Bug 249510 - Release Notes blocker for samba (clone of Update to 3.0.25 or later.)
Summary: Release Notes blocker for samba (clone of Update to 3.0.25 or later.)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Don Domingo
Depends On: 240321
Blocks: 248673
Reported: 2007-07-25 10:05 UTC by Simo Sorce
Modified: 2008-01-16 00:00 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-01-16 00:00:27 UTC

Comment 1 Don Domingo 2007-07-25 23:13:30 UTC
thanks Simo. added to RHEL4.6 release notes under "Other Updates":

<quote>
- samba has been updated to version 3.0.25.
</quote>

will be waiting for more details on implications of this update - added
features, notable resolved issues, outstanding known issues/caveats, and
references for more information. 

thanks!

Comment 2 Simo Sorce 2007-08-13 13:19:02 UTC
Release notes proposed text:

Important notice on the upgraded Samba packages.
The Samba packages have been upgraded from version 3.0.10 to 3.0.25b.

Justification:
Several critical bugs have been addressed and issues interoperating with
recent MS operating systems like MS Windows 2003 R2 or MS Windows Vista
have been resolved in recent releases upstream. Also some critical
features regarding scalability and stability have been developed or
improved. All the fixes and features required invasive code changes in
some critical code paths that make backporting to 3.0.10 unfeasible.
All these reasons warranted a rebase of the package to 3.0.25b.

Warnings:
Even if deemed absolutely necessary this package upgrade may require
manual intervention during the update phase. Some necessary changes in
the way some options are interpreted and some components now behave may
require some changes to the configuration file after the update.

The following changes need some special attention during the upgrade:

* stricter naming rules
  Stricter naming rules affect force user/force group/valid user and other
  directives that accept user/group names. In 3.0.25b the user/group name
  must be fully qualified. If the machine is joined to a domain named
  DOMAIN, a user/group (foo) of that domain must be used in the form
  "DOMAIN\foo", using just "foo" will usually *not* grant permission to
  "DOMAIN\foo"

* removed multiple passdb backend support
  In 3.0.25b support for using multiple passdb backends has been removed.
  The multiple passdb backend support led to subtle problems in some cases
  and didn't add much to the usability of the server while causing problems
  in some cases. In case multiple dbs are in use, they can be consolidated in
  one db and the accounts stored in the other dbs can be easily migrated over
  using the pdbedit utility.

* domain type autodetection for winbindd (domain vs ads security)
  In 3.0.25b winbindd autodetects the domain type and chooses the right
  security method. Even setting security = domain may result in winbindd
  using kerberos/ldap to connect to a domain that has been recognized as
  an AD capable domain.

* ldap schema additions
  The ldap schema has been extended. If you are using the ldapsam backend you
  should upgrade the ldap schema. The upgrade is backward compatible as only
  additions were made. With the new schema it should be noted that indexing
  sambaSID to handle sub-matches is strongly advised.

* winbindd NSS enumeration defaults to OFF now
  Enumeration of users and groups has been turned off by default. This is
  a performance tuning for big environments where multiple domain controllers,
  trusts and remote locations are involved. If your environment depends on
  user/group enumeration you can easily turn it on using the "winbind enum
  users" and "winbind enum groups" options.

* removed and new options
  Some options like ldap filter, min password length have been removed. Also a
  number of new facilities and options have been added. Please consult the
  full list in the samba package errata and check if your setup depends on
  any removed option before upgrading.

We invite admins to carefully check their configurations to check if they
may be affected by the mentioned issues before updating and plan the samba
upgrade accordingly.

References:
[add link to a RH kbase article]
[other external resources??]
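
A pre-upgrade check for the configuration changes listed in this comment, added here as an example; it is not part of the original comment or of the Samba project. It assumes single-line parameters, no include files and the default backslash winbind separator, and `parse`, `audit` and the sample configuration are constructed for illustration.

```python
import re

NAME_OPTS = {"force user", "force group", "valid users"}  # name directives from the note
REMOVED_OPTS = {"ldap filter", "min password length"}     # removed options from the note
ENUM_OPTS = ("winbind enum users", "winbind enum groups")
TOKEN = re.compile(r'(?:"[^"]*"|[^\s,"])+')  # one list item; quoted parts may hold spaces

def parse(text):
    """Yield (section, option, value) with option names lowercased and space-normalised."""
    section = "global"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            yield section, " ".join(key.lower().split()), value.strip()

def audit(text):
    """Return (section, option, message) findings; assumes the default backslash separator."""
    entries = list(parse(text))
    glob = {k: v for s, k, v in entries if s == "global"}
    member = glob.get("security", "").lower() in ("domain", "ads")  # domain member?
    findings = []
    for section, key, value in entries:
        if key in REMOVED_OPTS:
            findings.append((section, key, "option removed in 3.0.25b"))
        elif key == "passdb backend" and len(TOKEN.findall(value)) > 1:
            findings.append((section, key, "multiple backends; consolidate with pdbedit"))
        elif key in NAME_OPTS and member:
            for tok in TOKEN.findall(value):
                name = tok.replace('"', "").lstrip("@+&")  # drop quotes and group prefixes
                if name and "\\" not in name and not name.startswith("%"):
                    findings.append((section, key, f"'{name}' is not domain-qualified"))
    findings += [("global", o, "unset; enumeration now defaults to off")
                 for o in ENUM_OPTS if member and o not in glob]
    return findings

# Constructed sample configuration for illustration (not taken from the page).
SAMPLE = r"""[global]
security = domain
passdb backend = tdbsam, smbpasswd
min password length = 8
winbind enum users = yes
[projects]
valid users = foo, DOMAIN\bar, @"DOMAIN\Domain Users"
force group = staff
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An unqualified name can still be an intended local account, so findings on the name directives are prompts for review, not errors.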


Comment 3 Don Domingo 2007-08-14 01:13:54 UTC
thanks Simo. added to RHEL4.6 release notes under "Feature Updates => samba":

<quote>
samba

    samba has been updated to version 3.0.25b. This addresses several critical
issues affecting interoperability with Windows 2003™ and Windows Vista™
(resolved in recent upstream releases).

    All revisions to samba made for this update entailed invasive code changes
in some critical code paths. This made backporting to version 3.0.10
non-feasible. As such, all samba packages were rebased to version 3.0.25b instead.

    Because of the rebase, some option interpretation methods and component
behaviors have changed significantly. This means that after upgrading samba, the
configuration file will need to be manually edited accordingly.

    Some options like ldap filter and minimum password length are now
deprecated. Before upgrading to this new version of samba, consult the samba
package errata and check if your system is dependent on any removed option.

    This update of samba applies several feature updates, most notably:

        * Stricter naming rules are now enforced. These new rules affect force
user, force group, valid user and other directives that accept user or group
names. In this update, the user/group name must be fully qualified.

          For example, if a machine is joined to a domain named DOMAIN, a user
named foo of that domain must be used in the form DOMAIN\foo. Simply using foo
will normally deny permission to the machine.

        * Support for multiple passdb backends is now deprecated. Support for
multiple passdb led to subtle problems in some cases, while adding little to the
usability of the server.

          To use multiple databases, consolidate them in one database.
Afterwards, migrate the accounts stored in the other databases using the pdbedit
utility.

        * winbindd now detects the domain type of a server and automatically
chooses the right security method. Even setting security = domain may result in
winbindd using kerberos/ldap to connect to a domain recognized as AD-capable.

        * The ldap schema is now extended. If you are using the ldapsam backend,
upgrade to this extended ldap schema. The upgrade is backwards compatible.

          When you upgrade to the extended ldap schema, it is recommended that
you index sambaSID to handle sub-matches.

        * winbindd NSS enumeration now defaults to OFF. This benefits large
environments where multiple domain controllers, trusts, and remote locations are
involved. If your environment depends on user/group enumeration, you can turn it
on using the options winbind enum users and winbind enum groups.
</quote>

please advise if any revisions are in order. thanks!

Comment 4 Simo Sorce 2007-08-14 13:01:58 UTC
This is a diff from Guenther, mostly typos.

--- /text.orig  2007-08-13 15:22:06.000000000 +0200
+++ /text       2007-08-13 15:27:35.000000000 +0200
@@ -1,28 +1,28 @@
 Release notes proposed text:
 
-Important notice on the jupgraded Samba packages.
+Important notice on the upgraded Samba packages.
 The Samba packages have been upgraded from version 3.0.10 to 3.0.25b
 
 Justification:
 Several critical bugs have been addressed and issues interoperating with
 recent MS operating systems like MS Windows 2003 R2 or MS Windows Vista
-have been resolved in recent releases upstream. Also some critical
+have been resolved in recent upstream Samba releases. Also some critical
 features regarding scalability and stability have been developed or
 improved. All the fixes and features required invasive code changes in
 some critical code paths that make backporting to 3.0.10 unfeasable.
-All these reasons warranted a rebase of the package to 3.0.25b
+All these reasons warranted a rebase of the package to 3.0.25b.
 
 Warnings:
-even if deemed absolutely necessary this package upgrade may require
+Even if deemed absolutely necessary this package upgrade may require
 manual intervention during the update phase. Some necessary changes in
 the way some options are interpreted and some components now behave may
-require some changes to the configuration file after the update.
+require configuration file changes after the update.
 
 The following changes need some special attention during the upgrade:
 
 * stricter naming rules
-  Stricter naming rules affect force user/force group/valid user and other
-  directives that accpet user/group names. In 3.0.25b the user/group name
+  These affect force user/force group/valid user and other
+  directives that accept user/group names. In 3.0.25b the user/group name
   must be fully qualified. If the machine is joined to a domain named
   DOMAIN, a user/group (foo) of that domain must be used in the form
   "DOMAIN\foo", using just "foo" will usually *not* grant permission to
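Review bot: the unchanged context line in the Justification paragraph still reads "backporting to 3.0.10 unfeasable"; since this is a typo pass, correct it to "unfeasible" in the same hunk. The reworded warning "Even if deemed absolutely necessary this package upgrade may require" also leaves it unclear what was deemed necessary; "Although this upgrade was deemed necessary, it may require manual intervention" would read unambiguously.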
@@ -31,16 +31,17 @@
 * removed multiple passdb backend support
   In 3.0.25b support for using multiple passdb backends has been removed.
   The multiple passdb backend support led to subtle problems in some cases
-  and didn't add much to the usability of the server whild causing problems
-  in some cases. In case multiple dbs are in use, they can be consolidated in
-  one db and the accounts stored in the other dbs can be easily migrated over
+  and didn't add much to the usability of the server while causing problems
+  in some cases. In case multiple backends were in use, they can be consolidated in
+  one backend and the accounts stored in the other backends can be easily
migrated over
   using the pdbedit utility.
 
 * domain type autodetection for winbindd (domain vs ads security)
   In 3.0.25b winbindd autodetects the domain type and choose the right
   security method. Even setting security = domain may result in winbindd
   using kerberos/ldap to connect to a domain that has been recognized as
-  an AD capable domain.
+  an AD capable domain. When working in an Active Directory environment it
+  is important to use correct DNS settings.
 
 * ldap schema additions
   The ldap schema has been extended. If you are using the ldapsam backend you
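Review bot: the sentence added to the winbindd autodetection item, "it is important to use correct DNS settings", does not tell an administrator what to check; say what has to resolve, for example that the host's resolver must be able to locate the domain controllers of the AD domain. The context line in the same item still has "autodetects the domain type and choose", which should be "chooses". The added passdb line is also wrapped, so "migrated over" sits on a line of its own without a "+" prefix and the hunk would not apply as posted.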
@@ -50,14 +51,14 @@
 
 * winbindd NSS enumeration defaults to OFF now
   Enumeration of users and groups has been turned off by default. This is
-  a performance tuning for big environments were multiple domain controllers
-  trusts and remote locations are involved. If your environament depends on
+  a performance tuning for large environments were multiple domain controllers,
+  trusts and remote locations are involved. If your environment depends on
   user/group enumeration you can easily turn it on using the "winbind enum
   users" and "winbind enum groups" options.
 
 * removed and new options
-  Some options like ldap filter, min password length has been removed. Also a
-  number of new facilities and options has been added. Please consult the
+  Some options like ldap filter, min password length have been removed. Also a
+  number of new facilities and options have been added. Please consult the
   full list in the samba package errata and check if your setup depends on
   any removed option before upgrading.
 
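Review bot: the new line "a performance tuning for large environments were multiple domain controllers," adds the missing comma but keeps "were"; it should read "where multiple domain controllers,". In the removed-options item, "ldap filter, min password length" would read better as "ldap filter and min password length".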
@@ -65,6 +66,6 @@
 may be affected by the mentioned issues before updating and plan the samba
 upgrade accordingly.
 
-Refernces:
+References:
 [add link to a RH kbase article]
 [other external resources??]
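Review bot: the References section still consists only of the placeholders "[add link to a RH kbase article]" and "[other external resources??]"; these need to be replaced with real links, or the section dropped, before the text goes into the release notes.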

