Samba 3.0.23pre1 Available for Download
Gerald (Jerry) Carter
jerry at samba.org
Sun Apr 23 08:49:00 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
A revolution without dancing...
is a revolution not worth having!
This is a preview release of the Samba 3.0.23 code base and
is provided for testing only. This release is *not* intended
for production servers. There has been a substantial amount
of development since the 3.0.21 series of stable releases.
We would like to ask the Samba community for help in testing
these changes as we work towards the next significant production
upgrade Samba 3.0 release.
There has been a substantial amount of cleanup work done
during this development cycle. Two weeks of development time
was dedicated to fixing bugs reported by the Coverity source
code scans. Details can be found at in the following two
New features introduced in 3.0.23pre1 include:
o New offline mode in winbindd.
o New kerberos support for pam_winbind.so.
o New handling of unmapped users and groups.
o New non-root share management tools.
o Improved support for local and BUILTIN groups.
User and Group changes
The user and group internal management routines have been
rewritten to prevent overlaps of assigned Relative Identifiers
(RIDs). In the past the has been a potential problem when
either manually mapping Unix groups with the 'net groupmap'
command or when migrating a Windows domain to a Samba domain
using 'net rpc vampire'.
Unmapped users are now assigned a SID in the S-1-22-1 domain and
unmapped groups are assigned a SID in the S-1-22-2 domain.
Previously they were assign a RID within the SAM on the Samba
server. For a DC this would have been under the authority of
the domain SID where as on a member server or standalone host,
this would have been under the authority of the local SAM
(hint: net getlocalsid).
The result is that any unmapped users or groups on an upgraded
Samba domain controller may be assigned a new SID. Because the
SID rather than a name is stored in Windows security descriptors,
this can cause a user to no longer have access to a resource
for example if a file was copied from a Samba file server to
a local NTFS partition. Any files stored on the Samba server
itself will continue to be accessible because Unix stores the
Unix gid and not the SID for authorization checks.
A further example will help illustrate the change. Assume
that a group named 'developers' exists with a Unix gid of
782 but this user does not exist in Samba's group mapping
table. it would be perfectly normal for this group to be
appear in an ACL editor. Prior to 3.0.23, the group SID might
appear as S-1-5-21-647511796-4126122067-3123570092-2565.
With 3.0.23, the group SID would be reported as S-1-22-2-782.
Any security descriptors associated with files stored on
an NTFS disk partition would not allow access based on the
group permissions if the user was not a member of the
Because this group SID not reported in a user's token is
S-1-22-2-782, Windows would fail the authorization check
even though both SIDs in some respect referred to the same
The current workaround is to create a manual domain group
mapping entry for the group 'developers' to point at the
There has also been a minor update the Samba LDAP schema file.
A substring matching rule has been added to the sambaSID attribute
definition. For OpenLDAP servers, this will require the addition
of 'index sambaSID sub' to the slapd.conf configuration file. It
will be necessary to run slapindex after making this change.
There has been no change to actual data storage schema.
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 157BC95E). The source code can be
The release notes are available online at:
Binary packages are available at
Our Code, Our Bugs, Our Responsibility.
The Samba Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba-announce