
+When Samba is configured to use PAM, turns on or off Samba passing
+the password changes to PAM. Defaults to off.
+
+large readwrite
+
+New option to allow new Windows 2000 large file (64k) streaming
+read/write options. Needs a 64 bit underlying operating system
+(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
+by 10% with Windows 2000 clients. Defaults to off. Not as tested
+as some other Samba code paths.
+
+hide unreadable
+
+Prevents clients from seeing the existence of files that cannot
+be read. Off by default.
+
+enhanced browsing
+
+Turn on/off the enhanced Samba browsing functionality (*1B names).
+Default is "on". Can prevent eternal machines in workgroups when
+WINS servers are not synchronized.
+
+Removed parameters.
+-------------------
+
+domain groups
+domain admin users
+domain guest users
+
+Changes in 2.2.1
+-----------------
+
+1). "find" command removed for smbclient. Internal code now used.
+2). smbspool updates to retry connections from Michael Sweet.
+3). Fix for mapping 8859-15 characters to UNICODE.
+4). Changed "security=server" to try with invalid username to prevent
+ account lockouts.
+5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
+6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
+7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
+ lock tester tool for distributed databases.
+8). Preliminary support added for Windows 2000 large file read/write SMBs.
+9). Changed random number generator in Samba to prevent guess attacks.
+10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
+ smbd's clean the tdb files on startup and shutdown.
+11). Fixes for default ACLs on Solaris.
+12). Tidyup of password entry caching code.
+13). Correct shutdowns added for send fails. Helps tdb cleanup code.
+14). Prevent invalid '/' characters in workgroup names.
+15). Removed more static arrays in SAMR code.
+16). Client code is now UNICODE on the wire.
+17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
+18). All tdb opens now going through logging function.
+19). Add pam password changing and pam restrictions code.
+20). Printer driver management improvements (delete driver).
+21). Fix difference between NULL security descriptors and empty
+ security descriptors.
+22). Fix SID returns for server roles.
+23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
+24). Allow smbcontrol to forcibly disconnect a share.
+25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
+ mmap/file read/write cache.
+26). Fix race condition in returning create disposition for file create/open.
+27). Fix NT rewriting of security descriptors to their canonical form for
+ ACLs.
+28). Fix for Samba running on top of Linux VFAT ftruncate bug.
+29). Swat fixes for being run with xinetd that doesn't set the umask.
+30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
+ TCP stack early ack specification error.
+31). Changed lock & persistent tdb directory to /var/cache/samba by default on
+ RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
+
+-----------------------------------------------------------------------------
+The release notes for 2.2.0a follow :
+
+SECURITY FIX
+============
+
+This is a security bugfix release for Samba 2.2.0. This release provides the
+following two changes *ONLY* from the 2.2.0 release.
+
+1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
+ and described in the security advisory below.
+2). Fix for the hosts allow/hosts deny parameters not being honoured.
+
+No other changes are being made for this release to ensure a security fix only.
+For new functionality (including these security fixes) download Samba 2.2.1
+when it is available.
+
+The security advisory follows :
+
+
+ IMPORTANT: Security bugfix for Samba
+ ------------------------------------
+
+June 23rd 2001
+
+
+Summary
+-------
+
+A serious security hole has been discovered in all versions of Samba
+that allows an attacker to gain root access on the target machine for
+certain types of common Samba configuration.
+
+The immediate fix is to edit your smb.conf configuration file and
+remove all occurances of the macro "%m". Replacing occurances of %m
+with %I is probably the best solution for most sites.
+
+Details
+-------
+
+A remote attacker can use a netbios name containing unix path
+characters which will then be substituted into the %m macro wherever
+it occurs in smb.conf. This can be used to cause Samba to create a log
+file on top of an important system file, which in turn can be used to
+compromise security on the server.
+
+The most commonly used configuration option that can be vulnerable to
+this attack is the "log file" option. The default value for this
+option is VARDIR/log.smbd. If the default is used then Samba is not
+vulnerable to this attack.
+
+The security hole occurs when a log file option like the following is
+used:
+
+ log file = /var/log/samba/%m.log
+
+In that case the attacker can use a locally created symbolic link to
+overwrite any file on the system. This requires local access to the
+server.
+
+If your Samba configuration has something like the following:
+
+ log file = /var/log/samba/%m
+
+Then the attacker could successfully compromise your server remotely
+as no symbolic link is required. This type of configuration is very
+rare.
+
+The most commonly used log file configuration containing %m is the
+distributed in the sample configuration file that comes with Samba:
+
+ log file = /var/log/samba/log.%m
+
+in that case your machine is not vulnerable to this attack unless you
+happen to have a subdirectory in /var/log/samba/ which starts with the
+prefix "log."
+
+Credit
+------
+
+Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
+vulnerability.
+
+
+New Release
+-----------
+
+While we recommend that vulnerable sites immediately change their
+smb.conf configuration file to prevent the attack we will also be
+making new releases of Samba within the next 24 hours to properly fix
+the problem. Please see http://www.samba.org/ for the new releases.
+
+Please report any attacks to the appropriate authority.
+
+ The Samba Team
+ security@samba.org
+
+---------------------------------------------------------------------------
+
+The release notes for 2.2.0 follow :
+
+This is the official Samba 2.2.0 release. This version of Samba provides
+the following new features and enhancements.
+
+Integration between Windows oplocks and NFS file opens (IRIX and Linux
+2.4 kernel only). This gives complete data and locking integrity between
+Windows and UNIX file access to the same data files.
+
+Ability to act as an authentication source for Windows 2000 clients as
+well as for NT4.x clients.
+
+Integration with the winbind daemon that provides a single
+sign on facility for UNIX servers in Windows 2000/NT4 networks
+driven by a Windows 2000/NT4 PDC. winbind is not included in
+this release, it currently must be obtained separately. We are
+committed to including winbind in a future Samba 2.2.x release.
+
+Support for native Windows 2000/NT4 printing RPCs. This includes
+support for automatic printer driver download.
+
+Support for server supported Access Control Lists (ACLs).
+This release contains support for the following filesystems:
+
+ Solaris 2.6+
+ SGI Irix
+ Linux Kernel with ACL patch from http://acl.bestbits.at
+ Linux Kernel with XFS ACL support.
+ Caldera/SCO UnixWare
+ IBM AIX
+ FreeBSD (with external patch)
+
+Other platforms will be supported as resources are
+available to test and implement the necessary modules. If
+you are interested in writing the support for a particular
+ACL filesystem, please join the samba-technical mailing
+list and coordinate your efforts.
+
+On PAM (Pluggable Authentication Module) based systems - better debugging
+messages and encrypted password users now have access control verified via
+PAM - Note: Authentication still uses the encrypted password database.
+
+Rewritten internal locking semantics for more robustness.
+This release supports full 64 bit locking semantics on all
+(even 32 bit) platforms. SMB locks are mapped onto POSIX
+locks (32 bit or 64 bit) as the underlying system allows.
+
+Conversion of various internal flat data structures to use
+database records for increased performance and
+flexibility.
+
+Support for acting as a MS-DFS (Distributed File System) server.
+
+Support for manipulating Samba shares using Windows client tools
+(server manager). Per share security can be set using these tools
+and Samba will obey the access restrictions applied.
+
+Samba profiling support (see below).
+
+Compile time option for enabling a (Virtual file system) VFS layer
+to allow non-disk resources to be exported as Windows filesystems
+(such as databases etc.).
+
+The documentation in this release has been updated and converted
+from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
+and some defaults have changed.
+
+Profiling support.
+------------------
+Support for collection of profile information. A shared
+memory area has been created which contains counters for
+the number of calls to and the amount of time spent in
+various system calls, smb transactions and nmbd activity. See
+the file profile.h for a complete listing of the information
+collected. Sample code for a samba pmda (collection agent
+for Performance Co-Pilot) has been included in the pcp
+directory.
+
+To enable the profile data collection code in samba, you must
+compile samba with profile data support (run configure with
+the --with-profiling-data option). On startup, collection of
+data is disabled. To begin collecting data use the smbcontrol
+program to turn on profiling (see the smbcontrol man page).
+Profile information collection can be enabled for nmbd, all smbd
+processes or one or more selected processes. The profiling
+data collected is the aggregate for all processes that have
+profiling enabled.
+
+With samba compiled for profile data collection, you may see
+a very slight degradation in performance even with profiling
+collection turned off. On initial tests with NetBench on an
+SGI Origin 200 server, this degradation was not measurable
+with profile collection off compared to no profile collection
+compiled into samba.
+
+With count profile collection enabled on all clients, the
+degradation was less than 2%. With full profile collection
+enabled on all clients, the degradation was about 8.5%.
+
+=====================================================================
+
+If you think you have found a bug please email a report to :
+
+ samba@samba.org
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team announces Samba 2.2.8</h2>
+
+<p>
+<pre>
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+This release provides an important security fix outlined in the
+release notes that follow. This is the latest stable release of
+Samba and the version that all production Samba servers should be
+running for all current bug-fixes.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2.
+Both archives have been signed using the Samba Distribution Key.
+
+Binary packages will be released shortly for major platforms and
+can be found at
+
+ <a href="/samba/ftp/Binary_Packages">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+As always, all bugs are our responsibility.
+
+ --Sincerely
+ The Samba Team
+
+
+Summary
+-------
+
+The SuSE security audit team, in particular <a href="mailto:krahmer@suse.de">Sebastian
+Krahmer</a>, has found a flaw in the Samba main smbd code which
+could allow an external attacker to remotely and anonymously gain
+Super User (root) privileges on a server running a Samba server.
+
+This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
+inclusive. This is a serious problem and all sites should either
+upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
+and 445. Advice created by Andrew Tridgell, the leader of the Samba Team,
+on how to protect an unpatched Samba server is given at the end of this
+section.
+
+The SMB/CIFS protocol implemented by Samba is vulnerable to many
+attacks, even without specific security holes. The TCP ports 139 and
+the new port 445 (used by Win2k and the Samba 3.0 alpha code in
+particular) should never be exposed to untrusted networks.
+
+Description
+-----------
+
+A buffer overrun condition exists in the SMB/CIFS packet fragment
+re-assembly code in smbd which would allow an attacker to cause smbd
+to overwrite arbitrary areas of memory in its own process address
+space. This could allow a skilled attacker to inject binary specific
+exploit code into smbd.
+
+This version of Samba adds explicit overrun and overflow checks on
+fragment re-assembly of SMB/CIFS packets to ensure that only valid
+re-assembly is performed by smbd.
+
+In addition, the same checks have been added to the re-assembly
+functions in the client code, making it safe for use in other
+services.
+
+Credit
+------
+
+This security flaw was discovered and reported to the Samba Team by
+Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.
+The fix was prepared by Jeremy Allison and reviewed by engineers from
+the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
+on the Linux Vendor security mailing list.
+
+The Samba Team would like to thank SuSE and Sebastian Krahmer for
+their excellent auditing work and for drawing attention to this flaw.
+
+Patch Availability
+-----------------
+
+As this is a security issue, patches for this flaw specific to earlier
+versions of Samba will be posted on the samba-technical@samba.org
+mailing list as requested.
+
+
+************************************
+Protecting an unpatched Samba server
+************************************
+
+ Samba Team, March 2003
+
+ This is a note on how to provide your Samba server some
+ protection against the recently discovered remote security
+ hole if you are unable to upgrade to the fixed version
+ immediately. Even if you do upgrade you might like to think
+ about the suggestions in this note to provide you with
+ additional levels of protection.
+
+
+ Using host based protection
+ ---------------------------
+
+ In many installations of Samba the greatest threat comes for
+ outside your immediate network. By default Samba will accept
+ connections from any host, which means that if you run an
+ insecure version of Samba on a host that is directly
+ connected to the Internet you can be especially vulnerable.
+
+ One of the simplest fixes in this case is to use the 'hosts
+ allow' and 'hosts deny' options in the Samba smb.conf
+ configuration file to only allow access to your server from a
+ specific range of hosts. An example might be:
+
+
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+
+ The above will only allow SMB connections from 'localhost'
+ (your own computer) and from the two private networks
+ 192.168.2 and 192.168.3. All other connections will be
+ refused connections as soon as the client sends its first
+ packet. The refusal will be marked as a 'not listening on
+ called name' error.
+
+
+ Using interface protection
+ --------------------------
+
+ By default Samba will accept connections on any network
+ interface that it finds on your system. That means if you
+ have a ISDN line or a PPP connection to the Internet then
+ Samba will accept connections on those links. This may not be
+ what you want.
+
+ You can change this behavior using options like the
+ following:
+
+ interfaces = eth* lo
+ bind interfaces only = yes
+
+ that tells Samba to only listen for connections on interfaces
+ with a name starting with 'eth' such as eth0, eth1, plus on
+ the loopback interface called 'lo'. The name you will need to
+ use depends on what OS you are using. In the above I used the
+ common name for ethernet adapters on Linux.
+
+ If you use the above and someone tries to make a SMB
+ connection to your host over a PPP interface called 'ppp0',
+ they will get a TCP connection refused reply. In that
+ case no Samba code is run at all as the operating system has
+ been told not to pass connections from that interface to any
+ process.
+
+
+ Using a firewall
+ ----------------
+
+ Many people use a firewall to deny access to services that
+ they don't want exposed outside their network. This can be a
+ very good idea, although I would recommend using it in
+ conjunction with the above methods so that you are protected
+ even if your firewall is not active for some reason.
+
+ If you are setting up a firewall then you need to know what
+ TCP and UDP ports to allow and block. Samba uses the
+ following:
+
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+
+ The last one is important as many older firewall setups may
+ not be aware of it, given that this port was only added to
+ the protocol in recent years.
+
+
+ Using a IPC$ share deny
+ -----------------------
+
+ If the above methods are not suitable, then you could also
+ place a more specific deny on the IPC$ share that is used in
+ the recently discovered security hole. This allows you to
+ offer access to other shares while denying access to IPC$
+ from potentially untrustworthy hosts.
+
+ To do that you could use:
+
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+
+ this would tell Samba that IPC$ connections are not allowed
+ from anywhere but the two listed places (localhost and a
+ local subnet). Connections to other shares would still be
+ allowed. As the IPC$ share is the only share that is always
+ accessible anonymously this provides some level of protection
+ against attackers that do not know a username/password for
+ your host.
+
+
+ If you use this method then clients will be given a 'access
+ denied' reply when they try to access the IPC$ share. That
+ means that those clients will not be able to browse shares,
+ and may also be unable to access some other resources.
+
+ I don't recommend this method unless you cannot use one of
+ the other methods listed above for some reason.
+
+
+ Upgrading Samba
+ ---------------
+
+ Of course the best solution is to upgrade Samba to a version
+ where the bug has been fixed. If you wish to also use one of
+ the additional measures above then that would certainly be a
+ good idea.
+
+ Please check regularly on http://www.samba.org/ for updates
+ and important announcements.
+
+
+ ****************************************
+ ****************************************
+
+-----------------------------------------------------------------
+
+Changes since 2.2.7a
+--------------------
+
+New Parameters
+
+ * acl compatibility
+
+Additional Changes:
+ See the cvs log for SAMBA_2_2 for more details
+
+1) smbumount lazy patch from Mandrake
+2) Check for too many processes *before* the fork.
+3) make sure we don't run over the end of 'name' in unix_convert()
+4) set umask to 0 before creating socket directory.
+5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right
+ thing in interactive mode when a log file dir is also specified.
+6) Fix delete on close semantics to match W2K.
+7) Correctly return access denied on share mode deny when we can't
+ open the file.
+8) Always use safe_strcpy not pstrcpy for malloc()'d strings
+9) Fixes for HP-UX only having limited POSIX lock range
+10) Added uid/gid caching code. Reduces load on winbindd.
+11) Removed extra copy of server name in the printername field (it was
+ mangling the the name to be \\server\\\server\printer
+12) Fix dumb perror used without errno being set.
+13) Do retries correctly if the connection to the DC has failed.
+14) Correctly check for inet_addr fail.
+15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
+16) Fix for missing if (setting_acls) on default perms.
+17) Fix to cache the sidtype
+18) fix printer settings on Solaris (big-endian) print servers.
+ ASCII -> UNICODE conversion bug.
+19) Small fix check correct error return.
+20) Ensure space_avail is unsigned.
+21) patch to check for a valid [f]chmod_acl function pointer
+ before calling it. Fixes seg fault in audit VFS module
+22) When checking is_locked() new WRITE locks conflict with existing
+ READ locks even if the context is the same.
+23) Merge off-by-one crash fixes from HEAD
+24) Move off-by-one buggy malloc()/safe_strcpy() combination to
+ strdup() instead.
+25) Merge from HEAD. Use pstrcpy not safe_strcpy.
+26) Fix to allow blocking lock notification to be done rapidly (no wait
+ for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
+ (does not interfere with existing locks).
+27) Doxygen cleanups for code documentation
+28) limit the unix domain sockets used by winbindd by adding a
+ "last_access" field to winbindd connections, and will close
+ the oldest idle connection once the number of open connections goes
+ over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
+ currently)
+29) Fix a couple of string handling errors in smbd/dir.c that would
+ cause smbd to crash
+30) Fix seg fault in smbpasswd when specifying the new password
+ as a command line argument
+31) Correct 64-but file sizes issues with smbtar and smbclient
+32) Add batch mode option to pdbedit
+33) Add protection in nmbd against malformed reply packets
+34) Fix bug with sendfile profiling support in smbstatus output
+35) Correct bug in "hide unreadable" smb.conf parameter that
+ resulted in incorrect directory listings
+36) Fix bug in group enumeration in winbindd
+37) Correct build issues with libsmbclient on Solaris
+38) Fix memory leak and bad pointer dereference in password
+ changing code in smbd
+39) Fix for changing attributes on a file truncate
+40) Ensure smbd process count never gets to -1 if limiting number
+ of processes
+41) Ensure we return disk full by default on short writes
+42) Don't delete jobs submitted after the lpq time
+43) Fix reference count bug where smbds would not terminate
+ with no open resources
+44) Performance fix when using quota support on HP-UX
+45) Fixes for --with-ldapsam
+ * Default to port 389 when "ldap ssl != on"
+ * add support for rebinding to the master directory server
+ for password changes when "ldap server" points to a read-only
+ slave
+46) Add -W and -X command line flags to smbpasswd for extracting and
+ setting the machine/domain SID in secrets.tdb. See the
+ smbpasswd(8) man page for details.
+47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
+ obtained from PADL's nss_ldap library.
+48) Fix bug in samr_dispinfo query in winbindd
+49) Fix segfault in NTLMSSP password changing code for
+ guest connections
+50) Correct pstring/fstring mismatches
+51) Send level II oplock break requests synchronously to prevent
+ condition where one smbd would continually lock a share entry
+ in locking.tdb
+52) Miscellaneous cleanups for tdb error conditions and appending
+ data in a record
+53) Implement correct open file truncate semantics with DOS
+ attributes
+54) Enforce wide links = no on files as well as directories
+55) Include shared library checks for Stratus VOS
+56) Include support for CUPS printer classes and logging the remote
+ client name
+57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
+ for %a
+58) Increase the max PDU size to deal with some troublesome printer
+ drivers and Windows NT 4.0 clients
+59) increment the process counter immediately after the fork
+ (not just when we receive the first smb packet)
+60) Ensure rename sets errno correctly
+61) Unify ACL code (back-port from 3.0)
+62) Fix some further issues around off_t and large offsets
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team announces Samba 2.2.8a</h2>
+
+<p>
+<pre>
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+This release provides an important security fix outlined in the
+release notes that follow. This is the latest stable release of
+Samba and the version that all production Samba servers should be
+running for all current bug-fixes.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.
+Both archives have been signed using the Samba Distribution Key.
+
+Binary packages will be released shortly for major platforms and
+can be found at
+
+ <a href="/samba/ftp/Binary_Packages">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+As always, all bugs are our responsibility.
+
+ --Sincerely
+ The Samba Team
+
+Summary
+-------
+
+Digital Defense, Inc. has alerted the Samba Team to a serious
+vulnerability in all stable versions of Samba currently shipping.
+The Common Vulnerabilities and Exposures (CVE) project has assigned
+the ID CAN-2003-0201 to this defect.
+
+This vulnerability, if exploited correctly, leads to an anonymous
+user gaining root access on a Samba serving system. All versions
+of Samba up to and including Samba 2.2.8 are vulnerable. An active
+exploit of the bug has been reported in the wild. Alpha versions of
+Samba 3.0 and above are *NOT* vulnerable.
+
+
+Credit
+------
+
+The Samba Team would like to thank Erik Parker and the team at
+Digital Defense, Inc. for their efforts spent in the responsible
+and timely reporting of this bug.
+
+
+Patch Availability
+------------------
+
+The Samba 2.2.8a release contains only updates to address this
+security issue. A roll-up patch for release 2.2.7a and 2.0.10
+addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
+from http://www.samba.org/samba/ftp/patches/security/.
+
+
+ ========================================
+
+
+Older releases notes for 2.2.x distributions follow
+
+-----------------------------------------------------------------
+
+The release notes for 2.2.8 follow:
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+
+Summary
+-------
+
+The SuSE security audit team, in particular <a href="mailto:krahmer@suse.de">Sebastian
+Krahmer</a>, has found a flaw in the Samba main smbd code which
+could allow an external attacker to remotely and anonymously gain
+Super User (root) privileges on a server running a Samba server.
+
+This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
+inclusive. This is a serious problem and all sites should either
+upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
+and 445. Advice created by Andrew Tridgell, the leader of the Samba Team,
+on how to protect an unpatched Samba server is given at the end of this
+section.
+
+The SMB/CIFS protocol implemented by Samba is vulnerable to many
+attacks, even without specific security holes. The TCP ports 139 and
+the new port 445 (used by Win2k and the Samba 3.0 alpha code in
+particular) should never be exposed to untrusted networks.
+
+Description
+-----------
+
+A buffer overrun condition exists in the SMB/CIFS packet fragment
+re-assembly code in smbd which would allow an attacker to cause smbd
+to overwrite arbitrary areas of memory in its own process address
+space. This could allow a skilled attacker to inject binary specific
+exploit code into smbd.
+
+This version of Samba adds explicit overrun and overflow checks on
+fragment re-assembly of SMB/CIFS packets to ensure that only valid
+re-assembly is performed by smbd.
+
+In addition, the same checks have been added to the re-assembly
+functions in the client code, making it safe for use in other
+services.
+
+Credit
+------
+
+This security flaw was discovered and reported to the Samba Team by
+Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.
+The fix was prepared by Jeremy Allison and reviewed by engineers from
+the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
+on the Linux Vendor security mailing list.
+
+The Samba Team would like to thank SuSE and Sebastian Krahmer for
+their excellent auditing work and for drawing attention to this flaw.
+
+Patch Availability
+-----------------
+
+As this is a security issue, patches for this flaw specific to earlier
+versions of Samba will be posted on the samba-technical@samba.org
+mailing list as requested.
+
+
+************************************
+Protecting an unpatched Samba server
+************************************
+
+ Samba Team, March 2003
+
+ This is a note on how to provide your Samba server some
+ protection against the recently discovered remote security
+ hole if you are unable to upgrade to the fixed version
+ immediately. Even if you do upgrade you might like to think
+ about the suggestions in this note to provide you with
+ additional levels of protection.
+
+
+ Using host based protection
+ ---------------------------
+
+ In many installations of Samba the greatest threat comes for
+ outside your immediate network. By default Samba will accept
+ connections from any host, which means that if you run an
+ insecure version of Samba on a host that is directly
+ connected to the Internet you can be especially vulnerable.
+
+ One of the simplest fixes in this case is to use the 'hosts
+ allow' and 'hosts deny' options in the Samba smb.conf
+ configuration file to only allow access to your server from a
+ specific range of hosts. An example might be:
+
+
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+
+ The above will only allow SMB connections from 'localhost'
+ (your own computer) and from the two private networks
+ 192.168.2 and 192.168.3. All other connections will be
+ refused connections as soon as the client sends its first
+ packet. The refusal will be marked as a 'not listening on
+ called name' error.
+
+
+ Using interface protection
+ --------------------------
+
+ By default Samba will accept connections on any network
+ interface that it finds on your system. That means if you
+ have a ISDN line or a PPP connection to the Internet then
+ Samba will accept connections on those links. This may not be
+ what you want.
+
+ You can change this behavior using options like the
+ following:
+
+ interfaces = eth* lo
+ bind interfaces only = yes
+
+ that tells Samba to only listen for connections on interfaces
+ with a name starting with 'eth' such as eth0, eth1, plus on
+ the loopback interface called 'lo'. The name you will need to
+ use depends on what OS you are using. In the above I used the
+ common name for ethernet adapters on Linux.
+
+ If you use the above and someone tries to make a SMB
+ connection to your host over a PPP interface called 'ppp0',
+ they will get a TCP connection refused reply. In that
+ case no Samba code is run at all as the operating system has
+ been told not to pass connections from that interface to any
+ process.
+
+
+ Using a firewall
+ ----------------
+
+ Many people use a firewall to deny access to services that
+ they don't want exposed outside their network. This can be a
+ very good idea, although I would recommend using it in
+ conjunction with the above methods so that you are protected
+ even if your firewall is not active for some reason.
+
+ If you are setting up a firewall then you need to know what
+ TCP and UDP ports to allow and block. Samba uses the
+ following:
+
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+
+ The last one is important as many older firewall setups may
+ not be aware of it, given that this port was only added to
+ the protocol in recent years.
+
+
+ Using a IPC$ share deny
+ -----------------------
+
+ If the above methods are not suitable, then you could also
+ place a more specific deny on the IPC$ share that is used in
+ the recently discovered security hole. This allows you to
+ offer access to other shares while denying access to IPC$
+ from potentially untrustworthy hosts.
+
+ To do that you could use:
+
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+
+ this would tell Samba that IPC$ connections are not allowed
+ from anywhere but the two listed places (localhost and a
+ local subnet). Connections to other shares would still be
+ allowed. As the IPC$ share is the only share that is always
+ accessible anonymously this provides some level of protection
+ against attackers that do not know a username/password for
+ your host.
+
+
+ If you use this method then clients will be given a 'access
+ denied' reply when they try to access the IPC$ share. That
+ means that those clients will not be able to browse shares,
+ and may also be unable to access some other resources.
+
+ I don't recommend this method unless you cannot use one of
+ the other methods listed above for some reason.
+
+
+ Upgrading Samba
+ ---------------
+
+ Of course the best solution is to upgrade Samba to a version
+ where the bug has been fixed. If you wish to also use one of
+ the additional measures above then that would certainly be a
+ good idea.
+
+ Please check regularly on http://www.samba.org/ for updates
+ and important announcements.
+
+
+ ****************************************
+ ****************************************
+
+-----------------------------------------------------------------
+
+Changes since 2.2.7a
+--------------------
+
+New Parameters
+
+ * acl compatibility
+
+Additional Changes:
+ See the cvs log for SAMBA_2_2 for more details
+
+1) smbumount lazy patch from Mandrake
+2) Check for too many processes *before* the fork.
+3) make sure we don't run over the end of 'name' in unix_convert()
+4) set umask to 0 before creating socket directory.
+5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right
+ thing in interactive mode when a log file dir is also specified.
+6) Fix delete on close semantics to match W2K.
+7) Correctly return access denied on share mode deny when we can't
+ open the file.
+8) Always use safe_strcpy not pstrcpy for malloc()'d strings
+9) Fixes for HP-UX only having limited POSIX lock range
+10) Added uid/gid caching code. Reduces load on winbindd.
+11) Removed extra copy of server name in the printername field (it was
+ mangling the the name to be \\server\\\server\printer
+12) Fix dumb perror used without errno being set.
+13) Do retries correctly if the connection to the DC has failed.
+14) Correctly check for inet_addr fail.
+15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
+16) Fix for missing if (setting_acls) on default perms.
+17) Fix to cache the sidtype
+18) fix printer settings on Solaris (big-endian) print servers.
+ ASCII -> UNICODE conversion bug.
+19) Small fix check correct error return.
+20) Ensure space_avail is unsigned.
+21) patch to check for a valid [f]chmod_acl function pointer
+ before calling it. Fixes seg fault in audit VFS module
+22) When checking is_locked() new WRITE locks conflict with existing
+ READ locks even if the context is the same.
+23) Merge off-by-one crash fixes from HEAD
+24) Move off-by-one buggy malloc()/safe_strcpy() combination to
+ strdup() instead.
+25) Merge from HEAD. Use pstrcpy not safe_strcpy.
+26) Fix to allow blocking lock notification to be done rapidly (no wait
+ for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
+ (does not interfere with existing locks).
+27) Doxygen cleanups for code documentation
+28) limit the unix domain sockets used by winbindd by adding a
+ "last_access" field to winbindd connections, and will close
+ the oldest idle connection once the number of open connections goes
+ over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
+ currently)
+29) Fix a couple of string handling errors in smbd/dir.c that would
+ cause smbd to crash
+30) Fix seg fault in smbpasswd when specifying the new password
+ as a command line argument
+31) Correct 64-but file sizes issues with smbtar and smbclient
+32) Add batch mode option to pdbedit
+33) Add protection in nmbd against malformed reply packets
+34) Fix bug with sendfile profiling support in smbstatus output
+35) Correct bug in "hide unreadable" smb.conf parameter that
+ resulted in incorrect directory listings
+36) Fix bug in group enumeration in winbindd
+37) Correct build issues with libsmbclient on Solaris
+38) Fix memory leak and bad pointer dereference in password
+ changing code in smbd
+39) Fix for changing attributes on a file truncate
+40) Ensure smbd process count never gets to -1 if limiting number
+ of processes
+41) Ensure we return disk full by default on short writes
+42) Don't delete jobs submitted after the lpq time
+43) Fix reference count bug where smbds would not terminate
+ with no open resources
+44) Performance fix when using quota support on HP-UX
+45) Fixes for --with-ldapsam
+ * Default to port 389 when "ldap ssl != on"
+ * add support for rebinding to the master directory server
+ for password changes when "ldap server" points to a read-only
+ slave
+46) Add -W and -X command line flags to smbpasswd for extracting and
+ setting the machine/domain SID in secrets.tdb. See the
+ smbpasswd(8) man page for details.
+47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
+ obtained from PADL's nss_ldap library.
+48) Fix bug in samr_dispinfo query in winbindd
+49) Fix segfault in NTLMSSP password changing code for
+ guest connections
+50) Correct pstring/fstring mismatches
+51) Send level II oplock break requests synchronously to prevent
+ condition where one smbd would continually lock a share entry
+ in locking.tdb
+52) Miscellaneous cleanups for tdb error conditions and appending
+ data in a record
+53) Implement correct open file truncate semantics with DOS
+ attributes
+54) Enforce wide links = no on files as well as directories
+55) Include shared library checks for Stratus VOS
+56) Include support for CUPS printer classes and logging the remote
+ client name
+57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
+ for %a
+58) Increase the max PDU size to deal with some troublesome printer
+ drivers and Windows NT 4.0 clients
+59) increment the process counter immediately after the fork
+ (not just when we receive the first smb packet)
+60) Ensure rename sets errno correctly
+61) Unify ACL code (back-port from 3.0)
+62) Fix some further issues around off_t and large offsets
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team announces Samba 2.2.9</h2>
+
+<p>
+<pre>
+
+ =============================
+ Release Notes for Samba 2.2.9
+ May 8, 2004
+ =============================
+
+This is the latest stable release of the Samba 2.2 code base.
+This is a maintenance release of Samba 2.2.8a to address the
+problem with user password changes after applying the Microsoft
+hotfix described in KB828741 to Windows NT 4.0/200x/XP clients.
+No other changes have been applied since Samba 2.2.8a.
+
+There are no further Samba 2.2.x releases planned at this time.
+
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-2.2.9.tar.gz. The uncompressed archive has
+been signed using the Samba Distribution Key.
+
+As always, all bugs are our responsibility.
+
+ --Sincerely
+ The Samba Team
+
+Older releases notes for 2.2.x distributions follow
+
+ ------------------------------------------------------
+
+ ===========================================
+ What's new in Samba 2.2.8a - 7th April 2003
+ ===========================================
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+Summary
+-------
+
+Digital Defense, Inc. has alerted the Samba Team to a serious
+vulnerability in all stable versions of Samba currently shipping.
+The Common Vulnerabilities and Exposures (CVE) project has assigned
+the ID CAN-2003-0201 to this defect.
+
+This vulnerability, if exploited correctly, leads to an anonymous
+user gaining root access on a Samba serving system. All versions
+of Samba up to and including Samba 2.2.8 are vulnerable. An active
+exploit of the bug has been reported in the wild. Alpha versions of
+Samba 3.0 and above are *NOT* vulnerable.
+
+
+Credit
+------
+
+The Samba Team would like to thank Erik Parker and the team at
+Digital Defense, Inc. for their efforts spent in the responsible
+and timely reporting of this bug.
+
+
+Patch Availability
+------------------
+
+The Samba 2.2.8a release contains only updates to address this
+security issue. A roll-up patch for release 2.2.7a and 2.0.10
+addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
+from http://www.samba.org/samba/ftp/patches/security/.
+
+
+ ========================================
+
+
+The release notes for 2.2.8 follow:
+
+ ****************************************
+ * IMPORTANT: Security bugfix for Samba *
+ ****************************************
+
+
+Summary
+-------
+
+The SuSE security audit team, in particular <a href="mailto:krahmer@suse.de">Sebastian
+Krahmer</a>, has found a flaw in the Samba main smbd code which
+could allow an external attacker to remotely and anonymously gain
+Super User (root) privileges on a server running a Samba server.
+
+This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
+inclusive. This is a serious problem and all sites should either
+upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
+and 445. Advice created by Andrew Tridgell, the leader of the Samba Team,
+on how to protect an unpatched Samba server is given at the end of this
+section.
+
+The SMB/CIFS protocol implemented by Samba is vulnerable to many
+attacks, even without specific security holes. The TCP ports 139 and
+the new port 445 (used by Win2k and the Samba 3.0 alpha code in
+particular) should never be exposed to untrusted networks.
+
+Description
+-----------
+
+A buffer overrun condition exists in the SMB/CIFS packet fragment
+re-assembly code in smbd which would allow an attacker to cause smbd
+to overwrite arbitrary areas of memory in its own process address
+space. This could allow a skilled attacker to inject binary specific
+exploit code into smbd.
+
+This version of Samba adds explicit overrun and overflow checks on
+fragment re-assembly of SMB/CIFS packets to ensure that only valid
+re-assembly is performed by smbd.
+
+In addition, the same checks have been added to the re-assembly
+functions in the client code, making it safe for use in other
+services.
+
+Credit
+------
+
+This security flaw was discovered and reported to the Samba Team by
+Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.
+The fix was prepared by Jeremy Allison and reviewed by engineers from
+the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
+on the Linux Vendor security mailing list.
+
+The Samba Team would like to thank SuSE and Sebastian Krahmer for
+their excellent auditing work and for drawing attention to this flaw.
+
+Patch Availability
+-----------------
+
+As this is a security issue, patches for this flaw specific to earlier
+versions of Samba will be posted on the samba-technical@samba.org
+mailing list as requested.
+
+
+************************************
+Protecting an unpatched Samba server
+************************************
+
+ Samba Team, March 2003
+
+ This is a note on how to provide your Samba server some
+ protection against the recently discovered remote security
+ hole if you are unable to upgrade to the fixed version
+ immediately. Even if you do upgrade you might like to think
+ about the suggestions in this note to provide you with
+ additional levels of protection.
+
+
+ Using host based protection
+ ---------------------------
+
+ In many installations of Samba the greatest threat comes for
+ outside your immediate network. By default Samba will accept
+ connections from any host, which means that if you run an
+ insecure version of Samba on a host that is directly
+ connected to the Internet you can be especially vulnerable.
+
+ One of the simplest fixes in this case is to use the 'hosts
+ allow' and 'hosts deny' options in the Samba smb.conf
+ configuration file to only allow access to your server from a
+ specific range of hosts. An example might be:
+
+
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+
+ The above will only allow SMB connections from 'localhost'
+ (your own computer) and from the two private networks
+ 192.168.2 and 192.168.3. All other connections will be
+ refused connections as soon as the client sends its first
+ packet. The refusal will be marked as a 'not listening on
+ called name' error.
+
+
+ Using interface protection
+ --------------------------
+
+ By default Samba will accept connections on any network
+ interface that it finds on your system. That means if you
+ have a ISDN line or a PPP connection to the Internet then
+ Samba will accept connections on those links. This may not be
+ what you want.
+
+ You can change this behavior using options like the
+ following:
+
+ interfaces = eth* lo
+ bind interfaces only = yes
+
+ that tells Samba to only listen for connections on interfaces
+ with a name starting with 'eth' such as eth0, eth1, plus on
+ the loopback interface called 'lo'. The name you will need to
+ use depends on what OS you are using. In the above I used the
+ common name for ethernet adapters on Linux.
+
+ If you use the above and someone tries to make a SMB
+ connection to your host over a PPP interface called 'ppp0',
+ they will get a TCP connection refused reply. In that
+ case no Samba code is run at all as the operating system has
+ been told not to pass connections from that interface to any
+ process.
+
+
+ Using a firewall
+ ----------------
+
+ Many people use a firewall to deny access to services that
+ they don't want exposed outside their network. This can be a
+ very good idea, although I would recommend using it in
+ conjunction with the above methods so that you are protected
+ even if your firewall is not active for some reason.
+
+ If you are setting up a firewall then you need to know what
+ TCP and UDP ports to allow and block. Samba uses the
+ following:
+
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+
+ The last one is important as many older firewall setups may
+ not be aware of it, given that this port was only added to
+ the protocol in recent years.
+
+
+ Using a IPC$ share deny
+ -----------------------
+
+ If the above methods are not suitable, then you could also
+ place a more specific deny on the IPC$ share that is used in
+ the recently discovered security hole. This allows you to
+ offer access to other shares while denying access to IPC$
+ from potentially untrustworthy hosts.
+
+ To do that you could use:
+
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+
+ this would tell Samba that IPC$ connections are not allowed
+ from anywhere but the two listed places (localhost and a
+ local subnet). Connections to other shares would still be
+ allowed. As the IPC$ share is the only share that is always
+ accessible anonymously this provides some level of protection
+ against attackers that do not know a username/password for
+ your host.
+
+
+ If you use this method then clients will be given a 'access
+ denied' reply when they try to access the IPC$ share. That
+ means that those clients will not be able to browse shares,
+ and may also be unable to access some other resources.
+
+ I don't recommend this method unless you cannot use one of
+ the other methods listed above for some reason.
+
+
+ Upgrading Samba
+ ---------------
+
+ Of course the best solution is to upgrade Samba to a version
+ where the bug has been fixed. If you wish to also use one of
+ the additional measures above then that would certainly be a
+ good idea.
+
+ Please check regularly on http://www.samba.org/ for updates
+ and important announcements.
+
+
+ ****************************************
+ ****************************************
+
+-----------------------------------------------------------------
+
+Changes since 2.2.7a
+--------------------
+
+New Parameters
+
+ * acl compatibility
+
+Additional Changes:
+ See the cvs log for SAMBA_2_2 for more details
+
+1) smbumount lazy patch from Mandrake
+2) Check for too many processes *before* the fork.
+3) make sure we don't run over the end of 'name' in unix_convert()
+4) set umask to 0 before creating socket directory.
+5) Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right
+ thing in interactive mode when a log file dir is also specified.
+6) Fix delete on close semantics to match W2K.
+7) Correctly return access denied on share mode deny when we can't
+ open the file.
+8) Always use safe_strcpy not pstrcpy for malloc()'d strings
+9) Fixes for HP-UX only having limited POSIX lock range
+10) Added uid/gid caching code. Reduces load on winbindd.
+11) Removed extra copy of server name in the printername field (it was
+ mangling the the name to be \\server\\\server\printer
+12) Fix dumb perror used without errno being set.
+13) Do retries correctly if the connection to the DC has failed.
+14) Correctly check for inet_addr fail.
+15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
+16) Fix for missing if (setting_acls) on default perms.
+17) Fix to cache the sidtype
+18) fix printer settings on Solaris (big-endian) print servers.
+ ASCII -> UNICODE conversion bug.
+19) Small fix check correct error return.
+20) Ensure space_avail is unsigned.
+21) patch to check for a valid [f]chmod_acl function pointer
+ before calling it. Fixes seg fault in audit VFS module
+22) When checking is_locked() new WRITE locks conflict with existing
+ READ locks even if the context is the same.
+23) Merge off-by-one crash fixes from HEAD
+24) Move off-by-one buggy malloc()/safe_strcpy() combination to
+ strdup() instead.
+25) Merge from HEAD. Use pstrcpy not safe_strcpy.
+26) Fix to allow blocking lock notification to be done rapidly (no wait
+ for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
+ (does not interfere with existing locks).
+27) Doxygen cleanups for code documentation
+28) limit the unix domain sockets used by winbindd by adding a
+ "last_access" field to winbindd connections, and will close
+ the oldest idle connection once the number of open connections goes
+ over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
+ currently)
+29) Fix a couple of string handling errors in smbd/dir.c that would
+ cause smbd to crash
+30) Fix seg fault in smbpasswd when specifying the new password
+ as a command line argument
+31) Correct 64-but file sizes issues with smbtar and smbclient
+32) Add batch mode option to pdbedit
+33) Add protection in nmbd against malformed reply packets
+34) Fix bug with sendfile profiling support in smbstatus output
+35) Correct bug in "hide unreadable" smb.conf parameter that
+ resulted in incorrect directory listings
+36) Fix bug in group enumeration in winbindd
+37) Correct build issues with libsmbclient on Solaris
+38) Fix memory leak and bad pointer dereference in password
+ changing code in smbd
+39) Fix for changing attributes on a file truncate
+40) Ensure smbd process count never gets to -1 if limiting number
+ of processes
+41) Ensure we return disk full by default on short writes
+42) Don't delete jobs submitted after the lpq time
+43) Fix reference count bug where smbds would not terminate
+ with no open resources
+44) Performance fix when using quota support on HP-UX
+45) Fixes for --with-ldapsam
+ * Default to port 389 when "ldap ssl != on"
+ * add support for rebinding to the master directory server
+ for password changes when "ldap server" points to a read-only
+ slave
+46) Add -W and -X command line flags to smbpasswd for extracting and
+ setting the machine/domain SID in secrets.tdb. See the
+ smbpasswd(8) man page for details.
+47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
+ obtained from PADL's nss_ldap library.
+48) Fix bug in samr_dispinfo query in winbindd
+49) Fix segfault in NTLMSSP password changing code for
+ guest connections
+50) Correct pstring/fstring mismatches
+51) Send level II oplock break requests synchronously to prevent
+ condition where one smbd would continually lock a share entry
+ in locking.tdb
+52) Miscellaneous cleanups for tdb error conditions and appending
+ data in a record
+53) Implement correct open file truncate semantics with DOS
+ attributes
+54) Enforce wide links = no on files as well as directories
+55) Include shared library checks for Stratus VOS
+56) Include support for CUPS printer classes and logging the remote
+ client name
+57) Include "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
+ for %a
+58) Increase the max PDU size to deal with some troublesome printer
+ drivers and Windows NT 4.0 clients
+59) increment the process counter immediately after the fork
+ (not just when we receive the first smb packet)
+60) Ensure rename sets errno correctly
+61) Unify ACL code (back-port from 3.0)
+62) Fix some further issues around off_t and large offsets
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team announces the first official release of Samba 3.0</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the availability of the
+first official, stable release of the Samba 3.0.0 code base.
+
+The source code can be downloaded from :
+
+ <a href="http://download.samba.org/samba/ftp/">http://download.samba.org/samba/ftp/</a>
+
+The uncompressed tarball and patch file have been signed
+using GnuPG. The Samba public key is available at
+
+ <a href="http://download.samba.org/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
+
+Binary packages are available at
+
+ <a href="http://download.samba.org/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+A simplified version of the CVS log of updates since 3.0.0rc4
+can be found in the the download directory under the name
+ChangeLog-3.0.0rc4-3.0.0.
+
+Please file any bugs you find in this release at
+
+ <a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+#######################################################################
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ ==============================
+
+This is the first official release of Samba 3.0.0 code base. Work
+on the SAMBA_3_0 CVS branch continues. Please refer to the section
+on "Known Issues" for more details.
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grnbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Changes since 3.0rc4
+####################
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details:
+
+1) Fix bug that prevented filenames of length >100 characters
+ from being restored using smbclient's tar functionality.
+2) Fix bug that prevented fast path code in strchr_m()
+ from being used.
+3) Make sure we store the desired access flag on incoming
+ SAMR rpc calls.
+4) Fix smbd crash when dealing with mangled file names.
+5) Ensure that the group comment field is not overwritten
+ if it already exists.
+6) Fix bug that prevented 'net rpc join' from working
+ with mixed mode AD domains (bug 442).
+7) Fix crash in smbd when a Samba PDC is not able to
+ enumerate trusted domains (bug 450).
+8) Fix crash bug found by the Samba4 testsuite.
+9) Fix bug that prevented smbd from returning an ACL list
+ if one of the SIDs could not be resolved (bug 470).
+10) Remove -P option from smbclient printing scripts since it
+ has a different meaning in Samba 3.0 (bug 473).
+11) Sync smbldap-tools with latest version from idealx cvs tree.
+12) Cleanup some warnings produced by the Sun C compiler.
+13) Several fixes for SWAT relating to international character
+ sets.
+
+
+Changes since 3.0rc3
+####################
+
+1) Fix incorrect error message in testparm.c regarding 'map system'.
+2) Protect against core dump if ioctl for print job sends invalid
+ fid.
+3) Fix bug in generic hash cacluation.
+4) Remove references to unused 'strip dot' parameter
+5) Fix CPU burn bug in multi-byte character conversion.
+6) Use opt_target_workgroup instead of lp_workgroup() in vampire
+ code so we can override the value in smb.conf with the -w option.
+7) Display an error if we can't create a posix account for the
+ user when running 'net rpc vampire' (bug 323).
+8) Fix UTF8 conversion bugs in LDAP passdb and idmap code (bug 296).
+9) Fix smbd crash when changing the machine trust account password
+ (bug 273).
+10) Remove getpwnam() calls from init_sam_from_xxx(). This means
+ that %u & %g will no longer expand in the "login ..." set of
+ smb.conf options, but %U and %G still do. The payback is that
+ winbindd local accounts for users work with 'wbinfo -u'
+ when winbind is running on a Samba PDC.
+11) Fix unitiailized timestamp where merging print_jobs and
+ lpq listing.
+12) Fix bug in debian packaging files affecting non-i386 platforms.
+
+
+Changes since 3.0rc2
+####################
+
+1) Remove Perl module dependencies in generated RedHat 8/9 RPMS.
+2) Update mount helper to take synonyms for file_mode and
+ dir_mode (fmask and dmask).
+3) Fix portability bug with log2pcaphex.
+4) Use different algorithm to generate codepages source code which
+ allows to take gaps into account thus making unnecessary
+ extended [index] = value, syntax in to_ucs2 array (bug 380).
+5) Fix comment strings to 43 bytes as per spec.
+6) Fix pam_winbind compile bug on FreeBSD (bug 261).
+7) Support for in-memory keytabs, which are needed to make heimdal
+ work properly. MIT does not support them, so this check will be
+ used to decide whether to use them. (partial fix for bug 372).
+8) Disable RC4-HMAC on broken heimdal setups. (remainder of bug
+ 372).
+9) Correct bug in smbclient that resulted in errors when untarring
+ long filenames (bug 308).
+10) Improve autoconf checks for PAM header files and libs.
+11) Added fast path to convert_string() when dealing with
+ ASCII->ASCII, UCS2-LE->ASCII, and ASCII->UCS2-LE with
+ values <= 0x7F.
+12) Quiet debug messages when we don't find a module and it is not
+ a critical error (bug 375).
+13) Fix UNIX passwd sync properly.
+14) Fix more transitive trust issues in winbindd (bug 305).
+15) Ensure that winbindd functions with 'disable netbios = yes'
+16) Store the real short domain name in secrets.tdb as soon as we
+ know it. Also display an error message when joining an AD
+ domain and the 'workgroup' parameter has not been specified.
+17) Return 0 DFS links instead of -1 when dfs support is not enabled.
+18) Update LDAP schema for Netscape DS 4.x and Novell eDirectory 8.7
+19) Ensure that name types can be specified using name#type notation
+ in the 'net' command (bug 73).
+20) Add retry looks to ADS sequence number and domain SID lookups
+ (bug 364).
+21) use a variant of alloc_sub_basic() for string lists such as
+ 'valid users', 'write list', and 'read list' (bug 397).
+22) Fix seg fault when winbindd receives an error from the AD server
+ in response to an LDAP search (bug 282).
+23) Update findsmb to use the new syntax for smbclient and nmblookup.
+24) Fix bug that prevented variables from being used in explicitly
+ defined path in [homes].
+25) Only set SIDs when they're returned by the MySQL query
+ (pdb_mysql.so).
+26) Include support for NTLMv2 key exchange.
+27) Revert default for 'client ntlmv2 auth' to off (bug 359).
+28) Fix crash in winbindd when the trust account password gets
+ changed underneath us via 'net rpc changetrustpw' (bug 382).
+29) Use djb-algorithm string hash - faster than the tdb one we
+ used to use. Does not change on disk format or hashing location.
+30) Implements some kind of improved AFS support for Samba on
+ Linux with OpenAFS 1.2.10. './configure --with-fake-kaserver'
+ assumes that you have OpenAFS on your machine.
+31) When enumerating dfs shares loop from 0 to lp_numservices() instead
+ of relying on lp_servicename(n) to return an empty string for
+ invalid service numbers (bug 403).
+32) Fix crash bug in 'net rpc samdump' (bug 334).
+33) Fix crash bug in WINS NSS module (bug 299).
+34) Fix a few minor compile errors on HP-UX.
+
+
+
+Changes since 3.0rc1
+####################
+
+1) Add levels 261 and 262 to search. Found using Samba4 tester.
+2) Correct bad error return code in session setup reply
+3) Fix bug where smbd returned DOS error codes from SMBsearch
+ even when NT1 protocol was negotiated.
+4) Implement SMBexit properly.
+5) Return group lists from a Samba PDC to a Windows 9x/ME box
+ in implementing user level access control (bug 314).
+6) Prevent SWAT from crashing when adding shares (bug 254)
+7) Fix various documentation issues (bugs 304 & 214)
+8) Fix wins server listing in SWAT (bug 197)
+9) Fix problem in rpcclient that caused enumerating printer
+ drivers to report failure (bug 294).
+10) Use kerberos 5 authentication in our client code whenever possible
+11) Fix schannel bug that caused Active Directory DC's to downgrade our
+ machine account to an NT member.
+12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252).
+13) Implement automatic generation of include/version.h
+14) Include initial version of smbldap-tool scripts for the Samba
+ 3.0 schema.
+15) Implement numerous fixes for multi-byte character strings.
+16) Enable 'unix extensions' parameter by default.
+17) Make sure we set the SID type when falling back to the rid
+ algorithm (bug 245).
+18) Correct linking problems with pam_smbpass (bug 327).
+19) Add SYSV defines for Irix and Solaris to ensure the 'printing'
+ parameter default to the correct value (bug 230)
+20) Fix recursion bug in alloc_string_sub() (bug 289, et. al.)
+21) Ensure that 'make install' includes the static and shared
+ versions of the libsmbclient libraries.
+22) Add CP850 and CP437 internal character set support (bug 150).
+23) Add support to examples/LDAP/convertSambaAccount for generating
+ LDIF modify files instead of just add (303).
+24) Fix support for -W option in smbclient (bug 39)
+25) Remove 'ldap trust ids' parameter since it could not be supported
+ by the current architecture.
+26) Don't crash when no argument is given to -T in smbclient (bug 345).
+27) Ensure smbadduser contains the same paths for the smbpasswd file
+ as the other Samba tools (bug 290).
+28) Port of 'available = no' fix for [homes] from SAMBA_2_2 cvs tree.
+29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the
+ modified printer is written to disk.
+30) Force winbindd to periodically update the trusted domain cache.
+31) Remove outdated import/export script to convert an smbpasswd file
+ to and from and LDAP directory. Use the pdbedit tool instead.
+32) Ensure that %U substitution is restored on next valid packet
+ if a logon fails.
+
+
+Changes since 3.0beta3
+######################
+
+1) Various memory leak fixes.
+2) Provide full support for SMB signing (server and client)
+3) Check for broken getgrouplist() in glibc.
+4) Don't get stuck in an infinite loop listing directories
+ recursively if the server returns an empty directory name
+ (bug 222).
+5) Idle LDAP connections after 150 seconds.
+6) Patched make uninstallmodules (bug 236).
+7) Fix bug that caused smbd to return incomplete directory listings
+ when UNIX files contained MS wildcard characters.
+8) Quiet default debug messages in command line tools.
+9) Fixes to avoid panics on invalid multi-byte strings.
+10) Fix error messages when creating a new smbpasswd file (bug 198).
+11) Implemented better detection routines in autoconf scripts for
+ locating ads support on the host OS.
+12) Fix bug that caused libraries in /usr/local/lib to be ignored
+ (bug 174).
+13) Ensure winbindd_ads uses the correct realm or domain name when
+ connecting to trusted DC.
+14) Ensure a correct prototype is created for snprintf() (bug 187)
+15) Stop files being created on read-only shares in some circumstances.
+16) Fix wbinfo -p (bug 251)
+17) Support schannel on any tcp/ip connection if necessary
+18) Correct bug in user_in_list() so that it works with winbind groups
+ again.
+19) Ensure the schannel bind credentials default to the domain
+ of the destination host.
+20) Default password expiration time in account_pol.tdb to never
+ expire. Remove any existing account_pol.tdb file to reset
+ the new default policy (bug 184).
+21) Add buttons to SWAT to change the view of smb.conf (bug 212)
+22) Fix incorrect checks that determine whether or not the 'add user
+ script' has been set.
+23) More cleanup for internal character set conversions.
+24) Fixes for multi-byte strings in stat cache code.
+25) Ensure that the net command honors the 'workgroup' parameter
+ in smb.conf when not overridden from the command line.
+26) Add gss-spnego support to the ntlm_auth tool.
+27) Add vfs_default_quota VFS module.
+28) Added server support for NT quota interfaces.
+29) Prevent Krb5 replay attacks by adding a replay_cache.
+30) Fix problems with winbindd and transitive trusts in AD domains.
+31) Added -S to client tools for setting SMB signing options on the
+ command line.
+32) Fix bug causing the 'passwd change program' to be called as the
+ connected user and not root.
+33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
+34) Support winbindd on FreeBSD is possible.
+35) Look at only the first OID in the security blob sent in the session
+ setup request to determine the token type.
+36) Only push locks onto a blocking lock queue if the posix lock failed with
+ EACCES or EAGAIN (this means another lock conflicts). Else return an
+ error and don't queue the request.
+37) Fix command line argument processing for smbtar.
+38) Correct issue that caused smbd to return generic unix_user.<uid>
+ for lookupsid().
+39) Default to algorithmic mapping when generating a rid for a group
+ mapping.
+40) Expand %g and %G in logon script, profile path, etc... during
+ a domain logon (bug 208).
+41) Make sure smbclient obeys '-s <config>'
+42) Added win2k3 shadow copy operations to VFS interface.
+43) Allow connections to samba domain member as SERVER\user (don't
+ always default to DOMAIN\user).
+44) Remove checks in winbindd that caused it to attempt to use
+ non-transitive trust relationships.
+45) Remove delays in winbindd caused by invalid DNS lookups.
+46) Fix supplementary group memberships on systems with slightly
+ broken NSS implementations (bug 267).
+47) Correct issue that prevented smbclient from viewing shares on
+ a win2k server when using a non-anonymous connection (bug 284).
+48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like
+ 'wbinfo -u' to a single domain. The '.' character represents
+ our domain.
+49) Fix group enumeration bug when using an LDAP directory for
+ storing group mappings.
+50) Default to use NTLMv2 if available. Fallback to not use LM/NTLM
+ when the extended security capability bit is not set.
+51) Fix crash in 'wbinfo -a' when using extended characters in the
+ username (bug 269).
+52) Fix multi-byte strupper() panics (bug 205).
+53) Add vfs_readonly VFS module.
+54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
+ attributes when using 'idmap backend = ldap' (bug 280).
+55) Make sure that users shared between a Samba PDC and member
+ samba server are seen as domain users and not local users on the
+ domain member.
+56) Fix Query FS Info level 2.
+57) Allow enumeration of users and groups by win9x "file server" (bug
+ 286).
+58) Create symlinks during install for modules that support mutliple
+ functions (bug 91).
+59) More iconv detection fixes.
+60) Fix path length error in vfs_recycle module (bug 291).
+61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
+ (server DsRoleGetPrimaryDomainInfo() is currently disabled).
+62) Fix SMBseek and get/set position calls.
+62) Fix SetFileInfo level 1.
+63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
+
+
+
+Changes since 3.0beta2
+######################
+
+1) Added fix for Japanese case names in statcache code;
+ these can change size on upper casing.
+2) Correct issues with iconv detection in configure script
+ (support needed to find iconv libraries on FreeBSD).
+3) Fix bug that caused a WINS server to be marked as dead
+ incorrectly (bug #190).
+4) Removing additional deadlocks conditions that prevented
+ winbindd from running on a Samba PDC (used for trust
+ relationships).
+5) Add support for searching for Active Directory for
+ published printers (net ads printer search).
+6) Separate UNIX username from DOMAIN\username in pipe
+ credentials.
+7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
+ for cases that they cannot handle.
+8) Flush winbindd connection cache when the machine trust account
+ password is changed while a connection is open (bug #200).
+9) Add support for 'OSVersion' server printer data string
+ (corrects problem with uploading printer drivers from
+ WinXP clients).
+10) Numerous memory leak fixes.
+11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
+ - Store domain SID in LDAP directory.
+ - store idmap information in existing entries (use sambaSID=...
+ if adding a new entry).
+12) Fix incorrect usage of primary group SID when looking up user
+ groups (bug #109).
+13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
+ winbind_XXX and local_XXX calls used in 2.2.
+14) All uid/gid allocation must involve winbindd now (we do not
+ attempt to map unknown SIDs to a UNIX identify).
+15) Add 'winbind trusted domains only' parameter to force a domain
+ member. The server to use matching users names from /etc/passwd
+ for its domain (needed for domain member of a Samba domain).
+16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
+ (defaults to "yes").
+17) Add support for multi-byte statcache code (bug #185)
+18) Fix open mode race condition.
+19) Implement winbindd local account management functions. Refer to
+ the "Winbind Changes" section for details.
+20) Move RID allocation functions into idmap backend.
+21) Fix parsing error that prevented publishing printers from a
+ Samba server in an AD domain.
+22) Revive NTLMSSP support for named pipes.
+23) More SCHANNEL fixes.
+24) Correct SMB signing with NTLMSSP.
+25) Fix coherency bug in print handle/printer object caching code
+ that could cause XP clients to infinitely loop while updating
+ their local printer cache.
+26) Make winbindd use its dual-daemon mode by default (use -Y to
+ start as a single process).
+27) Add support to nmbd and winbindd for 'smbcontrol <pid>
+ reload-config'.
+28) Correct problem with smbtar when dealing with files > 8Gb
+ (bug #102).
+
+
+
+Changes since 3.0beta1
+######################
+
+1) Rework our smb signing code again, this factors out some of
+ the common MAC calculation code, and now supports multiple
+ outstanding packets (bug #40).
+2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
+ ntlmv2 auth'.
+3) Correct timestamp problem on 64-bit machines (bug #140).
+4) Add extra debugging statements to winbindd for tracking down
+ failures.
+5) Fix bug when aliased 'winbind uid/gid' parameters are used.
+ ('winbind uid/gid' are now replaced with 'idmap uid/gid').
+6) Added an auth flag that indicates if we should be allowed
+ to fall back to NTLMSSP for SASL if krb5 fails.
+7) Fixed the bug that forced us not to use the winbindd cache when
+ we have a primary ADS domain and a secondary (trusted) NT4
+ domain.
+8) Use lp_realm() to find the default realm for 'net ads password'.
+9) Removed editreg from standard build until it is portable..
+10) Fix domain membership for servers not running winbindd.
+11) Correct race condition in determining the high water mark
+ in the idmap backend (bug #181).
+12) Set the user's primary unix group from usrmgr.exe (partial
+ fix for bug #45).
+13) Show comments when doing 'net group -l' (bug #3).
+14) Add trivial extension to 'net' to dump current local idmap
+ and restore mappings as well.
+15) Modify 'net rpc vampire' to add new and existing users to
+ both the idmap and the SAM. This code needs further testing.
+16) Fix crash bug in ADS searches.
+17) Build libnss_wins.so as part of nsswitch target (bug #160).
+18) Make net rpc vampire return an error if the sam sync RPC
+ returns an error.
+19) Fail to join an NT 4 domain as a BDC if a workstation account
+ using our name exists.
+20) Fix various memory leaks in server and client code
+21) Remove the short option to --set-auth-user for wbinfo (-A) to
+ prevent confusion with the -a option (bug #158).
+22) Added new 'map acl inherit' parameter.
+23) Removed unused 'privileges' code from group mapping database.
+24) Don't segfault on empty passdb backend list (bug #136).
+25) Fixed acl sorting algorithm for Windows 2000 clients.
+26) Replace universal group cache with netsamlogon_cache
+ from APPLIANCE_HEAD branch.
+27) Fix autoconf detection issues surrounding --with-ads=yes
+ but no Krb5 header files installed (bug #152).
+28) Add LDAP lookup for domain sequence number in case we are
+ joined using NT4 protocols to a native mode AD domain.
+29) Fix backend method selection for trusted NT 4 (or 2k
+ mixed mode) domains.
+30) Fixed bug that caused us to enumerate domain local groups
+ from native mode AD domains other than our own.
+31) Correct group enumeration for viewing in the Windows
+ security tab (bug #110).
+32) Consolidate the DC location code.
+33) Moved 'ads server' functionality into 'password server' for
+ backwards compatibility.
+34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
+ ( if you installed beta1, be sure to
+ 'mv idmap.tdb winbindd_idmap.tdb' ).
+35) Fix pdb_ldap segfaults, and wrong default values for
+ ldapsam_compat.
+36) Enable negative connection cache for winbindd's ADS backend
+ functions.
+37) Enable address caching for active directory DC's so we don't
+ have to hit DNS so much.
+38) Fix bug in idmap code that caused mapping to randomly be
+ redefined.
+39) Add tdb locking code to prevent race condition when adding a
+ new mapping to idmap.
+40) Fix 'map to guest = bad user' when acting as a PDC supporting
+ trust relationships.
+41) Prevent deadlock issues when running winbindd on a Samba PDC
+ to handle allocating uids & gids for trusted users and groups
+42) added LOCALE patch from Steve Langasek (bug #122).
+43) Add the 'guest' passdb backend automatically to the end of
+ the 'passdb backend' list if 'guest account' has a valid
+ username.
+44) Remove samstrict_dc auth method. Rework 'samstrict' to only
+ handle our local names (or domain name if we are a PDC).
+ Move existing permissive 'sam' method to 'sam_ignoredomain'
+ and make 'samstrict' the new default 'sam' auth method.
+45) Match Windows NT4/2k behavior when authenticating a user with
+ and unknown domain (default to our domain if we are a DC or
+ domain member; default to our local name if we are a
+ standalone server).
+46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
+ 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
+47) Fix the trustdom_cache code to update the list of trusted
+ domains when operating as a domain member and not using
+ winbindd.
+48) Remove 'nisplussam' passdb backend since it has suffered for
+ too long without a maintainer.
+
+
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of attributes
+to prevent clashes with attributes from other vendors. There is a
+conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
+file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
+ $ convertSambaAccount <DOM SID> old.ldif new.ldif
+
+The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
+on the Samba PDC as root.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>Samba 3.0.1 Available for Download</h2>
+
+<p>
+<pre>
+The Samba Team is proud to announce the availability
+of the first patch release of the Samba 3.0 code base.
+This is the latest stable release of Samba and the
+version that all production Samba servers should be running
+for all current bug-fixes. Some of the more common bugs in
+3.0.0 addressed in the release include:
+
+ * Substitution problems with smb.conf variables.
+ * Errors in return codes which caused some applications
+ to fail to open files.
+ * General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ * Several miscellaneous crash bugs.
+ * Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ * Several common SWAT bugs when writing changes to
+ smb.conf.
+ * Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+The source code can be downloaded from :
+
+ <a href="http://download.samba.org/samba/ftp/">http://download.samba.org/samba/ftp/</a>
+
+The uncompressed tarball and patch file have been signed
+using GnuPG. The Samba public key is available at
+
+ <a href="http://download.samba.org/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
+
+Binary packages are available at
+
+ <a href="http://download.samba.org/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+A simplified version of the CVS log of updates since 3.0.0 can
+be found in the the download directory under the name
+<a href="/samba/ftp/ChangeLog-3.0.0-3.0.1">ChangeLog-3.0.0-3.0.1</a>.
+The release notes are also available on-line at
+
+ <a href="http://www.samba.org/samba/whatsnew/samba-3.0.1.html">http://www.samba.org/samba/whatsnew/samba-3.0.1.html</a>
+
+Please file any bugs you find in this release at
+
+ <a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+#######################################################################
+ WHATS NEW IN Samba 3.0.1
+ December 15, 2003
+ ===============================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes. Some of the more common bugs in
+3.0.0 addressed in the release include:
+
+ * Substitution problems with smb.conf variables.
+ * Errors in return codes which caused some applications
+ to fail to open files.
+ * General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ * Several miscellaneous crash bugs.
+ * Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ * Several common SWAT bugs when writing changes to
+ smb.conf.
+ * Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+######################################################################
+Changes
+#######
+Changes since 3.0.1rc2
+----------------------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details:
+
+1) Fix uninitialized variable in passdb.c.
+2) Fix formal parameter type in get_static() in nsswitch/wins.c.
+3) Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+4) Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+5) Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+Changes since 3.0.1rc1
+-----------------------
+
+1) Update version string in smbldap-tools Makefile to 0.8.2.
+2) Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+3) Ensure the ${libdir} is created by the installclientlib script.
+4) Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+5) Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+6) Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+7) Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+8) Fix spinlocks on IRIX.
+9) Corrected some bad destination paths when running "configure
+ --with-fhs".
+10) Add packaging files for Fedora Core 1.
+11) Correct bug in SWAT install script for non-english languages.
+12) Support character set ISO-8859-1 internally (bug 558).
+13) Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+14) Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+
+
+Changes since 3.0.1pre3
+-----------------------
+
+Removed Parameters
+ * hide local users
+
+Added Parameters
+ * passwd chat timeout
+
+1) Fix for pdbedit error code returns (bug 763).
+2) Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+3) Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+4) Ensure we mangle names ending in '.' in hash2 mangling method.
+5) Correct parsing issues with munged dial string.
+6) Fix bugs in quota support for XFS.
+7) Add a cleaner method for applications that need to provide name->SID
+ mappings to do this via NSS rather than having to know the
+ winbindd pipe protocol.
+8) Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of a
+ users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+9) Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+10) Fix renames across file systems.
+11) Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+12) Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+13) Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+14) Add support for NTLM2 (NTLMv2 session security).
+15) Add support for variable-length session keys.
+16) More privilege fixes for group enumeration in LDAP (bug 281).
+17) Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+18) Fix various SMB signing bugs.
+19) Fix ACL propagation on a DFS root (bug 263).
+20) Disable NTLM2 for RPC pipes.
+21) Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+22) Change the name of the job passed off to cups from "Test Page" to
+ "smbprn.00000033 Test Page" so that we can get the smb jobid back.
+ This allow users to delete jobs with cups printing backend (partial
+ work on bug 770).
+23) Fix build of winbindd with static pdb modules.
+24) Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+25) Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+26) Add MacOSX (Darwin) specific charset module code.
+27) Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+28) Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+29) Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+30) Don't automatically set NT status code flag unless client tells
+ us it can cope.
+31) Add 'net status [sessions|shares] [parseable]'.
+32) Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+33) Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+34) Fix inverted logic in hosts allow/deny checks caused by s/strcmp/strequal/
+ (bug 846).
+35) Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+36) Fix typo in 'hash' mangling algorithm.
+37) Support munged dial for ldapsam (bug 800).
+38) Fix process_incoming_data() to return the number of bytes handled this
+ call whether we have a complete PDU or not; fixes bug with multiple
+ PDU request rpc's broken over SMBwriteX calls each.
+39) Fix incorrect smb flags2 for connections to pre-NT servers (causes
+ smbclient to fail to OS2 for example) (bug 821).
+
+
+
+Changes since 3.0.1pre2
+-----------------------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details:
+
+1) Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+2) Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+3) Fix core dump bug when "security = server" and the authentication
+ server goes away.
+4) Correct crash bug due to an empty munged dial string.
+5) Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+6) Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+7) Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+8) Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+
+
+Changes since 3.0.1pre1
+-----------------------
+
+1) Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+2) Updated Japanese welcome file in SWAT.
+3) Fix to nt-time <-> unix-time functions reversible.
+4) Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+5) Fix portability issues when compiling (bug 505, 550)
+6) Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+7) Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+8) Make sure we break out of samsync loop on error.
+9) Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+10) Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+11) Fixed spinlocks.
+12) Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+13) Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+14) Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+15) Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+16) Ensure we don't use mmap() on blacklisted systems.
+17) fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+18) Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+19) Fix signing problems when reverse connecting back to a
+ client for printer notify
+20) Fix signing problems caused by a miss-sequence bug.
+21) Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+22) Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+23) Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+24) Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+25) Stop net -P from prompting for machine account password (bug 451).
+26) Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+27) Cope with Exchange 5.5 cleartext pop password auth.
+28) New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+29) Added more va_copy() checks in configure.in.
+30) Include fixes for libsmbclient build problems.
+31) Missing UNIX -> DOS codepage conversion in lanman.c.
+32) Allow DFMS-S filenames can now have arbitrary case (bug 667).
+33) Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+34) Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+35) Remove invalid memory frees and return codes in pdb_ldap.c.
+36) Prompt for password when invoking --set-auth-user and no
+ password is given.
+37) Bind the nmbd sending socket to the 'socket address'.
+38) Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+39) Fix large number of printf() calls for 64-bit size_t.
+40) Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+41) Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+42) Correct winbindd build problems on HP-UX 11.
+43) Lowercase netgroups lookups (bug 703).
+44) Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+45) Add ldaplibs to pdbedit link line (bug 651).
+46) Fix crash bug in smbclient completion (bug 659).
+47) Fix packet length for browse list reply (bug 771).
+48) Fix coredump in cli_get_backup_list().
+49) Make sure that we expand %N (bug 612).
+50) Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+51) Compile tdbdump by default.
+52) Apply patches to fix iconv detection for FreeBSD.
+53) Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+54) Save LDFLAGS during iconv detection (bug 57).
+55) Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+56) Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+57) Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+58) Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+59) Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+60) Patch to handle munged dial string for Windows 200 TSE.
+61) Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+
+
+
+Changes since 3.0.0
+-------------------
+
+Modified parameters
+ * mangled map (deprecated)
+
+Removed Parameters
+ * mangled stack (unused)
+
+
+1) Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+2) Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+3) Fix bad html table row termination in SWAT wizard code (bug 413).
+4) Fix to parse the level-2 strings.
+5) Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+6) Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+7) Testparm output fixes for clarity.
+8) Fix broken wins hook functionality -- i18n bug (bug 528).
+9) Take care of condition where DOS and NT error codes must differ.
+10) Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+11) Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+12) Remove duplicate smbspool link on SWAT's front page (bug 541).
+13) Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+14) Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+15) Support signing only on RPC's (bug 167).
+16) Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+17) Portability fix bugs 546 - 549).
+18) Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+19) More i18n fixes for SWAT (bug 413).
+20) Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+21) Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+22) Fix incorrect mode sum (bug 562).
+23) Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+24) Add script to generate *msg files.
+25) Add Dutch SWAT translation file.
+26) Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+27) Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+28) Allow Samba3 to pass the Samba4 RAW-READ tests.
+29) Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+30) Move sysquotas autoconf tests to a separate file.
+31) Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+32) Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+33) Ensure canceling a blocking lock returns the correct error
+ message.
+
+
+
+######################################################################
+
+ =======================================
+ The original 3.0.0 release notes follow
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of attributes
+to prevent clashes with attributes from other vendors. There is a
+conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
+file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
+ $ convertSambaAccount <DOM SID> old.ldif new.ldif
+
+The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
+on the Samba PDC as root.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>Samba 3.0.2 Available for Download</h2>
+
+<p>
+<pre>
+This is the latest stable release of Samba. This is the version
+that all production Samba servers should be running for all
+current bug-fixes.
+
+<em>Security Announcement:</em> It has been confirmed that
+previous versions of Samba 3.0 are susceptible to a password
+initialization bug that could grant an attacker unauthorized
+access to a user account created by the mksmbpasswd.sh shell
+script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Additionally, some of the more visible bugs in 3.0.1 addressed
+in the 3.0.2 release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation
+ to Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab
+ detection test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain
+ controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better
+ compatibility with scripts based on the 2.2 version.
+
+The source code can be downloaded from :
+
+ <a href="http://download.samba.org/samba/ftp/">http://download.samba.org/samba/ftp/</a>
+
+The uncompressed tarball and patch file have been signed
+using GnuPG. The Samba public key is available at
+
+ <a href="http://download.samba.org/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
+
+Binary packages are available at
+
+ <a href="http://download.samba.org/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+A simplified version of the CVS log of updates since 3.0.1
+can be found in the the download directory under the name
+<a href="/samba/ftp/ChangeLog-3.0.1-3.0.2">ChangeLog-3.0.1-3.0.2</a>.
+
+Please file any bugs you find in this release at
+
+ <a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>
+
+As always, all bugs are our responsibility.
+
+ --Enjoy
+ The Samba Team
+
+
+#######################################################################
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+This is the latest stable release of Samba. This is the version
+that all production Samba servers should be running for all current
+bug-fixes.
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+######################################################################
+Changes
+#######
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <shape@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 200 TSE.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ =======================================
+ The original 3.0.0 release notes follow
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>Samba 3.0.2a Available for Download</h2>
+
+<p>
+<pre>
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* <em>Attention! Achtung! Kree!</em> *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* <em>Attention! Achtung! Kree!</em> *********************
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+<em>Security Announcement:</em> It has been confirmed that
+previous versions of Samba 3.0 are susceptible to a password
+initialization bug that could grant an attacker unauthorized
+access to a user account created by the mksmbpasswd.sh shell
+script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <shape@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 200 TSE.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>Samba 3.0.3 Available for Download</h2>
+
+<p>
+<pre>
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several issues fixes since
+the 3.0.2a release and new features have been added as well.
+See the "Changes" section for details on exact updates.
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's
+ printing code.
+ o Honoring secondary group membership on domain member
+ servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST
+ flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS
+ libraries.
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp/">http://download.samba.org/samba/ftp/</a>
+
+The uncompressed tarball and patch file have been signed
+using GnuPG. The Samba public key is available at
+
+ <a href="/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
+
+Binary packages are available at
+
+ <a href="/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
+
+The release notes are also available on-line at
+
+ <a href="/samba/whatsnew/samba-3.0.3.html">http://www.samba.org/samba/whatsnew/samba-3.0.3.html</a>
+
+As always, all bugs (<a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>) are our
+responsibility.
+
+ --Enjoy
+ The Samba Team
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several issues fixes since
+the 3.0.2a release and new features have been added as well.
+See the "Changes" section for details on exact updates.
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.3rc1
+----------------------
+
+commits
+-------
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
+
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
+o Volker Lendecke <vl@samba.org>
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
+
+
+o Tim Potter <tpot@samba.org>
+ * Relicense tdb python module as LGPL.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix syntax error in example mysql table
+
+
+
+Changes since 3.0.2a
+--------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups options New
+ ea support New
+ only user Deprecated
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure that Kerberos mutex is always properly unlocked.
+ * Removed Heimdal "in-memory keytab" support.
+ * Fixup the 'multiple-vuids' bugs in our server code.
+ * Correct return code from lsa_lookup_sids() on unmapped
+ sids (based on work by vl@samba.org).
+ * Fix the "too many fcntl locks" scalability problem
+ raised by tridge.
+ * Fixup correct (as per W2K3) returns for lookupsids
+ as well as lookupnames.
+ * Fixups for delete-on-close semantics as per Win2k3 behavior.
+ * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
+ * Fix "unable to initialize" bug when smbd hasn't been run with
+ new system and a user is being added via pdbedit/smbpasswd.
+ * Added NTrename SMB (0xA5).
+ * Fixup correct timeout values for blocking lock timeouts.
+ * Fix various bugs reported by 'gentest'.
+ * More locking fixes in the case where we own the lock.
+ * Fix up regression in IS_NAME_VALID and renames.
+ * Don't set allocation size on directories.
+ * Return correct error code on fail if file exists and target
+ is a directory.
+ * Added client "hardlink" comment to test doing NT rename with
+ hard links. Added hardlink_internals() code - UNIX extensions
+ now use this as well.
+ * Use a common function to parse all pathnames from the wire for
+ much closer emulation of Win2k3 error return codes.
+ * Implement check_path_syntax() and rewrite string sub
+ functions for better multibyte support.
+ * Ensure msdfs referrals are multibyte safe.
+ * Allow msdfs symlink syntax to be more forgiving.
+ eg. sym_link -> msdfs://server/share/path/in/share
+ or sym_link -> msdfs:\\server\share\path\in\share.
+ * Cleanup multibyte netbios name support in nmbd ( based on patch
+ by MORIYAMA Masayuki <moriyama@miraclelinux.com>).
+ * Fix check_path_syntax() for multibyte encodings which have
+ no '\' as second byte (based on work by ab@samba.org.
+ * Fix the "dfs self-referrals as anonymous user" problem
+ (based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+
+
+o Craig Barratt <cbarratt@users.sourceforge.net>
+ * BUG 389: Allow multiple exclude arguments with smbclient
+ tar -Xr options (better support for Amanda backup client).
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Include support for linking with cracklib for enforcing strong
+ password changes.
+ * Add support for >14 character password changes from Windows
+ clients.
+ * Add 'admin set password' capability to 'net rpc'.
+ * Allow 'net rpc samdump' to work with any joined domain
+ regardless of smb.conf settings.
+ * Use an allocated buffer for count_chars.
+ * Add sanity checks for changes in the domain SID in an
+ LDAP DIT.
+ * Implement python unit tests for Samba's multibyte string
+ support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix incorrect size calculation of the directory name
+ in recycle.so.
+ * Fix problems with very long filenames in both smbd and smbclient
+ caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
+ * BUG 66: mark 'only user' deprecated.
+ * Remove corrupt tdb and shutdown (only for printing tdbs,
+ connections, sessionid & locking).
+ * decrement smbd counter in connections.tdb in smb_panic().
+ * RedHat specfile updates.
+ * Fix xattr.h build issue on Debian testing and SuSE 8.2.
+ * BUG 1147; bad pointer case in get_stored_queue_info()
+ causing seg fault.
+ * BUG 761: read the config file before initialized default
+ values for printing options; don't default to bsd printing
+ Linux.
+ * Allow the 'printing' parameter to be set on a per share basis.
+ * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
+ * BUG 848: don't create winbind local users/groups that already
+ exist in the tdb.
+ * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on
+ LynxOS/ppc).
+ * BUG 488: fix the 'show client in col 1' button and correctly
+ enumerate active connections.
+ * BUG 1007 (partial): Fix abort in smbd caused by byte ordering
+ problem when storing the updating pid for the lpq cache.
+ * BUG 1007 (partial): Fix print change notify bugs.
+ * BUG 1165, 1126: Fix bug with secondary groups (security = ads)
+ and winbind use default domain = yes. Also ensures that
+ * BUG 1151: Ensure that winbindd users are passed through
+ the username map.
+ * Fix client rpc binds for ASU derived servers (pc netlink,
+ etc...).
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+
+
+o Robert Dahlem <Robert.Dahlem@gmx.net>
+ * BUG 1048: Don't return short names when when 'mangled names = no'
+
+
+o Guenther Deschner <gd@suse.com>
+ * Remove hard coded attribute name in the ads ranged retrieval
+ code.
+ * Add --with-libdir and --with-mandir to autoconf script.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Fix getpwent_list() so that the username is not
+ overwritten by other fields.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update mount.cifs to version 1.1.
+ * Disable dev (MS_NODEV) on user mounts from cifs vfs.
+ * Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1055; formatting fixes for 'net share'.
+ * BUG 692: correct truncation of share names and workgroup
+ names in smbclient.
+ * BUG 1088: use strchr_m() for query_host (smbclient -L).
+ * Patch from to internally count characters correctly.
+
+
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
+o Chris Hertel <crh@samba.org>
+ * fix enumeration of shares 12 characters in length via
+ smbclient.
+
+
+o Ulrich Holeschak <ulrich@holeschak.de>
+ * BUG 932: fix local password change using pam_smbpass
+
+
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Return NSS_SUCCESS once the max number of gids possible
+ has been found in initgroups() on Solaris.
+ * BUG 1182: Re-enable the -n 'no cache' option for winbindd.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix success message for net groupmap modify.
+ * Fix errors when enumerating members of groups in 'net rpc'.
+ * Match Windows behavior in samr_lookup_names() by returning
+ ALIAS(4) when you search in BUILTIN.
+ * Fix server SAMR code to be able to set alias info for
+ builtin as well.
+ * Fix duplication of logic when creating groups via smbd.
+ * Ensure that the HWM values are set correctly after running
+ 'net idmap'.
+ * Add 'net rpc group add'.
+ * Implement 'net groupmap set' and 'net groupmap cleanup'.
+ * Add 'net rpc group [add|del]mem' for domain groups and aliases.
+ * Fix wb_delgrpmem (wbinfo -o).
+ * As a DC we should not reply to lsalookupnames on DCNAME\\user.
+ * Fix sambaUserWorkstations on a Samba DC.
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix typo for tag in proto file.
+ * Add missing #ifdef HAVE_BICONV stuff.
+ * Truncate Samba's netbios name at the first '.' (not
+ right to left).
+
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Enforce the 'user must change password at next login' flag.
+ * Decode meaning of 'fields present' flags (improves support
+ for usrmgr.exe).
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
+
+o L. Lucius <ib@digicron.com>.
+ * type fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Add versioning support to tdbsam.
+ * Update the IBM Directory Server schema with the OpenLDAP
+ file.
+ * Various decoding fixes to improve usrmgr.exe support.
+ * Fix statfs redeclaration of statfs struct on ppc
+ * Implement support for password lockout of Samba domain
+ controllers and standalone servers.
+ * Get MungedDial attribute actually working with full TS
+ strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ o BUG 979 -- Fix quota display on AIX.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct check for printf() format when using the SGI MIPSPro
+ compiler.
+ * BUG 1038: support backtrace for 'panic action' on IRIX.
+ * BUG 768: Accept profileing arg to IRIX init script.
+ * BUG 748: Relax arg parsing to sambalp script (IRIX).
+ * BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix logic bug in tdb non-blocking lock routines when
+ errno == EAGAIN.
+ * BUG 1025: Include sys/acl.h in check for broken nisplus
+ include files.
+ * BUG 1066: s/printf/d_printf/g in SWAT.
+ * BUG 1098: rename internal msleep() function to fix build
+ problems on AIX.
+ * BUG 1112: Fix for writable printerdata problem in python bindings.
+ * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
+ * BUG 1155: enclose use of fchown() with guards.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add support to smbclient for multiple logins on the same
+ session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Source <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Rewrote the AIX UESS backend for winbindd.
+ * Fixed compilation with --enable-dmalloc.
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix ETA Calculation when resuming downloads in smbget.
+ * Add -O (for writing downloaded files to standard out)
+ based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+
+
+o TAKEDA yasuma <yasuma@miraclelinux.com>
+ * BUG 900: fix token processing in cmd_symlink, cmd_link,
+ cmd_chown, cmd_chmod smbclient functions.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.2a
+ February 13, 2004
+ ==============================
+
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* Attention! Achtung! Kree! *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* Attention! Achtung! Kree! *********************
+
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlet <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <shape@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 2000 TSE.
+ Thanks to Gaz de France, Direction de la Recherche, Service
+ Informatique Métier for their supporting this work by Aurelien
+ Degrémont <adegremont@idealx.com>.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>Samba 3.0.4 Available for Download</h2>
+
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 3.0.4
+ May 8, 2004
+ =============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several issues fixes since
+the 3.0.3 release and new features have been added as well.
+See the "Changes" section for details on exact updates.
+
+Common bugs fixed in Samba 3.0.4 include:
+
+ o Password changing after applying the patch described in
+ the Microsoft KB828741 article to Windows clients.
+ o Crashes in smbd.
+ o Managing print jobs via Windows on Big-Endian servers.
+ o Several memory leaks in winbindd and smbd.
+ o Compile issues on AIX and *BSD.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.3
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix path processing for DeletePrinterDriverEx().
+ * BUG 1303: Fix for Microsoft hotfix MS04-011 password change
+ breakage.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix alignment bug in GetDomPwInfo().
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix utime[s]() issues in smbwrapper on systems
+ that can boot both the 2.4 and 2.6 Linux kernels.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fedora packaging fixes.
+ * BUG 1302: Fix seg fault by not trying to optimize a list of
+ invalid gids using the wrong array size.
+ * BUG 1309: fix seg fault caused by trying to strdup(NULL)
+ seen when 'security = share'.
+ * Fix problems when using IBM's compiler on AIX.
+ * Link Developer's Guide, Example Guide, and multi-page HOWTO
+ into SWAT's welcome page.
+ * BUG 1293: fix double free in printer publishing code.
+
+
+o Wim Delvaux <wim.delvaux@adaptiveplanet.com>
+ * Fix for handling timeouts in socket connections.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * BUG 483: patch from to fix password hash creation in SWAT.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Close the open NT pipes before the tdis.
+ * Fix AFS related build issues.
+ * Handle error conditions when base64 encoding a blob of 0 bytes.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added 'acls' debug class.
+
+o kawasa_r@itg.hitachi.co.jp
+ * Multiple variable initialization and memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix string length bug in libsmbclient that caused KDE's
+ Konqueror to crash.
+ * BUG 429: More libsmbclient fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1007, 1279: Store the print job using a little-endian key.
+
+
+o Eric Mertens
+ o Compile fix for OpenBSD (ENOTSUP not supported).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Correct bug in disks quota views from explorer.
+
+
+o Tim Potter <tpot@samba.org>
+ BUG 1305: Correct debug output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix incorrect error code mapping.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Add additional NT_STATUS errorm mappings.
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
+Changes since 3.0.2a
+--------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups options New
+ ea support New
+ only user Deprecated
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure that Kerberos mutex is always properly unlocked.
+ * Removed Heimdal "in-memory keytab" support.
+ * Fixup the 'multiple-vuids' bugs in our server code.
+ * Correct return code from lsa_lookup_sids() on unmapped
+ sids (based on work by vl@samba.org).
+ * Fix the "too many fcntl locks" scalability problem
+ raised by tridge.
+ * Fixup correct (as per W2K3) returns for lookupsids
+ as well as lookupnames.
+ * Fixups for delete-on-close semantics as per Win2k3 behavior.
+ * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
+ * Fix "unable to initialize" bug when smbd hasn't been run with
+ new system and a user is being added via pdbedit/smbpasswd.
+ * Added NTrename SMB (0xA5).
+ * Fixup correct timeout values for blocking lock timeouts.
+ * Fix various bugs reported by 'gentest'.
+ * More locking fixes in the case where we own the lock.
+ * Fix up regression in IS_NAME_VALID and renames.
+ * Don't set allocation size on directories.
+ * Return correct error code on fail if file exists and target
+ is a directory.
+ * Added client "hardlink" comment to test doing NT rename with
+ hard links. Added hardlink_internals() code - UNIX extensions
+ now use this as well.
+ * Use a common function to parse all pathnames from the wire for
+ much closer emulation of Win2k3 error return codes.
+ * Implement check_path_syntax() and rewrite string sub
+ functions for better multibyte support.
+ * Ensure msdfs referrals are multibyte safe.
+ * Allow msdfs symlink syntax to be more forgiving.
+ eg. sym_link -> msdfs://server/share/path/in/share
+ or sym_link -> msdfs:\\server\share\path\in\share.
+ * Cleanup multibyte netbios name support in nmbd ( based on patch
+ by MORIYAMA Masayuki <moriyama@miraclelinux.com>).
+ * Fix check_path_syntax() for multibyte encodings which have
+ no '\' as second byte (based on work by ab@samba.org.
+ * Fix the "dfs self-referrals as anonymous user" problem
+ (based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
+
+o Craig Barratt <cbarratt@users.sourceforge.net>
+ * BUG 389: Allow multiple exclude arguments with smbclient
+ tar -Xr options (better support for Amanda backup client).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Include support for linking with cracklib for enforcing strong
+ password changes.
+ * Add support for >14 character password changes from Windows
+ clients.
+ * Add 'admin set password' capability to 'net rpc'.
+ * Allow 'net rpc samdump' to work with any joined domain
+ regardless of smb.conf settings.
+ * Use an allocated buffer for count_chars.
+ * Add sanity checks for changes in the domain SID in an
+ LDAP DIT.
+ * Implement python unit tests for Samba's multibyte string
+ support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix incorrect size calculation of the directory name
+ in recycle.so.
+ * Fix problems with very long filenames in both smbd and smbclient
+ caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
+ * BUG 66: mark 'only user' deprecated.
+ * Remove corrupt tdb and shutdown (only for printing tdbs,
+ connections, sessionid & locking).
+ * decrement smbd counter in connections.tdb in smb_panic().
+ * RedHat specfile updates.
+ * Fix xattr.h build issue on Debian testing and SuSE 8.2.
+ * BUG 1147; bad pointer case in get_stored_queue_info()
+ causing seg fault.
+ * BUG 761: read the config file before initialized default
+ values for printing options; don't default to bsd printing
+ Linux.
+ * Allow the 'printing' parameter to be set on a per share basis.
+ * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
+ * BUG 848: don't create winbind local users/groups that already
+ exist in the tdb.
+ * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on
+ LynxOS/ppc).
+ * BUG 488: fix the 'show client in col 1' button and correctly
+ enumerate active connections.
+ * BUG 1007 (partial): Fix abort in smbd caused by byte ordering
+ problem when storing the updating pid for the lpq cache.
+ * BUG 1007 (partial): Fix print change notify bugs.
+ * BUG 1165, 1126: Fix bug with secondary groups (security = ads)
+ and winbind use default domain = yes. Also ensures that
+ * BUG 1151: Ensure that winbindd users are passed through
+ the username map.
+ * Fix client rpc binds for ASU derived servers (pc netlink,
+ etc...).
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
+
+o Robert Dahlem <Robert.Dahlem@gmx.net>
+ * BUG 1048: Don't return short names when when 'mangled names = no'
+
+
+o Guenther Deschner <gd@suse.com>
+ * Remove hard coded attribute name in the ads ranged retrieval
+ code.
+ * Add --with-libdir and --with-mandir to autoconf script.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Fix getpwent_list() so that the username is not
+ overwritten by other fields.
+
+
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update mount.cifs to version 1.1.
+ * Disable dev (MS_NODEV) on user mounts from cifs vfs.
+ * Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1055; formatting fixes for 'net share'.
+ * BUG 692: correct truncation of share names and workgroup
+ names in smbclient.
+ * BUG 1088: use strchr_m() for query_host (smbclient -L).
+ * Patch from to internally count characters correctly.
+
+
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
+o Chris Hertel <crh@samba.org>
+ * fix enumeration of shares 12 characters in length via
+ smbclient.
+
+
+o Ulrich Holeschak <ulrich@holeschak.de>
+ * BUG 932: fix local password change using pam_smbpass
+
+
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Return NSS_SUCCESS once the max number of gids possible
+ has been found in initgroups() on Solaris.
+ * BUG 1182: Re-enable the -n 'no cache' option for winbindd.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix success message for net groupmap modify.
+ * Fix errors when enumerating members of groups in 'net rpc'.
+ * Match Windows behavior in samr_lookup_names() by returning
+ ALIAS(4) when you search in BUILTIN.
+ * Fix server SAMR code to be able to set alias info for
+ builtin as well.
+ * Fix duplication of logic when creating groups via smbd.
+ * Ensure that the HWM values are set correctly after running
+ 'net idmap'.
+ * Add 'net rpc group add'.
+ * Implement 'net groupmap set' and 'net groupmap cleanup'.
+ * Add 'net rpc group [add|del]mem' for domain groups and aliases.
+ * Fix wb_delgrpmem (wbinfo -o).
+ * As a DC we should not reply to lsalookupnames on DCNAME\\user.
+ * Fix sambaUserWorkstations on a Samba DC.
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix typo for tag in proto file.
+ * Add missing #ifdef HAVE_BICONV stuff.
+ * Truncate Samba's netbios name at the first '.' (not
+ right to left).
+
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Enforce the 'user must change password at next login' flag.
+ * Decode meaning of 'fields present' flags (improves support
+ for usrmgr.exe).
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
+
+o L. Lucius <ib@digicron.com>.
+ * type fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Add versioning support to tdbsam.
+ * Update the IBM Directory Server schema with the OpenLDAP
+ file.
+ * Various decoding fixes to improve usrmgr.exe support.
+ * Fix statfs redeclaration of statfs struct on ppc
+ * Implement support for password lockout of Samba domain
+ controllers and standalone servers.
+ * Get MungedDial attribute actually working with full TS
+ strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ o BUG 979 -- Fix quota display on AIX.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct check for printf() format when using the SGI MIPSPro
+ compiler.
+ * BUG 1038: support backtrace for 'panic action' on IRIX.
+ * BUG 768: Accept profileing arg to IRIX init script.
+ * BUG 748: Relax arg parsing to sambalp script (IRIX).
+ * BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix logic bug in tdb non-blocking lock routines when
+ errno == EAGAIN.
+ * BUG 1025: Include sys/acl.h in check for broken nisplus
+ include files.
+ * BUG 1066: s/printf/d_printf/g in SWAT.
+ * BUG 1098: rename internal msleep() function to fix build
+ problems on AIX.
+ * BUG 1112: Fix for writable printerdata problem in python bindings.
+ * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
+ * BUG 1155: enclose use of fchown() with guards.
+ * Relicense tdb python module as LGPL.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add support to smbclient for multiple logins on the same
+ session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Source <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Rewrote the AIX UESS backend for winbindd.
+ * Fixed compilation with --enable-dmalloc.
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix ETA Calculation when resuming downloads in smbget.
+ * Add -O (for writing downloaded files to standard out)
+ based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+ * Fix syntax error in example mysql table
+
+
+o TAKEDA yasuma <yasuma@miraclelinux.com>
+ * BUG 900: fix token processing in cmd_symlink, cmd_link,
+ cmd_chown, cmd_chmod smbclient functions.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
+
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.2a
+ February 13, 2004
+ ==============================
+
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* Attention! Achtung! Kree! *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* Attention! Achtung! Kree! *********************
+
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <shape@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 2000 TSE.
+ Thanks to Gaz de France, Direction de la Recherche, Service
+ Informatique Métier for their supporting this work by Aurelien
+ Degrémont <adegremont@idealx.com>.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!--#include virtual="/samba/header.html" -->
+
+ <H2>Security Release -- Samba 3.0.5 Available for Download</H2>
+
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 3.0.5
+ July 20, 2004
+ =============================
+
+######################## SECURITY RELEASE ########################
+
+Summary: Multiple Potential Buffer Overruns in Samba 3.0.x
+CVE ID: CAN-2004-0600, CAN-2004-0686
+ (http://cve.mitre.org/)
+
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes.
+
+It has been confirmed that versions of Samba 3 prior to v3.0.5
+are vulnerable to two potential buffer overruns. The individual
+details are given below.
+
+
+-------------
+CAN-2004-0600
+-------------
+
+Affected Versions: Samba 3.0.2 and later
+
+The internal routine used by the Samba Web Administration
+Tool (SWAT v3.0.2 and later) to decode the base64 data
+during HTTP basic authentication is subject to a buffer
+overrun caused by an invalid base64 character. It is
+recommended that all Samba v3.0.2 or later installations
+running SWAT either (a) upgrade to v3.0.5, or (b) disable
+the swat administration service as a temporary workaround.
+
+This same code is used internally to decode the
+sambaMungedDial attribute value when using the ldapsam
+passdb backend. While we do not believe that the base64
+decoding routines used by the ldapsam passdb backend can
+be exploited, sites using an LDAP directory service with
+Samba are strongly encouraged to verify that the DIT only
+allows write access to sambaSamAccount attributes by a
+sufficiently authorized user.
+
+The Samba Team would like to heartily thank Evgeny Demidov
+for analyzing and reporting this bug.
+
+
+-------------
+CAN-2004-0686
+-------------
+
+Affected Versions: Samba 3.0.0 and later
+
+A buffer overrun has been located in the code used to support
+the 'mangling method = hash' smb.conf option. Please be aware
+that the default setting for this parameter is 'mangling method
+= hash2' and therefore not vulnerable.
+
+Affected Samba 3 installations can avoid this possible security
+bug by using the default hash2 mangling method. Server
+installations requiring the hash mangling method are encouraged
+to upgrade to Samba 3.0.5.
+
+##################################################################
+
+
+The source code can be downloaded from :
+
+ <a href="/samba/ftp">http://download.samba.org/samba/ftp/</a>
+
+in the file samba-3.0.5.tar.gz. The uncompressed archive has
+been signed using the Samba Distribution Key.
+
+Our code, Our bugs, Our responsibility (<a href="https://bugzilla.samba.org/">Samba Bugzilla</a>).
+
+ -- The Samba Team
+
+
+
+Changes for older versions follow below:
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.4
+ May 8, 2004
+ =============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all
+current bug-fixes. There have been several issues fixes since
+the 3.0.3 release and new features have been added as well.
+See the "Changes" section for details on exact updates.
+
+Common bugs fixed in Samba 3.0.4 include:
+
+ o Password changing after applying the patch described in
+ the Microsoft KB828741 article to Windows clients.
+ o Crashes in smbd.
+ o Managing print jobs via Windows on Big-Endian servers.
+ o Several memory leaks in winbindd and smbd.
+ o Compile issues on AIX and *BSD.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.3
+--------------------
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Fix path processing for DeletePrinterDriverEx().
+ * BUG 1303: Fix for Microsoft hotfix MS04-011 password change
+ breakage.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Fix alignment bug in GetDomPwInfo().
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix utime[s]() issues in smbwrapper on systems
+ that can boot both the 2.4 and 2.6 Linux kernels.
+
+
+o Gerald Carter <jerry@samba.org>
+ * Fedora packaging fixes.
+ * BUG 1302: Fix seg fault by not trying to optimize a list of
+ invalid gids using the wrong array size.
+ * BUG 1309: fix seg fault caused by trying to strdup(NULL)
+ seen when 'security = share'.
+ * Fix problems when using IBM's compiler on AIX.
+ * Link Developer's Guide, Example Guide, and multi-page HOWTO
+ into SWAT's welcome page.
+ * BUG 1293: fix double free in printer publishing code.
+
+
+o Wim Delvaux <wim.delvaux@adaptiveplanet.com>
+ * Fix for handling timeouts in socket connections.
+
+
+o Michel Gravey <michel.gravey@optogone.com>
+ * BUG 483: patch from to fix password hash creation in SWAT.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Close the open NT pipes before the tdis.
+ * Fix AFS related build issues.
+ * Handle error conditions when base64 encoding a blob of 0 bytes.
+
+
+o Herb Lewis <herb@samba.org>
+ * Added 'acls' debug class.
+
+o kawasa_r@itg.hitachi.co.jp
+ * Multiple variable initialization and memory leak fixes.
+
+
+o Stephan Kulow <coolo@suse.de>
+ * Fix string length bug in libsmbclient that caused KDE's
+ Konqueror to crash.
+ * BUG 429: More libsmbclient fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * BUG 1007, 1279: Store the print job using a little-endian key.
+
+
+o Eric Mertens
+ o Compile fix for OpenBSD (ENOTSUP not supported).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Correct bug in disks quota views from explorer.
+
+
+o Tim Potter <tpot@samba.org>
+ BUG 1305: Correct debug output.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Fix incorrect error code mapping.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Add additional NT_STATUS errorm mappings.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.3
+ April 29, 2004
+ =============================
+
+
+Common bugs fixed in Samba 3.0.3 include:
+
+ o Crash bugs and change notify issues in Samba's printing code.
+ o Honoring secondary group membership on domain member servers.
+ o TDB scalability issue surrounding the TDB_CLEAR_IF_FIRST flag.
+ o Substitution errors for %[UuGg] in smb.conf.
+ o winbindd crashes when using ADS security mode.
+ o SMB signing errors.
+ o Delays in winbindd startup caused by unnecessary
+ connections to trusted domain controllers.
+ o Various small memory leaks.
+ o Winbindd failing due to expired Kerberos tickets.
+
+New features introduced in Samba 3.0.3 include:
+
+ o Improved support for i18n character sets.
+ o Support for account lockout policy based on
+ bad password attempts.
+ o Improved support for long password changes (>14
+ characters) and strong password enforcement.
+ o Support for Windows aliases (i.e. nested groups).
+ o Experimental support for storing DOS attribute on files
+ and folders in Extended Attributes.
+ o Support for local nested groups via winbindd.
+ o Specifying options to be passed directly to the CUPS libraries.
+
+Please be aware that the Samba source code repository was
+migrated from CVS to Subversion on April 4, 2004. Details on
+accessing the Samba source tree via anonymous svn can be found
+at http://svn.samba.org/samba/subversion.html.
+
+
+Changes since 3.0.2a
+--------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ cups options New
+ ea support New
+ only user Deprecated
+ store dos attributes New
+ unicode Removed
+ winbind nested groups New
+
+
+commits
+-------
+
+o Jeremy Allison <jra@samba.org>
+ * Ensure that Kerberos mutex is always properly unlocked.
+ * Removed Heimdal "in-memory keytab" support.
+ * Fixup the 'multiple-vuids' bugs in our server code.
+ * Correct return code from lsa_lookup_sids() on unmapped
+ sids (based on work by vl@samba.org).
+ * Fix the "too many fcntl locks" scalability problem
+ raised by tridge.
+ * Fixup correct (as per W2K3) returns for lookupsids
+ as well as lookupnames.
+ * Fixups for delete-on-close semantics as per Win2k3 behavior.
+ * Make SMB_FILE_ACCESS_INFORMATION call work correctly.
+ * Fix "unable to initialize" bug when smbd hasn't been run with
+ new system and a user is being added via pdbedit/smbpasswd.
+ * Added NTrename SMB (0xA5).
+ * Fixup correct timeout values for blocking lock timeouts.
+ * Fix various bugs reported by 'gentest'.
+ * More locking fixes in the case where we own the lock.
+ * Fix up regression in IS_NAME_VALID and renames.
+ * Don't set allocation size on directories.
+ * Return correct error code on fail if file exists and target
+ is a directory.
+ * Added client "hardlink" comment to test doing NT rename with
+ hard links. Added hardlink_internals() code - UNIX extensions
+ now use this as well.
+ * Use a common function to parse all pathnames from the wire for
+ much closer emulation of Win2k3 error return codes.
+ * Implement check_path_syntax() and rewrite string sub
+ functions for better multibyte support.
+ * Ensure msdfs referrals are multibyte safe.
+ * Allow msdfs symlink syntax to be more forgiving.
+ eg. sym_link -> msdfs://server/share/path/in/share
+ or sym_link -> msdfs:\\server\share\path\in\share.
+ * Cleanup multibyte netbios name support in nmbd ( based on patch
+ by MORIYAMA Masayuki <moriyama@miraclelinux.com>).
+ * Fix check_path_syntax() for multibyte encodings which have
+ no '\' as second byte (based on work by ab@samba.org.
+ * Fix the "dfs self-referrals as anonymous user" problem
+ (based on patch from vl@samba.org).
+ * BUG 1064: Ensure truncate attribute checking is done correctly
+ on "hidden" dot files.
+ * Fix bug in anonymous dfs self-referrals again.
+ * Fix get/set of EA's in client library
+ * Added support for OS/2 EA's in smbd server.
+ * Added 'ea support' parameter to smb.conf.
+ * Added 'store dos attributes' parameter to smb.conf.
+ * Fix wildcard identical rename.
+ * Fix reply_ctemp - make compatible with w2k3.
+ * Fix wildcard unlink.
+ * Fix wildcard src with wildcard dest renames.
+ * BUG 1139: Fix based on suggestion by jdev@panix.com.
+ swap lookups for user and group - group will do an
+ algorithmic lookup if it fails, user won't.
+ * Make EA's lookups case independent.
+ * Fix SETPATHINFO in 'unix extensions' support.
+ * Make 3.x pass the Samba 4.x RAW-SEARCH tests - except for
+ the UNIX info levels, and the short case preserve names.
+
+
+o Timur Bakeyev <timur@com.bat.ru>
+ * BUG 1144: only set --with-fhs when the argument is 'yes'
+ * BUG 1152: Allow python modules to build despite libraries added
+ to LDFLAGS instead of LDPATH.
+ * BUG 1141: Fix nss*.so names on FreeBSD 5.x.
+
+
+o Craig Barratt <cbarratt@users.sourceforge.net>
+ * BUG 389: Allow multiple exclude arguments with smbclient
+ tar -Xr options (better support for Amanda backup client).
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Include support for linking with cracklib for enforcing strong
+ password changes.
+ * Add support for >14 character password changes from Windows
+ clients.
+ * Add 'admin set password' capability to 'net rpc'.
+ * Allow 'net rpc samdump' to work with any joined domain
+ regardless of smb.conf settings.
+ * Use an allocated buffer for count_chars.
+ * Add sanity checks for changes in the domain SID in an
+ LDAP DIT.
+ * Implement python unit tests for Samba's multibyte string
+ support.
+ * Remove 'unicode' smb.conf option.
+ * BUG 1138: Fix support for 'optional' SMB signing and other
+ signing bugs.
+ * BUG 169: Fix NTLMv2-only behavior.
+ * Ensure 'net' honors the 'netbios name' in the smb.conf by
+ default.
+ * Support SMB signing on connections using only the LANMAN
+ password and generate the correct the 'session key' for these
+ connections.
+ * Implement --required-membership-of=, an ntlm_auth option
+ that restricts all authentication to members of this particular
+ group.
+ * Improve our fall back code for password changes.
+ * Only send the ntlm_auth 'ntlm-server-1' helper client a '.'
+ after the server had said something (such as an error).
+ * Add 'ntlm-server-1' helper protocol to ntlm_auth.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * Fix incorrect size calculation of the directory name
+ in recycle.so.
+ * Fix problems with very long filenames in both smbd and smbclient
+ caused by truncating paths during character conversions.
+ * Fix smbfs problem with Tree Disconnect issued before smbfs
+ starts its work.
+
+
+o Gerald Carter <jerry@samba.org>
+ * BUG 850: Fix 'make installmodules' bug on True64.
+ * BUG 66: mark 'only user' deprecated.
+ * Remove corrupt tdb and shutdown (only for printing tdbs,
+ connections, sessionid & locking).
+ * decrement smbd counter in connections.tdb in smb_panic().
+ * RedHat specfile updates.
+ * Fix xattr.h build issue on Debian testing and SuSE 8.2.
+ * BUG 1147; bad pointer case in get_stored_queue_info()
+ causing seg fault.
+ * BUG 761: read the config file before initialized default
+ values for printing options; don't default to bsd printing
+ Linux.
+ * Allow the 'printing' parameter to be set on a per share basis.
+ * BUG 503: RedHat/Fedora packaging fixes regarding logrotate.
+ * BUG 848: don't create winbind local users/groups that already
+ exist in the tdb.
+ * BUG 1080: fix declaration of SMB_BIG_UINT (broke compile on
+ LynxOS/ppc).
+ * BUG 488: fix the 'show client in col 1' button and correctly
+ enumerate active connections.
+ * BUG 1007 (partial): Fix abort in smbd caused by byte ordering
+ problem when storing the updating pid for the lpq cache.
+ * BUG 1007 (partial): Fix print change notify bugs.
+ * BUG 1165, 1126: Fix bug with secondary groups (security = ads)
+ and winbind use default domain = yes. Also ensures that
+ * BUG 1151: Ensure that winbindd users are passed through
+ the username map.
+ * Fix client rpc binds for ASU derived servers (pc netlink,
+ etc...).
+ * BUG 417, 1128: Ensure that the current_user_info is set
+ consistently so that %[UuGg] is expanded correctly.
+ * BUG 1195: Fix crash in winbindd when the ADS server is
+ unavailable.
+ * BUG 1185: Set reconnect time to be the same as the
+ 'winbind cache time'.
+ * Ensure that we return the sec_desc in smb_io_printer_info_2.
+ * Change Samba printers Win32 attribute to PRINTER_ATTRIBUTE_LOCAL.
+ * BUG 1095: Honor the '-l' option in smbclient.
+ * BUG 1023: surround get_group_from_gid() with become_unbecome_root()
+ block.
+ * Ensure server schannel uses the auth level requested by the
+ client.
+ * Removed --with-cracklib option due to potential crash issue.
+ * Fix -lcrypto linking problem with wbinfo.
+ * BUG 761: allow printing parameter to set defaults on a per
+ share basis.
+ * Add 'cups options' parameter to allow raw printing without
+ changing /etc/cups/cupsd.conf.
+ * BUG 1081, 1183: Added remove_duplicate_gids() to smbd and
+ winbindd.
+ * BUG 1246: Fix typo in Fedora /etc/init.d/winbind.
+ * BUG 1288: resolve any machine netbios name (0x00) and not just
+ servers (0x20).
+ * BUG 1199: Fix potential symlink issue in
+ examples/printing/smbprint.
+
+
+o Robert Dahlem <Robert.Dahlem@gmx.net>
+ * BUG 1048: Don't return short names when when 'mangled names = no'
+
+
+o Guenther Deschner <gd@suse.com>
+ * Remove hard coded attribute name in the ads ranged retrieval
+ code.
+ * Add --with-libdir and --with-mandir to autoconf script.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Fix getpwent_list() so that the username is not
+ overwritten by other fields.
+
+
+o Landon Fuller <landonf@opendarwin.org>
+ * BUG 1232: patch from landonf@opendarwin.org (Landon Fuller)
+ to fix user/group enumeration on systems whose libc does not
+ call setgrent() before trying to enumerate users (i.e.
+ FreeBSD 5.2).
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Update mount.cifs to version 1.1.
+ * Disable dev (MS_NODEV) on user mounts from cifs vfs.
+ * Fixes to minor security bug in the mount helper.
+ * Fix credential file mounting for cifs vfs.
+ * Fix free of incremented pointer in cifsvfs mount helper.
+ * Fix path canonicalization of the mount target path and help
+ text display in the cifs mount helper.
+ * Add missing guest mount option for mount.cifs.
+
+
+o SATOH Fumiyasu <fumiya@miraclelinux.com>
+ * BUG 1055; formatting fixes for 'net share'.
+ * BUG 692: correct truncation of share names and workgroup
+ names in smbclient.
+ * BUG 1088: use strchr_m() for query_host (smbclient -L).
+ * Patch from to internally count characters correctly.
+
+
+o Paul Green <paulg@samba.org>
+ * Update VOS _POSIX_C_SOURCE macro to 200112L.
+ * Fix bug in configure.ion by moving the first use of
+ AC_CHECK_HEADERS so it is always executed.
+ * Fix configure.in to only use $BLDSHARED to select whether to
+ build static or shared libraries.
+
+
+o Pat Haywarrd <Pat.Hayward@propero.net>
+ * Make the session_users list dynamic (max of 128K).
+
+
+o Cal Heldenbrand <calzplace@yahoo.com>
+ * Fix for for 'pam_smbpass migrate' functionality.
+
+
+o Chris Hertel <crh@samba.org>
+ * fix enumeration of shares 12 characters in length via
+ smbclient.
+
+
+o Ulrich Holeschak <ulrich@holeschak.de>
+ * BUG 932: fix local password change using pam_smbpass
+
+
+o Krischan Jodies <kj@sernet.de>
+ * Implement 'net rpc group delete'
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Return NSS_SUCCESS once the max number of gids possible
+ has been found in initgroups() on Solaris.
+ * BUG 1182: Re-enable the -n 'no cache' option for winbindd.
+
+
+o Volker Lendecke <vl@samba.org>
+ * Fix success message for net groupmap modify.
+ * Fix errors when enumerating members of groups in 'net rpc'.
+ * Match Windows behavior in samr_lookup_names() by returning
+ ALIAS(4) when you search in BUILTIN.
+ * Fix server SAMR code to be able to set alias info for
+ builtin as well.
+ * Fix duplication of logic when creating groups via smbd.
+ * Ensure that the HWM values are set correctly after running
+ 'net idmap'.
+ * Add 'net rpc group add'.
+ * Implement 'net groupmap set' and 'net groupmap cleanup'.
+ * Add 'net rpc group [add|del]mem' for domain groups and aliases.
+ * Fix wb_delgrpmem (wbinfo -o).
+ * As a DC we should not reply to lsalookupnames on DCNAME\\user.
+ * Fix sambaUserWorkstations on a Samba DC.
+ * Implement wbinfo -k: Have winbind generate an AFS token after
+ authenticating the user.
+ * Add expand_msdfs VFS module for providing referrals based on the
+ the client's IP address.
+ * Implement client side NETLOGON GetDCName function.
+ * Fix caching of name->sid lookups.
+ * Add support in winbindd for expanding nested local groups.
+ * Fix memleak in winbindd.
+ * Fix msdfs proxy.
+ * Don't list domain groups from BUILTIN.
+ * Fix memleak in policy handle utility functions.
+ * Decrease winbindd startup time by only contacting trusted
+ domains as necessary.
+ * Allow winbindd to ask the DC for its domain for a trusted
+ DC.
+ * Fix Netscape DS schema based on comments from
+ <thomas.mueller@christ-wasser.de>.
+ * Correct case where adding a domain user to a XP local group
+ did a lsalookupname on the user without domain prefix, and
+ failed.
+ * Fix segfault in winbindd caused by 'wbinfo -a'.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix typo for tag in proto file.
+ * Add missing #ifdef HAVE_BICONV stuff.
+ * Truncate Samba's netbios name at the first '.' (not
+ right to left).
+
+
+o Derrell Lipman <Derrell.Lipman@UnwiredUniverse.com>
+ * Bug fixes and enhancements to libsmbclient library.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Enforce the 'user must change password at next login' flag.
+ * Decode meaning of 'fields present' flags (improves support
+ for usrmgr.exe).
+ * NTLMv2 fixes.
+ * Don't force an upper case domain name in the ntlmssp code.
+
+
+o L. Lucius <ib@digicron.com>.
+ * type fixes.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Add versioning support to tdbsam.
+ * Update the IBM Directory Server schema with the OpenLDAP
+ file.
+ * Various decoding fixes to improve usrmgr.exe support.
+ * Fix statfs redeclaration of statfs struct on ppc
+ * Implement support for password lockout of Samba domain
+ controllers and standalone servers.
+ * Get MungedDial attribute actually working with full TS
+ strings in it for pdb_ldap.
+ * BUG 1208 (partial): Improvements for working with expired krb5
+ tickets in winbindd.
+ * Use timegm, or our already existing replacement instead of
+ timezone (spotted by Andrzej Tobola <san@iem.pw.edu.pl>).
+ * Remove modifyTimestamp from list of our attributes.
+ * Fix lsalookupnames to check for domain users as well as local
+ users.
+ * Merge struct uuid replacement for GUID from trunk.
+ * BUG 1208: Finish support for handling expired tickets in
+ winbindd (in conjunction with Guenther Deschner <gd@suse.de>).
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement new VERSION schema based on subversion revision
+ numbers.
+ * Add shadow_copy vfs module.
+ * Fix segault in login_cache support.
+
+
+o Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+ o BUG 979 -- Fix quota display on AIX.
+
+
+o James Peach <jpeach@sgi.com>
+ * Correct check for printf() format when using the SGI MIPSPro
+ compiler.
+ * BUG 1038: support backtrace for 'panic action' on IRIX.
+ * BUG 768: Accept profileing arg to IRIX init script.
+ * BUG 748: Relax arg parsing to sambalp script (IRIX).
+ * BUG 758: Fix pdma build.
+ * Search IRIX ABI paths for libiconv. Based on initial fix from
+ Jason Mader.
+
+
+o Kurt Pfeifle <kpfeifle@danka.de>
+ * Add example shell script for migrating drivers and printers
+ from a Windows print server to a Samba print server using
+ smbclient/rpcclient (examples/printing/VamireDriversFunctions).
+
+
+o Tim Potter <tpot@samba.org>
+ * Fix logic bug in tdb non-blocking lock routines when
+ errno == EAGAIN.
+ * BUG 1025: Include sys/acl.h in check for broken nisplus
+ include files.
+ * BUG 1066: s/printf/d_printf/g in SWAT.
+ * BUG 1098: rename internal msleep() function to fix build
+ problems on AIX.
+ * BUG 1112: Fix for writable printerdata problem in python bindings.
+ * BUG 1154: Remove reference to <sys/mman.h> in tdbdump.c.
+ * BUG 1155: enclose use of fchown() with guards.
+ * Relicense tdb python module as LGPL.
+
+
+o Richard Sharpe <rsharpe@samba.org>
+ * Add support to smbclient for multiple logins on the same
+ session (based on work by abartlet@samba.org).
+ * Correct blocking condition in smbd's use of accept() on IRIX.
+ * Add support for printing out the MAC address on nmblookup.
+
+
+o Simo Source <idra@samba.org>
+ * Replace unknown_3 with fields_present in SAMR code.
+ * More length checks in strlcat().
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Rewrote the AIX UESS backend for winbindd.
+ * Fixed compilation with --enable-dmalloc.
+ * Change tdb license to LGPL (see source/tdb/tdb.c).
+ * Force winbindd to use schannel in clients connections to
+ DC's if possible.
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Fix ETA Calculation when resuming downloads in smbget.
+ * Add -O (for writing downloaded files to standard out)
+ based on patch by Bas van Sisseren <bas@dnd.utwente.nl>.
+ * Fix syntax error in example mysql table
+
+
+o TAKEDA yasuma <yasuma@miraclelinux.com>
+ * BUG 900: fix token processing in cmd_symlink, cmd_link,
+ cmd_chown, cmd_chmod smbclient functions.
+
+
+o Shiro Yamada <shiro@miraclelinux.com>
+ * BUG 1129: install image files for SWAT.
+
+
+ --------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.0.2a
+ February 13, 2004
+ ==============================
+
+Samba 3.0.2a is a minor patch release for the 3.0.2 code base
+to address, in particular, a problem when using pdbedit to
+sanitize (--force-initialized-passwords) Samba's tdbsam
+backend. This is the latest stable release of Samba. This
+is the version that all production Samba servers should be
+running for all current bug-fixes.
+
+******************* Attention! Achtung! Kree! *********************
+
+Beginning with Samba 3.0.2, passwords for accounts with a last
+change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
+ldapsam, etc...) of zero (0) will be regarded as uninitialized
+strings. This will cause authentication to fail for such
+accounts. If you have valid passwords that meet this criteria,
+you must update the last change time to a non-zero value. If you
+do not, then 'pdbedit --force-initialized-passwords' will disable
+these accounts and reset the password hashes to a string of X's.
+
+******************* Attention! Achtung! Kree! *********************
+
+
+Changes since 3.0.2
+-------------------
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+
+o Jeremy Allison <jra@samba.org>
+ * Added paranoia checks in parsing code.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Ensure that changes to uninitialized passwords in ldapsam
+ are written to the DIT.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fixed iterator in tdbsam.
+ * Fix bug that disabled accounts with a valid NT password
+ hash, but no LanMan hash.
+
+
+o Steve French <sfrench@us.ibm.com>
+ * Added missing nosetuid and noexec options.
+
+
+o Bostjan Golob <golob@gimb.org>
+ * BUG 1046: Don't overwrite usernames of entries returned
+ by getpwent_list().
+
+
+o Sebastian Krahmer <krahmer@suse.de>
+ * Fixed potential crash bug in NTLMSSP parsing code.
+
+
+o Tim Potter <tpot@samba.org>
+ * Fixed logic in tdb_brlock error checking.
+
+
+o Urban Widmark <urban@teststation.com>
+ * Set nosuid,nodev flags in smbmnt by default.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.2
+ February 9, 2004
+ =============================
+
+It has been confirmed that previous versions of Samba 3.0 are
+susceptible to a password initialization bug that could grant an
+attacker unauthorized access to a user account created by the
+mksmbpasswd.sh shell script.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has assigned the name CAN-2004-0082 to this issue.
+
+Samba administrators not wishing to upgrade to the current
+version should download the 3.0.2 release, build the pdbedit
+tool, and run
+
+ root# pdbedit-3.0.2 --force-initialized-passwords
+
+This will disable all accounts not possessing a valid password
+(e.g. the password field has been set a string of X's).
+
+Samba servers running 3.0.2 are not vulnerable to this bug
+regardless of whether or not pdbedit has been used to sanitize
+the passdb backend.
+
+Some of the more visible bugs in 3.0.1 addressed in the 3.0.2
+release include:
+
+ o Joining a Samba domain from Pre-SP2 Windows 2000 clients.
+ o Logging onto a Samba domain from Windows XP clients.
+ o Problems with the %U and %u smb.conf variables in relation to
+ Windows 9x/ME clients.
+ o Kerberos failures due to an invalid in memory keytab detection
+ test.
+ o Updates to the ntlm_auth tool.
+ o Fixes for various SMB signing errors.
+ o Better separation of WINS and DNS queries for domain controllers.
+ o Issues with nss_winbind FreeBSD and Solaris.
+ o Several crash bugs in smbd and winbindd.
+ o Output formatting fixes for smbclient for better compatibility
+ with scripts based on the 2.2 version.
+
+
+Changes since 3.0.1
+-------------------
+
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ ldap replication sleep New
+ read size removed (unused)
+ source environment removed (unused)
+
+
+commits
+-------
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details. The list of changes per contributor are as follows:
+
+o Jeremy Allison <jra@samba.org>
+ * Revert change that broke Exchange clear text samlogons.
+ * Fix gcc 3.4 warning in MS-DFS code.
+ * Tidy up of NTLMSSP code.
+ * Fixes for SMB signing errors
+ * BUG 815: Workaround NT4 bug to support plaintext
+ password logins and UNICODE.
+ * Fix SMB signing bug when copying large files.
+ * Correct error logic in mkdir_internals() (caused a panic
+ when combined with --enable-developer).
+ * BUG 830: Protect against crashes due to bad character
+ conversions.
+
+
+o Petri Asikainen <paca@sci.fi>
+ * BUG 330, 387:Fix single valued attribute updates when
+ working with Novell NDS.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * Correctly handle per-pipe NTLMSSP inside a NULL session.
+ * Fix segfault in gencache
+ * Fix early free() of encrypted_session_key.
+ * Change DC lookup routines to more carefully separate
+ DNS names (realms) from NetBIOS domain names.
+ * Add new sid_to_dn() function for internal winbindd use.
+ * Refactor cli_ds_enum_domain_trusts().
+ * BUG 707: Implement range retrieval of ADS attributes (based
+ on work from Volker <vl@samba.org> and Guenther Deschner
+ <gd@suse.com>).
+ * Automatically initialize the signing engine if a session key
+ is available.
+ * BUG 916: Do not perform a + -> ' ' substitution for squid URL
+ encoded strings, only form input in SWAT.
+ * Resets the NTLMSSP state for new negotiate packets.
+ * Add 2-byte alignments in net_samlogon() queries to parse
+ odd-length plain text passwords.
+ * Allow Windows groups with no members in winbindd.
+ * Allow normal authentication in the absence of a server
+ generated session key.
+ * More optimizations for looking up UNIX group lists.
+ * Clean up error codes and return values for pam_winbindd
+ and winbindd PAM interface.
+ * Fix string return values in ntlm_auth tool.
+ * Fix segfault when 'security = ads' but no realm is defined.
+ * BUG 722: Allow winbindd to map machine accounts to uids.
+ * More cleanups for winbindd's find_our_domain().
+ * More clearly detect whether a domain controller is an NT4
+ or mixed-mode AD DC (additional bug fixes by jerry & jmcd).
+ * Increase separation between DNS queries for hosts and queries
+ for AD domain controllers.
+ * Include additional NT_STATUS to PAM error mappings.
+ * Password initialization fixes.
+
+
+o Justin Baugh <justin.baugh@request.com>
+ * BUG 948: Implement missing functions required for FreeBSD
+ nss_winbind support.
+
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 922: Make sure enable fast path for strlower_m() and
+ strupper_m().
+
+
+o Luca Bolcioni <Luca.Bolcioni@yacme.com>
+ * Fix crash when using 'security = server' and 'encrypt
+ passwords = no' by always initializing the session key.
+
+
+o Dmitry Butskoj <buc@odusz.elektra.ru>
+ * Fix for special files being hidden from admins.
+
+
+o Gerald (Jerry) Carter <jerry@samba.org>
+ * Fix bug in the lanman session key generation. Caused
+ "decode_pw: incorrect password length" error messages.
+ * Save the right case for the located user name in
+ fill_sam_account(). Fixes %U/%u expansion for win9x clients.
+ * BUG 897: Add well known rid for pre win2k compatible access
+ group.
+ * BUG 887: Correct typo in delete user script example.
+ * Use short lived TALLOC_CTX* for allocating printer objects
+ from the print handle cache.
+ * BUG 912: Fix check for HAVE_MEMORY_KEYTAB.
+ * Fix several warnings reported by the SUN Forte C compiler.
+ * Fully control DNS queries for AD DC's using 'name resolve order'.
+ * BUG 770: Send the SMBjobid for UNIX jobs back to the client.
+ * BUG 972: Fix segfault in cli_ds_getprimarydominfo().
+ * BUG 936: fix bind credentials for schannel binds in smbd.
+ * BUG 446: Fix output of smbclient for better compatibility
+ with scripts based on the 2.2 version (including Amanda).
+ * BUG 891, 949: Fedora packaging fixes.
+ * Fix bug that caused rpcclient to incorrectly retrieve
+ the SID for a server (this causing all calls that required
+ this information to fail).
+ * BUG 977: Don't create a homes share for a user if a static
+ share already exists by the same name.
+ * Removed unused smb.conf options.
+ * Password initialization fixes.
+ * Set the disable flag for template accounts created by
+ mksmbpasswd.sh.
+ * Disable any account has no passwords and does not have the
+ ACB_PWNOTREQ bit set.
+
+
+o Guenther Deschner <gd@suse.com>
+ * Install smbwrapper.so should be put into the $(libdir)
+ and not $(bindir).
+ * Add the capability to specify the new user password
+ for "net ads password" on the command line.
+ * Correctly detect AFS headers on SuSE.
+
+
+o James Flemer <jflemer@uvm.edu>
+ * Fix AIX compile bug by linking HAVE_ATTR_LIST to
+ HAVE_SYS_ATTRIBUTES_H.
+
+
+o Luke Howard <lukeh@PADL.COM>
+ * Fix segfault in session setup reply caused by a early free().
+
+
+o Stoian Ivanov <sdr@bultra.com>
+ * Implement grepable output for smbclient -L.
+
+
+o LaMont Jones <lamont@debian.org>
+ * BUG 225328 (Debian): Correct false failure LFS test that resulted
+ in _GNU_SOURCE not being defined (thus resulting in strndup()
+ not being defined).
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 583: Ensure that user names always contain the short
+ version of the domain name.
+ * Fix our parsing of the LDAP uri.
+ * Don't show the 'afs username map' in the SWAT basic view.
+ * Fix SMB signing issues in relation to failed NTLMSSP logins.
+ * BUG 924: Fix return codes in smbtorture harness.
+ * Always lower-case usernames before handing it to AFS code.
+ * Add a German translation for SWAT.
+ * Fix a segfaults in winbindd.
+ * Fix the user's domain passed to register_vuid() from
+ reply_spnego_kerberos().
+ * Add NSS example code in nss_winbind to convert UNIX
+ id's <-> Windows SIDs.
+ * Display more descriptive error messages for login via 'net'.
+ * Fix compiler warning in the net tool.
+ * Fix length bug when decoding base64 strings.
+ * Ensure we don't call getpwnam() inside a loop that is iterating
+ over users with getpwent(). This broke on glibc 2.3.2.
+
+
+o Herb Lewis <herb@samba.org>
+ * Fix bit rot in psec.
+
+
+o Jianliang Lu <j.lu@tiesse.com>
+ * Ensure we delete the group mapping before calling the delete
+ group script.
+ * Define well known RID for managing the "Power Users" group.
+ * BUG 381: check builtin (not local) group SID when updating
+ group membership.
+ * BUG 101: set the SV_TYPE_PRINTQ_SERVER flag in host announcement
+ packet.
+
+
+o John Klinger <john.klinger@lmco.com>
+ * Implement initgroups() call in nss_winbind on Solaris.
+
+
+o Jim McDonough <jmcd@us.ibm.com>
+ * Fix regression in net rpc join caused by recent changes
+ to cli_lsa_query_info_policy().
+ * BUG 964: Fix crash bug in 'net rpc join' using a preexisting
+ machine account.
+
+
+o MORIYAMA Masayuki <moriyama@miraclelinux.com>
+ * BUG 570: Ensure that configure honors the LDFLAGS variable.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * Implement LDAP rebind sleep patch.
+ * Revert to 2.2 quota code because of so many broken quota files
+ out there.
+ * Fix XFS quotas: HAVE_XFS_QUOTA -> HAVE_XFS_QUOTAS
+ XFS_USER_QUOTA -> USRQUOTA
+ XFS_GROUP_QUOTA -> GRPQUOTA
+ * Fix disk_free calculation with group quotas.
+ * Add debug class 'quota' and a lot of DEBUG()'s
+ to the quota code.
+ * Fix sys_chown() when no chown() is present.
+ * Add SIGABRT to fault handling in order to catch got a
+ backtrace if an error occurs the OpenLDAP client libs.
+
+
+o <ndb@theghet.to>
+ * Allow an existing LDAP machine account to be re-used when
+ joining an AD domain.
+
+
+o James Peach <jpeach@sgi.com>
+ * BUG 889: Change smbd to use pread/pwrite on platforms that
+ support these calls. Can lead to a significant speed increase.
+
+
+o Tim Potter <tpot@samba.org>
+ * BUG 905: Remove POBAD_CC to fix Solaris Forte compiles.
+ * BUG 924: Fix typo in RW2 torture test.
+
+
+o Richard Sharpe <shape@samba.org>
+ * Small fixes to torture.c to cleanup the error handling
+ and prevent crashes.
+
+
+o J. Tournier <jerome.tournier@IDEALX.com>
+ * Small fixes for the smbldap-tool scripts.
+
+
+o Andrew Tridgell <tridge@samba.org>
+ * Fix src len check in pull_usc2().
+
+
+o Jelmer Vernooij <jelmer@samba.org>
+ * Put functions for generating SQL queries in pdb_sql.c
+ * Add pgSQL backend (based on patch by Hamish Friedlander)
+ * BUG 908: Fix -s option to smbcontrol.
+ * Add smbget utility - a wget-clone for the SMB/CIFS protocol.
+ * Fix for libnss_wins on IRIX platforms.
+ * Fix swatdir for --with-fhs.
+
+
+ --------------------------------------------------
+
+ =============================
+ Release Notes for Samba 3.0.1
+ December 15, 2003
+ =============================
+
+Some of the more common bugs in 3.0.0 addressed in the release
+include:
+
+ o Substitution problems with smb.conf variables.
+ o Errors in return codes which caused some applications
+ to fail to open files.
+ o General Protection Faults on Windows 2000/XP clients
+ using Samba point-n-print features.
+ o Several miscellaneous crash bugs.
+ o Access problems when enumerating group mappings are
+ stored in an LDAP Directory.
+ o Several common SWAT bugs when writing changes to
+ smb.conf.
+ o Internal inconsistencies when 'winbind use default
+ domain = yes'
+
+
+
+Changes since 3.0.0
+----------------------
+
+ Parameter Name Action
+ -------------- ------
+ hide local users Removed
+ mangled map Deprecated
+ mangled stack Removed
+ passwd chat timeout New
+
+
+commits
+-------
+
+o Change the interface for init_unistr2 to not take a length
+ but a flags field. We were assuming that
+ 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
+o Allow d_printf() to handle strings with escaped quotation
+ marks since the msg file includes the escape character (bug 489).
+o Fix bad html table row termination in SWAT wizard code (bug 413).
+o Fix to parse the level-2 strings.
+o Fix for "valid users = %S" in [homes]. Fix read/write
+ list as well.
+o Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
+ This is the same way AC_CHECK_LIB works (bug 508).
+o Testparm output fixes for clarity.
+o Fix broken wins hook functionality -- i18n bug (bug 528).
+o Take care of condition where DOS and NT error codes must differ.
+o Default to using only built-in charsets when a working iconv
+ implementation cannot be located.
+o Wrap internals of sys_setgroups() so the sys_XX() call can
+ be done unconditionally (bug 550).
+o Remove duplicate smbspool link on SWAT's front page (bug 541).
+o Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
+ --enable-debug=[yes|no] works correctly.
+o Allow ^C to interrupt smbpasswd if using our getpass
+ (e.g. smbpasswd command).
+o Support signing only on RPC's (bug 167).
+o Correct bug that prevented Excel 2000 clients from opening
+ files marked as read-only.
+o Portability fix bugs 546 - 549).
+o Explicitly initialize the value of AR for vendor makes that don't
+ do this (e.g. HPUX 11). (bug 552).
+o More i18n fixes for SWAT (bug 413).
+o Change the cwd before the postexec script to ensure that a
+ umount will succeed.
+o Correct double free that caused winbindd to crash when a DC
+ is rebooted (bug 437).
+o Fix incorrect mode sum (bug 562).
+o Canonicalize SMB_INFO_ALLOCATION in the same was as
+ SMB_FS_FULL_SIZE_INFORMATION (bug 564).
+o Add script to generate *msg files.
+o Add Dutch SWAT translation file.
+o Make sure to call get_user_groups() with the full winbindd
+ name for a user if he/she has one (bug 406).
+o Fix up error code returns from Samba4 tester. Ensure invalid
+ paths are validated the same way.
+o Allow Samba3 to pass the Samba4 RAW-READ tests.
+o Refuse to configure if --with-expsam=$BACKEND was used but no
+ libraries were found for $BACKEND.
+o Move sysquotas autoconf tests to a separate file.
+o Match W2K w.r.t. writelock and writeclose. Samba4 torture
+ tester
+o Make sure that the files that contain the static_init_$subsystem;
+ macro get recompiled after configure by removing the object
+ files.
+o Ensure canceling a blocking lock returns the correct error
+ message.
+o Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+o Updated Japanese welcome file in SWAT.
+o Fix to nt-time <-> unix-time functions reversible.
+o Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+o Fix portability issues when compiling (bug 505, 550)
+o Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+o Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+o Make sure we break out of samsync loop on error.
+o Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+o Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+o Fixed spinlocks.
+o Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+o Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+o Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+o Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+o Ensure we don't use mmap() on blacklisted systems.
+o fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+o Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+o Fix signing problems when reverse connecting back to a
+ client for printer notify
+o Fix signing problems caused by a miss-sequence bug.
+o Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+o Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+o Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+o Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+o Stop net -P from prompting for machine account password (bug 451).
+o Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+o Cope with Exchange 5.5 cleartext pop password auth.
+o New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+o Added more va_copy() checks in configure.in.
+o Include fixes for libsmbclient build problems.
+o Missing UNIX -> DOS codepage conversion in lanman.c.
+o Allow DFMS-S filenames can now have arbitrary case (bug 667).
+o Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+o Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+o Remove invalid memory frees and return codes in pdb_ldap.c.
+o Prompt for password when invoking --set-auth-user and no
+ password is given.
+o Bind the nmbd sending socket to the 'socket address'.
+o Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+o Fix large number of printf() calls for 64-bit size_t.
+o Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+o Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+o Correct winbindd build problems on HP-UX 11.
+o Lowercase netgroups lookups (bug 703).
+o Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+o Add ldaplibs to pdbedit link line (bug 651).
+o Fix crash bug in smbclient completion (bug 659).
+o Fix packet length for browse list reply (bug 771).
+o Fix coredump in cli_get_backup_list().
+o Make sure that we expand %N (bug 612).
+o Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+o Compile tdbdump by default.
+o Apply patches to fix iconv detection for FreeBSD.
+o Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+o Save LDFLAGS during iconv detection (bug 57).
+o Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+o Add const for lp_set_name_resolve_order() to avoid compiler
+ warnings (bug 471).
+o Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+o Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+o Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+o Patch to handle munged dial string for Windows 2000 TSE.
+ Thanks to Gaz de France, Direction de la Recherche, Service
+ Informatique Métier for their supporting this work by Aurelien
+ Degrémont <adegremont@idealx.com>.
+o Correct the "smbldap_open: cannot access when not root error"
+ messages when looking up group information (bug 281).
+o Skip over the winbind separator when looking up a user.
+ This fixes the bug that prevented local users from
+ matching an AD user when not running winbindd (bug 698).
+o Fix a problem with configure on *BSD systems. Make sure
+ we add -liconv etc to LDFLAGS.
+o Fix core dump bug when "security = server" and the authentication
+ server goes away.
+o Correct crash bug due to an empty munged dial string.
+o Show files locked by a specific user (smbstatus -u 'user')
+ (bug 590).
+o Fix bug preventing print jobs from display in the queue
+ monitor used by Windows NT and later clients (bug 660).
+o Fix several reported problems with point-n-print from
+ Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
+ reply (bug 338, 527 & 643).
+o Fix a handful of potential memory leaks in the LDAP code used
+ by ldapsam[_compat] and the LDAP idmap backend.
+o Fix for pdbedit error code returns (bug 763).
+o Make sure we only enumerate group mapping entries (not
+ /etc/group) even when doing local aliases.
+o Relax check on the pipe name in a dce/rpc bind response to work
+ around issues with establishing trusts to a Windows 2003 domain.
+o Ensure we mangle names ending in '.' in hash2 mangling method.
+o Correct parsing issues with munged dial string.
+o Fix bugs in quota support for XFS.
+o Add a cleaner method for applications that need to provide
+ name->SID mappings to do this via NSS rather than having to
+ know the winbindd pipe protocol.
+o Adds a variant of the winbindd_getgroups() call called
+ winbindd_getusersids() that provides direct SID->SIDs listing of
+ a users supplementary groups. This is enough to allow non-Samba
+ applications to do ACL checking.
+o Make sure we don't append the 'ldap suffix' when writing out the
+ 'ldap XXX suffix' values in SWAT (bug 328).
+o Fix renames across file systems.
+o Ensure that items in a list of strings containing whitespace are
+ written out surrounded by single quotes. This means that both
+ double and single quotes are now used to surround strings in
+ smb.conf (bug 481).
+o Enable SWAT to correctly determine if winbindd is running (bug
+ 398).
+o Include WWW-Authenticate field in 401 response for bad auth
+ attempt (bug 629).
+o Add support for NTLM2 (NTLMv2 session security).
+o Add support for variable-length session keys.
+o More privilege fixes for group enumeration in LDAP (bug 281).
+o Use the dns name (or IP) as the originating client name when
+ using CUPS (bug 467).
+o Fix various SMB signing bugs.
+o Fix ACL propagation on a DFS root (bug 263).
+o Disable NTLM2 for RPC pipes.
+o Allow the client to specify the NTLM2 flags got NTLMSSP
+ authentication.
+o Change the name of the job passed off to cups from "Test Page"
+ to "smbprn.00000033 Test Page" so that we can get the smb
+ jobid back. This allow users to delete jobs with cups printing
+ backend (partial work on bug 770).
+o Fix build of winbindd with static pdb modules.
+o Retrieve the correct ACL group bits if the file has an ACL
+ (bug 802).
+o Implement "net rpc group members": Get members of a domain group
+ in human-readable format.
+o Add MacOSX (Darwin) specific charset module code.
+o Use samr_dispinfo(level == 1) for enumerating domain users so we
+ can include the full name in gecos field (bug 587).
+o Add support for winbind's NSS library on FeeeBSD 5.1 (bug 797).
+o Implement 'net rpc group list [global|local|builtin]*' for a
+ select listing of the respective user databases.
+o Don't automatically set NT status code flag unless client tells
+ us it can cope.
+o Add 'net status [sessions|shares] [parseable]'.
+o Don't mistake pre-existing UNIX jobs for smb jobs (remainder of
+ bug 770).
+o Add 'Replicator' and 'RAS Servers' to list of builtin SIDs
+ (bug 608).
+o Fix inverted logic in hosts allow/deny checks caused by
+ s/strcmp/strequal/ (bug 846).
+o Implement correct version SamrRemoveSidForeignDomain() (bug 252).
+o Fix typo in 'hash' mangling algorithm.
+o Support munged dial for ldapsam (bug 800).
+o Fix process_incoming_data() to return the number of bytes handled
+ this call whether we have a complete PDU or not; fixes bug
+ with multiple PDU request rpc's broken over SMBwriteX calls
+ each.
+o Fix incorrect smb flags2 for connections to pre-NT servers
+ (causes smbclient to fail to OS2 for example) (bug 821).
+o Update version string in smbldap-tools Makefile to 0.8.2.
+o Correct a problem with "net rpc vampire" mis-parsing the
+ alias member info reply.
+o Ensure the ${libdir} is created by the installclientlib script.
+o Fix detection of Windows 2003 client architecture in the smb.conf
+ %a variable.
+o Ensure that smbd calls the add user script for a missing UNIX
+ user on kerberos auth call (bug 445).
+o Fix bugs in hosts allow/deny when using a mismatched
+ network/netmask pair.
+o Protect alloc_sub_basic() from crashing when the source string
+ is NULL (partial work on bug 687).
+o Fix spinlocks on IRIX.
+o Corrected some bad destination paths when running "configure
+ --with-fhs".
+o Add packaging files for Fedora Core 1.
+o Correct bug in SWAT install script for non-english languages.
+o Support character set ISO-8859-1 internally (bug 558).
+o Fixed more LDAP access errors when looking up group mappings
+ (bug 281).
+o Fix UNISTR2 length bug in LsaQueryInfo(3) that caused SID
+ resolution to fail on local files on on domain members
+ (bug 875).
+o Fix uninitialized variable in passdb.c.
+o Fix formal parameter type in get_static() in nsswitch/wins.c.
+o Fix problem mounting directories when mount.cifs is installed
+ with the setuid bit on.
+o Fix bug that prevent --mandir from overriding the defaults
+ given in the --with-fhs macro.
+o Fix bug in in-memory Kerberos keytab detection routines
+ in configure.in
+
+
+
+######################################################################
+
+ The original 3.0.0 release notes follow
+ =======================================
+ WHATS NEW IN Samba 3.0.0
+ September 24, 2003
+ =======================================
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire
+ and internally there is now a much better infrastructure for
+ multi-byte and UNICODE character sets.
+
+3) New authentication system. The internal authentication system
+ has been almost completely rewritten. Most of the changes are
+ internal, but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and character
+ sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+15) Improvement of ACL mapping features based on code donated by
+ Andreas Grünbacher.
+
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * hide local users
+ * mangled stack
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * read size
+ * source environment
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+ * passwd chat timeout
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap replication sleep
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
+
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif
+ $ convertSambaAccount --sid=<Domain SID> \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The <DOM SID> can be obtained by running 'net getlocalsid
+<DOMAINNAME>' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
+
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
+
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
+
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
+
+
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
+
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
+
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
+
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
+
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
+
+To create a trustlationship with SAMBA as the trusted domain:
+
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
+
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
+
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
+
+Start winbindd and test the join with 'wbinfo -t'.
+
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
+
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
+
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
+
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
+
+######################################################################
+Changes in Winbind
+##################
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
+
+######################################################################
+Known Issues
+############
+
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
+
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
+
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
+</pre>
+<!--#include virtual="/samba/footer.html" -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h3>Samba Team Announces Samba 1.9.17</h3>
+
+<pre>
+Greater speed and scalability for corporate networks with
+Windows-compatible clients
+
+
+Canberra, Australia, August 26 1997 - The Samba Team is pleased to
+announce version 1.9.17 of Samba, the leading suite of corporate network
+integration tools. Designed to service any Server Message Block (SMB)
+client, Samba is compatible with all Microsoft (tm) Networking clients
+including Windows 95 (tm), Windows NT (tm) Workstation and Server,
+Windows for Workgroups (tm), IBM OS/2 (tm), smbfs for Linux and
+Thursby Software Systems DAVE (tm) Macintosh SMB client.
+
+Samba is distinguished by its scalability, speed and flexibility. It is
+freely distributed with source code, and has high-quality support.
+Over ninety specialist support companies worldwide offer commercial
+support for Samba, which is also supported by copious Internet
+resources and a mailing list with ten thousand subscribers.
+
+Sites with Microsoft Windows NT or Windows 95 clients benefit
+particularly from this new release. Samba now functions as a logon
+server for Windows 95 and supports roving profiles. Already a favorite
+with administrators because of its flexible and dynamic configuration
+options, version 1.9.17 of Samba has even more reasons for being used
+to serve files and printers to Microsoft clients.
+
+Samba has an assured future. With many hundreds of thousands of
+installed systems around the world, Samba is making it possible for many
+kinds of systems to share files that have been incompatible until now.
+The Samba Team has been consulting widely with large (and small) users
+of the product about future directions for Samba and will be
+publishing a road-map with the next major release. Anyone wishing to
+provide input should send a message to the mailing list
+<a href="mailto:samba-plans@samba.org">samba-plans@samba.org</a>
+
+Besides this, the next release will focus on better integration of
+non-UNIX ports, further performance improvements and scalability to
+hundreds of thousands of machines in an SMB network.
+
+
+<strong>Also in release 1.9.17 of Samba:</strong>
+
+<strong>CIFS Support</strong>
+
+Samba implements the Common Internet Filesystem protocol, the Internet
+Engineering Task Force draft protocol for extending SMB to the Internet.
+Samba keeps pace with CIFS developments. See
+<a href="http://anu.samba.org/cifs/">http://anu.samba.org/cifs/</a>.
+
+<strong>More speed</strong>
+
+Samba now passes the most rigorous Ziff-Davis NetBench test suite with
+flying colors. Performance is not lost when more users are added, up to
+the limits of the host operating system. When used with technologies
+such 64-bit operating systems (such as some versions of UNIX, MVS or
+VMS), many CPUs and Gibabit ethernet, pre-release versions of Samba
+1.9.17 have been running for some months at several large sites
+supporting tens of thousands of users.
+
+<strong>More servers</strong>
+
+Samba runs on UNIX (tm) and near clones from over 30 vendors, besides
+IBM MVS (tm), Digital Equipment VMS (tm), Stratos VOS (tm), all versions of
+IBM OS/2 Warp (tm), Novell Netware (tm), Amiga OS (tm) and others.
+Most corporate data servers are supported, besides countless small
+networks running less powerful operating systems.
+
+<strong>More clients</strong>
+
+Windows NT, Windows 95, Linux, OS/2 Warp, Windows for Workgroups come
+with SMB network file systems by default. Windows 3.1, DOS, AIX and others
+have equivalent add-ons. Different SMB clients have different extensions and
+different bugs. Samba goes to great lengths to accommodate clients that
+are in use, and is now more compatible with more types of clients than
+any other SMB server.
+
+<strong>Larger networks</strong>
+
+Release 1.9.17 provides support for over 2,000 clients simultaneously
+per samba server. Many Samba servers of this scale can work together.
+Some sites have shown that a user database of 100 000 users shared
+between 20 servers works. We do not know what the upper limit is,
+although we plan to find out. The Samba Team has been focusing on
+providing reliable wide-area operation, and acknowledges the support of
+major UNIX system vendors who have helped in testing on large WANs.
+
+<strong>Better Browsing</strong>
+
+This release improves Samba maintenance of browse lists (the Network
+Neighborhood), especially across large multi-segmented networks. Samba
+can provide a picture of what machines are available on even very large
+networks, beyond the scope of any other SMB product.
+
+
+<strong>More Information and Downloading</strong>
+
+For more information on Samba see
+
+ <a href="http://samba.canberra.edu.au/pub/samba/">http://samba.canberra.edu.au/pub/samba/</a>
+
+Demand for Samba is very high. For a faster download and to minimize
+Internet traffic over the period following this release, please use a
+Samba mirror site. The list of mirror sites is contained in
+
+ <a href="ftp://samba.org/pub/samba/MIRRORS.txt">ftp://samba.org/pub/samba/MIRRORS.txt</a>
+
+The official master ftp location is
+
+ <a href="ftp://samba.org/pub/samba/samba-latest.tar.gz">ftp://samba.org/pub/samba/samba-latest.tar.gz</a>
+
+Some of the products mentioned in this document are registered
+trademarks of other companies. The samba-bugs@samba.org address
+referred to in this release is *not* to be used for general enquiries or
+support requests. See the web pages for information about the general
+Samba mailing list and a listing of commercial support providers.
+
+<strong>Thanks</strong>
+
+This release of Samba was made possible with the generous help of the
+following companies (in alphabetical order):
+
+Aquasoft Pty Ltd. : <a href="http://www.aquasoft.com.au">http://www.aquasoft.com.au</a>
+Red Hat Software. : <a href="http://www.redhat.com">http://www.redhat.com</a>
+Silicon Graphics, Inc. : <a href="http://www.sgi.com.">http://www.sgi.com.</a>
+Whistle Communications : <a href="http://www.whistle.com">http://www.whistle.com</a>
+
+Please note that this does not imply endorsement of Samba by the above
+named companies.
+
+
+<strong>Samba Team members</strong>
+
+The Samba Team are (in alphabetical order) :
+
+Jeremy Allison - Whistle Communications
+Paul Blackman - University of Canberra
+Dave Fenwick - Asset Software
+Chris Hertel - University of Minnesota
+Peter Kelly - ETS
+Luke Leighton - Pires
+Richard Sharpe - NS Computer Software
+Dan Shearer - University of South Australia
+John Terpstra - Aquasoft Pty Ltd.
+Andrew Tridgell - Australian National University
+Volker Lendeke - Service Network, GmbH.
+
+<strong>Copying</strong>
+
+Unrestricted reproduction rights of this press release are granted, so
+long as it remains clear that:
+
+ i) Samba is copyright by Andrew Tridgell and the Samba Team, 1992-1997
+ ii) Samba is made available freely under the widely-used
+ GNU public license. A copy of this is at
+
+ <a href="ftp://samba.org/pub/samba/COPYING">ftp://samba.org/pub/samba/COPYING</a>
+
+ This license encourages commercial use and modification. The
+ only restriction is that all source code incorporating Samba
+ must always be freely available
+ iii) The contact for all issues related to intellectual
+ property rights for Samba is <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+
+Regards,
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h3>The Samba Team are pleased to announce Samba 1.9.17p1.</h3>
+
+<pre>
+This is a patch release designed to fix the few bugs that
+users had reported with our last major release, 1.9.17.
+
+This release adds no new functionality, and if you
+were not impacted by the bugs then there is no need
+to upgrade from 1.9.17.
+
+The list of fixed bugs are :
+
+-------------------fix list--------------------------------
+Fix for DOS and Windows 95 clients having trouble
+deleting files on a Samba share in a DOS command line
+environment.
+
+Fixes to set the 'flag' bits correctly when talking to a
+non-Samba WINS server.
+
+Fix for NT clients being dropped when using security=server.
+
+Fixes to the printer queue reporting code.
+
+Fix for the name map mangle bug (mangling .html -> .htm was
+not working).
+------------------------------------------------------------
+
+The full release notes (from WHATSNEW.txt in the release)
+are listed below.
+
+This new release may be obtained from the following
+URL:
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.17p1.tar.gz">ftp://samba.org/pub/samba/samba-1.9.17p1.tar.gz</a>
+
+as a GNU gzip compressed tar file. Thanks to SGI for
+providing the samba.org Web server hardware.
+
+RedHat rpm packaged files will be built by the Samba
+team, a further announcement will be provided shortly
+describing their availability.
+
+The samba web pages are found at :
+
+<a href="http://samba.org/">http://samba.org/</a>
+
+As usual, please report any bugs with this release to
+
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+Regards,
+
+
+ The Samba Team.
+
+----------------cut here for WHATSNEW.txt-------------------
+ WHATS NEW IN 1.9.17p1 - September 5 1997
+ ========================================
+
+New stable patch release: Samba - version 1.9.17p1.
+---------------------------------------------------
+
+This is a patch release which superceedes the
+last stable release of Samba, release 1.9.17.
+This release fixes the few bugs that users reported
+in the previous stable release (1.9.17).
+
+These bugfixes are :
+
+Fix for DOS and Windows 95 clients having trouble
+deleting files on a Samba share in a DOS command line
+environment.
+
+Fixes to set the 'flag' bits correctly when talking to a
+non-Samba WINS server.
+
+Fix for NT clients being dropped when using security=server.
+
+Fixes to the printer queue reporting code.
+
+Fix for the name map mangle bug (mangling .html -> .htm was
+not working).
+
+If you are not affected by any of these problems then there
+is no need to upgrade.
+
+The release notes from the previous stable release follow.
+
+The Samba Team.
+
+-------------Previous release notes-------------------------
+
+New stable release of Samba - 1.9.17
+------------------------------------
+
+This is the new stable release of Samba, superceeding
+the last stable release 1.9.16p11. All users are
+encouraged to upgrade to this new release as there have
+been many improvements to the code since that time.
+
+Changes since 1.9.16p11.
+------------------------
+
+Improved browsing support.
+--------------------------
+
+Samba now should support propagation of browse lists
+across subnets correctly. Look in the file docs/BROWSING.txt
+as it has been largely re-written to explain how to do this.
+
+*IMPORTANT* All Samba servers acting as local/domain master
+browsers must be running 1.9.17 (or later).
+
+Thanks to Silicon Graphics for allowing us to test the new
+code on their corporate network.
+
+
+Improved share mode handling
+----------------------------
+
+The handling of share modes has been completely rewritten.
+Samba can now run agressive PC Benchmarks (Ziff-Davis
+NetBench) correctly with many hundreds of concurrent PC's.
+The confidence level on share mode handling in Samba
+is now much higher than it was previously. PC database
+packages should be safe when run against a Samba share.
+Thanks to Silicon Graphics for testing this code for us.
+
+If at all possible compile Samba to use the new share
+mode handling with shared memory (set the flags
+FAST_SHARE_MODES in the Makefile). This will be *much* faster
+than old file-based share modes. FAST_SHARE_MODES have
+been turned on by default on the following platforms in
+the Makefile :
+
+ Linux
+ Solaris
+ BSDI
+ IRIX 5.x.x
+ FreeBSD
+
+Roving profile support.
+-----------------------
+
+Roving profiles are believed to work correctly
+with Windows NT 4.x and Windows 95. Domain logons
+are fully implemented *for Windows 95 machines only*.
+
+
+Updated documentation
+---------------------
+All options are now documented in the smb.conf man page
+we believe. Much work has been done by Samba Team members
+to improve the quality and quantity of the Samba documentation.
+
+Many bugfixes and improvements
+------------------------------
+From around the 'net around the world. Many
+thanks to everyone who contributed.
+
+Commercial thanks.
+------------------
+
+Thanks to Cisco for the new netbios alias code support.
+Thanks to Silicon Graphics for the help with the cross
+subnet browsing and NetBench code.
+Thanks to Whistle for funding one of the Samba Team
+members.
+
+Reporting bugs
+--------------
+
+The Samba Team believes that this is a stable
+production release, but all software has bugs.
+If you have problems, or think you have found a
+bug please email a report to :
+
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+Stating the version number of Samba that you
+are running, and *full details* of the steps
+we need to reproduce the problem.
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h3>The Samba Team announce Samba 1.9.17p2.</h3>
+
+<pre>
+Security fix release: Samba - version 1.9.17p2.<p>
+
+This new stable release fixes a very important security hole in all
+versions of Samba.<p>
+
+The security hole allows a remote user to obtain root access on the
+Samba server. A program which exploits this bug has been posted to the
+internet.<p>
+
+The security hole is only known to affect Samba servers running on
+Intel based hardware, and has only been demonstrated for Intel
+Linux. It is likley that exploits for other architectures would be
+very difficult but the possibility cannot be excluded completely.<p>
+
+This patch fixes the security hole for all platforms.<p>
+
+This patch also adds a routine which will log a message when a user
+attempts to take advantage of the security hole.<p>
+
+A number of other minor bugs have also been fixed in this release.<p>
+
+This new release may be obtained from the following
+URL:
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.17p2.tar.gz">ftp://samba.org/pub/samba/samba-1.9.17p2.tar.gz</a>
+
+as a GNU gzip compressed tar file. Thanks to SGI for
+providing the samba.org Web server hardware.
+
+RedHat rpm packaged files will be built by the Samba
+team, a further announcement will be provided shortly
+describing their availability.
+
+The samba web pages are found at :
+
+<a href="http://samba.org/">http://samba.org/</a>
+
+As usual, please report any bugs with this release to
+
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+Regards,
+
+
+ The Samba Team.
+
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.17p3.</h3>\r
+<pre>\r
+This is a patch release designed to fix the few bugs that\r
+users had reported with our last major release, 1.9.17p2.\r
+\r
+This release adds no new functionality, and if you\r
+were not impacted by the bugs then there is no need\r
+to upgrade from 1.9.17p2.\r
+\r
+Note however, that *all* users should upgrade to at\r
+least Samba version 1.9.17p2 due to a critical security\r
+bug fix that was integrated at that time.\r
+\r
+This new release may be obtained from the following\r
+URL:\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.17p3.tar.gz">ftp://samba.org/pub/samba/samba-1.9.17p3.tar.gz</a>\r
+\r
+as a GNU gzip compressed tar file. Thanks to SGI for\r
+providing the samba.org Web server hardware.\r
+\r
+RedHat rpm files for Linux will be made available for\r
+this release, their availability will announced at a\r
+later date.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+--------------------release notes------------------------\r
+\r
+\r
+ WHATS NEW IN 1.9.17p3 - October 14th 1997\r
+ ===========================================\r
+\r
+Update release: Samba - version 1.9.17p3.\r
+-----------------------------------------\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Here are a list of the fixes in this release (the fixes\r
+introduced between 1.9.17p2 and 1.9.17p3) :\r
+\r
+1). Removed truncation problem with long browse lists.\r
+2). Crash bug when dead share mode memory entries need removing.\r
+3). Race condition in slow share mode code.\r
+4). Potential buffer overflow from password server.\r
+5). Fix for read-prediction growing read-only files.\r
+6). Many quota code fixes.\r
+7). Fix for spelling mistake in attack warning :-).\r
+8). Removed 'ERRbaddirectory' error code - caused problem with\r
+ Visual Basic apps.\r
+9). Allow 'hosts allow/deny' to work before client packet parsed.\r
+10). Wrapping log file causes incorrect errors to be returned to\r
+ the clients.\r
+11). Crash fix for nmbd Get_Hostbyname bad return.\r
+12). 'become_root' 'unbecome_root' added to fix changing uid problems.\r
+13). No magic scripts or printing done on exceptional file close\r
+problems.\r
+\r
+Reporting bugs\r
+--------------\r
+\r
+The Samba Team believes that this is a stable\r
+production release, but all software has bugs.\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Stating the version number of Samba that you\r
+are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+-------------Previous release notes-------------------------\r
+\r
+Security fix release: Samba - version 1.9.17p2.\r
+----------------------------------------------\r
+\r
+This new stable release fixes a very important security hole in all\r
+versions of Samba.\r
+\r
+The security hole allows a remote user to obtain root access on the\r
+Samba server. A program which exploits this bug has been posted to the\r
+internet.\r
+\r
+The security hole is only known to affect Samba servers running on\r
+Intel based hardware, and has only been demonstrated for Intel\r
+Linux. It is likley that exploits for other architectures would be\r
+very difficult but the possibility cannot be excluded completely.\r
+\r
+This patch fixes the security hole for all platforms.\r
+\r
+This patch also adds a routine which will log a message when a user\r
+attempts to take advantage of the security hole.\r
+\r
+A number of other minor bugs have also been fixed in this release.\r
+\r
+The Samba Team.\r
+\r
+\r
+-------------Previous release notes-------------------------\r
+\r
+New stable release of Samba - 1.9.17\r
+------------------------------------\r
+\r
+This is the new stable release of Samba, superceeding\r
+the last stable release 1.9.16p11. All users are\r
+encouraged to upgrade to this new release as there have\r
+been many improvements to the code since that time.\r
+\r
+Changes since 1.9.16p11.\r
+------------------------\r
+\r
+Improved browsing support.\r
+--------------------------\r
+\r
+Samba now should support propagation of browse lists\r
+across subnets correctly. Look in the file docs/BROWSING.txt\r
+as it has been largely re-written to explain how to do this.\r
+\r
+*IMPORTANT* All Samba servers acting as local/domain master\r
+browsers must be running 1.9.17 (or later).\r
+\r
+Thanks to Silicon Graphics for allowing us to test the new\r
+code on their corporate network.\r
+\r
+\r
+Improved share mode handling\r
+----------------------------\r
+\r
+The handling of share modes has been completely rewritten.\r
+Samba can now run agressive PC Benchmarks (Ziff-Davis\r
+NetBench) correctly with many hundreds of concurrent PC's.\r
+The confidence level on share mode handling in Samba\r
+is now much higher than it was previously. PC database\r
+packages should be safe when run against a Samba share.\r
+Thanks to Silicon Graphics for testing this code for us.\r
+\r
+If at all possible compile Samba to use the new share\r
+mode handling with shared memory (set the flags\r
+FAST_SHARE_MODES in the Makefile). This will be *much* faster\r
+than old file-based share modes. FAST_SHARE_MODES have\r
+been turned on by default on the following platforms in\r
+the Makefile :\r
+\r
+ Linux\r
+ Solaris\r
+ BSDI\r
+ IRIX 5.x.x\r
+ FreeBSD\r
+\r
+Roving profile support.\r
+-----------------------\r
+\r
+Roving profiles are believed to work correctly\r
+with Windows NT 4.x and Windows 95. Domain logons\r
+are fully implemented *for Windows 95 machines only*.\r
+\r
+\r
+Updated documentation\r
+---------------------\r
+All options are now documented in the smb.conf man page\r
+we believe. Much work has been done by Samba Team members\r
+to improve the quality and quantity of the Samba documentation.\r
+\r
+Many bugfixes and improvements\r
+------------------------------\r
+From around the 'net around the world. Many\r
+thanks to everyone who contributed.\r
+\r
+Commercial thanks.\r
+------------------\r
+\r
+Thanks to Cisco for the new netbios alias code support.\r
+Thanks to Silicon Graphics for the help with the cross\r
+subnet browsing and NetBench code.\r
+Thanks to Whistle for funding one of the Samba Team\r
+members.\r
+\r
+Reporting bugs\r
+--------------\r
+\r
+The Samba Team believes that this is a stable\r
+production release, but all software has bugs.\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Stating the version number of Samba that you\r
+are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.17p4.</h3>\r
+\r
+<pre>\r
+This is a patch release designed to fix the few bugs that\r
+users had reported with our last major release, 1.9.17p3.\r
+\r
+This release adds no new functionality, and if you\r
+were not impacted by the bugs then there is no need\r
+to upgrade from 1.9.17p3.\r
+\r
+Note however, that *all* users should upgrade to at\r
+least Samba version 1.9.17p2 due to a critical security\r
+bug fix that was integrated at that time.\r
+\r
+RedHat rpm files for Linux will be made available for \r
+this release, their availability will announced at a\r
+later date.\r
+\r
+This new release may be obtained from the following URL:\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.17p4.tar.gz">ftp://samba.org/pub/samba/samba-1.9.17p4.tar.gz</a>\r
+\r
+For details on previous releases see <a href="./samba1.9.17p3.html">samba1.9.17p3.html</a>\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+--------------------release notes------------------------\r
+\r
+ WHATS NEW IN 1.9.17p4 - October 21st. 1997\r
+ ==========================================\r
+\r
+Update release: Samba - version 1.9.17p4.\r
+-----------------------------------------\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Here are a list of the fixes in this release (the fixes\r
+introduced between 1.9.17p3 and 1.9.17p4) :\r
+\r
+1). Fix in nmbd for Windows 95 machines hanging on logout !\r
+2). Fix for slow share mode code leaving zero length share\r
+ files.\r
+3). Fix for security = server, some broken NT4.x servers don't \r
+ set the guest bit on connections. New code to check logged \r
+ in user matches requested user.\r
+4). Fix for security = server. Problem with previous workaround\r
+ which caused machine logon restrictions on an NT server to fail.\r
+ This code has been completely re-written.\r
+5). New option 'dos filetimes' to fix UTIME_WORKAROUND problem.\r
+6). Fix so nmbd ignores loopback packets.\r
+7). Fix for nmbd ignoring WINS negative responses.\r
+8). New PAM support from RedHat for new PAM version.\r
+9). Memory leak fix when files included from an smb.conf\r
+ are changed.\r
+10). Client now logs when connecting as 'guest'.\r
+11). Updated documentation.\r
+\r
+Reporting bugs\r
+--------------\r
+ \r
+The Samba Team believes that this is a stable\r
+production release, but all software has bugs. \r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Stating the version number of Samba that you\r
+are running, and *full details* of the steps \r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>\r
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.17p5.</h3>\r
+<pre>\r
+This is a patch release designed to fix the few bugs that\r
+users had reported with our last stable release, 1.9.17p4.\r
+\r
+This release adds no new functionality, and if you\r
+were not impacted by the bugs then there is no need\r
+to upgrade from 1.9.17p4.\r
+\r
+Note however, that *all* users should upgrade to at\r
+least Samba version 1.9.17p2 due to a critical security\r
+bug fix that was integrated at that time.\r
+\r
+This is intended to be the last release in the Samba \r
+1.9.17 code series. The next release will be 1.9.18 \r
+which should be soon. This 1.9.17p5 release is being\r
+made so that people who wish to stay with the 1.9.17\r
+series of code for a while will be running with the\r
+most stable version of that code base available.\r
+\r
+The release may be downloaded from the URL :\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.17p5.tar.gz">ftp://samba.org/pub/samba/samba-1.9.17p5.tar.gz</a>\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+--------------------release notes------------------------\r
+\r
+ WHATS NEW IN 1.9.17p5 - December 19th. 1997\r
+ ===========================================\r
+\r
+Update release: Samba - version 1.9.17p5.\r
+-----------------------------------------\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Here are a list of the fixes in this release (the fixes\r
+introduced between 1.9.17p4 and 1.9.17p5) :\r
+\r
+1). Addition of 'remote browse sync' parameter.\r
+2). Fix for bug where nmbd would not stop announcing itself\r
+ as a local master browser once it had lost the election.\r
+3). No longer fill in status fields in node status reply for\r
+ security.\r
+4). Code added to seach the nmbd name cache for the results\r
+ of a previous dns search.\r
+5). Treat WORKGROUP<1c> names correctly when registering (don't\r
+ treat them as a normal group name).\r
+6). Fix bug in the handling of the 'character set' parameter.\r
+7). Disable read prediction code by default - conflicts with\r
+ locking fixes.\r
+8). Fix bug with name mangling with UNIX filenames containing ':'.\r
+\r
+Reporting bugs\r
+--------------\r
+\r
+The Samba Team believes that this is a stable\r
+production release, but all software has bugs.\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Stating the version number of Samba that you\r
+are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+For details on previous releases see <a href="./samba1.9.17p4.html">samba1.9.17p4.html</a>\r
+</pre>\r
+\r
+</body>\r
+</html>\r
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.18.</h3>\r
+<pre>\r
+This is a new major stable release and contains new functionality\r
+It is recommended that all production server systems upgrade to\r
+this release.\r
+\r
+The release may be downloaded from the URL :\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.18.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18.tar.gz</a>\r
+The release notes follow.\r
+\r
+Regards,\r
+\r
+ Samba Team.\r
+\r
+------------------------------------------------------------\r
+ WHATS NEW IN 1.9.18 - January 7th 1998.\r
+ =======================================\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+This release contains several major changes and much re-written\r
+code.\r
+\r
+The main changes are :\r
+\r
+1). Oplock support now operational.\r
+-----------------------------------\r
+\r
+Samba now supports 'exclusive' and 'batch' oplocks.\r
+These are an advanced networked file system feature\r
+that allows clients to obtain a exclusive use of a\r
+file. This allows a client to cache any changes it\r
+makes locally, and greatly improves performance.\r
+\r
+Windows NT has this feature and prior to this\r
+release this was one of the reasons Windows NT\r
+could be faster in some situations. Samba has\r
+now been benchmarked as out performing Windows\r
+NT on equivalently priced hardware.\r
+\r
+The oplock code in Samba has been extensively\r
+tested and is believed to be completely stable.\r
+\r
+Please report any problems to the samba-bugs alias.\r
+\r
+2). NetBIOS name daemon re-written.\r
+-----------------------------------\r
+\r
+The old nmbd that has caused some users problems\r
+has now been completely re-written and now is\r
+much easier to maintain and add changes to.\r
+\r
+Changes include support for multi-homed hosts\r
+in the same way as an NT Server with multiple\r
+IP interfaces behaves (registers with the WINS\r
+server as a multi-homed name type), and also\r
+support for multi-homed name registration in\r
+the Samba WINS server. Another added feature\r
+is robustness in the face of WINS server failure,\r
+nmbd will now keep trying to contact the WINS\r
+server until it is successful, in the same\r
+way as an NT Server.\r
+\r
+Also in this release is an implementation\r
+of the Lanman announce protocol used by\r
+OS/2 clients. Thanks to Jacco de Leeuw for\r
+this code.\r
+\r
+3). New Internationalization support.\r
+-------------------------------------\r
+\r
+With this release Samba no longer needs to be\r
+separately compiled for Japanese (Kanji) support,\r
+the same binary will serve both Kanji and non-Kanji\r
+clients.\r
+\r
+A new method of dynamically loading client code pages\r
+has been added to allow the case insensitivity to\r
+be done dependent on the code page of the client.\r
+\r
+Note that Samba still will only handle one client\r
+code page at a time. This will be fixed when\r
+Samba is fully UNICODE enabled.\r
+\r
+Please see the new man page for make_smbcodepage\r
+for details on adding additional client code page\r
+support.\r
+\r
+4). New Printing support.\r
+-------------------------\r
+\r
+An implementation of the Windows 95 automatic printer\r
+driver installation has been added to smbd. To use this\r
+new feature please read the document:\r
+\r
+docs/PRINTER_DRIVER.txt\r
+\r
+Thanks to Jean-Francois Micouleau, and also Herb Lewis\r
+of Silicon Graphics for this new code.\r
+\r
+Printer support on System V systems (notably Solaris)\r
+has been improved with the addition of code generously\r
+donated by Norm Jacobs of Sun Microsystems. Sun have\r
+also made a Solaris SPARC workstation available to the\r
+Samba Team to aid in their porting efforts.\r
+\r
+\r
+Changed code.\r
+-------------\r
+\r
+Samba no longer needs the libdes library to support\r
+encrypted passwords. Samba now contains a restricted\r
+version of DES that can only be used for authentication\r
+purposes (to comply with the USA export encryption\r
+regulations and to allow USA Mirror sites to carry\r
+Samba source code). The 'encrypt passwords' parameter\r
+may now be used without recompiling.\r
+\r
+Much of the internals of Samba has been re-structured\r
+to support the oplock and Domain controller changes.\r
+\r
+Samba now contains an implementation of share modes\r
+using System V shared memory as well as the mmap()\r
+based code. This was done to allow the 'FAST_SHARE_MODES'\r
+to be used on more systems (especially HPUX 9.x) that\r
+have System V shared memory, but not the mmap() call.\r
+\r
+The System V shared memory code is used by default on\r
+many systems as it has benchmarked as faster on many\r
+systems.\r
+\r
+The Automount code has been slightly re-shuffled, such\r
+that the home directory (and profile location) can be\r
+specified by \\%N\homes and \\%N\homes\profiles\r
+respectively, which are the defaults for these values.\r
+If -DAUTOMOUNT is enabled, then %N is the server\r
+component of the user's NIS auto.home entry. Obviously,\r
+you will need to be running Samba on the user's home\r
+server as well as the one they just logged in on.\r
+\r
+The RPC Domain code has been moved into a separate directory\r
+rpc_pipe/, and a LGPL License issued specifically for code\r
+in this directory. This is so that people can use this\r
+code in other projects.\r
+\r
+Missing feature.\r
+----------------\r
+\r
+One feature that we wanted to get into this release\r
+that was not possible due to the re-write of the nmbd\r
+code was the scalability features in the Samba WINS server.\r
+This feature is now tentatively scheduled for the next\r
+release (1.9.19). Apologies to anyone who was hoping\r
+for this feature to be included. The nmbd re-write\r
+will make it much easier to add such things in future.\r
+\r
+New parameters in smb.conf.\r
+---------------------------\r
+\r
+New Global parameters.\r
+----------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "bind interfaces only"\r
+\r
+ "lm announce"\r
+ "lm interval"\r
+\r
+ "logon drive"\r
+ "logon home"\r
+\r
+ "min wins ttl"\r
+ "max wins ttl"\r
+\r
+ "username level"\r
+\r
+New Share level parameters.\r
+---------------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "delete veto files"\r
+ "oplocks"\r
+\r
+Nascent web interface for configuration.\r
+----------------------------------------\r
+\r
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can\r
+also be run standalone. This is in a very early stage of development.\r
+\r
+Debugging support.\r
+------------------\r
+\r
+smbd and nmbd will now modify their debug log level when\r
+they receive a USR1 signal (increase debug level by one)\r
+and USR2 signal (decrease debug level by one). This has\r
+been added to aid administrators track down faults that\r
+only occur after long periods of time, or transiently.\r
+\r
+Reporting bugs.\r
+---------------\r
+\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Please state the version number of Samba that\r
+you are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>\r
+\r
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.18p1.</h3>\r
+\r
+<pre>\r
+It may be fetched via ftp from :\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p1.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p1.tar.gz</a>\r
+\r
+This is a bugfix release, designed to address issues\r
+that users have reported with the 1.9.18 major release.\r
+\r
+Due to an oplock problem in 1.9.18 (fixed in this \r
+release) that could cause data loss in certain \r
+circumstances, it is recommended that all 1.9.18 \r
+users upgrade to 1.9.18p1.\r
+\r
+The release notes follow.\r
+\r
+Please report all problems to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+--------------release notes------------------------------\r
+\r
+ WHATS NEW IN 1.9.18p1 - January 12th 1998.\r
+ ==========================================\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Bugfixes added since 1.9.18\r
+---------------------------\r
+\r
+1). Fix for oplock-break problem. If an open crossed\r
+with an oplock break on the wire it was possible for the \r
+same fnum to be re-used. This caused a rare but fatal\r
+problem.\r
+2). Fix for adding printers to Windows NT 4.x. Now\r
+return correct "no space error" when buffer of zero \r
+given.\r
+3). Fix for nmbd core dumps when running on architectures\r
+that cannot access structures on non-aligned boundaries\r
+(sparc, alpha etc).\r
+4). Compiler warnings in nmbd fixed.\r
+5). Makefile updated for Linux 2.0 versions (new smbmount\r
+commands should only be compiled for 2.1.x kernels).\r
+6). Addition of a timestamp to attack warning messages.\r
+\r
+Changes in 1.9.18.\r
+------------------\r
+\r
+This release contains several major changes and much re-written \r
+code.\r
+\r
+The main changes are :\r
+\r
+1). Oplock support now operational.\r
+-----------------------------------\r
+\r
+Samba now supports 'exclusive' and 'batch' oplocks.\r
+These are an advanced networked file system feature\r
+that allows clients to obtain a exclusive use of a \r
+file. This allows a client to cache any changes it\r
+makes locally, and greatly improves performance.\r
+\r
+Windows NT has this feature and prior to this\r
+release this was one of the reasons Windows NT\r
+could be faster in some situations. Samba has\r
+now been benchmarked as out performing Windows\r
+NT on equivalently priced hardware.\r
+\r
+The oplock code in Samba has been extensively\r
+tested and is believed to be completely stable.\r
+\r
+Please report any problems to the samba-bugs alias.\r
+\r
+2). NetBIOS name daemon re-written.\r
+-----------------------------------\r
+\r
+The old nmbd that has caused some users problems\r
+has now been completely re-written and now is\r
+much easier to maintain and add changes to.\r
+\r
+Changes include support for multi-homed hosts\r
+in the same way as an NT Server with multiple\r
+IP interfaces behaves (registers with the WINS\r
+server as a multi-homed name type), and also\r
+support for multi-homed name registration in\r
+the Samba WINS server. Another added feature\r
+is robustness in the face of WINS server failure,\r
+nmbd will now keep trying to contact the WINS \r
+server until it is successful, in the same\r
+way as an NT Server.\r
+\r
+Also in this release is an implementation\r
+of the Lanman announce protocol used by\r
+OS/2 clients. Thanks to Jacco de Leeuw for \r
+this code.\r
+\r
+3). New Internationalization support.\r
+-------------------------------------\r
+\r
+With this release Samba no longer needs to be\r
+separately compiled for Japanese (Kanji) support,\r
+the same binary will serve both Kanji and non-Kanji\r
+clients.\r
+\r
+A new method of dynamically loading client code pages\r
+has been added to allow the case insensitivity to\r
+be done dependent on the code page of the client.\r
+\r
+Note that Samba still will only handle one client\r
+code page at a time. This will be fixed when\r
+Samba is fully UNICODE enabled.\r
+\r
+Please see the new man page for make_smbcodepage\r
+for details on adding additional client code page\r
+support.\r
+\r
+4). New Printing support.\r
+-------------------------\r
+\r
+An implementation of the Windows 95 automatic printer\r
+driver installation has been added to smbd. To use this\r
+new feature please read the document:\r
+\r
+docs/PRINTER_DRIVER.txt\r
+\r
+Thanks to Jean-Francois Micouleau, and also Herb Lewis\r
+of Silicon Graphics for this new code.\r
+\r
+Printer support on System V systems (notably Solaris)\r
+has been improved with the addition of code generously\r
+donated by Norm Jacobs of Sun Microsystems. Sun have\r
+also made a Solaris SPARC workstation available to the\r
+Samba Team to aid in their porting efforts.\r
+\r
+\r
+Changed code.\r
+-------------\r
+\r
+Samba no longer needs the libdes library to support\r
+encrypted passwords. Samba now contains a restricted\r
+version of DES that can only be used for authentication\r
+purposes (to comply with the USA export encryption\r
+regulations and to allow USA Mirror sites to carry\r
+Samba source code). The 'encrypt passwords' parameter\r
+may now be used without recompiling.\r
+\r
+Much of the internals of Samba has been re-structured\r
+to support the oplock and Domain controller changes.\r
+\r
+Samba now contains an implementation of share modes\r
+using System V shared memory as well as the mmap()\r
+based code. This was done to allow the 'FAST_SHARE_MODES'\r
+to be used on more systems (especially HPUX 9.x) that\r
+have System V shared memory, but not the mmap() call.\r
+\r
+The System V shared memory code is used by default on\r
+many systems as it has benchmarked as faster on many\r
+systems.\r
+\r
+The Automount code has been slightly re-shuffled, such\r
+that the home directory (and profile location) can be\r
+specified by \\%N\homes and \\%N\homes\profiles\r
+respectively, which are the defaults for these values.\r
+If -DAUTOMOUNT is enabled, then %N is the server\r
+component of the user's NIS auto.home entry. Obviously,\r
+you will need to be running Samba on the user's home\r
+server as well as the one they just logged in on.\r
+\r
+The RPC Domain code has been moved into a separate directory\r
+rpc_pipe/, and a LGPL License issued specifically for code\r
+in this directory. This is so that people can use this\r
+code in other projects.\r
+\r
+Missing feature.\r
+----------------\r
+\r
+One feature that we wanted to get into this release\r
+that was not possible due to the re-write of the nmbd\r
+code was the scalability features in the Samba WINS server.\r
+This feature is now tentatively scheduled for the next\r
+release (1.9.19). Apologies to anyone who was hoping\r
+for this feature to be included. The nmbd re-write\r
+will make it much easier to add such things in future.\r
+\r
+New parameters in smb.conf.\r
+---------------------------\r
+\r
+New Global parameters.\r
+----------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "bind interfaces only"\r
+\r
+ "lm announce"\r
+ "lm interval"\r
+\r
+ "logon drive"\r
+ "logon home"\r
+\r
+ "min wins ttl"\r
+ "max wins ttl"\r
+\r
+ "username level"\r
+\r
+New Share level parameters.\r
+---------------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "delete veto files"\r
+ "oplocks"\r
+\r
+Nascent web interface for configuration.\r
+----------------------------------------\r
+\r
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can\r
+also be run standalone. This is in a very early stage of development.\r
+\r
+Debugging support.\r
+------------------\r
+\r
+smbd and nmbd will now modify their debug log level when\r
+they receive a USR1 signal (increase debug level by one)\r
+and USR2 signal (decrease debug level by one). This has\r
+been added to aid administrators track down faults that\r
+only occur after long periods of time, or transiently.\r
+\r
+Reporting bugs.\r
+---------------\r
+\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Please state the version number of Samba that\r
+you are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h2>The Samba Team are pleased to announce Samba 1.9.18p10</h2>
+
+<p>
+<pre>
+Note that the 1.9.18p9 code was not distributed due to a
+problem discovered during the final QA testing phase. However,
+in order not to allow any confusion about versions the Samba
+Team are upping the patch revision number to ensure we can
+identify a particular release of code exactly.
+
+It may be fetched via ftp from :
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p10.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p10.tar.gz</a>
+
+Binary packages are available immediately for this release
+for the folowing systems :
+
+Bull
+Debian Linux
+Digital UNIX
+OSF
+SuSE Linux - release 5.2
+RedHat Linux - release 5.1 for Intel and Alpha architectures.
+Sinix
+Solaris - release 2.51 for Intel and Sparc architectures.
+
+Binary packages for other systems will be made available
+within a short time. A separate announcement will be made
+for the release of these packages.
+
+Offers of binary Samba packages for various systems are
+welcome and should be sent to samba-bugs@samba.org.
+
+It is intended that this be the final release of the 1.9.18
+series of Samba code (security bugfixes notwithstanding, of
+course). A new major release, known as Samba-2, will be made
+available in alpha form shortly.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Without further ado, here are the release notes.
+
+Regards,
+
+ The Samba Team.
+
+--------------------------------------------------------
+ WHATS NEW IN 1.9.18p10 - August 24th 1998.
+ ==========================================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Note that the 1.9.18p9 code was not distributed due to a (rare)
+crash bug discovered during the final QA testing phase. However,
+in order not to allow any confusion about versions the Samba
+Team are upping the patch revision number to ensure we can
+identify a particular release of code exactly.
+
+Note that most Samba Team effort is now going into working on the
+next major release which should contain some Windows NT Domain
+features. It is intended that any future work on the 1.9.18 series
+be security critical only bug fixes.
+
+An announcement will be made when the first alpha release of the next
+Samba series is available.
+
+There are several new parameters for smb.conf
+as well as a number of significant documentation updates.
+
+New parameters in 1.9.18p10.
+----------------------------
+
+strict sync
+-----------
+
+This is a new per-share parameter, added due to some problems
+in the Windows 98 explorer. The Windows 98 explorer seems to
+always set the bit that causes writes to be synchronised to disk
+before continuing. This *kills* performance for copying of large
+files, and is almost certainly not what was intended (many
+windows programs don't know the difference between flush and
+sync). This new parameter is set to off by default and in
+this setting means that Samba will now ignore the sync bit
+in SMB requests. To regain the old behaviour set:
+
+"strict sync = on" in the [global] section of the smb.conf.
+
+ole locking compatibility
+-------------------------
+
+This global parameter allows administrators who are confident in
+the abilities of their UNIX nfs locking daemon to turn off
+the mapping of OLE generated byte range locks that Samba does
+to prevent nfs locking daemons from crashing. This parameter
+is set to on by default (ie. the same behavior as previous
+Samba versions).
+
+queuepause command
+------------------
+
+This printer share specific parameter is part of the new print
+queue pausing code donated by Dirk DeWachter. This parameter
+specifies the UNIX command to run to pause a given print queue.
+See the smb.conf man page for details.
+
+queueresume command
+------------------
+
+This printer share specific parameter is part of the new print
+queue pausing code donated by Dirk DeWachter. This parameter
+specifies the UNIX command to run to resume a given print queue.
+See the smb.conf man page for details.
+
+Deprecated parameter - networkstation user login
+------------------------------------------------
+
+The default of the "networkstation user login" parameter has
+now changed from true to false, as new code in Samba protects
+smbd from the Windows NT bug this parameter was introduced
+to fix. This parameter is now deprecated and will be removed
+in a future Samba release.
+
+Deprecated parameter - domain controller
+----------------------------------------
+
+The meaning of this parameter changed in a previous Samba release
+from a string to a boolean (yes/no) value. It is currently not used
+within the Samba source and should be removed from all current smb.conf
+files. It is left behind for compatibility reasons.
+
+Bugfixes added since 1.9.18p8
+-----------------------------
+
+1). Fixed bug that could cause password changing code to coredump
+2). Fixed bug with client using incorrect WORKGROUP on startup.
+3). Added print queue pausing code from Dirk.DeWachter@rug.ac.be
+ (see "queuepause command" and "queueresume command" above).
+4). "strict sync" parameter added (see above).
+5). "ole locking compatibility" parameter added (see above).
+6). Several changes to file byte range locking code to allow
+ clients to correctly request exclusive and shared locks.
+7). Fixed race condition in browser code that starts a new election
+ if we need one - previously we could have failed to register the
+ name we needed to participate in the election.
+8). Fixed accidental overwrite of buffer that could cause nmbd crash.
+9). Fixed small memory leak in WINS server code when rejecting a
+ registration.
+10). Fix 'recursion desired' flag when sending queries from nmbd
+ WINS server.
+11). Make sure we're using the correct version number in browser
+ elections.
+12). Fixed stupid bug I introduced in 1.9.18p8 that sent the username
+ mapped user name to the password server in "security=server" mode.
+13). Fixed filename translation bug where pathnames were going through
+ the dos to unix conversion function twice.
+14). Fix from klausr@ITAP.Physik.Uni-Stuttgart.De to stop smbd's that
+ only write a few log entries from growing the log without bound.
+15). Fix from branko.cibej@hermes.si to not reload the parameter file
+ in the SIGHUP handler.
+16). Added '-U' for remote user name to smbpasswd to allow normal users
+ to change their password on an NT server if their UNIX username
+ is different.
+17). Fixed map username bug where username would only be mapped
+ once.
+18). Fix from <Thomas.Hepper@icem.de> to strip mount options in
+ an automount home map.
+19). Fixed bug in scanning directories where if a mangled name was
+ returned as a resume key the 'find next' would fail. Thanks to
+ Zoltan Palmai <ZSPA@chevron.com> for finding that one.
+20). Fix from John Blair to allow smbclient to 'put' from standard
+ input.
+21). Fix to go back to unix wildcard semantics for 'veto files' and 'hidden
+ files' parameters.
+22). Fix for Kanji characters in wildcards.
+23). Fix to stop file descriptor leak on failure in password change code.
+24). Fix to cause nmbd to re-install SIGPIPE handler.
+
+Documentation Updates.
+----------------------
+The following documentation files have been updated or created. Users
+are advised to check the following files for anything that may affect
+or help site configuration.
+
+1) smb.conf.5 (updated)
+2) BROWSING_Config.txt (new)
+3) DOMAIN_CONTROL.txt (updated)
+4) BROWSING.txt (updated)
+5) Recent-FAQs.txt (new)
+6) UNIX_SECURITY.txt (updated)
+7) UNIX_INSTALL.txt (updated)
+8) Printing.txt (updated)
+9) DIAGNOSIS.txt (updated)
+
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.18p2.</h3>\r
+\r
+<pre>\r
+It may be fetched via ftp from :\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p2.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p2.tar.gz</a>\r
+\r
+This is a bugfix release, designed to address issues\r
+that users have reported with the 1.9.18p1 release.\r
+\r
+Due to an oplock deadlock problem in 1.9.18p1 (fixed \r
+in this release) that could cause out of control smbd \r
+processes under heavy load, it is recommended that all \r
+1.9.18 and 1.9.18p1 users upgrade to 1.9.18p2.\r
+\r
+An official Linux rpm release of this version will\r
+be made on Friday 30th January (USA Pacific time).\r
+\r
+The release notes follow.\r
+\r
+Please report all problems to :\r
+\r
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+--------------release notes------------------------------\r
+\r
+ WHATS NEW IN 1.9.18p2 - January 26th 1998.\r
+ ==========================================\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Bugfixes added since 1.9.18p1\r
+-----------------------------\r
+\r
+1). A deadlock condition in the oplock code has been found\r
+and fixed. This occured under heavy load at large sites. Several\r
+of the sites who reported the original problem have now been \r
+testing the code in this (1.9.18p2) release for a week now with\r
+no problems (previously the problem occurred within 3-6 hours).\r
+(Thanks to Peter Crawshaw of Mount Allison University for\r
+his great help in tracking down this bug).\r
+2). Fix for a share level security problem that caused \r
+'valid users' not to work correctly.\r
+3). Addition of Russian code page support.\r
+4). Fix to the password changing code (thanks to Randy Boring\r
+at Thursby Software Systems for this).\r
+5). More fixes to the Windows 95 printer driver support\r
+code from Herb Lewis at SGI.\r
+6). Two NetBIOS over TCP source name type fixes in nmbd.\r
+7). Memory leak in the dynamic loading of services in an\r
+smb.conf file fixed.\r
+8). LPRng parsing code fix.\r
+9). Fix to try and return a 'best guess' of create time\r
+under UNIX (which doens't store such a file attribute).\r
+10). Added parameters to samba/examples/smb.conf.default file :\r
+Remote announce, Remote browse sync, username map, filename\r
+case preservation and sensitivity options.\r
+11). Reply to trans2 calls now aligns all parameters and\r
+data on 4 byte boundary.\r
+12). Fixed SIGTERM bug where nmbd would hang on exit.\r
+13). Fixed WINS server bug to allow spaces in WINS names.\r
+\r
+Bugfixes added since 1.9.18\r
+---------------------------\r
+\r
+1). Fix for oplock-break problem. If an open crossed\r
+with an oplock break on the wire it was possible for the \r
+same fnum to be re-used. This caused a rare but fatal\r
+problem.\r
+2). Fix for adding printers to Windows NT 4.x. Now\r
+return correct "no space error" when buffer of zero \r
+given.\r
+3). Fix for nmbd core dumps when running on architectures\r
+that cannot access structures on non-aligned boundaries\r
+(sparc, alpha etc).\r
+4). Compiler warnings in nmbd fixed.\r
+5). Makefile updated for Linux 2.0 versions (new smbmount\r
+commands should only be compiled for 2.1.x kernels).\r
+6). Addition of a timestamp to attack warning messages.\r
+\r
+Changes in 1.9.18.\r
+------------------\r
+\r
+This release contains several major changes and much re-written \r
+code.\r
+\r
+The main changes are :\r
+\r
+1). Oplock support now operational.\r
+-----------------------------------\r
+\r
+Samba now supports 'exclusive' and 'batch' oplocks.\r
+These are an advanced networked file system feature\r
+that allows clients to obtain a exclusive use of a \r
+file. This allows a client to cache any changes it\r
+makes locally, and greatly improves performance.\r
+\r
+Windows NT has this feature and prior to this\r
+release this was one of the reasons Windows NT\r
+could be faster in some situations. Samba has\r
+now been benchmarked as out performing Windows\r
+NT on equivalently priced hardware.\r
+\r
+The oplock code in Samba has been extensively\r
+tested and is believed to be completely stable.\r
+\r
+Please report any problems to the samba-bugs alias.\r
+\r
+2). NetBIOS name daemon re-written.\r
+-----------------------------------\r
+\r
+The old nmbd that has caused some users problems\r
+has now been completely re-written and now is\r
+much easier to maintain and add changes to.\r
+\r
+Changes include support for multi-homed hosts\r
+in the same way as an NT Server with multiple\r
+IP interfaces behaves (registers with the WINS\r
+server as a multi-homed name type), and also\r
+support for multi-homed name registration in\r
+the Samba WINS server. Another added feature\r
+is robustness in the face of WINS server failure,\r
+nmbd will now keep trying to contact the WINS \r
+server until it is successful, in the same\r
+way as an NT Server.\r
+\r
+Also in this release is an implementation\r
+of the Lanman announce protocol used by\r
+OS/2 clients. Thanks to Jacco de Leeuw for \r
+this code.\r
+\r
+3). New Internationalization support.\r
+-------------------------------------\r
+\r
+With this release Samba no longer needs to be\r
+separately compiled for Japanese (Kanji) support,\r
+the same binary will serve both Kanji and non-Kanji\r
+clients.\r
+\r
+A new method of dynamically loading client code pages\r
+has been added to allow the case insensitivity to\r
+be done dependent on the code page of the client.\r
+\r
+Note that Samba still will only handle one client\r
+code page at a time. This will be fixed when\r
+Samba is fully UNICODE enabled.\r
+\r
+Please see the new man page for make_smbcodepage\r
+for details on adding additional client code page\r
+support.\r
+\r
+4). New Printing support.\r
+-------------------------\r
+\r
+An implementation of the Windows 95 automatic printer\r
+driver installation has been added to smbd. To use this\r
+new feature please read the document:\r
+\r
+docs/PRINTER_DRIVER.txt\r
+\r
+Thanks to Jean-Francois Micouleau, and also Herb Lewis\r
+of Silicon Graphics for this new code.\r
+\r
+Printer support on System V systems (notably Solaris)\r
+has been improved with the addition of code generously\r
+donated by Norm Jacobs of Sun Microsystems. Sun have\r
+also made a Solaris SPARC workstation available to the\r
+Samba Team to aid in their porting efforts.\r
+\r
+\r
+Changed code.\r
+-------------\r
+\r
+Samba no longer needs the libdes library to support\r
+encrypted passwords. Samba now contains a restricted\r
+version of DES that can only be used for authentication\r
+purposes (to comply with the USA export encryption\r
+regulations and to allow USA Mirror sites to carry\r
+Samba source code). The 'encrypt passwords' parameter\r
+may now be used without recompiling.\r
+\r
+Much of the internals of Samba has been re-structured\r
+to support the oplock and Domain controller changes.\r
+\r
+Samba now contains an implementation of share modes\r
+using System V shared memory as well as the mmap()\r
+based code. This was done to allow the 'FAST_SHARE_MODES'\r
+to be used on more systems (especially HPUX 9.x) that\r
+have System V shared memory, but not the mmap() call.\r
+\r
+The System V shared memory code is used by default on\r
+many systems as it has benchmarked as faster on many\r
+systems.\r
+\r
+The Automount code has been slightly re-shuffled, such\r
+that the home directory (and profile location) can be\r
+specified by \\%N\homes and \\%N\homes\profiles\r
+respectively, which are the defaults for these values.\r
+If -DAUTOMOUNT is enabled, then %N is the server\r
+component of the user's NIS auto.home entry. Obviously,\r
+you will need to be running Samba on the user's home\r
+server as well as the one they just logged in on.\r
+\r
+The RPC Domain code has been moved into a separate directory\r
+rpc_pipe/, and a LGPL License issued specifically for code\r
+in this directory. This is so that people can use this\r
+code in other projects.\r
+\r
+Missing feature.\r
+----------------\r
+\r
+One feature that we wanted to get into this release\r
+that was not possible due to the re-write of the nmbd\r
+code was the scalability features in the Samba WINS server.\r
+This feature is now tentatively scheduled for the next\r
+release (1.9.19). Apologies to anyone who was hoping\r
+for this feature to be included. The nmbd re-write\r
+will make it much easier to add such things in future.\r
+\r
+New parameters in smb.conf.\r
+---------------------------\r
+\r
+New Global parameters.\r
+----------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "bind interfaces only"\r
+\r
+ "lm announce"\r
+ "lm interval"\r
+\r
+ "logon drive"\r
+ "logon home"\r
+\r
+ "min wins ttl"\r
+ "max wins ttl"\r
+\r
+ "username level"\r
+\r
+New Share level parameters.\r
+---------------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "delete veto files"\r
+ "oplocks"\r
+\r
+Nascent web interface for configuration.\r
+----------------------------------------\r
+\r
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can\r
+also be run standalone. This is in a very early stage of development.\r
+\r
+Debugging support.\r
+------------------\r
+\r
+smbd and nmbd will now modify their debug log level when\r
+they receive a USR1 signal (increase debug level by one)\r
+and USR2 signal (decrease debug level by one). This has\r
+been added to aid administrators track down faults that\r
+only occur after long periods of time, or transiently.\r
+\r
+Reporting bugs.\r
+---------------\r
+\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Please state the version number of Samba that\r
+you are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+-----------------end release notes----------------\r
+</pre>\r
+\r
+</body>\r
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.18p3.</h3>\r
+\r
+<pre>\r
+It may be fetched via ftp from :\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p3.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p3.tar.gz</a>\r
+\r
+This is a bugfix release, designed to address issues\r
+that users have reported with the 1.9.18p2 release.\r
+\r
+Defects fixed include using Samba with Visual C++ \r
+(the 'file changed' dialog defect), running out of \r
+file handles when using oplocks, and a packet \r
+padding ambiguity that could cause Windows 95 to \r
+hang on some rare occasions. For the full list of \r
+changes please see the release notes below.\r
+\r
+Binary packages are also available for the following\r
+operating systems :\r
+\r
+Caldera Linux.\r
+--------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/caldera">ftp://samba.org/pub/samba/Binary_Packages/caldera</a>\r
+\r
+Red Hat Linux 4.2 Intel, 5.0 Intel and Alpha.\r
+---------------------------------------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/redhat">ftp://samba.org/pub/samba/Binary_Packages/redhat</a>\r
+\r
+Slackware Linux.\r
+----------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/Slackware">ftp://samba.org/pub/samba/Binary_Packages/Slackware</a>\r
+\r
+SGI IRIX.\r
+---------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/IRIX">ftp://samba.org/pub/samba/Binary_Packages/IRIX</a>\r
+\r
+Digital Unix OSF1 alpha.\r
+------------------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/DigitalUnix">ftp://samba.org/pub/samba/Binary_Packages/DigitalUnix</a>\r
+\r
+\r
+The Samba Team is preparing to issue a CD distribution of each \r
+stable release of the Samba SMB server. Contributions under\r
+Free Software licenses would be very welcome. Please read the\r
+full text of the announcement at :\r
+\r
+<a href="/samba/sambacd.html">http://samba.org/samba/sambacd.html</a>\r
+\r
+Here are the release notes. Remember, all bugs\r
+are our responsibility - please report them\r
+to <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+-------------------------------------------------------------\r
+\r
+ WHATS NEW IN 1.9.18p3 - February 18th 1998.\r
+ ===========================================\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+New Parameters\r
+--------------\r
+\r
+Two new paramters were added - these are :\r
+\r
+In the [global] section of smb.conf :\r
+\r
+networkstation user login\r
+\r
+This code (submitted by Rob Nielsen) allows the code many people \r
+were having problems with that queries an NT password server to \r
+be turned off at runtime rather than compile time. Please see the \r
+documentation in the smb.conf manual page for details. This is a \r
+security option - it must only be turned off after checks have been\r
+made to ensure that your NT password server does not suffer from the\r
+bug this code was meant to protect against !\r
+\r
+In the [global] or services section of smb.conf :\r
+\r
+dos filetime resolution\r
+\r
+Setting this paramter to true fixes the problem that people using \r
+Microsoft Visual C++ and Samba 1.9.18 were having with files being \r
+reported as changed. Please see the documentation in the smb.conf \r
+manual page for details.\r
+\r
+Bugfixes added since 1.9.18p2\r
+-----------------------------\r
+\r
+1). Fix to cause oplocked files to be broken when open\r
+file table is full before giving up and reporting 'too\r
+many open files'. This fix seems to help many applications\r
+on Win95.\r
+2). Fix to stop extra files being closed in user logoff\r
+code.\r
+3). Fix to stop padded packet being returned on\r
+trans2 call. This bug could cause Windows 95 to freeze\r
+on some (rare) occasions.\r
+4). Added fix for Visual C++ filetime changes (see above).\r
+5). Made security check code an option (see above).\r
+6). Fixed printer job enumeration in smbclient.\r
+7). Re-added code into smbclient that causes it to do NetBIOS\r
+broadcast name lookups (as it used to in 1.9.17).\r
+8). Fixed code dump bug in smbtar.\r
+9). Fixed mapping code between Appletalk and Kanji filenames.\r
+10). Tuned shared memory size based on open file table size.\r
+11). Made nmbd log file names consistant with smbd.\r
+12). Fixed nmbd problem where packet queues could grow\r
+without bound when connection to WINS server was down.\r
+13). Fix for DCE login code.\r
+14). Fix for system V printing to remove extra space\r
+in printer name.\r
+15). Patch to add a new substitution paramter (%p) in\r
+a service patchname. Adds NIS home path (see the man page\r
+on smb.conf for details). Patch from Julian Field.\r
+16). Fix to stop smbpassword code from failing when\r
+parsing invalid uid fields.\r
+17). Made volume serial number constant based on machine\r
+and service name.\r
+18). Added expand environment variables code from Branko \r
+Cibej. See the man page on smb.conf for details.\r
+19). Fixed warnings in change_lanman_password code.\r
+\r
+\r
+Bugfixes added since 1.9.18p1\r
+-----------------------------\r
+\r
+1). A deadlock condition in the oplock code has been found\r
+and fixed. This occured under heavy load at large sites. Several\r
+of the sites who reported the original problem have now been \r
+testing the code in this (1.9.18p2) release for a week now with\r
+no problems (previously the problem occurred within 3-6 hours).\r
+(Thanks to Peter Crawshaw of Mount Allison University for\r
+his great help in tracking down this bug).\r
+2). Fix for a share level security problem that caused \r
+'valid users' not to work correctly.\r
+3). Addition of Russian code page support.\r
+4). Fix to the password changing code (thanks to Randy Boring\r
+at Thursby Software Systems for this).\r
+5). More fixes to the Windows 95 printer driver support\r
+code from Herb Lewis at SGI.\r
+6). Two NetBIOS over TCP source name type fixes in nmbd.\r
+7). Memory leak in the dynamic loading of services in an\r
+smb.conf file fixed.\r
+8). LPRng parsing code fix.\r
+9). Fix to try and return a 'best guess' of create time\r
+under UNIX (which doens't store such a file attribute).\r
+10). Added parameters to samba/examples/smb.conf.default file :\r
+Remote announce, Remote browse sync, username map, filename\r
+case preservation and sensitivity options.\r
+11). Reply to trans2 calls now aligns all parameters and\r
+data on 4 byte boundary.\r
+12). Fixed SIGTERM bug where nmbd would hang on exit.\r
+13). Fixed WINS server bug to allow spaces in WINS names.\r
+\r
+Bugfixes added since 1.9.18\r
+---------------------------\r
+\r
+1). Fix for oplock-break problem. If an open crossed\r
+with an oplock break on the wire it was possible for the \r
+same fnum to be re-used. This caused a rare but fatal\r
+problem.\r
+2). Fix for adding printers to Windows NT 4.x. Now\r
+return correct "no space error" when buffer of zero \r
+given.\r
+3). Fix for nmbd core dumps when running on architectures\r
+that cannot access structures on non-aligned boundaries\r
+(sparc, alpha etc).\r
+4). Compiler warnings in nmbd fixed.\r
+5). Makefile updated for Linux 2.0 versions (new smbmount\r
+commands should only be compiled for 2.1.x kernels).\r
+6). Addition of a timestamp to attack warning messages.\r
+\r
+Changes in 1.9.18.\r
+------------------\r
+\r
+This release contains several major changes and much re-written \r
+code.\r
+\r
+The main changes are :\r
+\r
+1). Oplock support now operational.\r
+-----------------------------------\r
+\r
+Samba now supports 'exclusive' and 'batch' oplocks.\r
+These are an advanced networked file system feature\r
+that allows clients to obtain a exclusive use of a \r
+file. This allows a client to cache any changes it\r
+makes locally, and greatly improves performance.\r
+\r
+Windows NT has this feature and prior to this\r
+release this was one of the reasons Windows NT\r
+could be faster in some situations. Samba has\r
+now been benchmarked as out performing Windows\r
+NT on equivalently priced hardware.\r
+\r
+The oplock code in Samba has been extensively\r
+tested and is believed to be completely stable.\r
+\r
+Please report any problems to the samba-bugs alias.\r
+\r
+2). NetBIOS name daemon re-written.\r
+-----------------------------------\r
+\r
+The old nmbd that has caused some users problems\r
+has now been completely re-written and now is\r
+much easier to maintain and add changes to.\r
+\r
+Changes include support for multi-homed hosts\r
+in the same way as an NT Server with multiple\r
+IP interfaces behaves (registers with the WINS\r
+server as a multi-homed name type), and also\r
+support for multi-homed name registration in\r
+the Samba WINS server. Another added feature\r
+is robustness in the face of WINS server failure,\r
+nmbd will now keep trying to contact the WINS \r
+server until it is successful, in the same\r
+way as an NT Server.\r
+\r
+Also in this release is an implementation\r
+of the Lanman announce protocol used by\r
+OS/2 clients. Thanks to Jacco de Leeuw for \r
+this code.\r
+\r
+3). New Internationalization support.\r
+-------------------------------------\r
+\r
+With this release Samba no longer needs to be\r
+separately compiled for Japanese (Kanji) support,\r
+the same binary will serve both Kanji and non-Kanji\r
+clients.\r
+\r
+A new method of dynamically loading client code pages\r
+has been added to allow the case insensitivity to\r
+be done dependent on the code page of the client.\r
+\r
+Note that Samba still will only handle one client\r
+code page at a time. This will be fixed when\r
+Samba is fully UNICODE enabled.\r
+\r
+Please see the new man page for make_smbcodepage\r
+for details on adding additional client code page\r
+support.\r
+\r
+4). New Printing support.\r
+-------------------------\r
+\r
+An implementation of the Windows 95 automatic printer\r
+driver installation has been added to smbd. To use this\r
+new feature please read the document:\r
+\r
+docs/PRINTER_DRIVER.txt\r
+\r
+Thanks to Jean-Francois Micouleau, and also Herb Lewis\r
+of Silicon Graphics for this new code.\r
+\r
+Printer support on System V systems (notably Solaris)\r
+has been improved with the addition of code generously\r
+donated by Norm Jacobs of Sun Microsystems. Sun have\r
+also made a Solaris SPARC workstation available to the\r
+Samba Team to aid in their porting efforts.\r
+\r
+\r
+Changed code.\r
+-------------\r
+\r
+Samba no longer needs the libdes library to support\r
+encrypted passwords. Samba now contains a restricted\r
+version of DES that can only be used for authentication\r
+purposes (to comply with the USA export encryption\r
+regulations and to allow USA Mirror sites to carry\r
+Samba source code). The 'encrypt passwords' parameter\r
+may now be used without recompiling.\r
+\r
+Much of the internals of Samba has been re-structured\r
+to support the oplock and Domain controller changes.\r
+\r
+Samba now contains an implementation of share modes\r
+using System V shared memory as well as the mmap()\r
+based code. This was done to allow the 'FAST_SHARE_MODES'\r
+to be used on more systems (especially HPUX 9.x) that\r
+have System V shared memory, but not the mmap() call.\r
+\r
+The System V shared memory code is used by default on\r
+many systems as it has benchmarked as faster on many\r
+systems.\r
+\r
+The Automount code has been slightly re-shuffled, such\r
+that the home directory (and profile location) can be\r
+specified by \\%N\homes and \\%N\homes\profiles\r
+respectively, which are the defaults for these values.\r
+If -DAUTOMOUNT is enabled, then %N is the server\r
+component of the user's NIS auto.home entry. Obviously,\r
+you will need to be running Samba on the user's home\r
+server as well as the one they just logged in on.\r
+\r
+The RPC Domain code has been moved into a separate directory\r
+rpc_pipe/, and a LGPL License issued specifically for code\r
+in this directory. This is so that people can use this\r
+code in other projects.\r
+\r
+Missing feature.\r
+----------------\r
+\r
+One feature that we wanted to get into this release\r
+that was not possible due to the re-write of the nmbd\r
+code was the scalability features in the Samba WINS server.\r
+This feature is now tentatively scheduled for the next\r
+release (1.9.19). Apologies to anyone who was hoping\r
+for this feature to be included. The nmbd re-write\r
+will make it much easier to add such things in future.\r
+\r
+New parameters in smb.conf.\r
+---------------------------\r
+\r
+New Global parameters.\r
+----------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "bind interfaces only"\r
+\r
+ "lm announce"\r
+ "lm interval"\r
+\r
+ "logon drive"\r
+ "logon home"\r
+\r
+ "min wins ttl"\r
+ "max wins ttl"\r
+\r
+ "username level"\r
+\r
+New Share level parameters.\r
+---------------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "delete veto files"\r
+ "oplocks"\r
+\r
+Nascent web interface for configuration.\r
+----------------------------------------\r
+\r
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can\r
+also be run standalone. This is in a very early stage of development.\r
+\r
+Debugging support.\r
+------------------\r
+\r
+smbd and nmbd will now modify their debug log level when\r
+they receive a USR1 signal (increase debug level by one)\r
+and USR2 signal (decrease debug level by one). This has\r
+been added to aid administrators track down faults that\r
+only occur after long periods of time, or transiently.\r
+\r
+Reporting bugs.\r
+---------------\r
+\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Please state the version number of Samba that\r
+you are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>\r
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml">\r
+\r
+<head>\r
+<title>Samba - Release Notes Archive</title>\r
+</head>\r
+\r
+<body>\r
+\r
+<h3>The Samba Team are pleased to announce Samba 1.9.18p4.</h3>\r
+\r
+<pre>\r
+The Samba Team are pleased to announce Samba 1.9.18p4.\r
+\r
+It may be fetched via ftp from :\r
+\r
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p4.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p4.tar.gz</a>\r
+\r
+This is a bugfix release, designed to address issues\r
+that users have reported with the 1.9.18p3 release.\r
+\r
+There is some new functionality, described below.\r
+\r
+Password Changing.\r
+------------------\r
+\r
+Samba now supports Windows 95 clients changing both\r
+their SMB and UNIX passwords. Samba must be set up\r
+with encrypted passwords for this to work correctly.\r
+See the file docs/ENCRYPTION.txt and the list of\r
+new parameters in the release notes below for details.\r
+\r
+Samba can also now change Windows NT user passwords from\r
+a UNIX machine. Read the documentation of the command\r
+smbpasswd for details on how to change an NT user\r
+password from a UNIX machine with Samba installed.\r
+\r
+Name Resolution Order.\r
+----------------------\r
+\r
+Samba now supports a administrator defined name\r
+resolution order. This includes using WINS, broadcast,\r
+local lmhosts and DNS lookups to resolve host names.\r
+All the relevent Samba tools have been upgraded to\r
+use the selected name resolution mechanisms when\r
+resolving host names. Name resolution can now be \r
+changed to use only the defined methods, in the\r
+defined order. By default Samba 1.9.18p4 uses the \r
+same name lookup mechanisms in the same order as \r
+Samba 1.9.18p3.\r
+\r
+Korean and Traditional Chinese Character support.\r
+-------------------------------------------------\r
+\r
+Samba has been changed to allow easier multibyte\r
+character support. As a result the multibyte support\r
+has been extended from Japanese to include Korean\r
+Hangul and Traditional Chinese.\r
+\r
+Binary Packages\r
+---------------\r
+\r
+Binary packages are also available for the following\r
+operating systems :\r
+\r
+Caldera Linux.\r
+--------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/caldera">ftp://samba.org/pub/samba/Binary_Packages/caldera</a>\r
+\r
+Red Hat Linux 4.2 Intel, 5.0 Intel and Alpha.\r
+---------------------------------------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/redhat">ftp://samba.org/pub/samba/Binary_Packages/redhat</a>\r
+\r
+SGI IRIX.\r
+---------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/IRIX">ftp://samba.org/pub/samba/Binary_Packages/IRIX</a>\r
+\r
+Digital Unix OSF1 alpha.\r
+------------------------\r
+<a href="ftp://samba.org/pub/samba/Binary_Packages/DigitalUnix">ftp://samba.org/pub/samba/Binary_Packages/DigitalUnix</a>\r
+\r
+Here are the release notes. Remember, all bugs\r
+are our responsibility - please report them\r
+to <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+\r
+-------------------------------------------------------------\r
+ WHATS NEW IN 1.9.18p4 - March 27th 1998.\r
+ ===========================================\r
+\r
+This is the latest stable release of Samba. This is the\r
+version that all production Samba servers should be running\r
+for all current bug-fixes.\r
+\r
+Note that most Samba Team effort is now going into working on the\r
+next major release which should contain some Windows NT Domain \r
+features. It is intended that any future work on the 1.9.18 series\r
+be maintenance only fixes.\r
+\r
+An announcement will be made when the first alpha release of the next\r
+Samba series is available.\r
+\r
+Added features in 1.9.18p4\r
+--------------------------\r
+\r
+Changing passwords now supported\r
+--------------------------------\r
+\r
+Samba now supports changing the SMB password from a Windows 95 client,\r
+using the standard Windows 95 password changing dialog. Note that by\r
+default\r
+this changes the SMB password, not the UNIX password (Samba must be set\r
+up\r
+with encrypted passwords in order to support this).\r
+\r
+The smbpasswd program has been re-written to take advantage of this\r
+feature, and now has no need to be a setuid root program, thus\r
+eliminating\r
+a potential security hole. As a side effect of this change smbpasswd\r
+can now be used on a UNIX machine to change users passwords on an NT\r
+machine.\r
+\r
+The new password changing code can also synchronize a users UNIX\r
+password at the same time a SMB password is being changed, if Samba\r
+is compiled with password changing enabled, and the new parameter\r
+'unix password sync' is set to True. By default this is off, as\r
+it allows the password change program to be called as root, which\r
+may be considered a security problem at some sites.\r
+\r
+Name resolution order now user selectable\r
+-----------------------------------------\r
+\r
+The resolution of NetBIOS names into IP addresses can be done in\r
+several different ways (broadcast, lmhosts, DNS lookup, WINS). \r
+Previous versions of Samba were inconsistant in which commands\r
+used which methods to look up IP addresses from a name. New in\r
+this version is a parameter (name resolve order, mentioned in\r
+the new parameters list below) that allows administrators to\r
+select the methods of name resolution, and the order in which\r
+such methods are applied. All Samba utilities have been changed\r
+to use the new name to IP address name resolution code and\r
+so this can be controlled from a central place.\r
+\r
+Expanded multi-byte character support\r
+-------------------------------------\r
+\r
+In previous versions of Samba, Kanji (Japanese) character \r
+support was treated as a special case, making it the only\r
+multi-byte character set natively supported in Samba. New\r
+code has been added to generalize the multi-byte codepage\r
+support, with the effect that other multibyte codepage support\r
+can be easily added. The new codepages that this version\r
+ships with are Korean Hangul and Traditional Chinese.\r
+\r
+New Parameters in 1.9.18p4\r
+--------------------------\r
+\r
+name resolve order = lmhosts wins hosts bcast\r
+\r
+This parameter allows control over the order in which netbios name to\r
+IP Address resolution is attempted. Any method NOT specified will be\r
+excluded from the name resolution process. If this parameter is not\r
+specified then the above default order will be observed - this is\r
+consistent with prior releases. See the smb.conf and smbclient man\r
+pages for full details. See the above text for the announcement on\r
+this feature.\r
+\r
+fake directory create times\r
+\r
+This parameter is a compatibility option for software developers\r
+using Microsoft NMAKE make tool, saving files onto a Samba share.\r
+Setting this parameter to true causes Samba to lie to the client\r
+about the creation time of a directory, so NMAKE commands don't\r
+re-compile every file.\r
+\r
+unix password sync\r
+\r
+This parameter is set to False by default. When set to True, it\r
+causes Samba to attempt to synchronize the users UNIX password\r
+when a user is changing their SMB password. This causes the\r
+password change program to be run as root (as the new password\r
+change code has no access to the plaintext of the old password).\r
+Because of this, it is set off by default to allow sites to\r
+set their own security policy regarding UNIX and SMB password\r
+synchronization.\r
+\r
+This parameter has no effect if Samba has been compiled without\r
+password changing enabled.\r
+\r
+Changed compile-time default in 1.9.18p4\r
+----------------------------------------\r
+\r
+The maximum length of a printer share name has now been increased to 15\r
+characters - the same as file share names. Any one who needs to revert\r
+back\r
+to 8 character printer share name support can do so by adjusting the\r
+#define\r
+in local.h.\r
+\r
+Bugfixes added since 1.9.18p3\r
+-----------------------------\r
+\r
+1). Fix for nmbd leaving the child nmbd running when doing DNS\r
+lookups as a WINS server.\r
+2). Fix core dump in smbd when acting as a logon server with \r
+security=share.\r
+3). Workaround for a bug in FTP OnNet software NBT implementation.\r
+It does a broadcast name release for WORKGROUP<0> and WORKGROUP<1e>\r
+names and don't set the group bit.\r
+4). Ensure all the NetBIOS aliases are added to all the known \r
+interfaces on nmbd initialization.\r
+5). Fix bug in multiple query name responses print code.\r
+6). Fix to send out mailslot reply on correct interface.\r
+7). Fix retranmission queue to scan WINS server subnet so\r
+nmbd retransmits queries needed when acting as a WINS server.\r
+Thanks to Andrey Alekseyev <<a href="mailto:fetch@muffin.arcadia.spb.ru">fetch@muffin.arcadia.spb.ru</a>> for\r
+spotting this one.\r
+8). Send host announcement to correct 0x1d name rather than\r
+0x1e name.\r
+9). Fix for WINS server when returning multi-homed record,\r
+was returning one garbage IP address.\r
+10). Fix for Thursby Software's 'Dave' client - ensure\r
+that a vuid of zero is always returned for them when in\r
+share level security (the spec say's it shouldn't matter,\r
+but it was causing them grief).\r
+11). Added KRB4 authentication code.\r
+12). Fix to allow max printer name to be 15 characters (see above).\r
+13). Fix for name mangling cache bug - cache wasn't being\r
+used in some cases.\r
+14). Fix for RH5.0 broken system V shared memory include\r
+files.\r
+15). Fix for broken redirector use of resume keys between\r
+deletes in a directory. Samba now returns zero as resume\r
+keys (as does NT) and uses the resume filename instead.\r
+16). Fix for systems that have a broken implementation\r
+of isalnum() - was causing gethostbyname to fail.\r
+17). Fix for 'hide files' bug not working correctly (bug\r
+in is_in_path function - fix from Steven Hartland \r
+<<a href="mailto:steven_hartland@pa.press.net">steven_hartland@pa.press.net</a>>.\r
+18). Fixed bug in smbclient where debug log level on the\r
+command line was being overridden by the log level in smb.conf.\r
+19). Fixed bug in USE_MMAP code where client sending\r
+a silly offset to readraw could cause a smbd core dump.\r
+\r
+Bugfixes added since 1.9.18p2\r
+-----------------------------\r
+\r
+1). Fix to cause oplocked files to be broken when open\r
+file table is full before giving up and reporting 'too\r
+many open files'. This fix seems to help many applications\r
+on Win95.\r
+2). Fix to stop extra files being closed in user logoff\r
+code.\r
+3). Fix to stop padded packet being returned on\r
+trans2 call. This bug could cause Windows 95 to freeze\r
+on some (rare) occasions.\r
+4). Added fix for Visual C++ filetime changes (see above).\r
+5). Made security check code an option (see above).\r
+6). Fixed printer job enumeration in smbclient.\r
+7). Re-added code into smbclient that causes it to do NetBIOS\r
+broadcast name lookups (as it used to in 1.9.17).\r
+8). Fixed code dump bug in smbtar.\r
+9). Fixed mapping code between Appletalk and Kanji filenames.\r
+10). Tuned shared memory size based on open file table size.\r
+11). Made nmbd log file names consistant with smbd.\r
+12). Fixed nmbd problem where packet queues could grow\r
+without bound when connection to WINS server was down.\r
+13). Fix for DCE login code.\r
+14). Fix for system V printing to remove extra space\r
+in printer name.\r
+15). Patch to add a new substitution paramter (%p) in\r
+a service patchname. Adds NIS home path (see the man page\r
+on smb.conf for details). Patch from Julian Field.\r
+16). Fix to stop smbpassword code from failing when\r
+parsing invalid uid fields.\r
+17). Made volume serial number constant based on machine\r
+and service name.\r
+18). Added expand environment variables code from Branko \r
+Cibej. See the man page on smb.conf for details.\r
+19). Fixed warnings in change_lanman_password code.\r
+\r
+\r
+Bugfixes added since 1.9.18p1\r
+-----------------------------\r
+\r
+1). A deadlock condition in the oplock code has been found\r
+and fixed. This occured under heavy load at large sites. Several\r
+of the sites who reported the original problem have now been \r
+testing the code in this (1.9.18p2) release for a week now with\r
+no problems (previously the problem occurred within 3-6 hours).\r
+(Thanks to Peter Crawshaw of Mount Allison University for\r
+his great help in tracking down this bug).\r
+2). Fix for a share level security problem that caused \r
+'valid users' not to work correctly.\r
+3). Addition of Russian code page support.\r
+4). Fix to the password changing code (thanks to Randy Boring\r
+at Thursby Software Systems for this).\r
+5). More fixes to the Windows 95 printer driver support\r
+code from Herb Lewis at SGI.\r
+6). Two NetBIOS over TCP source name type fixes in nmbd.\r
+7). Memory leak in the dynamic loading of services in an\r
+smb.conf file fixed.\r
+8). LPRng parsing code fix.\r
+9). Fix to try and return a 'best guess' of create time\r
+under UNIX (which doens't store such a file attribute).\r
+10). Added parameters to samba/examples/smb.conf.default file :\r
+Remote announce, Remote browse sync, username map, filename\r
+case preservation and sensitivity options.\r
+11). Reply to trans2 calls now aligns all parameters and\r
+data on 4 byte boundary.\r
+12). Fixed SIGTERM bug where nmbd would hang on exit.\r
+13). Fixed WINS server bug to allow spaces in WINS names.\r
+\r
+Bugfixes added since 1.9.18\r
+---------------------------\r
+\r
+1). Fix for oplock-break problem. If an open crossed\r
+with an oplock break on the wire it was possible for the \r
+same fnum to be re-used. This caused a rare but fatal\r
+problem.\r
+2). Fix for adding printers to Windows NT 4.x. Now\r
+return correct "no space error" when buffer of zero \r
+given.\r
+3). Fix for nmbd core dumps when running on architectures\r
+that cannot access structures on non-aligned boundaries\r
+(sparc, alpha etc).\r
+4). Compiler warnings in nmbd fixed.\r
+5). Makefile updated for Linux 2.0 versions (new smbmount\r
+commands should only be compiled for 2.1.x kernels).\r
+6). Addition of a timestamp to attack warning messages.\r
+\r
+Changes in 1.9.18.\r
+------------------\r
+\r
+This release contains several major changes and much re-written \r
+code.\r
+\r
+The main changes are :\r
+\r
+1). Oplock support now operational.\r
+-----------------------------------\r
+\r
+Samba now supports 'exclusive' and 'batch' oplocks.\r
+These are an advanced networked file system feature\r
+that allows clients to obtain a exclusive use of a \r
+file. This allows a client to cache any changes it\r
+makes locally, and greatly improves performance.\r
+\r
+Windows NT has this feature and prior to this\r
+release this was one of the reasons Windows NT\r
+could be faster in some situations. Samba has\r
+now been benchmarked as out performing Windows\r
+NT on equivalently priced hardware.\r
+\r
+The oplock code in Samba has been extensively\r
+tested and is believed to be completely stable.\r
+\r
+Please report any problems to the samba-bugs alias.\r
+\r
+2). NetBIOS name daemon re-written.\r
+-----------------------------------\r
+\r
+The old nmbd that has caused some users problems\r
+has now been completely re-written and now is\r
+much easier to maintain and add changes to.\r
+\r
+Changes include support for multi-homed hosts\r
+in the same way as an NT Server with multiple\r
+IP interfaces behaves (registers with the WINS\r
+server as a multi-homed name type), and also\r
+support for multi-homed name registration in\r
+the Samba WINS server. Another added feature\r
+is robustness in the face of WINS server failure,\r
+nmbd will now keep trying to contact the WINS \r
+server until it is successful, in the same\r
+way as an NT Server.\r
+\r
+Also in this release is an implementation\r
+of the Lanman announce protocol used by\r
+OS/2 clients. Thanks to Jacco de Leeuw for \r
+this code.\r
+\r
+3). New Internationalization support.\r
+-------------------------------------\r
+\r
+With this release Samba no longer needs to be\r
+separately compiled for Japanese (Kanji) support,\r
+the same binary will serve both Kanji and non-Kanji\r
+clients.\r
+\r
+A new method of dynamically loading client code pages\r
+has been added to allow the case insensitivity to\r
+be done dependent on the code page of the client.\r
+\r
+Note that Samba still will only handle one client\r
+code page at a time. This will be fixed when\r
+Samba is fully UNICODE enabled.\r
+\r
+Please see the new man page for make_smbcodepage\r
+for details on adding additional client code page\r
+support.\r
+\r
+4). New Printing support.\r
+-------------------------\r
+\r
+An implementation of the Windows 95 automatic printer\r
+driver installation has been added to smbd. To use this\r
+new feature please read the document:\r
+\r
+docs/PRINTER_DRIVER.txt\r
+\r
+Thanks to Jean-Francois Micouleau, and also Herb Lewis\r
+of Silicon Graphics for this new code.\r
+\r
+Printer support on System V systems (notably Solaris)\r
+has been improved with the addition of code generously\r
+donated by Norm Jacobs of Sun Microsystems. Sun have\r
+also made a Solaris SPARC workstation available to the\r
+Samba Team to aid in their porting efforts.\r
+\r
+\r
+Changed code.\r
+-------------\r
+\r
+Samba no longer needs the libdes library to support\r
+encrypted passwords. Samba now contains a restricted\r
+version of DES that can only be used for authentication\r
+purposes (to comply with the USA export encryption\r
+regulations and to allow USA Mirror sites to carry\r
+Samba source code). The 'encrypt passwords' parameter\r
+may now be used without recompiling.\r
+\r
+Much of the internals of Samba has been re-structured\r
+to support the oplock and Domain controller changes.\r
+\r
+Samba now contains an implementation of share modes\r
+using System V shared memory as well as the mmap()\r
+based code. This was done to allow the 'FAST_SHARE_MODES'\r
+to be used on more systems (especially HPUX 9.x) that\r
+have System V shared memory, but not the mmap() call.\r
+\r
+The System V shared memory code is used by default on\r
+many systems as it has benchmarked as faster on many\r
+systems.\r
+\r
+The Automount code has been slightly re-shuffled, such\r
+that the home directory (and profile location) can be\r
+specified by \\%N\homes and \\%N\homes\profiles\r
+respectively, which are the defaults for these values.\r
+If -DAUTOMOUNT is enabled, then %N is the server\r
+component of the user's NIS auto.home entry. Obviously,\r
+you will need to be running Samba on the user's home\r
+server as well as the one they just logged in on.\r
+\r
+The RPC Domain code has been moved into a separate directory\r
+rpc_pipe/, and a LGPL License issued specifically for code\r
+in this directory. This is so that people can use this\r
+code in other projects.\r
+\r
+Missing feature.\r
+----------------\r
+\r
+One feature that we wanted to get into this release\r
+that was not possible due to the re-write of the nmbd\r
+code was the scalability features in the Samba WINS server.\r
+This feature is now tentatively scheduled for the next\r
+release (1.9.19). Apologies to anyone who was hoping\r
+for this feature to be included. The nmbd re-write\r
+will make it much easier to add such things in future.\r
+\r
+New parameters in smb.conf.\r
+---------------------------\r
+\r
+New Global parameters.\r
+----------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "bind interfaces only"\r
+\r
+ "lm announce"\r
+ "lm interval"\r
+\r
+ "logon drive"\r
+ "logon home"\r
+\r
+ "min wins ttl"\r
+ "max wins ttl"\r
+\r
+ "username level"\r
+\r
+New Share level parameters.\r
+---------------------------\r
+\r
+Documented in the smb.conf man pages :\r
+\r
+ "delete veto files"\r
+ "oplocks"\r
+\r
+Nascent web interface for configuration.\r
+----------------------------------------\r
+\r
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can\r
+also be run standalone. This is in a very early stage of development.\r
+\r
+Debugging support.\r
+------------------\r
+\r
+smbd and nmbd will now modify their debug log level when\r
+they receive a USR1 signal (increase debug level by one)\r
+and USR2 signal (decrease debug level by one). This has\r
+been added to aid administrators track down faults that\r
+only occur after long periods of time, or transiently.\r
+\r
+Reporting bugs.\r
+---------------\r
+\r
+If you have problems, or think you have found a\r
+bug please email a report to :\r
+\r
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>\r
+\r
+Please state the version number of Samba that\r
+you are running, and *full details* of the steps\r
+we need to reproduce the problem.\r
+\r
+As always, all bugs are our responsibility.\r
+\r
+Regards,\r
+\r
+ The Samba Team.\r
+</pre>\r
+\r
+</body>\r
+</html>\r
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h3>The Samba Team are pleased to announce Samba 1.9.18p5.</h3>
+
+<pre>
+It may be fetched via ftp from :
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p5.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p5.tar.gz</a>
+
+This is a bugfix release, designed to address issues
+that users have reported with the 1.9.18p4 release.
+It is intended that the next Samba release will be an
+alpha of Samba 1.9.19, which will contain significant
+new functionality for integrating Samba into a Windows
+NT Domain environment.
+
+There is some new functionality in this release,
+described below.
+
+Encrypted Password Migration Support.
+-------------------------------------
+
+This code, donated by Bruce Tenison, allows sites that
+currently are using plaintext password authentication
+against a UNIX password database to migrate to encrypted
+SMB authentication by collecting users passwords as they
+log in, and updating a smbpasswd file with passwords
+deemed correct when checked against the UNIX password
+database. This allows a Samba administrator to set up
+a smbpasswd file and allow it to be updated as users
+log in, until all users encrypted passwords have been
+collected, and then turn Samba over to encrypted password
+support without disruption to the users or forcing them
+to re-enter all their passwords at changeover time.
+Details on this are in the release notes below.
+
+Improved smbtar support.
+------------------------
+
+The changes to smbtar by Richard Sharpe of the Samba Team
+were funded by Canon Information Systems Research Australia
+(CISRA). The Samba Team would like to thank Canon Information
+Systems Research Australia for their funding this effort, as
+such sponsorship advances the Samba project significantly.
+
+Simplified Chinese Character support added.
+-------------------------------------------
+
+Samba now supports the Simplified Chinese codepage (936)
+as well as Japanese, Korean, and Traditional Chinese
+codepages.
+
+Binary Packages
+---------------
+
+Binary packages are being prepared and will be available
+under the following ftp address by the end of the day,
+Monday May 11th 1998.
+
+<a href="ftp://samba.org/pub/samba/Binary_Packages/">ftp://samba.org/pub/samba/Binary_Packages/</a>
+
+Here are the release notes. Remember, all bugs
+are our responsibility - please report them
+to <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>.
+
+Regards,
+
+ The Samba Team.
+
+-------------------------------------------------------------
+ WHATS NEW IN 1.9.18p5 - May 8th 1998.
+ =====================================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+Note that most Samba Team effort is now going into working on the
+next major release which should contain some Windows NT Domain
+features. It is intended that any future work on the 1.9.18 series
+be maintenance only fixes.
+
+An announcement will be made when the first alpha release of the next
+Samba series is available.
+
+Added features in 1.9.18p5
+--------------------------
+
+New parameters
+--------------
+
+passwd chat debug
+
+This parameter is to allow Samba administrators to debug their password
+chat scripts more easily when they have "unix password sync" set. It is
+provided as a debugging convenience only and should be enabled only when
+debugging. Full documentation is in the smb.conf man page.
+
+update encrypted
+
+The code for this parameter was kindly donated by Bruce Tenison.
+If this parameter is set to "yes" (it defaults to "no") and an smbpasswd
+file exists containing all the valid users of a Samba system but
+no encrypted passwords (ie. the Lanman hash and NT hash entries in
+the file are set to "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"), then as
+users log in with plaintext passwords that are matched against
+their UNIX password entries, their plaintext passwords will be
+hashed and entered into the smbpasswd file. After all the users
+have successfully logged in using unencrypted passwords, the
+smbpasswd file will have the Lanman and NT hashes of these users
+UNIX passwords correctly stored. At that point the administrator
+can convert Samba to use encrypted passwords (and configure the
+Windows 95 and NT clients to send only encrypted passwords) and
+migrate to an encrypted setup without having to ask users to re-enter
+all their passwords explicitly. Note that to use this option the
+"encrypt passwords" parameter must be set to "no" when this option
+is set to "yes". See the smb.conf man page for up to date information
+on this parameter.
+
+Updates to smbtar
+-----------------
+
+The following changes were developed by Richard Sharpe for Canon
+Information
+Systems Research Australia (CISRA). The Samba Team would like to thank
+Canon Information Systems Research Australia for their funding this
+effort, as such sponsorship advances the Samba project significantly.
+
+ 1. Restore can now restore files with long file names
+ 2. Save now saves directory information so that we can restore
+ directory creation times
+ 3. tar now accepts both UNIX path names and DOS path names.
+
+New document in docs/ directory
+-------------------------------
+
+A new document, PROFILES.txt has been added to the docs/ directory.
+This is still a work in progress (currently consisting of a series
+of email exchanges) and will be updated over the coming releases.
+The document covers the task of getting roving profiles to work with
+a Samba server with Windows 95 and Windows NT clients.
+
+Bugfixes added since 1.9.18p4
+-----------------------------
+
+1). Samba should now compile cleanly with the gcc -Wstrict-prototypes
+option.
+2). New code page 852 tranlation table created by Petr Hubeny.
+3). New "update encrypted" parameter (described above).
+4). New "passwd chat debug" parameter (described above).
+5). Updates to smbtar (described above).
+6). Fix to do correct null session connections from nmbd and smbd.
+7). Synchronous open flag is now honoured.
+8). security=server now logs out correctly.
+9). Fix to stop long printer job listings causing Win95 and smbd to
+spin the CPU & network.
+10). Multibyte character fix that prevented the "character set"
+parameter
+working in 1.9.18p4.
+11). Fix for problems with security=share and the [homes] share.
+12). NIS+ patch to get home directory info.
+13). Added FTRUNCATE_NEEDS_ROOT define for systems with broken
+ftruncate()
+call.
+14). Fix for nmbd not allowing log append mode.
+15). Fix for nmbd as a WINS server doing a name query after a WACK with
+the 'recursion desired' bit set - this would cause problems if directed
+at a machine running a WINS server.
+16). Correctly ignore "become backup browser" requests, rather than
+logging them as a problem.
+17). Use compressed names correctly as requested by RFC1002.
+18). Workaround for bug where NT allows a guest logon and
+doesn't set the guest bit (in security=server mode).
+19). Added SOFTQ print type.
+20). Free filename on file close (long standing small memory leak fix).
+21). Fix for lp_defaultservice() getting overwritten by rotating string
+buffers.
+22). Print time in international, rather than USA, format.
+23). Fix to queue a trans2 open request when oplock break pending.
+24). Added Simplified Chinese codepage (936).
+25). Fixed expansion bug with %U, %G when multiple sessionsetups done
+in security > SHARE mode.
+26). Change to DEC enhanced mode security code to allow the same
+binary to work when in enhanced and basic security mode. This change
+affects
+all systems that define OSF1_ENH_SEC at compile time.
+
+Previous release notes for 1.9.18p4 follow.
+=========================================================================
+
+Added features in 1.9.18p4
+--------------------------
+
+Changing passwords now supported
+--------------------------------
+
+Samba now supports changing the SMB password from a Windows 95 client,
+using the standard Windows 95 password changing dialog. Note that by
+default this changes the SMB password, not the UNIX password (Samba
+must be set up with encrypted passwords in order to support this).
+
+The smbpasswd program has been re-written to take advantage of this
+feature, and now has no need to be a setuid root program, thus
+eliminating
+a potential security hole. As a side effect of this change smbpasswd
+can now be used on a UNIX machine to change users passwords on an NT
+machine.
+
+The new password changing code can also synchronize a users UNIX
+password at the same time a SMB password is being changed, if Samba
+is compiled with password changing enabled, and the new parameter
+'unix password sync' is set to True. By default this is off, as
+it allows the password change program to be called as root, which
+may be considered a security problem at some sites.
+
+Name resolution order now user selectable
+-----------------------------------------
+
+The resolution of NetBIOS names into IP addresses can be done in
+several different ways (broadcast, lmhosts, DNS lookup, WINS).
+Previous versions of Samba were inconsistant in which commands
+used which methods to look up IP addresses from a name. New in
+this version is a parameter (name resolve order, mentioned in
+the new parameters list below) that allows administrators to
+select the methods of name resolution, and the order in which
+such methods are applied. All Samba utilities have been changed
+to use the new name to IP address name resolution code and
+so this can be controlled from a central place.
+
+Expanded multi-byte character support
+-------------------------------------
+
+In previous versions of Samba, Kanji (Japanese) character
+support was treated as a special case, making it the only
+multi-byte character set natively supported in Samba. New
+code has been added to generalize the multi-byte codepage
+support, with the effect that other multibyte codepage support
+can be easily added. The new codepages that this version
+ships with are Korean Hangul and Traditional Chinese.
+
+New Parameters in 1.9.18p4
+--------------------------
+
+name resolve order = lmhosts wins hosts bcast
+
+This parameter allows control over the order in which netbios name to
+IP Address resolution is attempted. Any method NOT specified will be
+excluded from the name resolution process. If this parameter is not
+specified then the above default order will be observed - this is
+consistent with prior releases. See the smb.conf and smbclient man
+pages for full details. See the above text for the announcement on
+this feature.
+
+fake directory create times
+
+This parameter is a compatibility option for software developers
+using Microsoft NMAKE make tool, saving files onto a Samba share.
+Setting this parameter to true causes Samba to lie to the client
+about the creation time of a directory, so NMAKE commands don't
+re-compile every file.
+
+unix password sync
+
+This parameter is set to False by default. When set to True, it
+causes Samba to attempt to synchronize the users UNIX password
+when a user is changing their SMB password. This causes the
+password change program to be run as root (as the new password
+change code has no access to the plaintext of the old password).
+Because of this, it is set off by default to allow sites to
+set their own security policy regarding UNIX and SMB password
+synchronization.
+
+This parameter has no effect if Samba has been compiled without
+password changing enabled.
+
+Changed compile-time default in 1.9.18p4
+----------------------------------------
+
+The maximum length of a printer share name has now been increased to 15
+characters - the same as file share names. Any one who needs to revert
+back
+to 8 character printer share name support can do so by adjusting the
+#define
+in local.h.
+
+Bugfixes added since 1.9.18p3
+-----------------------------
+
+1). Fix for nmbd leaving the child nmbd running when doing DNS
+lookups as a WINS server.
+2). Fix core dump in smbd when acting as a logon server with
+security=share.
+3). Workaround for a bug in FTP OnNet software NBT implementation.
+It does a broadcast name release for WORKGROUP<0> and WORKGROUP<1e>
+names and don't set the group bit.
+4). Ensure all the NetBIOS aliases are added to all the known
+interfaces on nmbd initialization.
+5). Fix bug in multiple query name responses print code.
+6). Fix to send out mailslot reply on correct interface.
+7). Fix retranmission queue to scan WINS server subnet so
+nmbd retransmits queries needed when acting as a WINS server.
+Thanks to Andrey Alekseyev <<a href="mailto:fetch@muffin.arcadia.spb.ru">fetch@muffin.arcadia.spb.ru</a>> for
+spotting this one.
+8). Send host announcement to correct 0x1d name rather than
+0x1e name.
+9). Fix for WINS server when returning multi-homed record,
+was returning one garbage IP address.
+10). Fix for Thursby Software's 'Dave' client - ensure
+that a vuid of zero is always returned for them when in
+share level security (the spec say's it shouldn't matter,
+but it was causing them grief).
+11). Added KRB4 authentication code.
+12). Fix to allow max printer name to be 15 characters (see above).
+13). Fix for name mangling cache bug - cache wasn't being
+used in some cases.
+14). Fix for RH5.0 broken system V shared memory include
+files.
+15). Fix for broken redirector use of resume keys between
+deletes in a directory. Samba now returns zero as resume
+keys (as does NT) and uses the resume filename instead.
+16). Fix for systems that have a broken implementation
+of isalnum() - was causing gethostbyname to fail.
+17). Fix for 'hide files' bug not working correctly (bug
+in is_in_path function - fix from Steven Hartland
+<<a href="mailto:steven_hartland@pa.press.net">steven_hartland@pa.press.net</a>>.
+18). Fixed bug in smbclient where debug log level on the
+command line was being overridden by the log level in smb.conf.
+19). Fixed bug in USE_MMAP code where client sending
+a silly offset to readraw could cause a smbd core dump.
+
+Bugfixes added since 1.9.18p2
+-----------------------------
+
+1). Fix to cause oplocked files to be broken when open
+file table is full before giving up and reporting 'too
+many open files'. This fix seems to help many applications
+on Win95.
+2). Fix to stop extra files being closed in user logoff
+code.
+3). Fix to stop padded packet being returned on
+trans2 call. This bug could cause Windows 95 to freeze
+on some (rare) occasions.
+4). Added fix for Visual C++ filetime changes (see above).
+5). Made security check code an option (see above).
+6). Fixed printer job enumeration in smbclient.
+7). Re-added code into smbclient that causes it to do NetBIOS
+broadcast name lookups (as it used to in 1.9.17).
+8). Fixed code dump bug in smbtar.
+9). Fixed mapping code between Appletalk and Kanji filenames.
+10). Tuned shared memory size based on open file table size.
+11). Made nmbd log file names consistant with smbd.
+12). Fixed nmbd problem where packet queues could grow
+without bound when connection to WINS server was down.
+13). Fix for DCE login code.
+14). Fix for system V printing to remove extra space
+in printer name.
+15). Patch to add a new substitution paramter (%p) in
+a service patchname. Adds NIS home path (see the man page
+on smb.conf for details). Patch from Julian Field.
+16). Fix to stop smbpassword code from failing when
+parsing invalid uid fields.
+17). Made volume serial number constant based on machine
+and service name.
+18). Added expand environment variables code from Branko
+Cibej. See the man page on smb.conf for details.
+19). Fixed warnings in change_lanman_password code.
+
+
+Bugfixes added since 1.9.18p1
+-----------------------------
+
+1). A deadlock condition in the oplock code has been found
+and fixed. This occured under heavy load at large sites. Several
+of the sites who reported the original problem have now been
+testing the code in this (1.9.18p2) release for a week now with
+no problems (previously the problem occurred within 3-6 hours).
+(Thanks to Peter Crawshaw of Mount Allison University for
+his great help in tracking down this bug).
+2). Fix for a share level security problem that caused
+'valid users' not to work correctly.
+3). Addition of Russian code page support.
+4). Fix to the password changing code (thanks to Randy Boring
+at Thursby Software Systems for this).
+5). More fixes to the Windows 95 printer driver support
+code from Herb Lewis at SGI.
+6). Two NetBIOS over TCP source name type fixes in nmbd.
+7). Memory leak in the dynamic loading of services in an
+smb.conf file fixed.
+8). LPRng parsing code fix.
+9). Fix to try and return a 'best guess' of create time
+under UNIX (which doens't store such a file attribute).
+10). Added parameters to samba/examples/smb.conf.default file :
+Remote announce, Remote browse sync, username map, filename
+case preservation and sensitivity options.
+11). Reply to trans2 calls now aligns all parameters and
+data on 4 byte boundary.
+12). Fixed SIGTERM bug where nmbd would hang on exit.
+13). Fixed WINS server bug to allow spaces in WINS names.
+
+Bugfixes added since 1.9.18
+---------------------------
+
+1). Fix for oplock-break problem. If an open crossed
+with an oplock break on the wire it was possible for the
+same fnum to be re-used. This caused a rare but fatal
+problem.
+2). Fix for adding printers to Windows NT 4.x. Now
+return correct "no space error" when buffer of zero
+given.
+3). Fix for nmbd core dumps when running on architectures
+that cannot access structures on non-aligned boundaries
+(sparc, alpha etc).
+4). Compiler warnings in nmbd fixed.
+5). Makefile updated for Linux 2.0 versions (new smbmount
+commands should only be compiled for 2.1.x kernels).
+6). Addition of a timestamp to attack warning messages.
+
+Changes in 1.9.18.
+------------------
+
+This release contains several major changes and much re-written
+code.
+
+The main changes are :
+
+1). Oplock support now operational.
+-----------------------------------
+
+Samba now supports 'exclusive' and 'batch' oplocks.
+These are an advanced networked file system feature
+that allows clients to obtain a exclusive use of a
+file. This allows a client to cache any changes it
+makes locally, and greatly improves performance.
+
+Windows NT has this feature and prior to this
+release this was one of the reasons Windows NT
+could be faster in some situations. Samba has
+now been benchmarked as out performing Windows
+NT on equivalently priced hardware.
+
+The oplock code in Samba has been extensively
+tested and is believed to be completely stable.
+
+Please report any problems to the samba-bugs alias.
+
+2). NetBIOS name daemon re-written.
+-----------------------------------
+
+The old nmbd that has caused some users problems
+has now been completely re-written and now is
+much easier to maintain and add changes to.
+
+Changes include support for multi-homed hosts
+in the same way as an NT Server with multiple
+IP interfaces behaves (registers with the WINS
+server as a multi-homed name type), and also
+support for multi-homed name registration in
+the Samba WINS server. Another added feature
+is robustness in the face of WINS server failure,
+nmbd will now keep trying to contact the WINS
+server until it is successful, in the same
+way as an NT Server.
+
+Also in this release is an implementation
+of the Lanman announce protocol used by
+OS/2 clients. Thanks to Jacco de Leeuw for
+this code.
+
+3). New Internationalization support.
+-------------------------------------
+
+With this release Samba no longer needs to be
+separately compiled for Japanese (Kanji) support,
+the same binary will serve both Kanji and non-Kanji
+clients.
+
+A new method of dynamically loading client code pages
+has been added to allow the case insensitivity to
+be done dependent on the code page of the client.
+
+Note that Samba still will only handle one client
+code page at a time. This will be fixed when
+Samba is fully UNICODE enabled.
+
+Please see the new man page for make_smbcodepage
+for details on adding additional client code page
+support.
+
+4). New Printing support.
+-------------------------
+
+An implementation of the Windows 95 automatic printer
+driver installation has been added to smbd. To use this
+new feature please read the document:
+
+docs/PRINTER_DRIVER.txt
+
+Thanks to Jean-Francois Micouleau, and also Herb Lewis
+of Silicon Graphics for this new code.
+
+Printer support on System V systems (notably Solaris)
+has been improved with the addition of code generously
+donated by Norm Jacobs of Sun Microsystems. Sun have
+also made a Solaris SPARC workstation available to the
+Samba Team to aid in their porting efforts.
+
+
+Changed code.
+-------------
+
+Samba no longer needs the libdes library to support
+encrypted passwords. Samba now contains a restricted
+version of DES that can only be used for authentication
+purposes (to comply with the USA export encryption
+regulations and to allow USA Mirror sites to carry
+Samba source code). The 'encrypt passwords' parameter
+may now be used without recompiling.
+
+Much of the internals of Samba has been re-structured
+to support the oplock and Domain controller changes.
+
+Samba now contains an implementation of share modes
+using System V shared memory as well as the mmap()
+based code. This was done to allow the 'FAST_SHARE_MODES'
+to be used on more systems (especially HPUX 9.x) that
+have System V shared memory, but not the mmap() call.
+
+The System V shared memory code is used by default on
+many systems as it has benchmarked as faster on many
+systems.
+
+The Automount code has been slightly re-shuffled, such
+that the home directory (and profile location) can be
+specified by \\%N\homes and \\%N\homes\profiles
+respectively, which are the defaults for these values.
+If -DAUTOMOUNT is enabled, then %N is the server
+component of the user's NIS auto.home entry. Obviously,
+you will need to be running Samba on the user's home
+server as well as the one they just logged in on.
+
+The RPC Domain code has been moved into a separate directory
+rpc_pipe/, and a LGPL License issued specifically for code
+in this directory. This is so that people can use this
+code in other projects.
+
+Missing feature.
+----------------
+
+One feature that we wanted to get into this release
+that was not possible due to the re-write of the nmbd
+code was the scalability features in the Samba WINS server.
+This feature is now tentatively scheduled for the next
+release (1.9.19). Apologies to anyone who was hoping
+for this feature to be included. The nmbd re-write
+will make it much easier to add such things in future.
+
+New parameters in smb.conf.
+---------------------------
+
+New Global parameters.
+----------------------
+
+Documented in the smb.conf man pages :
+
+ "bind interfaces only"
+
+ "lm announce"
+ "lm interval"
+
+ "logon drive"
+ "logon home"
+
+ "min wins ttl"
+ "max wins ttl"
+
+ "username level"
+
+New Share level parameters.
+---------------------------
+
+Documented in the smb.conf man pages :
+
+ "delete veto files"
+ "oplocks"
+
+Nascent web interface for configuration.
+----------------------------------------
+
+source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can
+also be run standalone. This is in a very early stage of development.
+
+Debugging support.
+------------------
+
+smbd and nmbd will now modify their debug log level when
+they receive a USR1 signal (increase debug level by one)
+and USR2 signal (decrease debug level by one). This has
+been added to aid administrators track down faults that
+only occur after long periods of time, or transiently.
+
+Reporting bugs.
+---------------
+
+If you have problems, or think you have found a
+bug please email a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+Please state the version number of Samba that
+you are running, and *full details* of the steps
+we need to reproduce the problem.
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<h3>Announcing Samba1.9.18p6 and more :^)</h3>
+
+<pre>
+<b>[A message from Andrew Tridgell]</b>
+I've just released version 1.9.18p6 of Samba.
+
+This release is in response to a potential security hole pointed out
+by Drago on BugTraq. The security hole involed a buffer overflow in
+the filename handling in reply_*()
+
+It is not at all clear that the security hole is actually
+exploitable. The existing code that checks for buffer overflows in
+Samba does catch the proposed exploit as posted to BugTraq but we
+considered it a grave enough risk that an immediate patch release is
+warranted. Note that if the hole is exploitable then it will only be
+possible to exploit it if the attacker already has write access to the
+exported filesystem.
+
+It is highly recommended that everyone upgrade to version 1.9.18p6 of
+Samba to avoid any possible exposure to this security hole.
+
+The new release is available from <a href="ftp://samba.org/pub/samba/">ftp://samba.org/pub/samba/</a>
+
+Cheers, Andrew
+
+<b>[And a message from Jerrimy Allison]</b>
+Hi all,
+
+ Over the weekend (isn't it always :-), someone
+on the BugTraq list posted an analysis (not exploit code)
+of a potential buffer overrun in Samba, that has been
+present in all versions (including 1.9.18p5). As Andrew
+Tridgell was working over the weekend he quickly produced
+a fix for this (it was a problem with code using sprintf)
+and released it as 1.9.18p6 on Sunday, May 11th.
+
+Please note that there is no published root exploit for this
+problem, other than a denial of service (which is still very
+serious).
+
+Unfortunately, in the haste to fix the problem he used
+a non-POSIX api, memalign(), in code to simulate the
+snprintf() call that sprintf was replaced with. This and
+some of the fix code has caused compile problems on some
+UNIX systems.
+
+In order to fix these compile problems on as wide a
+range of systems as possible, I'd appreciate it if
+people could send me the man pages for the following
+functions on their systems.
+
+These functions are :
+
+vsnprintf
+getpagesize
+sysconf
+memalign
+mprotect
+valloc
+
+People with the following systems need not send man
+pages, as the Samba Team already has access to these
+and we will check ourselves :
+
+SGI IRIX (all versions).
+Sun Solaris (versions 2.4 or above).
+Linux (all versions)
+FreeBSD (all versions)
+
+When sending the man pages please remember to mention
+what system these pages are for : eg. HPUX 10.x, HPUX 9.x
+SunOS 4.x etc.
+
+Please send the man pages to <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+Thanks in advance,
+
+ Jeremy Allison,
+ Samba Team.
+
+</pre>
+
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<pre>
+It may be fetched via ftp from :
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p7.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p7.tar.gz</a>
+
+This release is a security patch fix for a security hole
+reported on BugTraq by Drago. No exploit code was
+published with the report, so no immediate 'canned'
+exploit was available to an attacker
+
+The security hole may have allowed authenticated users to
+subvert security on the server by overflowing a buffer in
+a filename rename operation.
+
+It is as yet undetermined whether the security hole is
+actually exploitable because of existing buffer overflow
+checks in Samba and the limitations on available characters
+in filenames on UNIX systems but the Samba Team considered the
+threat of a possible security hole enough to warrant a patch
+release.
+
+The previous release 1.9.18p6, which was intended to fix the
+security hole, has compile problems on several platforms, and
+should not be used.
+
+It is recommended that all sites assume that the security hole
+is exploitable and upgrade to version 1.9.18p7 of Samba.
+
+An extensive security review has taken place on the code
+in this release, and all code that has potential for a
+buffer overflow attack has been replaced with bounds checking
+equivalent code. As always, extra checking over the code
+for potential security problems is very welcome.
+
+Binary packages will be made available for this release,
+once feedback has shown this release fixes the exploit.
+Offets of binary Samba packages for various systems are
+welcome and should be sent to <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>.
+
+Without further ado, here are the release notes.
+
+Regards,
+
+ The Samba Team.
+
+---------------------------------------------------------------------
+
+ WHATS NEW IN 1.9.18p7 - May 12th 1998.
+ ======================================
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+This release is a security hole patch fix for a security hole reported
+on BugTraq by Drago. The security hole may have allowed authenticated
+users to subvert security on the server by overflowing a buffer in a
+filename rename operation. It is as yet undetermined whether the
+security hole is actually exploitable because of existing buffer
+overflow checks in Samba and the limitations on available characters
+in filenames but the Samba Team considered the threat of a possible
+security hole enough to warrant an immediate patch release.
+
+It is highly recommended that all sites assume that the security hole
+is exploitable and upgrade to version 1.9.18p7 of Samba.
+
+The previous release 1.9.18p6, which was intended to fix the
+security hole, has compile problems on several platforms, and
+should not be used.
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+ <a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+ The Samba Team.
+</pre>
+
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+<pre>
+It may be fetched via ftp from :
+
+<a href="ftp://samba.org/pub/samba/samba-1.9.18p8.tar.gz">ftp://samba.org/pub/samba/samba-1.9.18p8.tar.gz</a>
+
+Binary packages will be made available for this release
+within a short time. A separate announcement will be made
+for the release of these packages.
+
+Offers of binary Samba packages for various systems are
+welcome and should be sent to <a
+href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+
+As always, all bugs are our responsibility.
+Without further ado, here are the release notes.
+
+
+Regards,
+
+The Samba Team.
+
+
+---------------------------------------------------------------------
+WHATS NEW IN 1.9.18p8 - June 12th 1998.
+======================================
+
+
+This is the latest stable release of Samba. This is the
+version that all production Samba servers should be running
+for all current bug-fixes.
+
+
+Note that most Samba Team effort is now going into working on the
+next major release which should contain some Windows NT Domain
+features. It is intended that any future work on the 1.9.18 series
+be maintenance only fixes.
+
+
+An announcement will be made when the first alpha release of the next
+Samba series is available.
+
+
+Bugfixes added since 1.9.18p7
+-----------------------------
+<ol>
+<li>Fixed bug so Samba returns ERROR_MORE_DATA for long share
+lists that won't fit in the data buffer given by the client.
+<li>Made mapping of Windows to UNIX usernames only occur once per
+name.
+<li>Cause changing of SMB password to fail if UNIX pasword change
+fails and unix password sync is set.
+<li>Ensure the Samba names are added to the remote broadcast subnet
+to allow NT workstations to do a directed broadcast node status
+query (they seem to want to do this for some reason).
+<li>Fixed HPUX10 Trusted systems bigcrypt password authentication
+call.
+<li>Ensure smbd doesn't crash if 'account disabled' set in smbpasswd
+file.
+<li>Ensured 'revalidate' parameter is only checked if we're in share
+level security.
+<li>Ensure that password lengths are sanity checked even if in server
+level security.
+<li>Fix bug with multi-user NT systems where a file currently open by
+one user could always be opened by another.
+<li>Ensure we save the current user info and restore it correctly
+whilst in the oplock break state.
+<li>Added some simple sanity checks to testparam.
+<li>Added timezone sanity checks.
+<li>Re-wrote wildcard handling for trans2 calls. Wildcard matching
+now seems to be *identical* to NT (as far as I can tell).
+<li>Added facility for user list code to be explicit about checking
+UNIX group database or NIS netgroup list. Updated smb.conf
+detailing this.
+<li>Fixed bug in multibyte character handling when parsing a pathname.
+<li>Fixed file descriptor leak in client code.
+<li>Fixed QSORT_CAST compile bugs on many systems.
+<li>Added codepages 737 (Greek) and 861 (Icelandic).
+</ol>
+
+If you have problems, or think you have found a bug please email
+a report to :
+
+
+<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>
+
+
+As always, all bugs are our responsibility.
+
+Regards,
+
+The Samba Team.
+</pre>
+
+</body>
+</html>
<h2>News</h2>
- <ul>
+ <ul class="news">
<li>10 August 2004 <a href="/samba/news/#accepting">news.samba.org Open For Story Submissions</a></li>
<li>8 August 2004 <a href="/samba/news/#redesign">samba.org Has Been Redesigned</a></li>
</ul>
<p>The Samba news site is, like the Samba community itself, dependent on contributors.
Whether or not news.samba.org grows and proves useful is completely up
-to you, the dedicated users and developers of Samba. <a href="/samba/news/submit.html">Submit A Story</a>
+to you, the dedicated users and developers of Samba. <a href="http://news.samba.org/submit.html">Submit A Story</a>
</div>
+++ /dev/null
-<!--#include virtual="/samba/header.html" -->
-
- <h2 align="center">Security</h2>
-
- <p>Security releases for Samba are listed below by their release
-date. The previously affected versions of Samba are listed alongside
-the appropriate security concern. For complete information, follow the
-link to full release notes for each release.</p>
-
-</table>
-
- <table align="center" cellpadding="5" cellspacing="5">
- <th colspan="6">Samba Security Releases</th>
- <tr align="center" valign="bottom">
- <td><em>Date Issued</em></td>
- <td><em>Download (Gzipped)</em></td>
- <td><em>Known Issue(s)</em></td>
- <td><em>Affected Releases</em></td>
- <td><em>CVE ID #</em></td>
- <td><em>Complete Release Notes</em></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>22 Jul 2004</td>
- <td><a href="/samba/ftp/samba-3.0.5.tar.gz">3.0.5</a></td>
- <td align="left">Two potential buffer overruns</td>
- <td>>=3.0.2</td>
- <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600">CAN-2004-0600</a>,
- <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686">CAN-2004-0686</a>
- </td>
- <td><a href="/samba/whatsnew/samba-3.0.5.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>22 Jul 2004</td>
- <td><a href="/samba/ftp/samba-2.2.10.tar.gz">2.2.10</a></td>
- <td align="left">Buffer overrun in hash mangling method</td>
- <td>all 2.2 releases</td>
- <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686">CAN-2004-0686</a>
- </td>
- <td><a href="/samba/whatsnew/samba-2.2.10.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>9 Feb 2004</td>
- <td><a href="/samba/ftp/old-versions/samba-3.0.2a.tar.gz">3.0.2a</a></td>
- <td align="left">Password initialization bug that could grant
- an attacker unauthorized
- access to a user account created by the mksmbpasswd.sh shell script.</td>
- <td>>=3.0.0</td>
- <td><a
- href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0082">CAN-2004-0082</a></td>
- <td><a href="/samba/whatsnew/samba-3.0.2a.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>7 Apr 2003</td>
- <td><a href="/samba/ftp/old-versions/samba-2.2.8a.tar.gz">2.2.8a</a></td>
- <td align="left">Buffer overrun condition in the SMB/CIFS packet fragment
- re-assembly code.</td>
- <td>all 2.0 releases and <= 2.2.8</td>
- <td><a
- href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201">CAN-2003-0201</a></td>
- <td><a href="/samba/whatsnew/samba-2.2.8a.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>10 Dec 2002</td>
- <td><a href="/samba/ftp/old-versions/samba-2.2.7a.tar.gz">2.2.7a</a></td>
- <td align="left">Bug in the length checking for encrypted password change
- requests from clients.</td>
- <td>2.2.2 - 2.2.6</td>
- <td><a
- href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201">CAN-2003-0201</a> , <a
- href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085">CAN-2003-0085</a></td>
- <td><a href="/samba/whatsnew/samba-2.2.7a.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>23 Jun 2001</td>
- <td><a href="/samba/ftp/old-versions/samba-2.2.0a.tar.gz">2.2.0a</a></td>
- <td align="left">Bug in expansion of certain smb.conf variables such as
- %m that could grant an attacker the capaibility to overwrite arbitrary
- files on the server. Bug that causes smbd not to honor the hosts allow
- and deny smb.conf directives.</td>
- <td>2.2.0</td>
- <td> </td>
- <td><a href="/samba/whatsnew/samba-2.2.0a.html">release notes</a></td>
- </tr>
-
- <tr align="center" valign="top">
- <td>23 Jun 2001</td>
- <td><a href="/samba/ftp/old-versions/samba-2.0.10.tar.gz">2.0.10</a></td>
- <td align="left">Bug in the handling of temporary files that allows local
- users to destroy data on local devices.</td>
- <td>>= 2.0.0</td>
- <td> </td>
- <td><a href="/samba/whatsnew/samba-2.0.10.html">release notes</a></td>
- </tr>
-
- </table>
-<br>
-
-<table border=0 width="75%" align="center">
- <tr><td></td><td align="left">
-
-
- <p><em>If you suspect you have discovered a serious security hole in a
-Samba
-release, please send an email to <a
-href="mailto:security@samba.org">security@samba.org</a>.</em></p>
-
-<!--#include virtual="/samba/footer.html" -->
+++ /dev/null
-<!--#include virtual="/samba/header.html" -->
- <title>Samba - Sitemap</title>
-<!--#include virtual="/samba/header2.html" -->
-
-<h2 align="center">Samba.org Site Map</h2>
-
-<h3>Home</h3>
-
-<p><a href="http://www.samba.org">Samba.org</a> -- Mirror listing on front page.</p>
-
-<ul>
-<li><a href="/samba/samba.html">Samba Welcome Page</a> -- Contains release announcements and general updates about Samba.</li>
-</ul>
-
-<h3>What's New</h3>
-
-<p>Labeled "announcements" in the navigation, this section contains archived announcements from the welcome page, which date back to 1997.</p>
-
-<ul>
-<li><a href="/samba/whatsnew/award_photo_i3.jpg">Award Photo</a> (jra?)</li>
-<li><a href="/samba/whatsnew/domain_name.html">Domain Name announcement</a></li>
-<li><a href="/samba/whatsnew/macroexploit.html">Security Exploit announcement</a> (23 June 2001)</li>
-<li><a href="/samba/whatsnew/sgi-sponsor.html">SGI Sponsor announcement</a></li>
-<li><a href="/samba/whatsnew/sunbench.html">Samba on Sun announcement</a></li>
-<li>Release Notes -- Too numerous to list now</li>
-</ul>
-
-<h3>Mailing Lists</h3>
-
-<ul>
-<li><a href="/samba/archives.html">Mailing List Overview</a> -- with links to each list's archive</li>
- <ul>
- <li>Various Archive Pages, for each list</li>
- </ul>
-<li><a href="http://lists.samba.org/">lists.samba.org/</a> -- complete list of public Samba lists</li>
- <ul>
- <li><a href="http://lists.samba.org/cgi-bin/mailman/admin">List Administrators Overview Page</a></li>
- <li><a href="http://lists.samba.org/cgi-bin/mailman/create">Create New List<a> -- for admins</li>
- <li>Subscribe/Unsubscribe Pages -- too numerous to list now</li>
- </ul>
-<li><a href="/samba/ml-etiquette.html">Mailing List Etiquette</a></li>
-<li><a href="/samba/archive-policy.html">Archiving Policy</a></li>
-</ul>
-
-<h3>Documentation</h3>
-
-<p>Docs "welcome" page accessed <a href="/samba/docs/">here</a>. This page serves as portal to the various documentation resources on samba.org.</p>
-
-<ul>
-<li>Official Samba-HOWTO Book</li>
- <ul>
- <li>in <a href="/samba/docs/Samba-HOWTO-Collection.pdf">PDF</a></li>
- <li>in <a href="/samba/docs/man/howto/">HTML</a></li>
- </ul>
-<li>Samba-3 by Example</li>
- <ul>
- <li>in <a href="/samba/docs/Samba-Guide.pdf">PDF</a></li>
- <li>in <a href="/samba/docs//man/guide/">HTML</a></li>
- </ul>
-<li>Links to Man Pages -- too numerous to list</li>
-<li>Links to external books/docs -- too numerous to list</li>
-<li><a href="/samba/docs/SambaIntro.html">Intro to Samba</a></li>
-<li><a href="/cifs/docs/what-is-smb.html">What is SMB?</a></li>
-<li><a href="/cifs/">What is CIFS?</a>
-<li><a href="/samba/docs/security.html">Info on Win95/WfWg Security</a>
-<li><a href="/samba/smbfs">Info on smbfs filesystems</a>
-<li><a href="/samba/docs/sambay2k.html">Samba Year 2000 (Y2K) issues</a>
-<li>Listing of published <a href="/samba/books.html">Samba books</a></li>
-<li><a href="/samba/docs/10years.html">10 Years</a> anniversary announcement -- plus outline of Samba releases</li>
-<li><a href="/samba/docs/anecdotes.html">Anecdotes</a> about Samba and Linux</li>
-<li><a href="/samba/docs/CVS-Access.html">CVS Access Instructions</a></li>
-<li><a href="/samba/docs/GPL.html">GPL</a> -- a blank page; I assume it's outdated.</li>
-<li><a href="/samba/docs/pl">pl directory</a></li>
-<li><a href="/samba/docs/swat_ssl.html">Swat with SSL instructions</a></li>
-</ul>
-
-<h3>Download</h3>
-
-<ul>
-<li>Download <a href="/samba/download.html">Main page</a><li>
-<li><a href="/samba/ftp/">FTP Section</a> -- also see <a href="/samba/">mirrors page</a></li>
-<li><a href="/samba/subversion.html">Subversion instructions</a></li>
-<li><a href="/samba/cvs.html">CVS instructions</a></li>
-<li><a href="/samba/GUI/">GUI managers</a> for Samba</li>
-</ul>
-
-<h3>Development</h3>
-
-<ul>
-<li><a href="/samba/devel/">Development Overview</a></li>
-<li><a href="/samba/devel/TODO.html">TODO List of Projects</a></li>
-<li><a href="/samba/bugreports.html">Bug Report Information</a></li>
-<li>Short <a href="/samba/devel/roadmap-3.html">Samba3 roadmap</a></li>
-<li><a href="/samba/devel/roadmap-4.0.html">Samba4 roadmap</a></li>
-<li>could also list Subversion and CVS pages here</li>
-</ul>
-
-<h3>Contact</h3>
-
-<ul>
-<li><a href="/samba/contacts.html">Main Contacts Page</a> -- links to mailing list, irc, bug reports, etc.</li>
-<li><a href="/samba/team.html">Samba Team page</a> -- includes contact info for team members</li>
-</ul>
-
-<h3>Misc</h3>
-
-<ul>
-<li><a href="/samba/support/">Providers of Commercial Samba Support</a></li>
-<li><a href="/samba/vendors/">List of Vendors Using Samba</a></li>
-<li><a href="/samba/thanks.html">Thank You's to Contributors</a></li>
-<li><a href="/samba/donations.html">Donation Information</a></li>
-<li><a href="http://samba-survey.sernet.de/">Samba Survey</a></li>
-<li><a href="/samba/tshirt.html">Merchandise</a></li>
-</ul>
-
-<p align="center"><em>Not a complete list of pages on samba.org</em></p>
-
-<!--#include virtual="/samba/footer.html" -->
-
font-style:italic;
font-size:small;
}
+.news {
+ font-size:small;
+}
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs and Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />
<ul>
<li><a href="/samba/docs/man/Samba-HOWTO-Collection/">Official HOWTO</a></li>
<li><a href="/samba/docs/man/Samba-Guide/">By Example</a></li>
- <li><a href="/samba/docs/">All The Docs</a></li>
+ <li><a href="/samba/docs/">Docs and Books</a></li>
</ul>
<img src="/samba/images/talk.png" alt="talk samba" />