max protocol = SMB2
smbd) version. You cannot downgrade to an older Samba version unless you have backups of the TDB files. (BZ#649479)
smb.conf man page and the individual IDMAP backend man pages.
- Previously, the pam_winbind utility returned an incorrect PAM error code if the Winbind module was not reachable. Consequently, users were not able to log in even if another PAM module authenticated the user successfully. With this update, the error PAM_USER_UNKNOWN is always returned in case Winbind fails to authenticate a user. As a result, users successfully authenticated by another PAM module can log in as expected.
- Samba 3.6 failed to migrate existing printers from the Trivial Database (TDB) to the registry due to a Network Data Representation (NDR) alignment problem. Consequently, printers from 3.5 could not be migrated and the Samba server daemon (smbd) stopped with an error. The NDR parser has been fixed to correctly parse printing entries from Samba 3.5. As a result, printers are correctly migrated from 3.5 TDB to the 3.6 registry.
- Due to a regression, the previous release changed the behavior of resolving domain local groups and the Winbind daemon (winbindd) could not find them. The original behavior for resolving the domain local groups has been restored. As a result, the ID command resolves domain local groups in its own domain correctly again.
- The net utility improperly displayed the realm which it had joined in all lowercase letters. Consequently, a user might misunderstand the domain join and might use the lowercase format of the realm name. This update corrects the case and improves the wording of the message printed about a domain join. As a result, the user is correctly informed as to which DNS domain the system has joined.
- If a Domain Controller (DC) was rebuilding the System Volume (Sysvol) shared directory and turned off netlogon, users were not able to log in until it was finished, even if another working DC was available. Consequently, users could not log in and got strange errors if netlogon was available and then was turned off. With this update, Samba retries twice to open the netlogon connection and, if it still does not work, the DC is added to the negative connection cache and Samba fails over to the next DC. As a result, the user no longer sees any error messages in this scenario and can log in using another DC as expected.
- When joining an Active Directory domain and using Samba's support for Kerberos keytabs, AES Kerberos keys were not added into the generated keytab. Consequently, Samba did not support the new AES encryption type for Kerberos. This update adds support for AES Kerberos keys to Samba, and AES Kerberos keys are now created in the keytab during the domain join.
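
To check whether a keytab generated by a domain join actually contains AES keys, the following added example (not part of the original release notes or of Samba) parses the keytab and lists principals that have no AES entry. It assumes the standard krb5 keytab file format version 0x0502; the principals, realm and key bytes in the sample are constructed.

```python
import struct

AES_ENCTYPES = {17, 18}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

def _counted(buf, p):
    """Read a uint16-length-prefixed string at offset p; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def keytab_entries(buf):
    """Parse a keytab (file format 0x0502) into (principal, kvno, enctype) tuples."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp)
        p += 8                             # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", buf, p)  # 8-bit kvno, then enctype
        out.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, etype))
        pos += size                        # key bytes are never read
    return out

def principals_without_aes(buf):
    """Sorted principals whose keytab entries include no AES enctype."""
    seen = {}
    for name, _, etype in keytab_entries(buf):
        seen.setdefault(name, set()).add(etype)
    return sorted(n for n, etypes in seen.items() if not etypes & AES_ENCTYPES)

def _entry(comps, realm, kvno, etype, key):  # builder for the constructed sample only
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: dummy key bytes, hypothetical principals in EXAMPLE.COM.
HOST = [b"host", b"client.example.com"]
SAMPLE = (b"\x05\x02" + _entry(HOST, b"EXAMPLE.COM", 2, 23, b"\0" * 16)
          + _entry(HOST, b"EXAMPLE.COM", 2, 18, b"\0" * 32)
          + _entry([b"CLIENT$"], b"EXAMPLE.COM", 2, 23, b"\0" * 16))
```

In the sample, the host principal has both an arcfour-hmac (23) and an AES256 (18) key, while CLIENT$ has only arcfour-hmac and is reported as lacking AES.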