The Samba Team is proud to announce the release of Samba 2.2.1. This is the latest stable release of Samba. This is the version that all production Samba servers should be running for all current bug-fixes. Samba 2.2.1 is available in source form from samba.org and all of our mirror sites at the url /samba/ftp/samba-2.2.1a.tar.gz The release notes follow. If you think you have found a bug please email a report to : samba@samba.org As always, all bugs are our responsibility. Regards, The Samba Team. ---------------------------------------------------------------------- WHATS NEW IN Samba 2.2.1: 10th July 2001 ========================================= This is the latest stable release of Samba. This is the version that all production Samba servers should be running for all current bug-fixes. New/Changed parameters in 2.2.1 ------------------------------- Added parameters. ----------------- obey pam restrictions When Samba is configured to use PAM, turns on or off Samba checking the PAM account restrictions. Defaults to off. pam password change When Samba is configured to use PAM, turns on or off Samba passing the password changes to PAM. Defaults to off. large readwrite New option to allow new Windows 2000 large file (64k) streaming read/write options. Needs a 64 bit underlying operating system (for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance by 10% with Windows 2000 clients. Defaults to off. Not as tested as some other Samba code paths. hide unreadable Prevents clients from seeing the existance of files that cannot be read. Off by default. enhanced browsing Turn on/off the enhanced Samba browing functionality (*1B names). Default is "on". Can prevent eternal machines in workgroups when WINS servers are not synchronised. Removed parameters. ------------------- domain groups domain admin users domain guest users Changes in 2.2.1 ----------------- 1). "find" command removed for smbclient. Internal code now used. 2). smbspool updates to retry connections from Michael Sweet. 3). Fix for mapping 8859-15 characters to UNICODE. 4). Changed "security=server" to try with invalid username to prevent account lockouts. 5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC. 6). Support for Windows 9x Nexus tools to allow security changes from Win9x. 7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network lock tester tool for distributed databases. 8). Preliminary support added for Windows 2000 large file read/write SMBs. 9). Changed random number generator in Samba to prevent guess attacks. 10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb. smbd's clean the tdb files on startup and shutdown. 11). Fixes for default ACLs on Solaris. 12). Tidyup of password entry caching code. 13). Correct shutdowns added for send fails. Helps tdb cleanup code. 14). Prevent invalid '/' characters in workgroup names. 15). Removed more static arrays in SAMR code. 16). Client code is now UNICODE on the wire. 17). Fix 2 second timstamp resolution everywhere if dos timestamp set to yes. 18). All tdb opens now going through logging function. 19). Add pam password changing and pam restrictions code. 20). Printer driver management improvements (delete driver). 21). Fix difference between NULL security descriptors and empty security descriptors. 22). Fix SID returns for server roles. 23). Allow Windows 2000 mmc to view and set Samba share security descriptors. 24). Allow smbcontrol to forcibly disconnect a share. 25). tdb fixes for HPUX, OpenBSD and other OS's that don't have a coherent mmap/file read/write cache. 26). Fix race condition in returning create disposition for file create/open. 27). Fix NT rewriting of security descriptors to their canonical form for ACLs. 28). Fix for Samba running on top of Linux VFAT ftruncate bug. 29). Swat fixes for being run with xinetd that doesn't set the umask. 30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft TCP stack early ack specification error. 31). Changed lock & persistant tdb directory to /var/cache/samba by default on RedHat and Mandrake as they clear the /var/lock/samba directory on reboot. Older release notes for Samba 2.2.x follow. ----------------------------------------------------------------------------- The release notes for 2.2.0a follow : SECURITY FIX ============ This is a security bugfix release for Samba 2.2.0. This release provides the following two changes *ONLY* from the 2.2.0 release. 1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com) and described in the security advisory below. 2). Fix for the hosts allow/hosts deny parameters not being honoured. No other changes are being made for this release to ensure a security fix only. For new functionality (including these security fixes) download Samba 2.2.1 when it is available. The security advisory follows : IMPORTANT: Security bugfix for Samba ------------------------------------ June 23rd 2001 Summary ------- A serious security hole has been discovered in all versions of Samba that allows an attacker to gain root access on the target machine for certain types of common Samba configuration. The immediate fix is to edit your smb.conf configuration file and remove all occurances of the macro "%m". Replacing occurances of %m with %I is probably the best solution for most sites. Details ------- A remote attacker can use a netbios name containing unix path characters which will then be substituted into the %m macro wherever it occurs in smb.conf. This can be used to cause Samba to create a log file on top of an important system file, which in turn can be used to compromise security on the server. The most commonly used configuration option that can be vulnerable to this attack is the "log file" option. The default value for this option is VARDIR/log.smbd. If the default is used then Samba is not vulnerable to this attack. The security hole occurs when a log file option like the following is used: log file = /var/log/samba/%m.log In that case the attacker can use a locally created symbolic link to overwrite any file on the system. This requires local access to the server. If your Samba configuration has something like the following: log file = /var/log/samba/%m Then the attacker could successfully compromise your server remotely as no symbolic link is required. This type of configuration is very rare. The most commonly used log file configuration containing %m is the distributed in the sample configuration file that comes with Samba: log file = /var/log/samba/log.%m in that case your machine is not vulnerable to this attack unless you happen to have a subdirectory in /var/log/samba/ which starts with the prefix "log." Credit ------ Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this vulnerability. New Release ----------- While we recommend that vulnerable sites immediately change their smb.conf configuration file to prevent the attack we will also be making new releases of Samba within the next 24 hours to properly fix the problem. Please see http://www.samba.org/ for the new releases. Please report any attacks to the appropriate authority. The Samba Team security@samba.org --------------------------------------------------------------------------- The release notes for 2.2.0 follow : This is the official Samba 2.2.0 release. This version of Samba provides the following new features and enhancements. Integration between Windows oplocks and NFS file opens (IRIX and Linux 2.4 kernel only). This gives complete data and locking integrity between Windows and UNIX file access to the same data files. Ability to act as an authentication source for Windows 2000 clients as well as for NT4.x clients. Integration with the winbind daemon that provides a single sign on facility for UNIX servers in Windows 2000/NT4 networks driven by a Windows 2000/NT4 PDC. winbind is not included in this release, it currently must be obtained separately. We are committed to including winbind in a future Samba 2.2.x release. Support for native Windows 2000/NT4 printing RPCs. This includes support for automatic printer driver download. Support for server supported Access Control Lists (ACLs). This release contains support for the following filesystems: Solaris 2.6+ SGI Irix Linux Kernel with ACL patch from http://acl.bestbits.at Linux Kernel with XFS ACL support. Caldera/SCO UnixWare IBM AIX FreeBSD (with external patch) Other platforms will be supported as resources are available to test and implement the encessary modules. If you are interested in writing the support for a particular ACL filesystem, please join the samba-technical mailing list and coordinate your efforts. On PAM (Pluggable Authentication Module) based systems - better debugging messages and encrypted password users now have access control verified via PAM - Note: Authentication still uses the encrypted password database. Rewritten internal locking semantics for more robustness. This release supports full 64 bit locking semantics on all (even 32 bit) platforms. SMB locks are mapped onto POSIX locks (32 bit or 64 bit) as the underlying system allows. Conversion of various internal flat data structures to use database records for increased performance and flexibility. Support for acting as a MS-DFS (Distributed File System) server. Support for manipulating Samba shares using Windows client tools (server manager). Per share security can be set using these tools and Samba will obey the access restrictions applied. Samba profiling support (see below). Compile time option for enabling a (Virtual file system) VFS layer to allow non-disk resources to be exported as Windows filesystems (such as databases etc.). The documentation in this release has been updated and converted from Yodl to DocBook 4.1. There are many new parameters since 2.0.7 and some defaults have changed. Profiling support. ------------------ Support for collection of profile information. A shared memory area has been created which contains counters for the number of calls to and the amount of time spent in various system calls and smb transactions. See the file profile.h for a complete listing of the information collected. Sample code for a samba pmda (collection agent for Performance Co-Pilot) has been included in the pcp directory. To enable the profile data collection code in samba, you must compile samba with profile support (run configure with the --with-profile option). On startup, collection of data is disabled. To begin collecting data use the smbcontrol program to turn on profiling (see the smbcontrol man page). Profile information collection can be enabled for all smbd processes or one or more selected processes. The profiling data collected is the aggragate for all processes that have profiling enabled. With samba compiled for profile data collection, you may see a very slight degradation in performance even with profiling collection turned off. On initial tests with NetBench on an SGI Origin 200 server, this degradation was not measureable with profile collection off compared to no profile collection compiled into samba. With count profile collection enabled on all clients, the degradation was less than 2%. With full profile collection enabled on all clients, the degradation was about 8.5%. ===================================================================== If you think you have found a bug please email a report to : samba@samba.org As always, all bugs are our responsibility. Regards, The Samba Team.