Samba 2.2.5 has been released

Charlie ROOT root at soc.lg.gov.ua
Thu Jun 20 06:33:20 GMT 2002


On Wed, 19 Jun 2002, Gerald Carter wrote:

> The Samba Team is proud to announce the release of Samba 2.2.5. This is
> the latest stable release of Samba. This is the version that all
> production Samba servers should be running for all current bug-fixes. See
> the Release notes that follow.
>
> Binary packages for various platforms are available (or soon will be)
> from samba.org in /pub/samba/Binary_Packages/
>
> One item that got left out of the 2.2.4 release notes (and 2.2.5 sadly)
> is the support of both Ukrainian KOI8-U and CP1251 encodings.  Both use
> the "client code = 1125". However, KOI8-U uses "character set = KOI8-U"
> and CP1251 uses "character set = 1251".
>
> Thanks again to everyone who helped out on this release.
>
> If you think you have found a bug please email a report to :
>
>         samba at samba.org
>
> As always, all bugs are our responsibility.
>
>
> Cheers,
> The Samba Team
>
>
>
>
>               WHAT'S NEW IN Samba 2.2.5  - 18th June 2002
>               ===========================================
>
>
> This is the latest stable release of Samba. This is the version that all
> production Samba servers should be running for all current bug-fixes.
>
> There have been several fixes and internal enhancements which include:
>
> * Several compile fixes for Solaris and HP-UX
> * More printing fixes for Windows NT/2k/XP clients
> * New options for the VFS recycle bin library
> * New internal signal handling semantics relating to directory change
>   notification and oplocks
>
> New/Changed parameters in 2.2.5
> --------------------------------
>
> For more information on these parameters, see the man pages for
> smb.conf(5).
>
> Added/changed parameters
> ------------------------
>
> * block size = <INTEGER>
> * force unknown acl user = <boolean>
> * mangling method = [hash|hash2]
>
>
> Deprecated Parameters
> ---------------------
>
> The following parameters have been marked as deprecated and will be removed
> in Samba 3.0
>
> * strip dot
> * status
>
>
> Removed Parameters
> ------------------
>
>   none
>
>
> Changes in 2.2.5
> ----------------
>
> See the cvs log for SAMBA_2_2 for more details
>
> 1)  Removal of several compiler warnings, incorrect Makefile dependencies,
>     and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
>     being the predominantly reported platforms
> 2)  Fixed winbindd crash bug on the IBM s390 running Linux
> 3)  Inclusion of enhanced Linux quota support
> 4)  Correctly link against Sun LDAP libraries on Solaris 8 (even though
>     there is no apparent SSL support there)
> 5)  POSIX conformance patches
> 6)  Include new configure --enable-cups option (can also be disabled even
>     if CUPS libraries are installed on the system)
> 7)  Set reasonable default for the "passwd program" parameter using an
>     autoconf test
> 8)  Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
> 9)  fixed bug to prevent root account from being deleted by the
>     "delete user script"
> 10) Inclusion of autoconf script for building VFS modules
> 11) Add new run time options to the VFS recycle bin library (see
>     examples/VFS/recycle/README for details)
> 12) Include findsmb perl script as part of the "make install" process
> 13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
>     to fix a bug where printers appear at the workgroup level in the Windows
>     NT/2k APW browse list
> 14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
>     details)
> 15) Fix length bug that caused password changes from Windows NT/2k clients to
>     occasionally fail
> 16) Correct false password expiration when using --with-ldapsam caused by
>     missing attributes in the directory
> 17) added -S option to smbpasswd for storing the SID of a domain controller
>     as the local machine SID in secrets.tdb.  See the smbpasswd(8) man page
>     for details.
> 18) Various fixes for UNIX CIFS extensions commands
> 19) Fixed CIDR notation in "hosts allow/deny"
> 20) Change semantics of an idle connection to mean "no open files and no
>     open handles".  We cannot idle a connection if there are open named
>     pipe handles.  This fixes scalability problem on Samba print servers
>     and NT/2k clients introduced in 2.2.4
> 21) Fix German umlaut problem when returning ACL entries
> 22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT.  This fixes the bug
>     of running the Microsoft Access executable (msaccess.exe) and database
>     files from a Samba share documented in the 2.2.4 release
> 23) Corrected signal handling relating to directory change notification and
>     kernel oplocks
> 24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
>     Savings Time
> 25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
>     clients not to be able to view printer properties from a Samba host
> 26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
>     Windows 2k/XP clients to fail
> 27) Fixed incorrect error check in mod_share_entry()
> 28) Allow %S variable in MS-DFS root paths
> 29) Correct a bug regarding the use of 'wbinfo -A'
> 30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
> 31) Store the key for a name-to-sid cache entry in upper case rather than
>     whatever case the request was made in.  This gets rid of duplicate
>     cache entries.
> 32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
> 33) Enhanced error reporting messages of wbinfo
> 34) Parameterize block size on disk size return
> 35) Added new parameter to allow incoming ACLs to have owner and group forced
>     to the currently logged in user. This fixes the XCOPY /O problem
> 36) Fixed bug in local_change_password() caused by reusing a struct
>     passwd* pointer
> 37) Change default value for "ldap port" to 389 if "ldap ssl = no"
> 38) Updated HOWTO's, manpages, and general documentation....
> 39) Allow root as well as domain admins to open an LDAP connection
> 40) Fixed veto files bug with ".*"
> 41) Fixed uninitialized variable bug in smbpasswd that was causing a random
>     IP address to be used in the connection when joining a domain
> 42) Fix for joining a domain with a netbios name of 15 characters and
>     pre-creating the account on the DC
> 43) Added links to new documentation on SWAT welcome page
>
>
>               =========================================
>
> Older releases notes for 2.2.x distributions follow
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.4 follow :
>
> There have been several fixes and internal enhancements which include:
>
>  * More/better SPOOLSS printing functionality for Windows
>    NT/2k/XP clients.
>  * Several fixes relating to serving PC database files such
>    as (Access and FoxPro) from a Samba file share.
>  * Several improvements in Samba's VFS layer which can be seen
>    in the inclusion of a "Recycle Bin" vfs module.  See
>    examples/VFS/README for more details on this.
>  * Addition of a tool (tdbbackup) for backup/restore of Samba's
>    tdb's
>  * Continued improvements to winbind for greater scalability
>    and stability
>  * Several fixes related to Samba's MS-DFS support
>  * Rpcclient's various printer commands now work (again)
>
>
> New/Changed parameters in 2.2.4
> --------------------------------
>
> For more information on these parameters, see the man pages for
> smb.conf(5).
>
> Added/changed parameters
> ------------------------
>
> * csc policy
> * inherit acls
> * nt status support
> * lock spin count
> * lock spin time
> * pid directory
> * winbind use default domain
>
>
> Deprecated parameters
> ---------------------
>
> The following parameters have been marked as deprecated
> and will be removed in Samba 3.0
>
> * postscript
> * printer driver
> * printer driver file
> * printer driver location
>
>
> Removed Parameters
> ------------------
>
>   none
>
>
> Changes in 2.2.4
> ----------------
>
> See the cvs log for SAMBA_2_2 for more details
>
> 1)  added -c option to smbpasswd
> 2)  reworked smbpasswd internal command line option parsing
> 3)  small various bug fixes to experimental pdb_tdb.c
> 4)  Enforce spoolss RPCs based on the access granted at PrinterOpen()
> 5)  Added missing access checks to [add/delete/set]form
> 6)  Compile fixes for pam_smbpass
> 7)  fix smbd crash when netbios session request fails from
>     spoolss_connect_to_client().
> 8)  fixed logic bug that prevented SetPrinter() from storing devmode
> 9)  Removed extra get_printer_snum() calls from set_printer_hnd_name()
> 10) fix joining domain on big endian machine when using -U to smbpasswd
> 11) allow command line arg to override smb.conf log level
> 12) continue to retry to register 1b name with wins server if there is an old IP there
> 13) fix smbclient print crash bug
> 14) 9x pnp fix when the config file and driver file are different
> 15) force testparm to print the correct value for log level
> 16) fix swat to show full log level info
> 17) fix server GetPrinterData() fields to be more sensible
> 18) fix logic error in SetPrinterDataEx()
> 19) Only set smb_read_error if not already set
> 20) Fix string returns that require unicode
> 21) Merge of printing performance fixes from appliance
> 22) lpq parsing fixes
> 23) Back port tridge's xcopy /o fix from HEAD
> 24) Fix the printer change notify code (unfinished)
> 25) Patch for Domain users not showing up
> 26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
> 27) Ensure that all methods of looking up and connecting to DC's work
>     using identical logic.
> 28) Merge in the mutex code to stop multiple domain logon failure
> 29) Ignore 0/0 lock
> 30) Fix winbindd to respect command line debuglevel as nmbd/smbd
> 31) Update with tdbbackup from HEAD
> 32) Fix for typo on solaris nss
> 33) Merge in the locking changes from HEAD
> 34) Added POSIX ACL layer into the vfs
> 35) Fix the returning of domain enum
> 36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
> 37) Enable test for -rdynamic when building binaries
> 38) Remove the "stat open" code - make it inline
> 39) Fix the mp3 rename bug
> 40) Fix for Explorer DFS problems on older Windows 9X machines
> 41) implement OpenPrinter() opnum == 0x01
> 42) Matched W2K *insane* open semantics....
> 43) small fix that will prevent the "failed to marshall
>     R_NET_SAMLOGON" message in the logs
> 42) don't do checking of local passdb in smbpasswd if using -r option
> 43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
>     try to connect to a server named '*'
> 44) merge rpcclient code from HEAD
> 45) Ensure MACHINE.SID update done before child spawns
> 46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
> 47) Removed --with-vfs - always built if available
> 48) Fixed psec for 2.2
> 49) Fixed the handle leak in the connection management code
> 50) fix disable spoolss after the switch to nt status codes
> 51) Added Shirish's client side caching policy change
> 52) Honor the specversion when parsing the DEVICEMODE
> 53) fix parsing bug when DEVICEMODE's private data does not end
>     on a 4 byte boundary
> 54) do not idle an smbd when there is an open pipe
> 55) when a new driver is added to a Samba server, cycle through
>     all printers and bump the change_id for each one bound to the driver
> 56) allow smbclient to work with a FIFO as well (needed for KDE
>     ioslave)
> 57) various updates to pdb_nisplus.c
> 58) many small documentation updates
> 59) removed many compiler warnings
>
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.3a follow :
>
> This is a minor bugfix release for the 2.2.3 release. The 2.2.3
> release had a problem that was visible to Windows 2000 Explorer
> users in that copying files into a share that already existed
> failed with "Access Denied" rather than asking the user if an
> overwrite was required. This was due to an incorrect error mapping
> between the UNIX EXIST error code and the NT status error.
>
> As Windows Explorer is a highly visible end user application a quick
> bugfix release was required, hence 2.2.3a.
>
> Compilation on HPUX versions earlier than HPUX 11 has also been
> corrected.
>
> The cvs.log file is no longer included with this release, as it adds
> 13Mb to the size of the release, and is easily available on the Web.
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.3 follow :
>
> There are several important scaling bugs that have been fixed in this release
> for large server systems so an upgrade is recommended.
>
> LDAP update
> -----------
>
> Much work has been done on the LDAP backend code. The configure
> option --with-ldapsam is now considered to be stable. The schema
> used has changed, see the file examples/LDAP/samba.schema for the
> new schema.
>
> New documentation explaining how to set up a Samba only PDC/BDC
> setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
> in the documentation tree.
>
> winbindd daemon extended
> ------------------------
>
> Samba 2.2.2 was the first release to include the winbind daemon.
> This code allows UNIX systems that implement the name service
> switch (nss) to be entered into a Windows NT/2000 domain and
> use the Domain controller for all user and group enumeration.
>
> Samba 2.2.3 fixes the known memory leaks in winbindd and has
> been extended to work with SGI IRIX and HPUX (11.x) in addition
> to the earlier targets of Linux and Solaris.
>
> For more information on using winbind, see the man pages for
> winbindd and wbinfo.
>
> Note that winbindd is not installed by default.
>
> New/Changed parameters in 2.2.3
> --------------------------------
>
> For more information on these parameters, see the man pages for
> smb.conf.
>
> Added/changed parameters.
> -------------------------
>
> unix extensions
>
> Enables the experimental UNIX CIFS extensions in smbd. See the manpage
> for more details.
>
> default devmode
>
> Some printer drivers will crash the Windows NT/2000 spooler service
> if they are given a default devmode, some require it. This parameter
> allows the administrator a choice of whether smbd returns such a
> default devmode for a driver.
>
> share modes
>
> This parameter has been restored to allow people who wish smbd to ignore
> client share modes. This is *very dangerous* and should not be set without
> full knowledge of what this is designed for.
>
> Changes in 2.2.3
> -----------------
>
> 1). Fixed shared library compile for Solaris with native compiler.
> 2). UNIX CIFS extensions code added (donated by HP).
> 3). Changed to using NT status codes on the wire if the client can support
> this.
> 4). altname command to show 8.3 name added to smbclient.
> 5). const-safe endian macros now used.
> 6). client code now uses UNICODE on the wire.
> 7). Correctly return fault PDU's on bad handle.
> 8). Improved NT error code mapping table.
> 9). Many new point and print RPC calls added.
> 10). Win9x clients can now see full user list.
> 11). field added to identify simultaneous open files (no longer
> use dev/inode/time as unique value).
> 12). HPUX ACL code added (donated by HP).
> 13). vfs interfaces updated (again !).
> 14). MSDOS Code Page 866 -> 1251 mapping added.
> 15). winbindd now processes quit/hup signals correctly.
> 16). No tdb traversal done on startup/shutdown - ensures scalability.
> 17). Fix bug with paths for homes share.
> 18). Fixed copyfile for OS/2.
> 19). Fix group membership when groups are on more than one line.
> 20). Fixed core dumps in posix ACL mapping code.
> 21). Tidyup of UNICODE functions (put/get).
> 22). Move rpcclient to the new libsmb code.
> 23). Add missing Windows 2000 passthrough trans2 calls.
> 24). Return check all tdb calls.
> 25). Make local name lookup work even if wins server is down.
> 26). pam session code added to winbind.
> 27). Added winbindd cache to all lookups.
> 28). Fix allocate bugs that caused file sizes to be incorrect.
> 29). Fixed write cache code - now safe to use.
> 30). Fixed winbindd memory leaks.
> 31). winbindd will now do name lookups (to allow non Open Source
> systems to do the nsswitch WINS lookup). Fixed by SGI.
> 32). passdb memory leaks fixed.
> 33). LDAP code updates and now properly maintained.
> 34). Finally figured out how changeid is meant to work.
> 35). Downlevel printing now looks as NT does in print monitor window.
> 36). Many fixups in spoolss printing RPC parsing.
> 37). Speed up password enumeration as a PDC.
> 38). Fix printer changed notify messages (work from HP).
> 39). Fix modify timestamp on close code.
> 40). Fix long standing mangled names bug.
> 41). Fix delete on close semantics.
> 42). Stop opening all files with O_NONBLOCK !
> 43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
> 44). Ensure NT supplementary groups get added to user token.
> 45). Try and mitigate effects of DNS timeout (do less lookups).
> 46). Added current user connection context stack.
> 47). Fixes to utmp code.
> 48). smbw code tidyups.
> 49). Added tdb open log code. Several tdb fixes.
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.2 follow :
>
> New daemon included - winbindd
> ------------------------------
>
> Samba 2.2.2 is the first release to include the winbind daemon.
> This code allows UNIX systems that implement the name service
> switch (nss) to be entered into a Windows NT/2000 domain and
> use the Domain controller for all user and group enumeration.
>
> This allows a Samba server added to a Windows domain to serve
> file and print services with *NO* local users needed in /etc/passwd
> and /etc/group - all users and groups are read directly from the
> Windows domain controller. In addition with pam_winbind which allows
> a PAM enabled UNIX system to use a Windows domain for authentication
> service this allows single sign on and account control across
> UNIX and Windows systems.
>
> The current version of winbindd shipped in 2.2.2 does have some
> memory leaks, which will be addressed for the next Samba release,
> so it is advisable to monitor the winbind process. This code is
> being used in production by several vendors, so the leaks are
> manageable. In addition, this version of winbind does not work
> correctly against a Samba PDC, due to some missing calls on the
> PDC side. These problems are being addressed for the next Samba
> release, but it was thought better to release the code now rather
> than delay the main Samba code to match the winbind release schedule.
>
> For more information on using winbind, see the man pages for
> winbindd and wbinfo.
>
> Note that winbindd is not installed by default.
>
> New/Changed parameters in 2.2.2
> -------------------------------
>
> For more information on these parameters, see the man pages for
> smb.conf.
>
> Added/changed parameters.
> -------------------------
>
> strict allocate
>
> Causes Samba not to create UNIX 'sparse' files, but to follow the
> Windows behavior of always allocating on-disk space.
>
> use mmap
>
> Set to 'on' by default, only set to 'off' on HPUX 11.x or below or other
> UNIX systems that don't have coherent mmap/read-write internal caches.
> You should not need to set this parameter.
>
> nt acl support
>
> This parameter has been changed to a per-share option, and is very
> useful in enabling Windows 2000 SP2 to load/save profiles from a
> Samba share.
>
> New printing parameters.
> ------------------------
>
> disable spoolss
>
> Setting this parameter causes Samba to go back to the old 2.0.x
> LANMAN printing behavior, for people who wish to disable the
> new SPOOLSS pipe.
>
> use client driver
>
> Causes Windows NT/2000 clients to need to have a local printer driver
> installed and to treat the printer as local.
>
> New LDAP parameters.
> --------------------
>
> Samba 2.2.2 contains new code to maintain a Samba SAM database
> on a remote LDAP server. These parameters have been added as
> part of this code. These parameters are only available when Samba
> has been compiled with the --with-ldapsam option.
>
> ldap admin dn
> ldap ssl
>
> New SSL parameters.
> -------------------
>
> The SSL support in Samba has been fixed. These new parameters
> are part of the changes added. These parameters are only available
> when Samba has been compiled with the --with-ssl option.
> Please see the smb.conf man page for details.
>
> ssl egd socket
> ssl entropy file
> ssl entropy bytes
>
> New winbindd parameters.
> ------------------------
>
> These parameters are used by winbindd. See the man page for
> winbindd for details.
>
> winbind separator
> winbind uid
> winbind gid
> winbind cache time
> winbind enum users
> winbind enum groups
> template homedir
> template shell
>
> Removed parameters.
> -------------------
>
> share modes
> ldap root
> ldap root passwd
>
> New Documentation.
> ------------------
>
> Some new README's have been added in the docs/ directory. These cover
> using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
> and how to use Samba to help prevent Windows virus spread
> (docs/README.Win32-Viruses).
>
> Quota problems on a Linux 2.4 kernel.
> -------------------------------------
>
> Currently the quota interfaces have diverged between the Linus
> 2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
> are shipped with RedHat). Running quota-enabled Samba compiled on
> an Alan Cox kernel works correctly on an Alan Cox kernel (the one
> shipped by default with RedHat 7.x) but fails on a Linus kernel.
>
> This is a mess, and hopefully Alan and Linus will sort it out soon.
> In the meantime we need to ship.....
>
> Changes in 2.2.2
> -----------------
>
> 1). mmap tdb code disabled on HPUX. This should prevent the reports of
> tdb corruption on HPUX.
> 2). Large file support set to off in Solaris 5.5 and below.
> 3). Better CUPS detection.
> 4). New SAM (password database) backends - smbpasswd (traditional),
> LDAP, NIS+ and Samba TDB.
> 5). Quota fixups on Linux.
> 6). libsmbclient stand-alone code added. Can be built as a shared library
> under Linux.
> 7). Tru64 ACL support added.
> 8). winbindd option added.
> 9). Realloc fail tidyup fixes all over the code.
> 10). Large improvement in hash table code efficiency - would be found with
> large stat caches.
> 11). Error code consistency improved (still needs more work).
> 12). Profile shared memory support added to nmbd.
> 13). New Windows 2000/NT passthrough info levels added.
> 14). readraw/writeraw code rewritten - many bugs fixed.
> 15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
> 16). Reverse DNS lookup avoided on socket open.
> 17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
> 18). Zero length byte range lock code added. Much closer to Windows semantics.
> 19). Alignment fault fixes for Linux/Alpha.
> 20). Error checking on tdb returns vastly improved.
> 21). Handling of delete on close fixed. No longer possible to leave 'dead'
> file entries.
> 22). Handling of oplock break failure cleanups improved. Should not be
> able to leave 'dead' entries.
> 23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
> 24). Misc. MS-DFS code fixes.
> 25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
> 26). winbind pam module added.
> 27). Order N^^2 enumeration of printers problem fixed.
> 28). Password backend database code re-ordered to allow different password
> backends (at compile time currently).
> 29). Improved print driver version detection for Windows 2000.
> 30). Driver DEVMODE initialization fixes.
> 31). Improved SYSV print parse code.
> 32). Fixed enumeration of large numbers of users/groups from Windows clients.
> Code still too slow.
> 33). Fix for buggy NetApp RPC pipe clients.
> 34). Fix for NT sending multiple SetPrinterDataEx calls.
> 35). Fix for logic bug where smbd could delay oplock break request messages
> from other smbd daemons whilst client kept us busy.
> 36). Fix deadlock problem with connections tdb on enumeration.
> 37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
> 38). Removed unused readbmpx/writebmpx code.
> 39). Attempt to fix Linux 2.4.x quota mess.
> 40). Improved ctemp code for Windows 2000 compatibility.
> 41). Finally understood difference between set EOF and set allocation requests.
> Added strict allocate parameter to help.
> 42). Correctly return name types on name to SID lookups.
> 43). tdb spinlock code update.
> 44). Use pread/pwrite on systems that have it to fix race condition in tdb code.
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.1a follow :
>
> This is a minor bugfix release for 2.2.1, *NOT* security related.
>
> 1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
> Windows2000 machine into a Samba hosted PDC would fail due to our
> stricter user name checking. We were disallowing user names
> containing '$', which is needed when using smbpasswd to add a
> machine into a domain. Automatically adding machines (using the
> native Windows tools) into a Samba domain worked correctly.
>
> 2.2.1a fixes this single problem.
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.1 follow :
>
> New/Changed parameters in 2.2.1
> -------------------------------
>
> Added parameters.
> -----------------
>
> obey pam restrictions
>
> When Samba is configured to use PAM, turns on or off Samba checking
> the PAM account restrictions. Defaults to off.
>
> pam password change
>
> When Samba is configured to use PAM, turns on or off Samba passing
> the password changes to PAM. Defaults to off.
>
> large readwrite
>
> New option to allow new Windows 2000 large file (64k) streaming
> read/write options. Needs a 64 bit underlying operating system
> (for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
> by 10% with Windows 2000 clients. Defaults to off. Not as tested
> as some other Samba code paths.
>
> hide unreadable
>
> Prevents clients from seeing the existence of files that cannot
> be read. Off by default.
>
> enhanced browsing
>
> Turn on/off the enhanced Samba browsing functionality (*1B names).
> Default is "on". Can prevent eternal machines in workgroups when
> WINS servers are not synchronized.
>
> Removed parameters.
> -------------------
>
> domain groups
> domain admin users
> domain guest users
>
> Changes in 2.2.1
> -----------------
>
> 1). "find" command removed for smbclient. Internal code now used.
> 2). smbspool updates to retry connections from Michael Sweet.
> 3). Fix for mapping 8859-15 characters to UNICODE.
> 4). Changed "security=server" to try with invalid username to prevent
>     account lockouts.
> 5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
> 6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
> 7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
>     lock tester tool for distributed databases.
> 8). Preliminary support added for Windows 2000 large file read/write SMBs.
> 9). Changed random number generator in Samba to prevent guess attacks.
> 10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
>      smbd's clean the tdb files on startup and shutdown.
> 11). Fixes for default ACLs on Solaris.
> 12). Tidyup of password entry caching code.
> 13). Correct shutdowns added for send fails. Helps tdb cleanup code.
> 14). Prevent invalid '/' characters in workgroup names.
> 15). Removed more static arrays in SAMR code.
> 16). Client code is now UNICODE on the wire.
> 17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
> 18). All tdb opens now going through logging function.
> 19). Add pam password changing and pam restrictions code.
> 20). Printer driver management improvements (delete driver).
> 21). Fix difference between NULL security descriptors and empty
>      security descriptors.
> 22). Fix SID returns for server roles.
> 23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
> 24). Allow smbcontrol to forcibly disconnect a share.
> 25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent
>      mmap/file read/write cache.
> 26). Fix race condition in returning create disposition for file create/open.
> 27). Fix NT rewriting of security descriptors to their canonical form for
>      ACLs.
> 28). Fix for Samba running on top of Linux VFAT ftruncate bug.
> 29). Swat fixes for being run with xinetd that doesn't set the umask.
> 30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
>      TCP stack early ack specification error.
> 31). Changed lock & persistent tdb directory to /var/cache/samba by default on
>      RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.
>
> -----------------------------------------------------------------------------
> The release notes for 2.2.0a follow :
>
> SECURITY FIX
> ============
>
> This is a security bugfix release for Samba 2.2.0. This release provides the
> following two changes *ONLY* from the 2.2.0 release.
>
> 1). Fix for the security hole discovered by Michal Zalewski (lcamtuf at bos.bindview.com)
>     and described in the security advisory below.
> 2). Fix for the hosts allow/hosts deny parameters not being honoured.
>
> No other changes are being made for this release to ensure a security fix only.
> For new functionality (including these security fixes) download Samba 2.2.1
> when it is available.
>
> The security advisory follows :
>
>
>                 IMPORTANT: Security bugfix for Samba
>                 ------------------------------------
>
> June 23rd 2001
>
>
> Summary
> -------
>
> A serious security hole has been discovered in all versions of Samba
> that allows an attacker to gain root access on the target machine for
> certain types of common Samba configuration.
>
> The immediate fix is to edit your smb.conf configuration file and
> remove all occurrences of the macro "%m". Replacing occurrences of %m
> with %I is probably the best solution for most sites.
>
> Details
> -------
>
> A remote attacker can use a netbios name containing unix path
> characters which will then be substituted into the %m macro wherever
> it occurs in smb.conf. This can be used to cause Samba to create a log
> file on top of an important system file, which in turn can be used to
> compromise security on the server.
>
> The most commonly used configuration option that can be vulnerable to
> this attack is the "log file" option. The default value for this
> option is VARDIR/log.smbd. If the default is used then Samba is not
> vulnerable to this attack.
>
> The security hole occurs when a log file option like the following is
> used:
>
>   log file = /var/log/samba/%m.log
>
> In that case the attacker can use a locally created symbolic link to
> overwrite any file on the system. This requires local access to the
> server.
>
> If your Samba configuration has something like the following:
>
>   log file = /var/log/samba/%m
>
> Then the attacker could successfully compromise your server remotely
> as no symbolic link is required. This type of configuration is very
> rare.
>
> The most commonly used log file configuration containing %m is the one
> distributed in the sample configuration file that comes with Samba:
>
>   log file = /var/log/samba/log.%m
>
> in that case your machine is not vulnerable to this attack unless you
> happen to have a subdirectory in /var/log/samba/ which starts with the
> prefix "log."
>
> Credit
> ------
>
> Thanks to Michal Zalewski (lcamtuf at bos.bindview.com) for finding this
> vulnerability.
>
>
> New Release
> -----------
>
> While we recommend that vulnerable sites immediately change their
> smb.conf configuration file to prevent the attack we will also be
> making new releases of Samba within the next 24 hours to properly fix
> the problem. Please see http://www.samba.org/ for the new releases.
>
> Please report any attacks to the appropriate authority.
>
>         The Samba Team
>         security at samba.org
>
> ---------------------------------------------------------------------------
>
> The release notes for 2.2.0 follow :
>
> This is the official Samba 2.2.0 release. This version of Samba provides
> the following new features and enhancements.
>
> Integration between Windows oplocks and NFS file opens (IRIX and Linux
> 2.4 kernel only). This gives complete data and locking integrity between
> Windows and UNIX file access to the same data files.
>
> Ability to act as an authentication source for Windows 2000 clients as
> well as for NT4.x clients.
>
> Integration with the winbind daemon that provides a single
> sign on facility for UNIX servers in Windows 2000/NT4 networks
> driven by a Windows 2000/NT4 PDC. winbind is not included in
> this release, it currently must be obtained separately. We are
> committed to including winbind in a future Samba 2.2.x release.
>
> Support for native Windows 2000/NT4 printing RPCs. This includes
> support for automatic printer driver download.
>
> Support for server supported Access Control Lists (ACLs).
> This release contains support for the following filesystems:
>
>     Solaris 2.6+
>     SGI Irix
>     Linux Kernel with ACL patch from http://acl.bestbits.at
>     Linux Kernel with XFS ACL support.
>     Caldera/SCO UnixWare
>     IBM AIX
>     FreeBSD (with external patch)
>
> Other platforms will be supported as resources are
> available to test and implement the necessary modules. If
> you are interested in writing the support for a particular
> ACL filesystem, please join the samba-technical mailing
> list and coordinate your efforts.
>
> On PAM (Pluggable Authentication Module) based systems - better debugging
> messages and encrypted password users now have access control verified via
> PAM - Note: Authentication still uses the encrypted password database.
>
> Rewritten internal locking semantics for more robustness.
> This release supports full 64 bit locking semantics on all
> (even 32 bit) platforms. SMB locks are mapped onto POSIX
> locks (32 bit or 64 bit) as the underlying system allows.
>
> Conversion of various internal flat data structures to use
> database records for increased performance and
> flexibility.
>
> Support for acting as a MS-DFS (Distributed File System) server.
>
> Support for manipulating Samba shares using Windows client tools
> (server manager). Per share security can be set using these tools
> and Samba will obey the access restrictions applied.
>
> Samba profiling support (see below).
>
> Compile time option for enabling a (Virtual file system) VFS layer
> to allow non-disk resources to be exported as Windows filesystems
> (such as databases etc.).
>
> The documentation in this release has been updated and converted
> from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
> and some defaults have changed.
>
> Profiling support.
> ------------------
> Support for collection of profile information. A shared
> memory area has been created which contains counters for
> the number of calls to and the amount of time spent in
> various system calls, smb transactions and nmbd activity. See
> the file profile.h for a complete listing of the information
> collected. Sample code for a samba pmda (collection agent
> for Performance Co-Pilot) has been included in the pcp
> directory.
>
> To enable the profile data collection code in samba, you must
> compile samba with profile data support (run configure with
> the --with-profiling-data option). On startup, collection of
> data is disabled. To begin collecting data use the smbcontrol
> program to turn on profiling (see the smbcontrol man page).
> Profile information collection can be enabled for nmbd, all smbd
> processes or one or more selected processes. The profiling
> data collected is the aggregate for all processes that have
> profiling enabled.
>
> With samba compiled for profile data collection, you may see
> a very slight degradation in performance even with profiling
> collection turned off. On initial tests with NetBench on an
> SGI Origin 200 server, this degradation was not measurable
> with profile collection off compared to no profile collection
> compiled into samba.
>
> With count profile collection enabled on all clients, the
> degradation was less than 2%. With full profile collection
> enabled on all clients, the degradation was about 8.5%.
>
> =====================================================================
>
>
>
>
>
>
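An added example, not part of the quoted announcement and not Samba's own code: a small smb.conf audit that finds every use of %m and sorts it into the three cases the security advisory's Details section distinguishes, together with the %I replacement the advisory recommends. The sample configuration, function names and verdict labels are constructed for illustration.

```python
import re

# Constructed smb.conf fragment for illustration; section names are made up.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   ; log file = /var/log/samba/%m   (commented out, ignored)
   Log File = /var/log/samba/%m.log
[share_a]
   log file = /var/log/samba/%m
[share_b]
   logfile = /var/log/samba/log.%m
[share_c]
   log file = /var/log/samba/%I.log
"""

def classify(value):
    """Triage one value using the advisory's three example shapes.
    Other shapes fall into the nearest case and deserve a manual look."""
    if "%m" not in value:
        return "ok"
    before, after = value.split("%m", 1)
    prefix = before.rsplit("/", 1)[-1]   # text sharing a path component with %m
    if prefix:
        return "prefixed"  # needs an existing subdirectory starting with the prefix
    if after:
        return "local"     # suffix after %m: advisory says a local symlink is required
    return "remote"        # bare trailing %m: advisory says no symlink is required

def audit(conf_text):
    """Return (section, parameter, value, verdict, suggested value) per %m use."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank lines and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        verdict = classify(value)
        if verdict != "ok":
            # smb.conf parameter names ignore case and internal whitespace
            key = re.sub(r"\s+", "", name).lower()
            findings.append((section, key, value, verdict, value.replace("%m", "%I")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

All three verdicts are worth fixing; the label only says how urgent the advisory considers that shape.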




