- A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used to generate code to handle RPC calls, resulted in multiple buffer overflows in Samba. A remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon (smbd) to crash or, possibly, execute arbitrary code with the privileges of the root user.
- A flaw was found in the way Samba handled certain Local Security Authority (LSA) Remote Procedure Calls (RPC). An authenticated user could use this flaw to issue an RPC call that would modify the privileges database on the Samba server, allowing them to steal the ownership of files and directories that are being shared by the Samba server, and create, delete, and modify user accounts, as well as other Samba server administration tasks.
- Previously, Samba did not correctly create user principal names for trusted domain users. As a result, joining Samba to a Windows domain using an account from a trusted domain did not work. With this update, composing the user principal name for Kerberos authentication has been fixed so that the bug no longer occurs.
- Previously, printers controlled by the Common Unix Printing System (CUPS) and shared by a Samba server did not display the information on "location", which was controlled by the CUPS server, on Windows clients. With this update, the bug has been fixed so that the information on "location" is now correctly displayed on Windows clients.
- Previously, Samba did not correctly support clients with plain text passwords. As a result, Windows clients were unable to connect to Samba with plain text passwords. With this update, Samba support for plain text passwords has been fixed.
- Previously, when a paper format on a Samba shared printer was selected from a Windows client, this selection was not saved properly on the Samba server. As a result, changing printer properties had no effect. With this update, the bug has been fixed so that the printer properties are now saved, as expected.
- Previously, in certain environments with many users, the pam_winbind module stopped operating. As a result, there were failures encountered if users attempted to log in. With this update, the bug has been fixed so that pam_winbind now works, as expected.
- Previously, Winbind did not recover from network connection failures after an unsuccessful user authentication. As a result, Winbind had to be restarted for users to be able to retry the authentication process. With this update, the bug has been fixed so that users are now able to retry the authentication process without restarting Winbind.
- Previously, there were performance problems with print servers that served a large number of printers. As a result, clients had to wait a long time to be able to use printers shared on a Samba server. With this update, the performance problems with print servers have been fixed.
- If Linux clients used the Common Internet File System (CIFS) client in the kernel to mount a Samba share, the force create mode parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow the umask parameter, and files with undesired permissions were created. With this update, the bug has been fixed and no longer occurs.
- Previously, Windows Internet Explorer 9 running on Microsoft Windows 7 was unable to download files onto a Samba share. With this update, the bug has been fixed and no longer occurs.
- Previously, Winbind was not able to correctly retrieve user and group information from a Windows server. As a result, Winbind was unable to expose users and groups on the local system. This bug has been fixed in this update.
- Previously, if Winbind was used to provide MS-CHAPv2 authentication for FreeRadius, an invalid session key was used. As a result, users with MS-CHAPv2 authentication were unable to authenticate. With this update, this bug has been fixed so that MS-CHAPv2 authentication for FreeRadius now works as expected.
- Previously, certain Samba components logged a large number of unimportant internal messages to the system log. This bug has been fixed in this update by increasing the log level for the log messages.
- Previously, the net(8) man page did not document Kerberos authentication. This bug has been fixed by adding the missing documentation to the man page.
- If a printer driver was installed on a Samba server, there was a failure encountered on the Windows client. As a result, driver settings were not properly initialized and the printer did not work properly. With this update, the bug has been fixed so that the printer driver installation now works as expected.
- Previously, the net utility used for joining the Windows domains did not use the existing Kerberos credential cache. As a result, users were unable to reuse their existing tickets to join the Windows domains with Kerberos. With this update, the net utility has been fixed so that it now uses existing tickets from the default credential cache.
- When registering the Domain Name System (DNS) names, certain Samba utilities aborted the DNS registration if Samba tried to contact a disconnected DNS name server. With this update, Samba has been fixed so that it skips those DNS name servers that are not available on the network.
- Previously, the man pages for certain Samba components did not document that if the Windows Services for UNIX (SFU) are enabled, or if the standard RFC 2307 LDAP attributes in the Active Directory (AD) are used, primary group membership is not calculated based on the gidNumber LDAP attribute. Instead, Winbind uses the primaryGroupID LDAP attribute. As a result, setting the gidNumber attribute in AD has no effect for accounts if Winbind is used. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation.
- Previously, extracting files from a ZIP archive failed on the Distributed File System (DFS) shares if the follow symlinks = yes parameter was not set. This bug has been fixed in this update so that extracting files from the ZIP archive now works as expected.
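
The gidNumber limitation documented above can leave accounts with a primary group the administrator did not intend, so it is worth auditing. The following is an added example, not part of the original notes or of Samba: it flags users whose own gidNumber differs from the one on the group that primaryGroupID identifies. It assumes the effective Unix GID is the gidNumber of the group whose SID ends in that RID; every record, the domain SID and the function names are constructed for illustration.

```python
# Added example: audit AD accounts for a gidNumber that Winbind will ignore.
# All records below are constructed sample data, not output from a real directory.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    {"cn": "engineering", "objectSid": DOMAIN_SID + "-1105", "gidNumber": 10050},
    {"cn": "contractors", "objectSid": DOMAIN_SID + "-1106"},  # no gidNumber set
]

USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "gidNumber": 10000},
    {"sAMAccountName": "bob", "primaryGroupID": 513, "gidNumber": 10050},
    {"sAMAccountName": "carol", "primaryGroupID": 1106, "gidNumber": 10050},
]


def rid_of(sid):
    """Return the relative identifier (last sub-authority) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def audit_primary_groups(users, groups):
    """Compare each user's gidNumber with the group primaryGroupID points to."""
    by_rid = {rid_of(g["objectSid"]): g for g in groups}
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        group = by_rid.get(u["primaryGroupID"])
        if group is None:
            findings.append((name, "primary group not found"))
            continue
        effective = group.get("gidNumber")  # assumed source of the Unix GID
        if effective is None:
            findings.append((name, f"group '{group['cn']}' has no gidNumber"))
        elif u.get("gidNumber") != effective:
            findings.append((name, f"gidNumber {u.get('gidNumber')} ignored; "
                                   f"primary group is '{group['cn']}' ({effective})"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_primary_groups(USERS, GROUPS):
        print(f"{name}: {problem}")
```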