=============================================================
   You are standing in an open field west of a white house,
   with a board front door. There is a small mailbox here.
=============================================================

Release Announcements
====================

This is the latest stable release of Samba. This is the version
that production Samba servers should be running for all current
bug-fixes. Please read the changes in this section for details on
new features and difference in behavior from previous releases.

There has been a substantial amount of cleanup work done during
this development cycle. We would like to thank both Coverity
(http://www.coverity.com/) and Klocwork (http://www.klocwork.com/)
for analyzing the Samba source code. As a result, this release
includes fixes for over 400 defects. The coverage was approximately
even with over 200 defects reported by each tool.

Thanks very much to those people who spent time testing the
release candidates and reported their findings. We would like to
especially thank Thomas Bork for his numerous reports. We believe
that the final release is in much better shape in large part due
to his efforts.

New features in 3.0.23 include:

  o Improved 'make test'
  o New offline mode in winbindd.
  o New Kerberos support for pam_winbind.so.
  o New handling of unmapped users and groups.
  o New non-root share management tools.
  o Improved support for local and BUILTIN groups.
  o Winbind IDMAP integration with RFC2307 schema objects supported
    by Windows 2003 R2.
  o Rewritten 'net ads join' to mimic Windows XP without requiring
    administrative rights to join a domain.

User and Group changes
=====================

The user and group internal management routines have been rewritten
to prevent overlaps of assigned Relative Identifiers (RIDs). In the
past this has been a potential problem when either manually mapping
Unix groups with the 'net groupmap' command or when migrating a
Windows domain to a Samba domain using 'net rpc vampire'.

Unmapped users are now assigned a SID in the S-1-22-1 domain and
unmapped groups are assigned a SID in the S-1-22-2 domain. Previously
they were assigned a RID within the SAM on the Samba server. For a DC
this would have been under the authority of the domain SID whereas
on a member server or standalone host, this would have been under the
authority of the local SAM (hint: net getlocalsid).

The result is that any unmapped users or groups on an upgraded Samba
domain controller may be assigned a new SID. Because the SID rather
than a name is stored in Windows security descriptors, this can cause
a user to no longer have access to a resource, for example if a file
was copied from a Samba file server to a local NTFS partition. Any
files stored on the Samba server itself will continue to be accessible
because Unix stores the Unix gid and not the SID for authorization
checks.

A further example will help illustrate the change. Assume that a
group named 'developers' exists with a Unix gid of 782 but this user
does not exist in Samba's group mapping table. It would be perfectly
normal for this group to appear in an ACL editor. Prior to 3.0.23,
the group SID might appear as
S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the group
SID would be reported as S-1-22-2-782. Any security descriptors
associated with files stored on an NTFS disk partition would not allow
access based on the group permissions if the user was not a member of
the S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this
group SID not reported in a user's token is S-1-22-2-782, Windows
would fail the authorization check even though both SIDs in some
respect referred to the same Unix group.

The current workaround is to create a manual domain group mapping
entry for the group 'developers' to point at the
S-1-5-21-647511796-4126122067-3123570092-2565 SID.

Passdb Changes
=============

The "passdb backend" parameter no longer accepts multiple backends in
a chaining configuration. Also be aware that the SQL and XML based
passdb modules have been removed in this release. More information
on external support for a SQL passdb module can be found at
http://pdbsql.sourceforge.net/.

Group Mapping Changes
====================

The default mapping entries for groups such as "Domain Admins" are
no longer created when using an smbpasswd file or a tdbsam passdb
backend. This means that it is necessary to use 'net groupmap add'
rather than 'net groupmap modify' to set these entries. This change
has no effect on winbindd's IDmap functionality for domain groups.

LDAP Changes
===========

There has also been a minor update to the Samba LDAP schema file. A
substring matching rule has been added to the sambaSID attribute
definition. For OpenLDAP servers, this will require the addition of
'index sambaSID sub' to the slapd.conf configuration file. It will be
necessary to run slapindex after making this change. There has been
no change to actual data storage schema.

===============
Download Details
===============

The uncompressed tarballs and patch files have been signed using
GnuPG (ID 157BC95E). The source code can be downloaded from:

    http://download.samba.org/samba/ftp/

The release notes are available online at:

    http://www.samba.org/samba/history/samba-3.0.23.html

Binary packages are available at

    http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
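Added example, not part of the original announcement or of Samba's code: a pre-upgrade audit for the SID change described under "User and Group changes", listing Unix groups that have no group mapping entry together with the SID they carried before, the SID 3.0.23 reports, and the matching 'net groupmap add' workaround. It assumes the old SID came from Samba's algorithmic mapping with the default "algorithmic rid base" of 1000 (which reproduces the gid 782 to RID 2565 case above); the /etc/group lines and 'net groupmap list' output are constructed samples, and all function names are hypothetical.

```python
import re
import shlex

RID_BASE = 1000  # assumption: default "algorithmic rid base" in smb.conf
# One line of 'net groupmap list': NT name (SID) -> unix group
MAP_LINE = re.compile(r"^.+ \((S-[0-9-]+)\) -> (.+)$")

def legacy_group_sid(domain_sid, gid, rid_base=RID_BASE):
    # Pre-3.0.23 algorithmic group RID: (gid * 2 + base) with the low bit set.
    return f"{domain_sid}-{(gid * 2 + rid_base) | 1}"

def new_group_sid(gid):
    # 3.0.23 and later: unmapped groups are reported in the S-1-22-2 domain.
    return f"S-1-22-2-{gid}"

def mapped_groups(groupmap_listing):
    # Unix group names that already have an explicit mapping entry.
    names = set()
    for line in groupmap_listing.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            names.add(m.group(2))
    return names

def audit(domain_sid, etc_group, groupmap_listing):
    # Report every Unix group whose SID changes across the upgrade.
    mapped = mapped_groups(groupmap_listing)
    report = []
    for line in etc_group.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit() or fields[0] in mapped:
            continue  # malformed line, comment, or group already mapped
        name, gid = fields[0], int(fields[2])
        old = legacy_group_sid(domain_sid, gid)
        fix = f"net groupmap add sid={old} unixgroup={shlex.quote(name)} type=domain"
        report.append({"group": name, "old_sid": old,
                       "new_sid": new_group_sid(gid), "fix": fix})
    return report

# Constructed sample data; the domain SID is the one used in the announcement.
DOMAIN_SID = "S-1-5-21-647511796-4126122067-3123570092"
ETC_GROUP = "ntadmins:x:500:root\ndevelopers:x:782:alice,bob\n"
GROUPMAP = "Domain Admins (S-1-5-21-647511796-4126122067-3123570092-512) -> ntadmins\n"

if __name__ == "__main__":
    for row in audit(DOMAIN_SID, ETC_GROUP, GROUPMAP):
        print(f"{row['group']}: {row['old_sid']} -> {row['new_sid']}")
        print(f"  {row['fix']}")
```

On a member server or standalone host, pass the local SAM SID printed by 'net getlocalsid' as the domain SID.
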
Lars Müller
2006-Jul-10 21:57 UTC
Samba 3.0.23 RPM packages for all SUSE Linux products (was: [Samba] Samba 3.0.23 Available for Download)
On Mon, Jul 10, 2006 at 03:13:45PM -0500, Gerald Carter wrote:
[snip]
> Binary packages are available at
>
>   http://download.samba.org/samba/ftp/Binary_Packages/

RPM packages of Samba 3.0.23 for all SUSE Linux products are available at
ftp://ftp.suse.com/pub/projects/samba/3.0/ or
http://ftp.suse.com/pub/projects/samba/3.0/

Supported SUSE Linux based products are at the moment SUSE Linux 9.1,
9.2, 9.3, 10.0, 10.1, UnitedLinux 1/ SUSE Linux Enterprise Server (SLES)
8, SLES 9 and 10, and factory (= the currently developed product).

For some architectures - like ia64, ppc, s390(x) - you find a limited
releases subset.

The same packages are also available at
http://download.Samba.org/samba/ftp/Binary_Packages/SuSE/3.0/

Please use a mirror close to your site. A list of Samba.org mirrors is
available at http://Samba.org/ There choose a mirror at the right top
of the page.

There are also a bunch of SUSE mirrors. A list of international mirror
sites is at
http://www.novell.com/products/suselinux/downloads/ftp/int_mirrors.html

A list of mirrors in Germany is at
http://www.novell.com/products/suselinux/downloads/ftp/germ_mirrors.html

If you encounter any problem with these packages please don't blame the
Samba Team. Instead file a bug to https://bugzilla.Samba.org/, pick
product Samba 3.0, then select 'component' Packaging and set 'assign to'
to samba-maintainers at suse dot de. Or use http://bugzilla.Novell.com
with the same assignee instead.

For additional information - how to report bugs and which log files are
required - see http://en.openSUSE.org/Samba

Our customers, our products, our responsibility.

Have a lot of fun...

Lars - for the Novell Samba Team
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Gerald (Jerry) Carter wrote:
> o Winbind IDMAP integration with RFC2307 schema objects supported
>   by Windows 2003 R2.

Is there any documentation on this feature? I currently use Sun's ISW
sync to sync my LDAP source with my ADS source outside of the scope of
Samba. So all my users are already mapped one-to-one uid<->sid. I just
need to know which attributes samba is looking for so I can sync those
as well. Also what the relevant smb.conf settings are.

Thanks,
Neal