samba (2:3.5.6~dfsg-3squeeze13) squeeze-lts; urgency=high

  * Fix CVE-2015-5296: When creating an encrypted connection, samba did
    not ensure that signing was negotiated, making samba susceptible to
    a man-in-the-middle attack. To fix this, signing has been made
    mandatory when requiring an encrypted connection.

    You might need to adjust your smb.conf since the "server signing"
    option is disabled by default:

       server signing = auto

    Otherwise, clients (i.e. smbclient using the -e argument) will not
    be able to negotiate encrypted connections.

    Ref: https://www.samba.org/samba/security/CVE-2015-5296.html

 -- Santiago Ruano Rincón <santiagorr@riseup.net>  Wed, 30 Dec 2015 13:17:20 +0100

samba (2:3.5.6~dfsg-3squeeze4) stable-proposed-updates; urgency=low

  * Please note that upgrading to 3.5.* series, the "map untrusted to
    domain" configuration parameters was introduced and defaults to "No".
    It means that users originating from an untrusted domain are no
    longer mapped to the domain the samba server is member of.
    This could lead to behavioral changes if the pre-3.5 behavior of
    mapping these user to the domain was needed. See #623190 for
    details.

 -- Christian Perrier <bubulle@debian.org>  Thu, 12 May 2011 19:51:52 +0200

samba (2:3.4.0-1) unstable; urgency=low

  * Default passdb backend changed in samba 3.4.0 and above
  
    Beginning with samba 3.4.0, the default setting for "passdb
    backend" changed from "smbpasswd" to "tdbsam".
    
    If your smb.conf file does not have an explicit mention of
    "passdb backend" when upgrading from pre-3.4.0 versions of
    samba, it is likely that users will no longer be able to
    authenticate.
    
    As a consequence of all this, if you're upgrading from lenny
    and have no setting of "passdb backend" in smb.conf, you MUST
    add "passdb backend = smbpasswd" in order to keep your samba
    server's behaviour.
    
    As Debian packages of samba explicitly set "passdb backend = tdbsam"
    by default since etch, very few users should need to modify their
    settings.

 -- Christian Perrier <bubulle@debian.org>  Tue, 07 Jul 2009 20:42:19 +0200

samba (3.0.27a-2) unstable; urgency=low

  * Weak authentication methods are disabled by default

    Beginning with this version, plaintext authentication is disabled for
    clients and lanman authentication is disabled for both clients and
    servers.  Lanman authentication is not needed for Windows
    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
    95/98/ME clients (or servers) you may need to set lanman auth (or client
    lanman auth) to yes in your smb.conf.

    The "lanman auth = no" setting will also cause lanman password hashes to
    be deleted from smbpasswd and prevent new ones from being written, so
    that these can't be subjected to brute-force password attacks.  This
    means that re-enabling lanman auth after it has been disabled is more
    difficult; it is therefore advisable that you re-enable the option as
    soon as possible if you think you will need to support Win9x clients.

    Client support for plaintext passwords is not needed for recent Windows
    servers, and in fact this behavior change makes the Samba client behave
    in a manner consistent with all Windows clients later than Windows 98.
    However, if you need to connect to a Samba server that does not have
    encrypted password support enabled, or to another server that does not
    support NTLM authentication, you will need to set
    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.

 -- Steve Langasek <vorlon@debian.org>  Sat, 24 Nov 2007 00:23:37 -0800

samba (3.0.26a-2) unstable; urgency=low

  * Default printing system has changed from BSD to CUPS

    Previous versions of this package were configured to use BSD lpr as the
    default printing system.  With this version of Samba, the default has
    been changed to CUPS for consistency with the current default printer
    handling in the rest of the system.

    If you wish to continue using the BSD printing interface from Samba, you
    will need to set "printing = bsd" manually in /etc/samba/smb.conf.  If
    you wish to use CUPS printing but have previously set any of the
    "print command", "lpq command", or "lprm command" options in smb.conf,
    you will want to remove these settings from your config.  Otherwise, if
    you have the cupsys package installed, Samba should begin to use it
    automatically with no action on your part.

 -- Steve Langasek <vorlon@debian.org>  Wed, 14 Nov 2007 17:19:36 -0800