Preliminary 3.0.23c patch for testing and review

Gerald (Jerry) Carter jerry at samba.org
Wed Aug 23 16:49:23 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

I've uploaded the preliminary patch against 3.0.23b that will
become 3.0.23c so people can do full testing against what
we hope to be the release code.  Note that the reported version
in the patch is 3.0.23c-gwc-1 to prevent confusion from the
final 3.0.23c release.

You can download the gzipped patch file from
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz.
The uncompressed patch file has been signed using the
normal samba software release key (ID 157BC95E).

Please report *any* bugs that you find.  Don't assume
someone else will do it for you.  Of course, we can't fix
all the bugs in this release, but if something is
broken that was working in a previous release, we need to
know.  Thanks.



cheers, jerry




Here are the relevant sections from the WHATSNEW.txt file:


- ------
Common bugs fixed in 3.0.23c include:

  o Authentication failures in pam_winbind when the AD domain
    policy is set to not expire passwords.
  o Authorization failures when using smb.conf options such
    as "valid users" with the smbpasswd passdb backend.


RID Algorithms & Passdb
=======================

Starting with the 3.0.23c release, the officially supported passdb
backends (smbpasswd, tdbsam, and ldapsam) now operate identically
with regards to the historical RID algorithm for unmapped users
and groups (i.e. accounts not in the passdb or group mapping table).
The resulting behavior is that all unmapped users are resolved
to a SID in the S-1-22-1 domain and all unmapped groups resolve
to a SID in the S-1-22-2 domain.  Previously, when using the
smbpasswd passdb, such users and groups would resolve to an
algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX).
However, the smbpasswd backend still utilizes the RID algorithm
when creating new user accounts or allocating a RID for a new
group mapping entry.

With the changes in the 3.0.23c release, it is now possible to
resolve a uid/gid, name, or SID in any direction and always obtain
a symmetric mapping.  This is important so that values for smb.conf
parameters such as "valid users" resolve to the same SIDs as those
included in the local user's initial token.

Most installations will notice no change.  However, because
an unmapped account's SID will now change even when using
smbpasswd it is possible that any security descriptors on files
previously copied from a Samba host to a Windows NTFS partition
may now fail to give access. The workaround is to either manually
map all affected groups (or add impacted users to the server's
passdb) or to manually reset the file's ACL.


######################################################################
Changes
#######

Changes since 3.0.23b
- ---------------------

commits
- -------
o   Jeremy Allison <jra at samba.org>
    * Various fixes for winbindd's offline mode.
    * OS/2 fixes for large Extended Attributes data.
    * Fix nmbd crashes caused by miscalculation in pushing
      announcements.


o   Gerald (Jerry) Carter <jerry at samba.org>
    * RHEL4 and Fedora packaging updates.
    * Remove RID algorithm support for unmapped users and groups
      when using an smbpasswd backend.
    * Extend the NT token for local users with the S-1-22-2
      SID for each supplementary group.
    * BUG 3969: Fix unsigned time comparison with expiration
      policy from AD DC.
    * Merge Guenther's fixes from the SuSE SLES10 tree to ensure
      that winbindd talks to the correct DC when servicing PAM
      authentication requests.


o   Guenther Deschner <gd at samba.org>
    * Fix msdfs RPC client and server management RPCs.
    * Align idmap_ad with the current idmap_methods interface.


o   Volker Lendecke <vl at samba.org>
    * Re-add support for "username level" when looking up the
      matching Unix user for an smbpasswd entry.


o   Simo Sorce <idra at samba.org>
    * Let innetgr() work without binding its use to a
      NIS domain to support netgroups in local files.


o   Ben Winslow <rain at bluecherry.net>
    * Allow client smb signing to be turned off correctly.

- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE7IcTIR7qMdg1EfYRAk9YAJ0cnanW7ob+gGabvtfCrctgncwJHwCg4KIk
k3aWQ+qOS8HGdnAsT0Kad2s=
=bkTC
-----END PGP SIGNATURE-----
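
The SID change described under "RID Algorithms & Passdb", as an added example that is not part of the original message or of Samba's code: it computes the SID an unmapped account had under the historical RID algorithm and the S-1-22 SID it resolves to from 3.0.23c on, then flags which SIDs in an old ACL are affected. The RID formula constants (base 1000, multiplier 2, low bit marking groups) are assumptions taken from Samba's defaults, and the machine SID and ACL entries are constructed sample values.

```python
RID_BASE = 1000                # assumed default of smb.conf "algorithmic rid base"
RID_MULTIPLIER = 2             # assumed: the historical algorithm doubles the Unix id
USER_TYPE, GROUP_TYPE = 0, 1   # assumed: low bit of the RID, 0 = user, 1 = group


def legacy_sid(machine_sid, unix_id, is_group):
    """SID an unmapped account received from the smbpasswd backend before 3.0.23c."""
    rid_type = GROUP_TYPE if is_group else USER_TYPE
    rid = (unix_id * RID_MULTIPLIER + RID_BASE) | rid_type
    return f"{machine_sid}-{rid}"


def unix_sid(unix_id, is_group):
    """SID an unmapped account resolves to from 3.0.23c on (S-1-22-1 users, S-1-22-2 groups)."""
    return f"S-1-22-{2 if is_group else 1}-{unix_id}"


def remap_acl_sid(sid, machine_sid, mapped_rids=frozenset()):
    """Return the S-1-22 SID that now stands for `sid`, or None if `sid` is unaffected.

    mapped_rids holds RIDs that exist in the passdb or group mapping table;
    those accounts keep their SID in the machine's own domain.
    """
    prefix, _, tail = sid.rpartition("-")
    if prefix != machine_sid or not tail.isdigit():
        return None                      # not a SID in this machine's domain
    rid = int(tail)
    if rid < RID_BASE or rid in mapped_rids:
        return None                      # well-known RID or a mapped account
    is_group = (rid & 1) == GROUP_TYPE
    unix_id = (rid - RID_BASE - (rid & 1)) // RID_MULTIPLIER
    return unix_sid(unix_id, is_group)


def audit_acl(acl_sids, machine_sid, mapped_rids=frozenset()):
    """Map each affected ACL entry to its replacement SID."""
    hits = {s: remap_acl_sid(s, machine_sid, mapped_rids) for s in acl_sids}
    return {old: new for old, new in hits.items() if new is not None}


# Constructed sample data: a machine domain SID and the SIDs found in one file's ACL.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACL = [f"{MACHINE_SID}-2000", f"{MACHINE_SID}-1201",
              f"{MACHINE_SID}-3000", f"{MACHINE_SID}-512", "S-1-5-32-544"]

if __name__ == "__main__":
    for old, new in audit_acl(SAMPLE_ACL, MACHINE_SID, mapped_rids={3000}).items():
        print(f"{old} -> {new}")
```

Entries the audit reports are the ones to re-grant under the new SID or to cover by mapping the account, which are the two workarounds the release notes give.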

