From: John Terpstra Date: Tue, 4 Jul 2006 18:41:34 +0000 (+0000) Subject: Updating documentation for 3.0.23. Jerry, please check these changes. X-Git-Tag: release-3-0-23~5 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=9acdf8405eeef83c8919f8e4e5d272cb181611fb;p=import%2Fsamba-docs-svnimport.git Updating documentation for 3.0.23. Jerry, please check these changes. --- diff --git a/Samba3-HOWTO/TOSHARG-ChangeNotes.xml b/Samba3-HOWTO/TOSHARG-ChangeNotes.xml new file mode 100644 index 0000000..ec7b751 --- /dev/null +++ b/Samba3-HOWTO/TOSHARG-ChangeNotes.xml 
@@ -0,0 +1,177 @@ + + + + + &author.jht; + &author.jerry; + + +Important Samba-3.0.23 Change Notes + + +Samba is a fluid and ever changing project. Sometimes it is difficult to figure out which part, +or parts, of the HOWTO documentation should be updated tio reflect the impact of new or modified +features. At other times it becomes clear that the documentation is in need of being restructured. + + + +In recent times a group of Samba users has joined the thrust to create a new Samba Wiki that is slated to become the all-singing and all-dancing +new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and +thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to +continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until +such time as the body of this HOWTO is restructured or modified. + + + +This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided +in the WHATSNEW.txt file that is included with the Samba source code release tarball. + + + +User and Group Changes + + +The change documented here affects unmapped user and group accounts only. + + + +user +group +Relative IdentifiersRID +netgroupmap +netrpcvampire +The user and group internal management routines have been rewritten to prevent overlaps of +assigned Relative Identifiers (RIDs). In the past the has been a potential problem when +either manually mapping Unix groups with the net groupmap command or +when migrating a Windows domain to a Samba domain by executing: +net rpc vampire. + + + +SID +SAM +RID +netgetlocalsid +Unmapped users are now assigned a SID in the S-1-22-1 domain and unmapped +groups are assigned a SID in the S-1-22-2 domain. Previously they were +assign a RID within the SAM on the Samba server. 
For a domain controller this would have been under the +authority of the domain SID where as on a member server or standalone server, this would have +been under the authority of the local SAM (see the man page for net getlocalsid). + + + +unmapped users +unmapped groups +SID +NTFS +GID +The result is that any unmapped users or groups on an upgraded Samba domain controller may +be assigned a new SID. Because the SID rather than a name is stored in Windows security +descriptors, this can cause a user to no longer have access to a resource for example if a +file was copied from a Samba file server to a local Windows client NTFS partition. Any files +stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX +GID and not the SID for authorization checks. + + + +An example helps to illustrate the change: + + + +group mapping +GID +ACL +SID +Assume that a group named developers exists with a UNIX GID of 782. In this +case this user does not exist in Samba's group mapping table. It would be perfectly normal for +this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as +S-1-5-21-647511796-4126122067-3123570092-2565. + + + +SID +NTFS +access +group permissions +With the release of Samba-3.0.23, the group SID would be reported as S-1-22-2-782. +Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow +access based on the group permissions if the user was not a member of the +S-1-5-21-647511796-4126122067-3123570092-2565 group. +Because this group SID is S-1-22-2-782 and not reported in a user's token, +Windows would fail the authorization check even though both SIDs in some respect refer to the +same UNIX group. + + + +group mapping +SID +The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping +entry for the group developers to point at the +S-1-5-21-647511796-4126122067-3123570092-2565 SID. 
With the release of Samba-3.0.23 this +workaround is no longer needed. + + + + + +Passdb Changes + + +backends +GID +SQL +XML +The parameter no long accepts multiple passdb backends in a +chained configuration. Also be aware that the SQL and XML based passdb modules have been +removed in the Samba-3.0.23 release. More information regarding external support for a SQL +passdb module can be found on the pdbsql + + + + +Group Mapping Changes in Samba-3.0.23 + + +default mapping +Domain Admins +smbpasswd +tdbsam +passdb backend +group mappings +GID +SID +IDMAP +winbindd +domain groups +The default mapping entries for groups such as Domain Admins are no longer +created when using an smbpasswd file or a tdbsam passdb +backend. This means that it is necessary to explicitly execute the net groupmap add +to create group mappings, rather than use the net groupmap modify method to create the +Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality +for domain groups. + + + + + +LDAP Changes in Samba-3.0.23 + + +LDAP schema +sambaSID +OpenLDAP +slapindex +slapd.conf +There has been a minor update the Samba LDAP schema file. A substring matching rule has been +added to the sambaSID attribute definition. For OpenLDAP servers, this +will require the addition of index sambaSID sub to the +slapd.conf configuration file. It will be necessary to execute the +slapindex command after making this change. There has been no change to the +actual data storage schema. + + + + + diff --git a/Samba3-HOWTO/TOSHARG-FastStart.xml b/Samba3-HOWTO/TOSHARG-FastStart.xml index 25924b9..ff25525 100644 --- a/Samba3-HOWTO/TOSHARG-FastStart.xml +++ b/Samba3-HOWTO/TOSHARG-FastStart.xml 
@@ -1022,9 +1022,9 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false #### Keep this as a shell script for future re-use # First assign well known groups -net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins -net groupmap modify ntgroup="Domain Users" unixgroup=users -net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type= +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d # Now for our added Domain Groups net groupmap add ntgroup="Designers" unixgroup=designers type=d diff --git a/Samba3-HOWTO/TOSHARG-Group-Mapping.xml b/Samba3-HOWTO/TOSHARG-Group-Mapping.xml index 984a17e..337ae3d 100644 --- a/Samba3-HOWTO/TOSHARG-Group-Mapping.xml +++ b/Samba3-HOWTO/TOSHARG-Group-Mapping.xml @@ -19,7 +19,7 @@ groupmap net Starting with Samba-3, new group mapping functionality is available to create associations - between Windows group SIDs and UNIX groups. The groupmap subcommand + between Windows group SIDs and UNIX group GIDs. The groupmap subcommand included with the &net; tool can be used to manage these associations. @@ -183,12 +183,12 @@ - Map this domadm group to the Domain Admins group by running the command: + Map this domadm group to the Domain Admins group by executing the command: -&rootprompt;net groupmap add ntgroup="Domain Admins" unixgroup=domadm +&rootprompt;net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d @@ -213,7 +213,7 @@ -&rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct +&rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d The ntgroup value must be in quotes if it contains space characters to prevent the space from being interpreted as a command delimiter. 
@@ -350,7 +350,7 @@ alias group In effect, Samba supplements the /etc/group data via the dynamic libnss_winbind mechanism. Beginning with Samba-3.0.3, this facility is used to provide - local groups in the same manner as Windows does it. It works by expanding the local groups on the + local groups in the same manner as Windows. It works by expanding the local groups on the fly as they are accessed. For example, the Domain Users group of the domain is made a member of the local group demo. Whenever Samba needs to resolve membership of the demo local (alias) group, winbind asks the domain controller for demo members of the Domain Users @@ -509,8 +509,8 @@ ldapsam domain groups RID - When the passdb backend uses LDAP (ldapsam), it is the - administrator's responsibility to create the essential domain groups and to assign each its default RID. + It is the administrator's responsibility to create the essential domain groups and to assign each + its default RID. @@ -785,9 +785,9 @@ exit 0 #!/bin/bash -net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin -net groupmap modify ntgroup="Domain Users" unixgroup=users -net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d groupadd Orks groupadd Elves @@ -806,6 +806,15 @@ net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d refer to the man page. + + Versions of Samba-3 prior to 3.0.23 automatically create default group mapping for the + Domain Admins, Domain Users and Domain Guests Windows + groups, but do not map them to UNIX GIDs. This was a cause of administrative confusion and + trouble. Commencing with Samba-3.0.23 this annomaly has been fixed - thus all Windows groups + must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba + administrator. + + 
diff --git a/Samba3-HOWTO/TOSHARG-NT4Migration.xml b/Samba3-HOWTO/TOSHARG-NT4Migration.xml index 1729111..2688e06 100644 --- a/Samba3-HOWTO/TOSHARG-NT4Migration.xml +++ b/Samba3-HOWTO/TOSHARG-NT4Migration.xml @@ -362,9 +362,9 @@ The approximate migration process is described below. #### Keep this as a shell script for future re-use # First assign well known domain global groups -net groupmap modify ntgroup="Domain Admins" unixgroup=root -net groupmap modify ntgroup="Domain Users" unixgroup=users -net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d +net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d # Now for our added domain global groups net groupmap add ntgroup="Designers" unixgroup=designers type=d diff --git a/Samba3-HOWTO/TOSHARG-TheNetCommand.xml b/Samba3-HOWTO/TOSHARG-TheNetCommand.xml index a7cd9d4..b2b3ebd 100644 --- a/Samba3-HOWTO/TOSHARG-TheNetCommand.xml +++ b/Samba3-HOWTO/TOSHARG-TheNetCommand.xml @@ -340,6 +340,11 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs and delete. An example of each operation is shown here. + + Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all + UNIX groups are exposed to Windows networking as Windows local groups. + + An existing UNIX group may be mapped to an existing Windows group by this example: diff --git a/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml b/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml index 55743a7..74d39c3 100644 --- a/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml +++ b/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml 
@@ -181,8 +181,8 @@ parameters. Whenever a Samba update or upgrade is performed it is highly recommended to read the file called WHATSNEW.txt that is part of the Samba distribution tarball. This file may also -be obtain on-line from Samba web site, in the right column, under -Current Stable Release, by clicking on Release Notes. +be obtain on-line from the Samba web site, in +the right column, under Current Stable Release, by clicking on Release Notes. diff --git a/Samba3-HOWTO/index.xml b/Samba3-HOWTO/index.xml index 7bbc7dc..3ac9740 100644 --- a/Samba3-HOWTO/index.xml +++ b/Samba3-HOWTO/index.xml @@ -114,6 +114,8 @@ The chapters in this part each cover specific Samba features. + +
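Review bot: the new TOSHARG-ChangeNotes.xml hunk has several wording errors that should be fixed before release: "updated tio reflect" should read "updated to reflect"; "In the past the has been a potential problem" should read "there has been"; "Previously they were assign a RID" should read "assigned"; "where as on a member server" should read "whereas"; "for this group to be appear in an ACL editor" should read "to appear"; in the developers example, "In this case this user does not exist in Samba's group mapping table" refers to a group, not a user; "It includes much of the notes" should read "many of the notes"; "There has been a minor update the Samba LDAP schema file" is missing "to"; and the comma in "The workaround for versions of Samba prior to 3.0.23, is to create" should go. Two sentences in the Passdb Changes section are also incomplete as rendered: "The parameter no long accepts multiple passdb backends" does not name the parameter (presumably the passdb backend parameter referred to elsewhere in this patch) and should read "no longer"; and "More information regarding external support for a SQL passdb module can be found on the pdbsql" ends without a link target or a full stop.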
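Review bot: in the TOSHARG-FastStart.xml hunk the second added command, `net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=`, has an empty `type=` value, unlike the surrounding lines which use `type=d`. Since this block is presented as a reusable shell script, a reader who pastes it will create the Domain Users mapping with no type; it should read `net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d`, matching the equivalent lines in the TOSHARG-Group-Mapping.xml and TOSHARG-NT4Migration.xml hunks of this same patch.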
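Review bot: in the TOSHARG-Group-Mapping.xml hunk at @@ -806,6 +806,15 @@, "this annomaly has been fixed" should read "anomaly", and the spaced hyphen in "has been fixed - thus all Windows groups" would read better as two sentences ("...has been fixed. All Windows groups must now be..."). Also "automatically create default group mapping for the Domain Admins, Domain Users and Domain Guests Windows groups" should be the plural "mappings". The substantive point, that the well-known groups must now be created explicitly with `net groupmap add` and a valid UNIX GID, is consistent with the `modify` to `add` changes elsewhere in this patch.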
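Review bot: the TOSHARG-NT4Migration.xml hunk keeps `net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d`, mapping Domain Admins onto the UNIX root group, while the parallel scripts in this patch use `ntadmins` (TOSHARG-FastStart.xml) and `ntadmin` (TOSHARG-Group-Mapping.xml). Since these three scripts are all labelled "Keep this as a shell script for future re-use", the three UNIX group names should be reconciled; a dedicated administrative group such as the `ntadmins` used in FastStart is the preferable example, as it avoids granting Domain Admins members the root group's file permissions on the server.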
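Review bot: in the TOSHARG-TheNetCommand.xml hunk, "Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created" needs a comma after "Samba-3.0.23", and "Domain Groups" should be lower-case "domain groups" as in the rest of the patch. The following sentence, "By default, all UNIX groups are exposed to Windows networking as Windows local groups", should use the same terms as the new ChangeNotes chapter, which describes unmapped UNIX groups as receiving SIDs in the S-1-22-2 domain; as written, a reader cannot tell whether the two passages describe the same behaviour.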
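Review bot: the TOSHARG-upgrading-to-3.0.xml hunk rewraps the sentence but leaves the grammatical error in place: "This file may also be obtain on-line from the Samba web site" should read "may also be obtained on-line". Since the line is being touched anyway, fix it in the same change.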