Samba 3.3.0 Available for Download

                   Release Notes for Samba 3.3.0
			  January, 27 2009

This is the first stable release of Samba 3.3.0.

Major enhancements in Samba 3.3.0 include:

 General changes:
 o The passdb tdbsam version has been raised.

 o Splitting of library directory into library directory and separate
   modules directory.
 o The default value of "ldap ssl" has been changed to "start tls".

 File Serving:
 o Extended Cluster support.
 o New experimental VFS modules "vfs_acl_xattr" and "vfs_acl_tdb"
   to store NTFS ACLs on Samba file servers.

 o Simplified idmap configuration.
 o New idmap backends "adex" and "hash".
 o Added new parameter "winbind reconnect delay".
 o Added support for user and group aliasing.
 o Added support for multiple domains to idmap_ad.

 Administrative tools:
 o The destination "all" of smbcontrol does now affect all running
   daemons including nmbd and winbindd.
 o New 'net rpc vampire keytab' and 'net rpc vampire ldif' commands.
 o The 'net' utility can now use kerberos for joining and authentication.
 o The 'wbinfo' utility can now add, modify and remove identity mapping entries.

 o NetApi library implements various new calls for User- and Group
   Account Management.
 o libsmbclient does now determine case sensitivity based on file system

General changes

The passdb tdbsam version has been raised as among other things the RID counter
has been moved from the winbindd_idmap.tdb to the passdb.tdb file to make
"passdb backend = tdbsam" working in clustered environments.

Please note that an updated passdb.tdb file is _not_ compatible with Samba
versions before 3.3.0! Please backup your passdb.tdb file if
you use "passdb backend = tdbsam". That can be achieved by running

'tdbbackup /etc/samba/passdb.tdb'

before the update.

Configure changes

The configure option "--with-libdir" has been removed. The library
directory can still be specified by using the existing "--libdir" option.
A new option "--with-modulesdir" has been added to allow the specification
of a separate directory for the shared modules.

Configuration changes

The default value of "ldap ssl" has been changed to "start tls". This means,
Samba will use the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with directory servers by default. If your directory servers
do not support this extended operation, you will have to set
"ldap ssl = no". Otherwise, Samba could not contact the directory servers

Winbind idmap backend changes

The idmap configuration has changed with version 3.3 to something that
allows a smoother upgrade path from pre-3.0.25 configurations that use
"idmap backend". The reason for this change is that to many, also to Samba
developers, the 3.0.25 style configuration with "idmap config" turned out
to be very complex. Version 3.3 no longer deprecates the "idmap backend"
parameter, instead with "idmap backend" the default idmap backend is

Accordingly, the "idmap config  : default = yes" setting is no
longer being looked at.

The alloc backend defaults to the default backend, which should be able to
allocate IDs. In the default distribution the tdb and ldap backends can
allocate, the ad and rid backends can not. The idmap alloc range is now
being set with the "old" parameters "idmap uid" and "idmap gid".

The "idmap domains" parameter has been removed.

winbind reconnect delay

This is a new parameter which specifies the number of seconds the Winbind
daemon will wait between attempts to contact a Domain controller for a domain
that is determined to be down or not contactable.

Winbind's Name Aliasing

Name aliasing in Winbind is a feature that allows an administrator to
map a fully qualified user or group name from a Windows domain to a
convenient short name for Unix access.  This is similar to the username
map functionality supported by smbd but is primary intended for
clients and servers making use of Winbind's PAM and NSS libraries.

For example, the user "DOMAIN\fred" has been mapped to the Unix name

   $ getent passwd "DOMAIN\fred"
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

   $ getent passwd freddie
   freddie:x:1000:1001:Fred Jones:/home/freddie:/bin/bash

The name aliasing support is provided by individual nss_info plugins.
For example, the new "adex" plugin reads the uid attribute from Active
Directory to make a short login name to the fully qualified name.
While the new "hash" module utilizes a local file to map "short_name
= QUALIFIED\name".  Both user and group name mapping is supported.
Please refer to the "winbind nss info" option in smb.conf(5) and
to individual plugin man pages for further details.


The idmap_hash plugin provides similar support as the idmap_rid
module.  However, uids and gids are generated from the full domain
SID using a hashing algorithm that maps the lower 19 bits from the user
or group RID to bits 0 - 19 in the Unix id and hashes 96 bits from
the domain SID to bits 20 - 30 in the Unix id.  The result is a 31 bit
uid or gid that is consistent across machines and provides support for
trusted domains.

Please refer to the idmap_hash(8) man page for more details.


The adex idmap/nss_info plugin is an adaptation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).

This plugin supports

      * The RFC2307 schema for users and groups.
      * Connections to trusted domains
      * Global catalog searches
      * Cross forest trusts
      * User and group aliases

Prerequisite: Add the following attributes to the Partial Attribute
Set in global catalog:

      * uidNumber
      * uid
      * gidNumber

A basic config using the current trunk code would look like:

	idmap backend = adex
	idmap uid = 10000 - 29999
	idmap gid = 10000 - 29999
	winbind nss info = adex

	winbind normalize names = yes
	winbind refresh tickets = yes
	template homedir = /home/%D/%U
	template shell = /bin/bash

Please refer to the idmap_adex(8) man page for more details.


libsmbclient will now treat file names case-sensitive by default if the filesystem
we are connecting to supports case sensitivity. This change of behavior is
considered a bug fix, as it was previously possible to accidentally overwrite a
file that had the same case-insensitive name but a different case-sensitive name
as a previously-existing file, while creating a new file.

If it is not possible to detect if the filesystem supports case sensitivity,
the user-specified option value will be used.


smb.conf changes

    Parameter Name                      Description     Default
    --------------                      -----------     -------
    cups connection timeout		New		30
    idmap config DOM:range		Removed
    idmap domains			Removed
    init logon delayed hosts		New		""
    init logon delay			New		100
    ldap ssl				Changed Default	start tls
    share modes				Deprecated
    winbind reconnect delay		New		30

Changes since 3.3.0rc2:

o   Jeremy Allison 
    * BUG 4308: Fix corrupting of file ACLs during Excel save operations.
    * BUG 5979: Fix level 2 oplocks being granted improperly.
    * BUG 5980: Race condition when granting level2 oplocks can cause break
      notify to be missed.
    * BUG 5986: Editing a stream is broken (rename problems).
    * BUG 5990: Strict allocate should be checked before ftruncate.
    * BUG 6009: Setting "min receivefile size = 1" breaks writes.
    * BUG 6016: Alternate Data Streams / Extended Attributes seem to conflict.
    * BUG 6017: Fix magic scripts.
    * BUG 6019: Fix file corruption in Clustered SMB/NFS environment managed via
    * BUG 6021: smbclient du command does not recuse properly.
    * BUG 6024: Deprecate the "share modes" parameter.
    * BUG 6030: Add missing  header in Status page.
    * BUG 6035: Fix possible race between fcntl F_SETLKW and alarm delivery.
    * BUG 6040: Calling Samba print server with an aliased DNS-name fails.
    * Fix gcc 4.3.2 warnings.
    * Fix more asprintf errors and error code paths.
    * Attempt to fix crash seen with new CUPS async printcap loading code.
    * Add winbindd_reinit_after_fork(), cleaning out all possible events
      in a forked child.
    * Make winbindd_cm.c use winbindd_reinit_after_fork().
    * Fix race condition in alarm lock processing.
    * Fixes crash bug in SWAT.

o   Michael Adam 
    * Fix build of on older Linux systems.
    * Packaging RHEL-CTDB: Fix build of [u]mount.cifs.
    * Prevent access to root filesystem when connecting with empty service name.
    * Fix distclean target and add realdistclean target in the docs build.
    * Add manpage for idmap_tdb2.
    * Clarify idmap manpages.

o   Kai Blin 
    * BUG 5953: Fix smbclient crashes.

o   Gerald (Jerry) Carter 
    * Fix "allow trusted domain" so it disables trusted domains.
    * Return immediately on a failed GC connection in ads_connect.

o   SATOH Fumiyasu 
    * Fix gmem->numgids and gmem->maxgids breakage on Solaris 64-bit.
    * Fix SIGBUS on non-x86 CPUs in libsmbclient.
    * Fix a compile-time warning.

o   Holger Hetterich 
    * Add a simple tdb integrity check to tdbtool.

o   Björn Jacke 
    * Correct the description of the "ldap timeout" parameter.

o   Volker Lendecke 
    * BUG 5913: Fix build error with at least GCC 4.2.2.
    * BUG 5933: Fix incrementing/decrementing of num_validated_vuids.
    * BUG 5953: Make cli_send_smb_direct_writeX use writev.
    * BUG 5965: Fix creation of the first share using SWAT.
    * BUG 5969: Optimize smbclient put command.
    * BUG 6012: Add "get_real_filename" to full_audit.
    * BUG 6014: Fix segfault when calling mget without arguments.
    * Fix a spinning smbd when printing.
    * Fix a memory leak in cups_pull_comment_location.
    * Fix a valgrind error.
    * Fix a "ignoring function call result" warning.
    * Fix some C++ warnings.
    * Fix an ancient uninitialized variable read.
    * Fix a bad memleak in vfs_full_audit.

o   Derrell Lipman 
    * BUG 6022: Make smbc_urlencode and smbc_urldecode in libsmbclient.
    * Determine case sensitivity based on file system attributes.

o   Stefan Metzmacher 
    * net_status: Use dbwrap to open sessionid.tdb.
    * Fix dbwrap_store_uint32() to match dbwrap_store_int32().
    * Make marshalling struct samu from and to a buffer more generic.
    * Store the next rid counter in passdb.tdb instead of winbind_idmap.tdb.
    * Register the client connection via CTDB_CONTROL_TCP_ADD.
    * Don't need to call messaging_reinit() twice.
    * Add manpage for vfs_fileid.
    * Rename 'fd_event' to 'winbindd_fd_event' to avoid confusion.
    * Recreate the per domain check_online_event without relying on global
    * Handle the smb signing states the same in the krb5 and ntlmssp cases.
    * Re-add 'fileid:algorithm' option to vfs_fileid.
    * Fix CTDB IPv6 support in cluster setups.
    * Reinit_after_fork() should reinit the event context before the
      messaging context.
    * Fix PCAP support in socket_wrapper.

o   Lars Müller 
    * Tweak with pam defines of older Linux versions.

o   Tim Prouty 
    * Fix stream marshalling to return the correct streaminfo status.
    * Allow renames of streams via NTRENAME and fix stream error codes on
    * Remove a few unnecessary checks from the streams xattr module.
    * Remove a few unnecessary checks from the streams depot module and fix to
      work with NTRENAME.

o   Andreas Schneider 
    * Fix a segfault if ? is there but the options are NULL.
    * Avoid flooding of syslog with failing pam_putenv messages.

o   Karolin Seeger 
    * BUG 6000: Avoid bashism in perfcount.init.
    * Change default value of "ldap ssl" to "start tls".
    * Update version number in the manpages.
    * Fix several small issues and typos in the manpages.
    * Check if Unix account exists before asking for the password in smbpasswd.

o   Todd Stecher 
    * Fix memory leaks and other fixes found by Coverity.

o   Bo Yang 
    * Clean event context after child is forked.
    * Fix broken krb5 refresh chain.
    * Set entry->refresh_time to make ccache_regain_all_now() work correctly.
    * Refresh sequence number as soon as possible.
    * Don't set child->requests to NULL in parent after fork.
    * Don't send message to any other child in child process.
    * Fix bug in get_dc_name_via_netlogon(), null pointer reference.

"Changes since" sections of 3.3 previews and release candidates follow:

Changes since 3.3.0rc1:

o   Jeremy Allison 
    * BUG 1254: Fix "write list" in setups using "security = share".
    * BUG 5937: Fix filenames with "*" char hiding other files.
    * BUG 5953: Fix segfaults in smbclient.
    * Fix usrmgr opening a user object as non-root.

o   Michael Adam 
    * BUG 3661: Add support for trusted domains to idmap_ad.
    * Fix default backend handling for ad backends.
    * Fix potential segfault in vfs_tsmsm.
    * Fix several RHEL CTDB packaging issues.

o   Guenther Deschner 
    * BUG 5957: Do not abort rename process on valid rename script.
    * Fix various potential memleaks in samr_SetUserInfo.
    * Fix access bits in netapi.

o   Steve French 
    * BUG 5934: Use USER environment in mount.cifs when no user is specified.
    * variable

o   SATOH Fumiyasu 
    * BUG 5688: LPQ process is orphaned if socket address parameter is invalid.
    * Vars for signals must be volatile sig_atomic_t.

o   Henning Henkel 
    * BUG 5929: Fix build of vfs_prealloc with option --with-cluster-support and

o   Tomasz Krasuski 
    * BUG 5928: Fix 'testparm --version'.

o   Jeff Layton 
    * Allow mounts to ipv6 capable servers in mount.cifs.

o   Volker Lendecke 
    * Fix crash bug when freeing a non-malloc'ed buffer if the client sends a
      non-encrypted packet with the crypto state set.
    * Fix error code when smbclient puts a file over an existing directory.
    * Pass the get_real_filename operation through the VFS.

o   Stefan Metzmacher 
    * BUG 5749: Re-set acctflags while joining.
    * Fix several issues concerning Alternate Data Streams.
    * Fix valgrind bug lp_parm_const_string().
    * Fix setting of trust passwords using 'net rpc trustdom add'.
    * Correctly detect if the current dc is the closest one.

o   Tim Prouty 
    * Fix a delete on close divergence from windows.

o   Dan Sledz 
    * Fix logging to syslog.

o   Yasuma Takeda 
    * BUG 5944: Fix starting of nmbd with "socket address" set to "".

o   Bo Yang 
    * Fix script when no .po file exists.


Changes since 3.3.0pre2:

o   Michael Adam 
    * Fix eventlog crash.
    * Make keytab filename argument mandatory to "net rpc vampire keytab".
    * Add domain prefix to username in lookup_groupmem().
    * Honour "winbind use default domain" in lookup_groupmem().
    * Sanely handle NULL domain in add_member().
    * Don't list the domain twice when expanding internal aliases.
    * Prevent negative GM/ cache entries due to broken connections.
    * Use the reconnect methods instead of the rpc methods directly.

o   Jeremy Allison 
    * BUG 5080: Fix access to cups-printers with cups 1.3.4.
    * BUG 5814: Fix Winbind crash bug while doing "rescan_trusted_domain".
    * BUG 5818: Sort ACEs in smbcacl output properly and honor inheritance.
    * BUG 5825: Fix account locking with an LDAP backend.
    * BUG 5826: Fix truncated filenames when accessing old servers.
    * BUG 5873: Fix ACL inheritance.
    * BUG 5889: Fix "delete veto files = no".
    * BUG 5891: Fix smbd crash when viewing the eventlog exported by "eventlog
    * BUG 5900: Fix vfs_readonly.
    * BUG 5903: Fix breaking of file contents in vfs_streams_xattr.
    * BUG 5904: Fix SIGABRT while servicing getaddrinfo() request caused by
    * BUG 5914: Fix redefinition of struct name_list.
    * Correctly fix smbclient to terminate on eof from server.
    * Fix client timeout when searching for a large number of cups printers.
    * Unify access checks for lsa server functions.
    * Remove the requirement for ldap call made as root.
    * Cope with MAXIMUM_ALLOWED_ACCESS requests when opening handles.
    * Fix net rpc vampire, based on an *amazing* piece of debugging work by
      "Cooper S. Blake" .
    * Fix memory leak in error path, spotted by Martin Zielinski .
    * Add vfs_acl_tdb.c module to do ACLs completely in userspace.
    * Use fxattr calls whenever possible (trying to work around the strange
      Linux kernel oplock bug).

o   Kai Blin 
    * BUG 5892: Fix net rap printq info documentation.
    * Add placeholder functions to libwbclient.

o   Gerald (Jerry) Carter 
    * Use the same prerequisite for DDNS update as Windows XP.
    * Make "lwinet ads dns register" honor the "interfaces" parameter.

o   Steven Danneman 
    * Add options to manage identity mapping entries to wbinfo and Winbind.
    * Fix to allow setting of NULL DACL/SACL.

o   Guenther Deschner 
    * BUG 5888: Fix remote rpc service management.
    * Ensure consistency when reporting password complexity.
    * Fix _lsa_GetUserName.
    * Fix access check in _samr_QuerySecurity().
    * _samr_DeleteUser needs to wipe out the user_handle on success.
    * NetGroupEnum_r needs to handle servers with no groups.
    * Fix numerous netapi issues.
    * Add support for partial and delta netlogon replication in
      "net rpc vampire".
    * Add automatic machine password update in Winbind for member servers.
    * Add German internalization for pam_winbind.
    * Add Winbind krb5 locator plugin manpage.
    * Add new wbclient wbcLookupDomainControllerEx call.
    * Use autogenerated DCE/RPC routines for one more call on SVCCTL
      named pipe.
    * Use autogenerated NBT routines from Samba4 for Mailslot/CLDAP
    * Fix Winbind password change code for Windows 2000 DCs.
    * Fix PNP_HwProfInfo NDR parsing.
    * Add wbclient wbcLogonUser and wbcLogoffUserEx functions.
    * Add automatic home directory creation for pam_winbind.

o   Mathias Dietz 
    * Search for gpfs functions in both an

o   Dina Fine 
    * BUG 5908: Fix internal change notify on share directories.

o   Nils Goroll 
    * BUG 5135: Prevent calling POSIX ACL vfs methods on zfs share.
    * BUG 5446: Prevent calling POSIX ACL vfs methods on zfs share.

o   Jeff Layton 
    * Have uppercase_string return success on NULL pointer in mount.cifs.
    * Make mount.cifs return codes match the return codes for /bin/mount.

o   Volker Lendecke 
    * BUG 5691: Fig smbd panic on Solaris.
    * BUG 5840: Fix segfault in "rpcclient lsaaddacctrights".
    * BUG 5860: safe_strcpy gives a nasty error message for overlong strings.
    * Fix the offset checks in the trans routines (CVE-2008-4314).
    * Fix a potential NULL deref in found by the IBM Checker.
    * Fix an uninitialized variable found by the IBM Checker.
    * Fix an unlikely memleak found by the IBM Checker.
    * Fix some missing error handlings.
    * Add workaround for domain joins using a netbios name which is different
      from the hostname.
    * Fix a valgrind error in idmap_ad_sids_to_unixids().
    * Make memcache_add_talloc NULL out the source pointer.
    * Fix memleak in memcache_add_talloc found by Martin Zielinski .
    * Fix memleak in calculate_next_machine_pwd_change.

o   Jeff Layton 
    * mount.cifs: use lock/unlock_mtab scheme from util-linux-ng mount prog.

o   Derrell Lipman 
    * BUG 5805: Don't close stdout when calling setup_logging multiple times.

o   Stefan Metzmacher 
    * Return an error instead of crashing when no realm is given.

o   TAKAHASHI Motonobu 
    * 5901: Fix default value for streams_depot location.

o   Tim Prouty 
    * Fix several build warnings.

o   Andreas Schneider 
    * Delete the krb5 ccname variable from the PAM environment if set.
    * Add a function out of pam_sm_close_session to delete the credentials.
    * Fix circular dependency error with autoconf 2.6.3.

o   Davide Sfriso 
    * BUG 5906: Fix Winbind crash bug during 'getent group' on PDC.

o   Dan Sledz 
    * Add FreeBSD configure check for backtrace_symbols.
    * Allow SYSLOG_FACILITY to be modified with a new configure option called

o   Joe Smith 
    * Fix typo in source/utils/net_rap.c.

o   Martin Schwenke 
    * Prevent make errors for picky makes when $(EXTRA_ALL_TARGETS) is empty.
    * Add @CIFSUPCALL_PROGS@ to "all" target so cifs.upcall gets built at
      compile time rather than install time.

o   Yasuma Takeda 
    * BUG 5909: Fix MS-DFS links containing multibyte characters on Vista.

o   Bo Yang 
    * Fix broken msgids in ntstatus_errors.
    * i18n/l10n pam_winbind


Changes since 3.3.0pre1:

o   Michael Adam 

    * BUG 5492: Fix RHEL SPEC file by removing libmsrpc stuff.
    * BUG 5507: Fix several issues in the RHEL SPEC file.

o   Jeremy Allison 
    * BUG 5729: Explicitly allow "-valid".
    * BUG 5737: Fix winbindd crash in an unusual failure mode.
    * BUG 5751: Fix showing of ACLs on DFS in (lib)smbclient.
    * BUG 5762: Fix opening of mangled directory name (resulted
      'is a stream name').
    * BUG 5783: Fix FindFirst where search pattern == mangled filename.
    * BUG 5790: Fix returning of STATUS_OBJECT_NAME_NOT_FOUND on set file
    * BUG 5797: Fix moving of readonly files.
    * Fix crashes when looking up a non-existant uid.
    * Fix getting/setting of NT ACLs on a file.
    * Add st_birthtime and friends for accurate create times on *BSD
      and MacOSX).
    * Fix the wcache_invalidate_samlogon calls.
    * Clarify usage of "force create mode".
    * Get smbd to look (read-only) into the winbindd cache for uid/gid <--> sid
    * Write times code update.
    * Add experimental version of VFS module acl_xattr.
    * Fix rename_open_files.
    * Make SMB traffic analyzer VFS module more efficient.

o   Gerald W. Carter 
    * Fix segfault when calling nss_get_info() with a NULL ads structure.
    * Add support for name aliasing in Winbind.
    * Add the idmap/nss-info provider from Likewise Open.
    * Allow an admin to define the "uid" attribute for a RFC2307
      user object in AD to be the username alias.
    * Add new idmap backend "adex" to support RFC2307 enabled AD forests.
    * Add new idmap backend "hash".

o   Steven Danneman 
    * Fix build warnings.
    * Cleanup of DC enumeration in get_dcs().

o   Guenther Deschner 
    * BUG 5710: Fix changing of machine account passwords.
    * BUG 5784: Fix pam_winbind build issue on Solaris.
    * Fix invalid sid copy (hit when enumerating sibling domains) in Winbind.
    * Fix double installation of cifs.upcall.
    * Add change-user-password command to wbinfo.
    * Fix segfault in _srvsvc_NetShareAdd.

o   James Ding 
    * BUG 5736: Fix Winbind crash bug with trusted domains.

o   Ephi Dror 
    * Correct the netsamlogon_clear_cached_user function.

o   Holger Hetterich 
    * Add new VFS module to analyze SMB traffic to record write and read
      operations on the Samba server.

o   Jeff Layton 
    * Fix build warnings in cifs.upcall.

o   Volker Lendecke 
    * BUG 5707: Do proper error handling if the socket is closed.
    * BUG 5778: Don't define 'strlcat' and 'strlcpy' if it's already defined.
    * Fix Coverity IDs 587 and 589.
    * Increase the default positive idmap cache time to a week.
    * Fix calculation of useable_space for trans2 and nttrans replies.
    * Add mapping of generic bits when setting an NFSv4 ACL.

o   Stefan Metzmacher 
    * Some write time fixes.

o   Karolin Seeger 
    * Add new parameter "cups connection timeout".

o   Simo Sorce 
    * Fix enumeration of nested group memberships in Winbind.
      This affected only setups using "security = ads".

o   Timur 
    * Fix cut and paste error in quota code.
    * Fix display of POSIX ACLs.
    * Fix aio on FreeBSD.

o   Andrew Tridgell 
    * Fix permissions of group_mapping.ldb (CVE-2008-3789).
    * Avoid a race condition in glibc between AIO and setresuid().
    * Add missing become root for AIO operations.
    * Fix an errno handling bug that could lead to an infinite loop.
    * Fix logic of tsmsm_sendfile().
    * Fix handling of arbitrary new PAC types.
    * Fix segfault on startup with trusted domains.
    * Fix segfault on the CTDB destructor code.
    * Fix memory leak.
    * Re-add "winbind:ignore domains".

o   Jelmer Vernooij 
    * Fix segfault (Debian bug #431696).

o   Qiao Yang 
    * Fix a memleak.