This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

SWAT has had some rather large improvements and is now more than just a
direct editor for smb.conf. Its layout has been improved. SWAT can now also
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Like the situation with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in a
manner that matches AD rather than strictly following the standards.
The database is LDB, which it shares with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
member server support does not work yet.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
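
The removed-parameter list and the 'security' split described above can be checked against an existing smb.conf before upgrading. The following is an added example, not part of Samba or its upgrade script; the names `audit` and `norm`, the sample configuration and the path in it are constructed for illustration.

```python
import re
# Parameters this page lists as removed in Samba 4 (copied from the list above).
_LISTED = """
passdb backend, allow trusted domains, algorithmic rid base, check password script,
acl check permissions, acl map full control, force security mode, force directory mode,
directory security mask, force directory security mode, force unknown acl user, inherit permissions,
use kerberos keytab, debug hires timestamp, allocation roundup size, defer sharing violations,
change notify timeout, kernel change notify, max reported print jobs, printcap cache time,
queueresume command, deleteprinter command, show add printer wizard, short preserve case,
hide unwriteable files, max stat cache size, store dos attributes, machine password timeout,
delete group script, add user to group script, delete user from group script, set primary group script,
abort shutdown script, username map script, oplock break wait time, oplock contention limit,
ldap machine suffix, ldap replication sleep, change share command, delete share command,
log nt token command, dos filetime resolution, fake directory create times, enable rid algorithm,
passdb expand explicit, winbind enum groups, winbind use default domain,
winbind trusted domains only, winbind nested groups, winbind max idle children"""
def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()
REMOVED = {norm(n) for n in _LISTED.split(",")}
MERGED = {"domainmaster", "domainlogons"}  # folded into 'server role'

def audit(conf_text):
    """Return (line_no, section, reason) for settings Samba 4 removes or moves."""
    findings, section = [], "global"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        name, sep, value = line.partition("=")
        if not sep or line[0] in "#;":
            continue  # section header, blank line, comment, or not an assignment
        key, value = norm(name), value.strip().lower()
        if key in REMOVED:
            findings.append((no, section, "removed"))
        elif key in MERGED:
            findings.append((no, section, "merged into 'server role'"))
        elif key == "security" and value not in ("user", "share"):
            findings.append((no, section, "value moved to 'server role'"))
    return findings

# Constructed sample smb.conf (not from a real system).
SAMPLE = """[global]
   security = domain
   Domain Logons = yes
   check password script = /usr/local/sbin/pwcheck
   ; force security mode = 0700
[projects]
   Inherit  Permissions = yes"""
```

Settings such as 'check password script' or 'force security mode' express policy an administrator may be relying on, so each finding is worth reviewing by hand rather than simply deleting the line.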

The following parameters have been added:

Make Samba pretend that it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.

Default: Set at compile-time

Path to data used by provisioning script.

Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available

Maps POSIX FS semantics to NT semantics

Very simple backend (original testing backend).

Sets up user credentials based on POSIX gid/uid.

Proxies a remote CIFS FS. Mainly useful for testing.

Filter module that saves data useful to the nbench benchmark suite.

Allows using SMB for inter process communication. Only used for

Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later

Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.

Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.

Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be a

Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be an LDB URL.

Default: set at compile-time

+ wins config database
WINS configuration database location. This should be an LDB URL.

Default: set at compile-time

WINS database location. This should be an LDB URL.

Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.