When using Samba with the "password server" configuration setting and when the given name for that parameter was a hostname that resolved to multiple IP addresses, Samba did not correctly handle the returned addresses. Consequently, Samba failed to use one of the password servers and terminate unexpectedly. This update fixes Samba to correctly process multiple IP addresses when using a hostname with the "password server" parameter. Samba now works correctly with multiple IP addresses in the scenario described.
When Samba was configured to operate in an Active Directory (AD) environment it sometimes created invalid DNS SRV queries. This happened when an empty sitename was used to compose the SRV record search string. Consequently, Samba-generated log files contained many DNS related error messages. Samba has been fixed to always generate a correct DNS SRV query and the DNS-related error message no longer occur.
The smbclient tool sometimes failed to return the expected exit status code; it returned 0 instead of 1. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status.
Previously, the Winbind IDMAP interface cache did not expire as specified in the smb.conf file. Consequently, the positive and negative entries in the cache would not expire until the opposite type of query was made. This update contains a backported fix for the problem. As a result, the idmap cache time and idmap negative cache time directives now work as expected.
When calling "getent passwd" for a user who had no UID, if winbind was joined to the domain with idmap_ad specified as the backend, enumerating users was enabled, and most of the users had UIDs, the enumeration stopped and the following error was displayed:
This update implements an upstream patch to correct the problem. As a result, if a user cannot be mapped, winbind no longer stops but continues enumerating users in the scenario described.
Samba sometimes generated many debug messages such as "Could not find child XXXX -- ignoring" that were written to syslog. Consequently, although these messages are not critical, syslog could be flooded by the large amount of these messages. Samba has been fixed to no longer issue this message to syslog automatically and syslog is no longer flooded by these samba debug messages.
The pam_winbind utility used an undocumented PAM_RADIO_TYPE message which has no documented semantics. This caused the login manager gdm to terminate unexpectedly when pam_winbind was used on the system. Consequently, users could not log in when using pam_winbind. Samba has been fixed to not use the PAM_RADIO_TYPE message. Users can now use pam_winbind for authentication in GDM.
Newer versions of Windows could not properly set Access Control Lists (ACLs) on a Samba share. The users were receiving an "access denied" warning. Consequently, administrators or users could not fully control ACLs on a Samba share. This update fixes the problem in Samba and ACLs can now be used as expected.
An update of the system Kerberos library to a recent version made Samba binaries and libraries suddenly unusable because Samba was using a private library symbol. Consequently, Samba was no longer usable after a Kerberos update. This update corrects Samba to no longer use that private symbol. Samba now continues to operate when the Kerberos library has been updated.