--- /dev/null
+This file aims to document the major changes since the latest released version
+of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
+and uses a different internal format for most data. Since this
+file is an initial draft, please update missing items.
+
+One of the main goals of Samba 4 was Active Directory Domain Controller
+support. This means Samba now implements several protocols that are required
+by AD such as Kerberos and DNS.
+
+An (experimental) upgrade script that performs a one-way upgrade
+from Samba 3 is available in source/setup/upgrade.
+
+Removal of nmbd and introduction of process models
+==================================================
+smbd now implements several network protocols other then just CIFS and
+DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
+various 'process models' that specify how concurrent connections are
+handled (when to fork, use threads, etc).
+
+Introduction of LDB
+===================
+Samba now stores most of its persistent data in a LDAP-like database
+called LDB (see ldb(7) for more info).
+
+Much improved SWAT
+===============
+SWAT has had some rather large improvements and is now more then just a
+direct editor for smb.conf. Its layout has been improved. SWAT can now also
+be used for editing run-time data - maintaining user information, provisioning,
+etc. TLS is supported out of the box.
+
+Built-in KDC
+============
+FIXME
+
+Changed configuration options
+=============================
+Several configuration options have been removed in Samba4 while others have
+been introduced. This section contains a summary of changes to smb.conf and
+where these settings moved.
+
+The 'security' parameter has been split up. It is now only used to choose
+between the 'user' and 'share' security levels (the latter is not supported
+in Samba 4 yet). The other values of this option and the 'domain master' and
+'domain logons' parameters have been merged into a 'server role' parameter
+that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
+member server support does not work yet.
+
+'password server' now takes a DCE/RPC binding string (see prog_guide.txt)
+rather then simply a NetBIOS name.
+
+The following parameters have been removed:
+- passdb backend: accounts are now stored in a LDB-based SAM database,
+ see 'sam database' below.
+- update encrypted
+- public
+- guest ok
+- client schannel
+- server schannel
+- allow trusted domains
+- hosts equiv
+- map to guest
+- smb passwd file
+- algorithmic rid base
+- root directory
+- root dir
+- root
+- guest account
+- enable privileges
+- pam password change
+- passwd program
+- passwd chat debug
+- passwd chat timeout
+- check password script
+- username map
+- username level
+- unix password sync
+- restrict anonymous
+- username
+- user
+- users
+- invalid users
+- valid users
+- admin users
+- read list
+- write list
+- printer admin
+- force user
+- force group
+- group
+- write ok
+- writeable
+- writable
+- acl check permissions
+- acl group control
+- acl map full control
+- create mask
+- create mode
+- force create mode
+- security mask
+- force security mode
+- directory mask
+- directory mode
+- force directory mode
+- directory security mask
+- force directory security mode
+- force unknown acl user
+- inherit permissions
+- inherit acls
+- inherit owner
+- guest only
+- only guest
+- only user
+- allow hosts
+- deny hosts
+- preload modules
+- use kerberos keytab
+- syslog
+- syslog only
+- max log size
+- debug timestamp
+- timestamp logs
+- debug hires timestamp
+- debug pid
+- debug uid
+- allocation roundup size
+- aio read size
+- aio write size
+- aio write behind
+- large readwrite
+- protocol
+- read bmpx
+- reset on zero vc
+- acl compatibility
+- defer sharing violations
+- ea support
+- nt acl support
+- nt pipe support
+- profile acls
+- map acl inherit
+- afs share
+- max ttl
+- client use spnego
+- enable asu support
+- svcctl list
+- block size
+- change notify timeout
+- deadtime
+- getwd cache
+- keepalive
+- kernel change notify
+- lpq cache time
+- max smbd processes
+- max disk size
+- max open files
+- min print space
+- strict allocate
+- sync always
+- use mmap
+- use sendfile
+- hostname lookups
+- write cache size
+- name cache timeout
+- max reported print jobs
+- load printers
+- printcap cache time
+- printcap name
+- printcap
+- printing
+- cups options
+- cups server
+- iprint server
+- print command
+- disable spoolss
+- enable spoolss
+- lpq command
+- lprm command
+- lppause command
+- lpresume command
+- queuepause command
+- queueresume command
+- enumports command
+- addprinter command
+- deleteprinter command
+- show add printer wizard
+- os2 driver map
+- use client driver
+- default devmode
+- force printername
+- mangling method
+- mangle prefix
+- default case
+- case sensitive
+- casesignames
+- preserve case
+- short preserve case
+- mangling char
+- hide dot files
+- hide special files
+- hide unreadable
+- hide unwriteable files
+- delete veto files
+- veto files
+- hide files
+- veto oplock files
+- map readonly
+- mangled names
+- mangled map
+- max stat cache size
+- stat cache
+- store dos attributes
+- machine password timeout
+- add user script
+- rename user script
+- delete user script
+- add group script
+- delete group script
+- add user to group script
+- delete user from group script
+- set primary group script
+- add machine script
+- shutdown script
+- abort shutdown script
+- username map script
+- logon script
+- logon path
+- logon drive
+- logon home
+- domain logons
+- os level
+- lm announce
+- lm interval
+- domain master
+- browse list
+- enhanced browsing
+- dns proxy
+- wins proxy
+- wins hook
+- wins partners
+- blocking locks
+- fake oplocks
+- kernel oplocks
+- locking
+- lock spin count
+- lock spin time
+- oplocks
+- level2 oplocks
+- oplock break wait time
+- oplock contention limit
+- posix locking
+- share modes
+- ldap server
+- ldap port
+- ldap admin dn
+- ldap delete dn
+- ldap group suffix
+- ldap idmap suffix
+- ldap machine suffix
+- ldap passwd sync
+- ldap password sync
+- ldap replication sleep
+- ldap suffix
+- ldap ssl
+- ldap timeout
+- ldap page size
+- ldap user suffix
+- add share command
+- change share command
+- delete share command
+- eventlog list
+- utmp directory
+- wtmp directory
+- utmp
+- default service
+- default
+- message command
+- dfree cache time
+- dfree command
+- get quota command
+- set quota command
+- remote announce
+- remote browse sync
+- homedir map
+- afs username map
+- afs token lifetime
+- log nt token command
+- time offset
+- NIS homedir
+- preexec
+- exec
+- preexec close
+- postexec
+- root preexec
+- root preexec close
+- root postexec
+- set directory
+- wide links
+- follow symlinks
+- dont descend
+- magic script
+- magic output
+- delete readonly
+- dos filemode
+- dos filetimes
+- dos filetime resolution
+- fake directory create times
+- panic action
+- vfs objects
+- vfs object
+- msdfs root
+- msdfs proxy
+- host msdfs
+- enable rid algorithm
+- passdb expand explicit
+- idmap backend
+- idmap uid
+- winbind uid
+- idmap gid
+- winbind gid
+- template homedir
+- template shell
+- winbind separator
+- winbind cache time
+- winbind enum users
+- winbind enum groups
+- winbind use default domain
+- winbind trusted domains only
+- winbind nested groups
+- winbind max idle children
+- winbind nss info
+
+The following parameters have been added:
++ rpc big endian (G)
+ Make Samba fake it is running on a bigendian machine when using DCE/RPC.
+ Useful for debugging.
+
+ Default: no
+
++ case insensitive filesystem (S)
+ Set to true if this share is located on a case-insensitive filesystem.
+ This disables looking for a filename by trying all possible combinations of
+ uppercase/lowercase characters and thus speeds up operations when a
+ file cannot be found.
+
+ Default: no
+
++ js include (G)
+ Path to JavaScript library.
+
+ Default: Set at compile-time
+
++ setup directory
+ Path to data used by provisioning script.
+
+ Default: Set at compile-time
+
++ ncalrpc dir
+ Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
+
+ Default: Set at compile-time
+
++ ntvfs handler
+ Backend to the NT VFS to use (more then one can be specified). Available
+ backends include:
+
+ - posix:
+ Maps POSIX FS semantics to NT semantics
+
+ - simple:
+ Very simple backend (original testing backend).
+
+ - unixuid:
+ Sets up user credentials based on POSIX gid/uid.
+
+ - cifs:
+ Proxies a remote CIFS FS. Mainly useful for testing.
+
+ - nbench:
+ Filter module that saves data useful to the nbench benchmark suite.
+
+ - ipc:
+ Allows using SMB for inter process communication. Only used for
+ the IPC$ share.
+
+ - print:
+ Allows printing over SMB. This is LANMAN-style printing (?), not
+ the be confused with the spoolss DCE/RPC interface used by later
+ versions of Windows.
+
+ Default: unixuid default
+
++ ntptr providor
+ FIXME
+
++ dcerpc endpoint servers
+ What DCE/RPC servers to start.
+
+ Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup
+
++ server services
+ Services Samba should provide.
+
+ Default: smb rpc nbt wrepl ldap cldap web kdc
+
++ sam database
+ Location of the SAM (account database) database. This should be a
+ LDB URL.
+
+ Default: set at compile-time
+
++ spoolss database
+ Spoolss (printer) DCE/RPC server database. This should be a LDB URL.
+
+ Default: set at compile-time
+
++ wins config database
+ WINS configuration database location. This should be a LDB URL.
+
+ Default: set at compile-time
+
++ wins database
+ WINS database location. This should be a LDB URL.
+
+ Default: set at compile-time
+
++ client use spnego principal
+ Tells the client to use the Kerberos service principal specified by the
+ server during the security protocol negotation rather then
+ looking up the principal itself (cifs/hostname).
+
+ Default: false
+
++ nbt port
+ TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.
+
+ Default: 137
+
++ dgram port
+ UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.
+
+ Default: 138
+
++ cldap port
+ UDP/IP port used by the CLDAP protocol.
+
+ Default: 389
+
++ krb5 port
+ IP port used by the kerberos KDC.
+
+ Default: 88
+
++ kpasswd port
+ IP port used by the kerberos password change protocol.
+
+ Default: 464
+
++ web port
+ TCP/IP port SWAT should listen on.
+
+ Default: 901
+
++ tls enabled
+ Enable TLS support for SWAT
+
+ Default: true
+
++ tls keyfile
+ Path to TLS key file (PEM format) to be used by SWAT. If no
+ path is specified, Samba will create a key.
+
+ Default: none
+
++ tls certfile
+ Path to TLS certificate file (PEM format) to be used by SWAT. If no
+ path is specified, Samba will create a certificate.
+
+ Default: none
+
++ tls cafile
+ Path to CA authority file Samba will use to sign TLS keys it generates. If
+ no path is specified, Samba will create a self-signed CA certificate.
+
+ Default: none
+
++ tls crlfile
+ Path to TLS certificate revocation lists file.
+
+ Default: none
+
++ swat directory
+ SWAT data directory.
+
+ Default: set at compile-time
+
++ large readwrite
+ Indicate the CIFS server is able to do large reads/writes.
+
+ Default: true
+
++ unicode
+ Enable/disable unicode support in the protocol.
+
+ Default: true
git.samba.org / jelmer / samba4-debian.git / blobdiff