another round of syncs for HEAD that I forget

(This used to be commit 3aaf65d297d20320dc1f2c0ac0487feb47873609)

1 files changed, 311 insertions, 35 deletions

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c264e6a3c7..4a3c3e1d0a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,29 +1,22 @@
-                  WHATS NEW IN Samba 3.0.0 beta4
-                           July 16 2003
+                   WHATS NEW IN Samba 3.0.0 RC3
+                          September 8, 2003
                   ==============================
 
-This is the third beta release of Samba 3.0.0. This is a 
-non-production release intended for testing purposes.  Use 
-at your own risk. 
+This is the third release candidate snapshot of Samba 3.0.0. A release 
+candidate implies that the code is very close to a final release, remember 
+that this is still a non-production release intended for testing purposes.  
+Use at your own risk. 
 
-The purpose of this beta release is to get wider testing of the major
-new pieces of code in the current Samba 3.0 development tree. We have
-officially ceased development on the 2.2.x release of Samba and are
-concentrating on Samba 3.0. To reduce the time before the final 
-Samba 3.0 release we need as many people as possible to start testing 
-these beta releases, and to provide high quality feedback on what 
-needs fixing.
-
-Samba 3.0 is feature complete. However there is still some final 
-work to be done on certain pieces of functionality.  Please refer to 
-the section on "Known Issues" for more details.
+The purpose of this release candidate is to get wider testing of the major
+new pieces of code in the current Samba 3.0 development tree. 
+Please refer to the section on "Known Issues" for more details.
 
 
 Major new features:
 -------------------
 
 1)  Active Directory support.  Samba 3.0 is now able to  
-    to join a ADS realm as a member server and authenticate 
+    join a ADS realm as a member server and authenticate 
     users using LDAP/Kerberos.
 
 2)  Unicode support. Samba will now negotiate UNICODE on the wire and
@@ -34,9 +27,7 @@ Major new features:
     been almost completely rewritten. Most of the changes are internal,
     but the new auth system is also very configurable.
 
-4)  New filename mangling system. The filename mangling system has been
-    completely rewritten. An internal database now stores mangling maps
-    persistently. This needs lots of testing.
+4)  New default filename mangling system.
 
 5)  A new "net" command has been added. It is somewhat similar to 
     the "net" command in windows. Eventually we plan to replace 
@@ -49,9 +40,10 @@ Major new features:
 7)  Better Windows 2000/XP/2003 printing support including publishing 
     printer attributes in active directory.
 
-8)  New loadable RPC modules.
+8)  New loadable module support for passdb backends and 
+    character sets.
 
-9)  New dual-daemon winbindd support for better performance.
+9)  New default dual-daemon winbindd support for better performance.
 
 10) Support for migrating from a Windows NT 4.0 domain to a Samba 
     domain and maintaining user, group and domain SIDs.
@@ -64,25 +56,257 @@ Major new features:
   
 13) Major updates to the Samba documentation tree.
 
+14) Full support for client and server SMB signing to ensure
+    compatibility with default Windows 2003 security settings.
+
 Plus lots of other improvements!
 
 
 Additional Documentation
 ------------------------
 
-Please refer to Samba documentation tree (including in the docs/ 
+Please refer to Samba documentation tree (included in the docs/ 
 subdirectory) for extensive explanations of installing, configuring
 and maintaining Samba 3.0 servers and clients.  It is advised to 
 begin with the Samba-HOWTO-Collection for overviews and specific 
 tasks (the current book is up to approximately 400 pages) and to 
 refer to the various man pages for information on individual options.
 
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release.  The book is available
+on-line at http://samba.org/samba/docs/ and is included with 
+the Samba Web Administration Tool (SWAT).  Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation 
+License.
+
+
 ######################################################################
-Changes since 3.0beta2
-######################
+Changes since 3.0rc2
+####################
 
 Please refer to the CVS log for the SAMBA_3_0 branch for complete 
-details
+details:
+
+1)  Remove Perl module dependencies in generated RedHat 8/9 RPMS.
+2)  Update mount helper to take synonyms for file_mode and 
+    dir_mode (fmask and dmask).
+3)  Fix portability bug with log2pcaphex.
+4)  Use different algorithm to generate codepages source code which 
+    allows to take gaps into account thus making unnecessary 
+    extended [index] = value, syntax in to_ucs2 array (bug 380).
+5)  Fix comment strings to 43 bytes as per spec.
+6)  Fix pam_winbind compile bug on FreeBSD (bug 261).
+7)  Support for in-memory keytabs, which are needed to make heimdal 
+    work properly.  MIT does not support them, so this check will be 
+    used to decide whether to use them.  (partial fix for bug 372).
+8)  Disable RC4-HMAC on broken heimdal setups.  (remainder of bug 
+    372).
+9)  Correct bug in smbclient that resulted in errors when untarring
+    long filenames (bug 308).
+10) Improve autoconf checks for PAM header files and libs.
+11) Added fast path to convert_string() when dealing with 
+    ASCII->ASCII, UCS2-LE->ASCII, and ASCII->UCS2-LE with 
+    values <= 0x7F. 
+12) Quiet debug messages when we don't find a module and it is not
+    a critical error (bug 375).
+13) Fix UNIX passwd sync properly.
+14) Fix more transitive trust issues in winbindd (bug 305).
+15) Ensure that winbindd functions with 'disable netbios = yes'
+16) Store the real short domain name in secrets.tdb as soon as we
+    know it.  Also display an error message when joining an AD
+    domain and the 'workgroup' parameter has not been specified.
+17) Return 0 DFS links instead of -1 when dfs support is not enabled.
+18) Update LDAP schema for Netscape DS 4.x and Novell eDirectory 8.7
+19) Ensure that name types can be specified using name#type notation
+    in the 'net' command (bug 73).
+20) Add retry looks to ADS sequence number and domain SID lookups 
+    (bug 364).
+21) use a variant of alloc_sub_basic() for string lists such as 
+    'valid users', 'write list', and 'read list' (bug 397).
+22) Fix seg fault when winbindd receives an error from the AD server
+    in response to an LDAP search (bug 282).
+23) Update findsmb to use the new syntax for smbclient and nmblookup.
+24) Fix bug that prevented variables from being used in explicitly 
+    defined path in [homes].
+25) Only set SIDs when they're returned by the MySQL query 
+    (pdb_mysql.so).
+26) Include support for NTLMv2 key exchange.
+27) Revert default for 'client ntlmv2 auth' to off (bug 359).
+28) Fix crash in winbindd when the trust account password gets 
+    changed underneath us via 'net rpc changetrustpw' (bug 382).
+29) Use djb-algorithm string hash - faster than the tdb one we 
+    used to use.  Does not change on disk format or hashing location.
+30) Implements some kind of improved AFS support for Samba on
+    Linux with OpenAFS 1.2.10. './configure --with-fake-kaserver'
+    assumes that you have OpenAFS on your machine.
+31) When enumerating dfs shares loop from 0 to lp_numservices() instead 
+    of relying on lp_servicename(n) to return an empty string for 
+    invalid service numbers (bug 403).
+32) Fix crash bug in 'net rpc samdump' (bug 334).
+33) Fix crash bug in WINS NSS module (bug 299).
+34) Fix a few minor compile errors on HP-UX.
+
+
+
+Changes since 3.0rc1
+####################
+
+1)  Add levels 261 and 262 to search. Found using Samba4 tester.
+2)  Correct bad error return code in session setup reply
+3)  Fix bug where smbd returned DOS error codes from SMBsearch
+    even when NT1 protocol was negotiated.
+4)  Implement SMBexit properly.
+5)  Return group lists from a Samba PDC to a Windows 9x/ME box
+    in implementing user level access control (bug 314).
+6)  Prevent SWAT from crashing when adding shares (bug 254)
+7)  Fix various documentation issues (bugs 304 & 214)
+8)  Fix wins server listing in SWAT (bug 197)
+9)  Fix problem in rpcclient that caused enumerating printer 
+    drivers to report failure (bug 294).
+10) Use kerberos 5 authentication in our client code whenever possible
+11) Fix schannel bug that caused Active Directory DC's to downgrade our
+    machine account to an NT member.
+12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252).
+13) Implement automatic generation of include/version.h
+14) Include initial version of smbldap-tool scripts for the Samba 
+    3.0 schema.
+15) Implement numerous fixes for multi-byte character strings.
+16) Enable 'unix extensions' parameter by default.
+17) Make sure we set the SID type when falling back to the rid 
+    algorithm (bug 245).
+18) Correct linking problems with pam_smbpass (bug 327).
+19) Add SYSV defines for Irix and Solaris to ensure the 'printing'
+    parameter default to the correct value (bug 230)
+20) Fix recursion bug in alloc_string_sub() (bug 289, et. al.)
+21) Ensure that 'make install' includes the static and shared 
+    versions of the libsmbclient libraries.
+22) Add CP850 and CP437 internal character set support (bug 150).
+23) Add support to examples/LDAP/convertSambaAccount for generating
+    LDIF modify files instead of just add (303).
+24) Fix support for -W option in smbclient (bug 39)
+25) Remove 'ldap trust ids' parameter since it could not be supported
+    by the current architecture.
+26) Don't crash when no argument is given to -T in smbclient (bug 345).
+27) Ensure smbadduser contains the same paths for the smbpasswd file 
+    as the other Samba tools (bug 290).
+28) Port of 'available = no' fix for [homes] from SAMBA_2_2 cvs tree.
+29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the
+    modified printer is written to disk.
+30) Force winbindd to periodically update the trusted domain cache.
+31) Remove outdated import/export script to convert an smbpasswd file
+    to and from and LDAP directory.  Use the pdbedit tool instead.
+32) Ensure that %U substitution is restored on next valid packet
+    if a logon fails.
+
+
+Changes since 3.0beta3
+######################
+
+1)  Various memory leak fixes.
+2)  Provide full support for SMB signing (server and client)
+3)  Check for broken getgrouplist() in glibc.
+4)  Don't get stuck in an infinite loop listing directories 
+    recursively if the server returns an empty directory name
+    (bug 222).
+5)  Idle LDAP connections after 150 seconds.
+6)  Patched make uninstallmodules (bug 236).
+7)  Fix bug that caused smbd to return incomplete directory listings
+    when UNIX files contained MS wildcard characters.
+8)  Quiet default debug messages in command line tools.
+9)  Fixes to avoid panics on invalid multi-byte strings.
+10) Fix error messages when creating a new smbpasswd file (bug 198).
+11) Implemented better detection routines in autoconf scripts for 
+    locating ads support on the host OS.
+12) Fix bug that caused libraries in /usr/local/lib to be ignored 
+    (bug 174).
+13) Ensure winbindd_ads uses the correct realm or domain name when 
+    connecting to trusted DC.
+14) Ensure a correct prototype is created for snprintf() (bug 187)
+15) Stop files being created on read-only shares in some circumstances.
+16) Fix wbinfo -p (bug 251)
+17) Support schannel on any tcp/ip connection if necessary
+18) Correct bug in user_in_list() so that it works with winbind groups 
+    again.
+19) Ensure the schannel bind credentials default to the domain 
+    of the destination host.
+20) Default password expiration time in account_pol.tdb to never 
+    expire.  Remove any existing account_pol.tdb file to reset
+    the new default policy (bug 184). 
+21) Add buttons to SWAT to change the view of smb.conf (bug 212)
+22) Fix incorrect checks that determine whether or not the 'add user 
+    script' has been set.
+23) More cleanup for internal character set conversions.
+24) Fixes for multi-byte strings in stat cache code.
+25) Ensure that the net command honors the 'workgroup' parameter 
+    in smb.conf when not overridden from the command line.
+26) Add gss-spnego support to the ntlm_auth tool.
+27) Add vfs_default_quota VFS module.
+28) Added server support for NT quota interfaces.
+29) Prevent Krb5 replay attacks by adding a replay_cache.
+30) Fix problems with winbindd and transitive trusts in AD domains.
+31) Added -S to client tools for setting SMB signing options on the 
+    command line.
+32) Fix bug causing the 'passwd change program' to be called as the 
+    connected user and not root.
+33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
+34) Support winbindd on FreeBSD is possible.
+35) Look at only the first OID in the security blob sent in the session 
+    setup request to determine the token type.
+36) Only push locks onto a blocking lock queue if the posix lock failed with 
+    EACCES or EAGAIN (this means another lock conflicts). Else return an 
+    error and don't queue the request.
+37) Fix command line argument processing for smbtar.
+38) Correct issue that caused smbd to return generic unix_user.<uid> 
+    for lookupsid().
+39) Default to algorithmic mapping when generating a rid for a group
+    mapping.
+40) Expand %g and %G in logon script, profile path, etc... during
+    a domain logon (bug 208).
+41) Make sure smbclient obeys '-s <config>'
+42) Added win2k3 shadow copy operations to VFS interface.
+43) Allow connections to samba domain member as SERVER\user (don't
+    always default to DOMAIN\user).
+44) Remove checks in winbindd that caused it to attempt to use 
+    non-transitive trust relationships.
+45) Remove delays in winbindd caused by invalid DNS lookups.
+46) Fix supplementary group memberships on systems with slightly 
+    broken NSS implementations (bug 267).
+47) Correct issue that prevented smbclient from viewing shares on 
+    a win2k server when using a non-anonymous connection (bug 284).
+48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like 
+    'wbinfo -u' to a single domain.  The '.' character represents 
+    our domain.
+49) Fix group enumeration bug when using an LDAP directory for 
+    storing group mappings.
+50) Default to use NTLMv2 if available.  Fallback to not use LM/NTLM
+    when the extended security capability bit is not set.
+51) Fix crash in 'wbinfo -a' when using extended characters in the 
+    username (bug 269).
+52) Fix multi-byte strupper() panics (bug 205).
+53) Add vfs_readonly VFS module.
+54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
+    attributes when using 'idmap backend = ldap' (bug 280).
+55) Make sure that users shared between a Samba PDC and member 
+    samba server are seen as domain users and not local users on the 
+    domain member.
+56) Fix Query FS Info level 2.
+57) Allow enumeration of users and groups by win9x "file server" (bug 
+    286).
+58) Create symlinks during install for modules that support mutliple
+    functions (bug 91).
+59) More iconv detection fixes.
+60) Fix path length error in vfs_recycle module (bug 291).
+61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
+    (server DsRoleGetPrimaryDomainInfo() is currently disabled).
+62) Fix SMBseek and get/set position calls.
+62) Fix SetFileInfo level 1.
+63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
+
+
+
+Changes since 3.0beta2
+######################
 
 1)  Added fix for Japanese case names in statcache code; 
     these can change size on upper casing.
@@ -113,8 +337,8 @@ details
     groups (bug #109).
 13) Remove idmap_XX_to_XX calls from smbd.  Move back to the the
     winbind_XXX and local_XXX calls used in 2.2.
-14) All uid/gid allocation must involve winbindd now
-    (we no attempt to map unknown SIDs to a UNIX identify).
+14) All uid/gid allocation must involve winbindd now (we do not 
+    attempt to map unknown SIDs to a UNIX identify).
 15) Add 'winbind trusted domains only' parameter to force a domain
     member.  The server to use matching users names from /etc/passwd 
     for its domain   (needed for domain member of a Samba domain).
@@ -241,6 +465,49 @@ Changes since 3.0beta1
 
 
 ######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd.  Previously these were handled
+by each passdb backend.  This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups.  Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba 
+3.0 beta release (or possibly alpha), it may be necessary to 
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb.  To do this:
+
+1)  Ensure that winbindd_idmap.tdb exists (launch winbindd at least 
+    once)
+2)  build tdbtool by executing 'make tdbtool' in the source/tdb/ 
+    directory
+3)  run: (note that 'tdb>' is the tool's prompt for input)
+
+       root# ./tdbtool /usr/local/samba/private/passdb.tdb
+       tdb> show RID_COUNTER
+       key 12 bytes
+       RID_COUNTER
+       data 4 bytes
+       [000] 0A 52 00 00                                       .R.
+
+       tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+       ....
+       record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to 
+store idmap entries in the LDAP directory as well (i.e. idmap backend 
+= ldap).  Refer to the 'net idmap' command for more information on 
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.  
+
+
+
+########################
 Upgrading from Samba 2.2
 ########################
 
@@ -337,6 +604,7 @@ New Parameters (new parameters have been grouped by function):
   * ntlm auth
   * paranoid server security
   * server schannel
+  * server signing
   * smb ports
   * use spnego
 
@@ -382,7 +650,6 @@ New Parameters (new parameters have been grouped by function):
   * ldap idmap suffix
   * ldap machine suffix
   * ldap passwd sync
-  * ldap trust ids
   * ldap user suffix
   
   General Configuration
@@ -399,6 +666,7 @@ Modified Parameters (changes in behavior):
   * restrict anonymous (integer value)
   * security (new 'ads' value)
   * strict locking (enabled by default)
+  * unix extensions (enabled by default)
   * winbind cache time (increased to 5 minutes)
   * winbind uid (deprecated in favor of 'idmap uid')
   * winbind gid (deprecated in favor of 'idmap gid')
@@ -470,6 +738,14 @@ aware of when moving to Samba 3.0.
      with an Active Directory domain using the native Windows
      Kerberos 5 and LDAP protocols.
 
+     MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption 
+     type which is neccessary for servers on which the 
+     administrator password has not been changed, or kerberos-enabled 
+     SMB connections to servers that require Kerberos SMB signing.
+     Besides this one difference, either MIT or Heimdal Kerberos
+     distributions are usable by Samba 3.0.
+     
+
 Samba 3.0 also includes the possibility of setting up chains
 of authentication methods (auth methods) and account storage 
 backends (passdb backend).  Please refer to the smb.conf(5) 
@@ -716,10 +992,10 @@ Examples
 Known Issues
 ############
 
-* The smbldap perl scripts for managing user entries in an LDAP
-  directory have not be updated to function with the Samba 3.0
-  schema changes.  This (or an equivalent solution) work is planned
-  to be completed prior to the stable 3.0.0 release.
+* There are several bugs currently logged against the 3.0 codebase
+  that affect the use of NT 4.0 GUI domain management tools when run
+  against a Samba 3.0 PDC.  This bugs should be released in an early 
+  3.0.x release.
 
 Please refer to https://bugzilla.samba.org/ for a current list of bugs 
 filed against the Samba 3.0 codebase.
@@ -738,6 +1014,6 @@ the problem then you will probably be ignored.
 
 A new bugzilla installation has been established to help support the 
 Samba 3.0 community of users.  This server, located at 
-https://bugzilla.samba.org/, will replace the existing jitterbug server 
-and the old http://bugs.samba.org now points to the new bugzilla server.
+https://bugzilla.samba.org/, has replaced the older jitterbug server 
+previously located at http://bugs.samba.org/.