- WHATS NEW IN Samba 3.0.1pre3
- November 14, 2003
- ==============================
+ =================================
+ Release Notes for Samba 3.4.0pre1
-This is a preview release of the Samba 3.0.1 code base and is
-provided for testing only. This release is *not* intended for
-production servers. Use at your own risk.
+ =================================
-There have been several bug fixes since the 3.0.0 releaser that
-we feel are important to make available to the Samba community
-for wider testings. See the "Changes" section for details on
-exact updates.
+This is the first preview release of Samba 3.4. This is *not*
+intended for production environments and is designed for testing
+purposes only. Please report any defects via the Samba bug reporting
+system at https://bugzilla.samba.org/.
+Major enhancements in Samba 3.4.0 include:
-######################################################################
-Changes
-#######
-Changes since 3.0.1pre2
------------------------
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details:
-
-1) Skip over the winbind separator when looking up a user.
- This fixes the bug that prevented local users from
- matching an AD user when not running winbindd (bug 698).
-2) Fix a problem with configure on *BSD systems. Make sure
- we add -liconv etc to LDFLAGS.
-3) Fix core dump bug when security=server and the server goes
- away.
-4) Correct crash bug due to an empty munged dial string.
-5) Show locked files for -u <user> (bug 590).
-6) Fix bug preventing print jobs from display in the queue
- monitor used by Windows NT and later clients (bug 660).
-7) Fix several reported problems with point-n-print from
- Windows 2000/XP clients due to a bug in the EnumPrinterDataEx()
- reply (bug 338, 527 & 643).
-8) Fix a handful of potential memory leaks in the LDAP code used
- by ldapsam[_compat] and the LDAP idmap backend.
-
-
-Changes since 3.0.1pre1
------------------------
-
-1) Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
-2) Updated Japanese welcome file in SWAT.
-3) Fix to nt-time <-> unix-time functions reversible.
-4) Ensure that winbindd uses the the escaped DN when querying
- an AD ldap server.
-5) Fix portability issues when compiling (bug 505, 550)
-6) Compile fix for tdbbackup when Samba needs to override
- non-C99 compliant implementations of snprintf().
-7) Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
-8) Make sure we break out of samsync loop on error.
-9) Ensure error code path doesn't free unmalloc()'d memory
- (bug 628).
-10) Add configure test for krb5_keytab_entry keyblock vs key
- member (bug 636).
-11) Fixed spinlocks.
-12) Modified testparm so that all output so all debug output goes
- to stderr, and all file processing goes to stdout.
-13) Fix error return code for BUFFER_TOO_SMALL in smbcacls
- and smbcquotas.
-14) Fix "NULL dest in safe_strcpy()" log message by ensuring that
- we have a devmode before copying a string to the devicename.
-15) Support mapping REALM.COM\user to a local user account (without
- running winbindd) for compatibility with 2.2.x release.
-16) Ensure we don't use mmap() on blacklisted systems.
-17) fixed a number of bugs and memory leaks in the AIX
- winbindd shim
-18) Call initgroups() in SWAT before becomming the user so that
- secondary group permissions can be used when writing to
- smb.conf.
-19) Fix signing problems when reverse connecting back to a
- client for printer notify
-20) Fix signing problems caused by a miss-sequence bug.
-21) Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
- Fixes NEXUS tools running on Win9x clients (bug 64).
-22) Don't leave the domain field uninitialized in cli_lsa.c if some
- SID could not be mapped.
-23) Fix segfault in mount.cifs helper when there is no options
- specified during mount.
-24) Change the \n after the password prompt to go to tty instead
- of stdout (bug 668).
-25) Stop net -P from prompting for machine account password (bug 451).
-26) Change in behavior to Not only change the effective uid but also
- the real uid when becoming unprivileged.
-27) Cope with Exchange 5.5 cleartext pop password auth.
-28) New files for support of initshutdown pipe. Win2k doesn't
- respond properly to all requests on the winreg pipe, so we need
- to handle this new pipe (bug 534).
-29) Added more va_copy() checks in configure.in.
-30) Include fixes for libsmbclient build problems.
-31) Missing UNIX -> DOS codepage conversion in lanman.c.
-32) Allow DFMS-S filenames can now have arbitrary case (bug 667).
-33) Parameterize the listen backlog in smbd and make it larger by
- default. A backlog of 5 is way too small these days.
-34) Check for an invalid fid before dereferencing the fsp pointer
- (bug 696).
-35) Remove invalid memory frees and return codes in pdb_ldap.c.
-36) Prompt for password when invoking --set-auth-user and no
- password is given.
-37) Bind the nmbd sending socket to the 'socket address'.
-38) Re-order link command for smbd, rpcclient and smbpasswd to ensure
- $LDFLAGS occurs before any library specification (bug 661).
-39) Fix large number of printf() calls for 64-bit size_t.
-40) Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
- keyblock in the krb5 structs.
-41) Remove #include <compat.h> in hopes to avoid problems with
- apache header files.
-42) COrrect winbindd build problems on HP-UX 11
-43) Lowercase netgroups lookups (bug 703).
-44) Use the actual size of the buffer in strftime instead of a made
- up value which just happens to be less than sizeof(fstring).
- (bug 713).
-45) Add ldaplibs to pdbedit link line (bug 651).
-46) Fix crash bug in smbclient completion (bug 659).
-47) Fix packet length for browse list reply (bug 771).
-48) Fix coredump in cli_get_backup_list().
-49) Make sure that we expand %N (bug 612).
-50) Allow rpcclient adddriver command to specify printer driver
- version (bug 514).
-51) Compile tdbdump by default.
-52) Apply patches to fix iconv detection for FreeBSD.
-53) Do not allow the 'guest account' to be added to a passdb backend
- using smbpasswd or pdbedit (bug 624).
-54) Save LDFLAGS during iconv detection (bug 57).
-55) Run krb5 logins through the username map if the winbindd
- lookup fails (bug 698).
-56) Add const for lp_set_name_resolve_order() to avoid compiler
- warnings (bug 471).
-57) Add support for the %i macro in smb.conf to stand in for the for
- the local IP address to which a client connected.
-58) Allow winbindd to match local accounts to domain SID when
- 'winbind trusted domains only = yes' (bug 680).
-59) Remove code in idmap_ldap that searches the user suffix and group
- suffix. It's not needed and provides inconsistent functionality
- from the tdb backend.
-60) Patch to handle munged dial string for Windows 200 TSE.
-61) Correct the "smbldap_open: cannot access when not root error"
- messages when looking up group information (bug 281).
-
-
-
-Changes since 3.0.0
--------------------
-
-Modified parameters
- * mangled map (deprecated)
-
-Removed Parameters
- * mangled stack (unused)
-
-
-1) Change the interface for init_unistr2 to not take a length
- but a flags field. We were assuming that
- 2*strlen(mb_string) == length of ucs2-le string. (bug 480).
-2) Allow d_printf() to handle strings with escaped quotation
- marks since the msg file includes the escape character (bug 489).
-3) Fix bad html table row termination in SWAT wizard code (bug 413).
-4) Fix to parse the level-2 strings.
-5) Fix for "valid users = %S" in [homes]. Fix read/write
- list as well.
-6) Change AC_CHECK_LIB_EXT to prepend libraries instead of append.
- This is the same way AC_CHECK_LIB works (bug 508).
-7) Testparm output fixes for clarity.
-8) Fix broken wins hook functionality -- i18n bug (bug 528).
-9) Take care of condition where DOS and NT error codes must differ.
-10) Default to using only built-in charsets when a working iconv
- implementation cannot be located.
-11) Wrap internals of sys_setgroups() so the sys_XX() call can
- be done unconditionally (bug 550).
-12) Remove duplicate smbspool link on SWAT's front page (bug 541).
-13) Save and restore CFLAGS before/after AC_PROG_CC. Ensures that
- --enable-debug=[yes|no] works correctly.
-14) Allow ^C to interrupt smbpasswd if using our getpass
- (e.g. smbpasswd command).
-15) Support signing only on RPC's (bug 167).
-16) Correct bug that prevented Excel 2000 clients from opening
- files marked as read-only.
-17) Portability fix bugs 546 - 549).
-18) Explicitly initialize the value of AR for vendor makes that don't
- do this (e.g. HPUX 11). (bug 552).
-19) More i18n fixes for SWAT (bug 413).
-20) Change the cwd before the postexec script to ensure that a
- umount will succeed.
-21) Correct double free that caused winbindd to crash when a DC
- is rebooted (bug 437).
-22) Fix incorrect mode sum (bug 562).
-23) Canonicalize SMB_INFO_ALLOCATION in the same was as
- SMB_FS_FULL_SIZE_INFORMATION (bug 564).
-24) Add script to generate *msg files.
-25) Add Dutch SWAT translation file.
-26) Make sure to call get_user_groups() with the full winbindd
- name for a user if he/she has one (bug 406).
-27) Fix up error code returns from Samba4 tester. Ensure invalid
- paths are validated the same way.
-28) Allow Samba3 to pass the Samba4 RAW-READ tests.
-29) Refuse to configure if --with-expsam=$BACKEND was used but no
- libraries were found for $BACKEND.
-30) Move sysquotas autoconf tests to a separate file.
-31) Match W2K w.r.t. writelock and writeclose. Samba4 torture
- tester
-32) Make sure that the files that contain the static_init_$subsystem;
- macro get recompiled after configure by removing the object
- files.
-33) Ensure canceling a blocking lock returns the correct error
- message.
-34) Match Samba 2.2, and make ACB_NORMAL the default ACB value.
-
-
-
-######################################################################
-
- =======================================
- The original 3.0.0 release notes follow
- =======================================
-
-
-Major new features:
--------------------
-
-1) Active Directory support. Samba 3.0 is now able to
- join a ADS realm as a member server and authenticate
- users using LDAP/Kerberos.
-
-2) Unicode support. Samba will now negotiate UNICODE on the wire
- and internally there is now a much better infrastructure for
- multi-byte and UNICODE character sets.
-
-3) New authentication system. The internal authentication system
- has been almost completely rewritten. Most of the changes are
- internal, but the new auth system is also very configurable.
-
-4) New default filename mangling system.
-
-5) A new "net" command has been added. It is somewhat similar to
- the "net" command in windows. Eventually we plan to replace
- numerous other utilities (such as smbpasswd) with subcommands
- in "net".
-
-6) Samba now negotiates NT-style status32 codes on the wire. This
- improves error handling a lot.
-
-7) Better Windows 2000/XP/2003 printing support including publishing
- printer attributes in active directory.
-
-8) New loadable module support for passdb backends and character
- sets.
-
-9) New default dual-daemon winbindd support for better performance.
-
-10) Support for migrating from a Windows NT 4.0 domain to a Samba
- domain and maintaining user, group and domain SIDs.
-
-11) Support for establishing trust relationships with Windows NT 4.0
- domain controllers.
-
-12) Initial support for a distributed Winbind architecture using
- an LDAP directory for storing SID to uid/gid mappings.
-
-13) Major updates to the Samba documentation tree.
-
-14) Full support for client and server SMB signing to ensure
- compatibility with default Windows 2003 security settings.
-
-15) Improvement of ACL mapping features based on code donated by
- Andreas Grünbacher.
-
-
-Plus lots of other improvements!
-
-
-Additional Documentation
-------------------------
-
-Please refer to Samba documentation tree (included in the docs/
-subdirectory) for extensive explanations of installing, configuring
-and maintaining Samba 3.0 servers and clients. It is advised to
-begin with the Samba-HOWTO-Collection for overviews and specific
-tasks (the current book is up to approximately 400 pages) and to
-refer to the various man pages for information on individual options.
-
-We are very glad to be able to include the second edition of
-"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
-(O'Reilly & Associates) in this release. The book is available
-on-line at http://samba.org/samba/docs/ and is included with
-the Samba Web Administration Tool (SWAT). Thanks to the authors and
-publisher for making "Using Samba" under the GNU Free Documentation
-License.
-
-
-######################################################################
-Upgrading from a previous Samba 3.0 beta
-########################################
-
-Beginning with Samba 3.0.0beta3, the RID allocation functions
-have been moved into winbindd. Previously these were handled
-by each passdb backend. This means that winbindd must be running
-to automatically allocate RIDs for users and/or groups. Otherwise,
-smbd will use the 2.2 algorithm for generating new RIDs.
-
-If you are using 'passdb backend = tdbsam' with a previous Samba
-3.0 beta release (or possibly alpha), it may be necessary to
-move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
-to winbindd_idmap.tdb. To do this:
-
-1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
- once)
-2) build tdbtool by executing 'make tdbtool' in the source/tdb/
- directory
-3) run: (note that 'tdb>' is the tool's prompt for input)
-
- root# ./tdbtool /usr/local/samba/private/passdb.tdb
- tdb> show RID_COUNTER
- key 12 bytes
- RID_COUNTER
- data 4 bytes
- [000] 0A 52 00 00 .R.
-
- tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
- ....
- record moved
-
-If you are using 'passdb backend = ldapsam', it will be necessary to
-store idmap entries in the LDAP directory as well (i.e. idmap backend
-= ldap). Refer to the 'net idmap' command for more information on
-migrating SID<->UNIX id mappings from one backend to another.
-
-If the RID_COUNTER record does not exist, then these instructions are
-unneccessary and the new RID_COUNTER record will be correctly generated
-if needed.
-
-
-
-########################
-Upgrading from Samba 2.2
-########################
-
-This section is provided to help administrators understand the details
-involved with upgrading a Samba 2.2 server to Samba 3.0.
-
-
-Building
---------
-
-Many of the options to the GNU autoconf script have been modified
-in the 3.0 release. The most noticeable are:
-
- * removal of --with-tdbsam (is now included by default; see section
- on passdb backends and authentication for more details)
-
- * --with-ldapsam is now on used to provided backward compatible
- parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
- backend and authentication section for more details
-
- * inclusion of non-standard passdb modules may be enabled using
- --with-expsam. This includes an XML backend and a mysql backend.
-
- * removal of --with-msdfs (is now enabled by default)
-
- * removal of --with-ssl (no longer supported)
-
- * --with-utmp now defaults to 'yes' on supported systems
-
- * --with-sendfile-support is now enabled by default on supported
- systems
-
-
-Parameters
-----------
-
-This section contains a brief listing of changes to smb.conf options
-in the 3.0.0 release. Please refer to the smb.conf(5) man page for
-complete descriptions of new or modified parameters.
-
-Removed Parameters (order alphabetically):
-
- * admin log
- * alternate permissions
- * character set
- * client codepage
- * code page directory
- * coding system
- * domain admin group
- * domain guest group
- * force unknown acl user
- * nt smb support
- * postscript
- * printer driver
- * printer driver file
- * printer driver location
- * status
- * strip dot
- * total print jobs
- * use rhosts
- * valid chars
- * vfs options
-
-New Parameters (new parameters have been grouped by function):
-
- Remote management
- -----------------
- * abort shutdown script
- * shutdown script
-
- User and Group Account Management
- ---------------------------------
- * add group script
- * add machine script
- * add user to group script
- * algorithmic rid base
- * delete group script
- * delete user from group script
- * passdb backend
- * set primary group script
-
- Authentication
- --------------
- * auth methods
- * realm
-
- Protocol Options
- ----------------
- * client lanman auth
- * client NTLMv2 auth
- * client schannel
- * client signing
- * client use spnego
- * disable netbios
- * ntlm auth
- * paranoid server security
- * server schannel
- * server signing
- * smb ports
- * use spnego
-
- File Service
- ------------
- * get quota command
- * hide special files
- * hide unwriteable files
- * hostname lookups
- * kernel change notify
- * mangle prefix
- * map acl inherit
- * msdfs proxy
- * set quota command
- * use sendfile
- * vfs objects
-
- Printing
- --------
- * max reported print jobs
-
- UNICODE and Character Sets
- --------------------------
- * display charset
- * dos charset
- * unicode
- * unix charset
-
- SID to uid/gid Mappings
- -----------------------
- * idmap backend
- * idmap gid
- * idmap uid
- * winbind enable local accounts
- * winbind trusted domains only
- * template primary group
- * enable rid algorithm
-
- LDAP
- ----
- * ldap delete dn
- * ldap group suffix
- * ldap idmap suffix
- * ldap machine suffix
- * ldap passwd sync
- * ldap user suffix
-
- General Configuration
- ---------------------
- * preload modules
- * private dir
-
-Modified Parameters (changes in behavior):
-
- * encrypt passwords (enabled by default)
- * mangling method (set to 'hash2' by default)
- * passwd chat
- * passwd program
- * restrict anonymous (integer value)
- * security (new 'ads' value)
- * strict locking (enabled by default)
- * unix extensions (enabled by default)
- * winbind cache time (increased to 5 minutes)
- * winbind uid (deprecated in favor of 'idmap uid')
- * winbind gid (deprecated in favor of 'idmap gid')
-
-
-Databases
----------
-
-This section contains brief descriptions of any new databases
-introduced in Samba 3.0. Please remember to backup your existing
-${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
-upgrade databases as they are opened (if necessary), but downgrading
-from 3.0 to 2.2 is an unsupported path.
-
-Name Description Backup?
----- ----------- -------
-account_policy User policy settings yes
-gencache Generic caching db no
-group_mapping Mapping table from Windows yes
- groups/SID to unix groups
-winbindd_idmap ID map table from SIDS to UNIX yes
- uids/gids.
-namecache Name resolution cache entries no
-netsamlogon_cache Cache of NET_USER_INFO_3 structure no
- returned as part of a successful
- net_sam_logon request
-printing/*.tdb Cached output from 'lpq no
- command' created on a per print
- service basis
-registry Read-only samba registry skeleton no
- that provides support for exporting
- various db tables via the winreg RPCs
-
-
-Changes in Behavior
--------------------
-
-The following issues are known changes in behavior between Samba 2.2 and
-Samba 3.0 that may affect certain installations of Samba.
-
- 1) When operating as a member of a Windows domain, Samba 2.2 would
- map any users authenticated by the remote DC to the 'guest account'
- if a uid could not be obtained via the getpwnam() call. Samba 3.0
- rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
- current work around to re-establish the 2.2 behavior.
-
- 2) When adding machines to a Samba 2.2 controlled domain, the
- 'add user script' was used to create the UNIX identity of the
- machine trust account. Samba 3.0 introduces a new 'add machine
- script' that must be specified for this purpose. Samba 3.0 will
- not fall back to using the 'add user script' in the absence of
- an 'add machine script'
-
-
-######################################################################
-Passdb Backends and Authentication
-##################################
-
-There have been a few new changes that Samba administrators should be
-aware of when moving to Samba 3.0.
-
- 1) encrypted passwords have been enabled by default in order to
- inter-operate better with out-of-the-box Windows client
- installations. This does mean that either (a) a samba account
- must be created for each user, or (b) 'encrypt passwords = no'
- must be explicitly defined in smb.conf.
-
- 2) Inclusion of new 'security = ads' option for integration
- with an Active Directory domain using the native Windows
- Kerberos 5 and LDAP protocols.
-
- MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
- type which is neccessary for servers on which the
- administrator password has not been changed, or kerberos-enabled
- SMB connections to servers that require Kerberos SMB signing.
- Besides this one difference, either MIT or Heimdal Kerberos
- distributions are usable by Samba 3.0.
-
-
-Samba 3.0 also includes the possibility of setting up chains
-of authentication methods (auth methods) and account storage
-backends (passdb backend). Please refer to the smb.conf(5)
-man page for details. While both parameters assume sane default
-values, it is likely that you will need to understand what the
-values actually mean in order to ensure Samba operates correctly.
-
-The recommended passdb backends at this time are
-
- * smbpasswd - 2.2 compatible flat file format
- * tdbsam - attribute rich database intended as an smbpasswd
- replacement for stand alone servers
- * ldapsam - attribute rich account storage and retrieval
- backend utilizing an LDAP directory.
- * ldapsam_compat - a 2.2 backward compatible LDAP account
- backend
-
-Certain functions of the smbpasswd(8) tool have been split between the
-new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
-utility. See the respective man pages for details.
-
-
-######################################################################
-LDAP
-####
-
-This section outlines the new features affecting Samba / LDAP
-integration.
-
-New Schema
-----------
-
-A new object class (sambaSamAccount) has been introduced to replace
-the old sambaAccount. This change aids us in the renaming of attributes
-to prevent clashes with attributes from other vendors. There is a
-conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
-file to the new schema.
-
-Example:
-
- $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
- $ convertSambaAccount <DOM SID> old.ldif new.ldif
-
-The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
-on the Samba PDC as root.
-
-The old sambaAccount schema may still be used by specifying the
-"ldapsam_compat" passdb backend. However, the sambaAccount and
-associated attributes have been moved to the historical section of
-the schema file and must be uncommented before use if needed.
-The 2.2 object class declaration for a sambaAccount has not changed
-in the 3.0 samba.schema file.
-
-Other new object classes and their uses include:
-
- * sambaDomain - domain information used to allocate rids
- for users and groups as necessary. The attributes are added
- in 'ldap suffix' directory entry automatically if
- an idmap uid/gid range has been set and the 'ldapsam'
- passdb backend has been selected.
-
- * sambaGroupMapping - an object representing the
- relationship between a posixGroup and a Windows
- group/SID. These entries are stored in the 'ldap
- group suffix' and managed by the 'net groupmap' command.
-
- * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
- automatically and contains the next available 'idmap uid' and
- 'idmap gid'
-
- * sambaIdmapEntry - object storing a mapping between a
- SID and a UNIX uid/gid. These objects are created by the
- idmap_ldap module as needed.
-
- * sambaSidEntry - object representing a SID alone, as a Structural
- class on which to build the sambaIdmapEntry.
-
-
-New Suffix for Searching
-------------------------
-
-The following new smb.conf parameters have been added to aid in directing
-certain LDAP queries when 'passdb backend = ldapsam://...' has been
-specified.
-
- * ldap suffix - used to search for user and computer accounts
- * ldap user suffix - used to store user accounts
- * ldap machine suffix - used to store machine trust accounts
- * ldap group suffix - location of posixGroup/sambaGroupMapping entries
- * ldap idmap suffix - location of sambaIdmapEntry objects
-
-If an 'ldap suffix' is defined, it will be appended to all of the
-remaining sub-suffix parameters. In this case, the order of the suffix
-listings in smb.conf is important. Always place the 'ldap suffix' first
-in the list.
-
-Due to a limitation in Samba's smb.conf parsing, you should not surround
-the DN's with quotation marks.
-
-
-IdMap LDAP support
-------------------
-
-Samba 3.0 supports an ldap backend for the idmap subsystem. The
-following options would inform Samba that the idmap table should be
-stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
-dc=org" partition.
-
- [global]
- ...
- idmap backend = ldap:ldap://onterose/
- ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
- idmap uid = 40000-50000
- idmap gid = 40000-50000
-
-This configuration allows winbind installations on multiple servers to
-share a uid/gid number space, thus avoiding the interoperability problems
-with NFS that were present in Samba 2.2.
-
-
-
-######################################################################
-Trust Relationships and a Samba Domain
-######################################
-
-Samba 3.0.0beta2 is able to utilize winbindd as the means of
-allocating uids and gids to trusted users and groups. More
-information regarding Samba's support for establishing trust
-relationships can be found in the Samba-HOWTO-Collection included
-in the docs/ directory of this release.
-
-First create your Samba PDC and ensure that everything is
-working correctly before moving on the trusts.
-
-To establish Samba as the trusting domain (named SAMBA) from a Windows NT
-4.0 domain named WINDOWS:
-
- 1) create the trust account for SAMBA in "User Manager for Domains"
- 2) connect the trust from the Samba domain using
- 'net rpc trustdom establish GLASS'
-
-To create a trustlationship with SAMBA as the trusted domain:
-
- 1) create the initial trust account for GLASS using
- 'smbpasswd -a -i GLASS'. You may need to create a UNIX
- account for GLASS$ prior to this step (depending on your
- local configuration).
- 2) connect the trust from a WINDOWS DC using "User Manager
- for Domains"
-
-Now join winbindd on the Samba PDC to the SAMBA domain using
-the normal steps for adding a Samba server to an NT4 domain:
-(note that smbd & nmbd must be running at this point)
-
- root# net rpc join -U root
- Password: <enter root password from smbpasswd file here>
-
-Start winbindd and test the join with 'wbinfo -t'.
-
-Now test the trust relationship by connecting to the SAMBA DC
-(e.g. POGO) as a user from the WINDOWS domain:
-
- $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
- Password:
-
-Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
-
- $ smbclient //crystal/netlogon -U root -W WINDOWS
- Password:
-
-######################################################################
-Changes in Winbind
-##################
-
-Beginning with Samba3.0.0beta3, winbindd has been given new account
-manage functionality equivalent to the 'add user script' family of
-smb.conf parameters. The idmap design has also been changed to
-centralize control of foreign SID lookups and matching to UNIX
-uids and gids.
-
-
-Brief Description of Changes
-----------------------------
-
-1) The sid_to_uid() family of functions (smbd/uid.c) have been
- reverted to the 2.2.x design. This means that when resolving a
- SID to a UID or similar mapping:
-
- a) First consult winbindd
- b) perform a local lookup only if winbindd fails to
- return a successful answer
-
- There are some variations to this, but these two rules generally
- apply.
-
-2) All idmap lookups have been moved into winbindd. This means that
- a server must run winbindd (and support NSS) in order to achieve
- any mappings of SID to dynamically allocated UNIX ids. This was
- a conscious design choice.
-
-3) New functions have been added to winbindd to emulate the 'add user
- script' family of smbd functions without requiring that external
- scripts be defined. This functionality is controlled by the 'winbind
- enable local accounts' smb.conf parameter (enabled by default).
-
- However, this account management functionality is only supported
- in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
- must be shared among multiple Samba servers (such as a PDC and BDCs),
- it will be necessary to define your own 'add user script', et. al.
- programs that place the accounts/groups in some form of directory
- such as NIS or LDAP. This requirement was deemed beyond the scope
- of winbind's account management functions. Solutions for
- distributing UNIX system information have been deployed and tested
- for many years. We saw no need to reinvent the wheel.
-
-4) A member of a Samba controlled domain running winbindd is now able
- to map domain users directly onto existing UNIX accounts while still
- automatically creating accounts for trusted users and groups. This
- behavior is controlled by the 'winbind trusted domains only' smb.conf
- parameter (disabled by default to provide 2.2.x winbind behavior).
-
-5) Group mapping support is wrapped in the local_XX_to_XX() functions
- in smbd/uid.c. The reason that group mappings are not included
- in winbindd is because the purpose of Samba's group map is to
- match any Windows SID with an existing UNIX group. These UNIX
- groups can be created by winbindd (see next section), but the
- SID<->gid mapping is retreived by smbd, not winbindd.
-
-
-Examples
---------
-
-* security = server running winbindd to allocate accounts on demand
-
-* Samba PDC running winbindd to handle the automatic creation of UNIX
- identities for machine trust accounts
-
-* Automtically creating UNIX user and groups when migrating a Windows NT
- 4.0 PDC to a Samba PDC. Winbindd must be running when executing
- 'net rpc vampire' for this to work.
-
-
-######################################################################
-Known Issues
-############
-
-* There are several bugs currently logged against the 3.0 codebase
- that affect the use of NT 4.0 GUI domain management tools when run
- against a Samba 3.0 PDC. This bugs should be released in an early
- 3.0.x release.
-
-Please refer to https://bugzilla.samba.org/ for a current list of bugs
-filed against the Samba 3.0 codebase.
+o
######################################################################
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
-the problem then you will probably be ignored.
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
-A new bugzilla installation has been established to help support the
-Samba 3.0 community of users. This server, located at
-https://bugzilla.samba.org/, has replaced the older jitterbug server
-previously located at http://bugs.samba.org/.
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================