1 WHATS NEW IN Samba 3.0.0 RC1
3 ==============================
5 This is the first release candidate snapshot of Samba 3.0.0. A release
6 candidate implies that the code is very close to a final release, remember
7 that this is still a non-production release intended for testing purposes.
10 The purpose of this release candidate is to get wider testing of the major
11 new pieces of code in the current Samba 3.0 development tree.
12 Please refer to the section on "Known Issues" for more details.
18 1) Active Directory support. Samba 3.0 is now able to
19 to join a ADS realm as a member server and authenticate
20 users using LDAP/Kerberos.
22 2) Unicode support. Samba will now negotiate UNICODE on the wire and
23 internally there is now a much better infrastructure for multi-byte
24 and UNICODE character sets.
26 3) New authentication system. The internal authentication system has
27 been almost completely rewritten. Most of the changes are internal,
28 but the new auth system is also very configurable.
30 4) New filename mangling system. The filename mangling system has been
31 completely rewritten. An internal database now stores mangling maps
32 persistently. This needs lots of testing.
34 5) A new "net" command has been added. It is somewhat similar to
35 the "net" command in windows. Eventually we plan to replace
36 numerous other utilities (such as smbpasswd) with subcommands
39 6) Samba now negotiates NT-style status32 codes on the wire. This
40 improves error handling a lot.
42 7) Better Windows 2000/XP/2003 printing support including publishing
43 printer attributes in active directory.
45 8) New loadable RPC modules.
47 9) New default dual-daemon winbindd support for better performance.
49 10) Support for migrating from a Windows NT 4.0 domain to a Samba
50 domain and maintaining user, group and domain SIDs.
52 11) Support for establishing trust relationships with Windows NT 4.0
55 12) Initial support for a distributed Winbind architecture using
56 an LDAP directory for storing SID to uid/gid mappings.
58 13) Major updates to the Samba documentation tree.
60 14) Full support for client and server SMB signing to ensure
61 compatibility with default Windows 2003 security settings.
63 Plus lots of other improvements!
66 Additional Documentation
67 ------------------------
69 Please refer to Samba documentation tree (including in the docs/
70 subdirectory) for extensive explanations of installing, configuring
71 and maintaining Samba 3.0 servers and clients. It is advised to
72 begin with the Samba-HOWTO-Collection for overviews and specific
73 tasks (the current book is up to approximately 400 pages) and to
74 refer to the various man pages for information on individual options.
77 ######################################################################
78 Changes since 3.0beta3
79 ######################
81 Please refer to the CVS log for the SAMBA_3_0 branch for complete
84 1) Various memory leak fixes.
85 2) Provide full support SMB signing (server and client)
86 3) Check for broken getgrouplist() in glibc.
87 4) Don't get stuck in an infinite loop listing directories
88 recursively if the server returns an empty directory name
90 5) Idle LDAP connections after 150 seconds.
91 6) Patched make uninstallmodules (bug 236).
92 7) Fix bug that caused smbd to return incomplete directory listings
93 when UNIX files contained MS wildcards characters.
94 8) Quiet default debug messages in command line tools.
95 9) Fixes to avoid panics on invalid multi-byte strings.
96 10) Fix error messages when creating a new smbpasswd file (bug 198).
97 11) Implemented better detection routines in autoconf scripts for
98 locating ads support on the host OS.
99 12) Fix bug that caused libraries in /usr/local/lib to be ignored
101 13) Ensure winbindd_ads uses the correct realm or domain name when
102 connecting to trusted DC.
103 14) Ensure a correct prototype is created for snprintf() (bug 187)
104 15) Stop files being created on read-only shares in some circumstances.
105 16) Fix wbinfo -p (bug 251)
106 17) Support schannel on any tcp/ip connection if necessary
107 18) Correct bug in user_in_list() so that it works with winbind groups
109 19) Ensure the schannel bind credentials default to the domain
110 of the destination host.
111 20) Default password expiration time in account_pol.tdb to never
112 expire. Remove any existing account_pol.tdb file to reset
113 the new default policy (bug 184).
114 21) Add buttons to SWAT to change the view of smb.conf (bug 212)
115 22) Fix incorrect checks that determine whether or not the 'add user
116 script' has been set.
117 23) More cleanup for internal character set conversions.
118 24) Fixes for multi-byte strings in stat cache code.
119 25) Ensure that the net command honors the 'workgroup' parameter
120 in smb.conf when not overridden from the command line.
121 26) Add gss-spnego support to the ntlm_auth tool.
122 27) Add vfs_default_quota VFS module.
123 28) Added server support for NT quota interfaces.
124 29) Prevent Krb5 replay attacks by adding a replay_cache.
125 30) Fix problems with winbindd and transitive trusts in AD domains.
126 31) Added -S to client tools for setting SMB signing options on the
128 32) Fix bug causing the 'passwd change program' to be called as the
129 connected user and not root.
130 33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
131 34) Support winbindd on FreeBSD is possible.
132 35) Look at the only first OID in the security blob sent in the session
133 setup request to determine the token type.
134 36) Only push locks onto a blocking lock queue if the posix lock failed with
135 EACCES or EAGAIN (this means another lock conflicts). Else return an
136 error and don't queue the request.
137 37) Fix command line argument processing for smbtar.
138 38) Correct issue that caused smbd to return generic unix_user.<uid>
140 39) Default to algorithmic mapping when generating a rid for a group
142 40) Expand %g and %G in logon script, profile path, etc... during
143 a domain logon (bug 208).
144 41) Make sure smbclient client obeys '-s <config>'
145 42) Added win2k3 shadow copy operations to VFS interface.
146 43) Allow connections to samba domain member as SERVER\user (don't
147 always default to DOMAIN\user).
148 44) Remove checks in winbindd that caused it to attempt to use
149 non-transitive trust relationships.
150 45) Remove delays in winbindd caused by invalid DNS lookups.
151 46) Fix supplementary group memberships on systems with slightly
152 broken NSS implementations (bug 267).
153 47) Correct issue that prevented smbclient from view shares on
154 a win2k server when using a non-anonymous connection (bug 284).
155 48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like
156 'wbinfo -u' to a single domain. The '.' character represents
158 49) Fix group enumeration bug when using an LDAP directory for
159 storing group mappings.
160 50) Fallback to not using NTLMv2 when the extended security
161 capability bit is not set.
162 51) Fix crash in 'wbinfo -a' when using extended characters in the username
164 52) Fix multi-byte strupper() panics (bug 205).
165 53) Add vfs_readonly VFS module.
166 54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
167 attributes when using 'idmap backend = ldap' (bug 280).
168 55) Make sure that UNIX users shared between a Samba PDC and member
169 samba server are seen as domain users and not local users on the
171 56) Fix Query FS Info level 2.
172 57) Allow enumeration of users and groups by win9x "file server" (bug
174 58) Create symlinks during instal for modules that support mutliple
176 59) More iconv detection fixes.
177 60) Fix path length error in vfs_recycle module (bug 291).
178 61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
179 (server DsRoleGetPrimaryDomainInfo() is currently disabled).
180 62) Fix SMBseek and get/set position calls.
181 62) Fix SetFileInfo level 1.
182 63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
186 Changes since 3.0beta3
187 ######################
189 1) Added fix for Japanese case names in statcache code;
190 these can change size on upper casing.
191 2) Correct issues with iconv detection in configure script
192 (support needed to find iconv libraries on FreeBSD).
193 3) Fix bug that caused a WINS server to be marked as dead
194 incorrectly (bug #190).
195 4) Removing additional deadlocks conditions that prevented
196 winbindd from running on a Samba PDC (used for trust
198 5) Add support for searching for Active Directory for
199 published printers (net ads printer search).
200 6) Separate UNIX username from DOMAIN\username in pipe
202 7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
203 for cases that they cannot handle.
204 8) Flush winbindd connection cache when the machine trust account
205 password is changed while a connection is open (bug #200).
206 9) Add support for 'OSVersion' server printer data string
207 (corrects problem with uploading printer drivers from
209 10) Numerous memory leak fixes.
210 11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
211 - Store domain SID in LDAP directory.
212 - store idmap information in existing entries (use sambaSID=...
213 if adding a new entry).
214 12) Fix incorrect usage of primary group SID when looking up user
216 13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
217 winbind_XXX and local_XXX calls used in 2.2.
218 14) All uid/gid allocation must involve winbindd now (we do not
219 attempt to map unknown SIDs to a UNIX identify).
220 15) Add 'winbind trusted domains only' parameter to force a domain
221 member. The server to use matching users names from /etc/passwd
222 for its domain (needed for domain member of a Samba domain).
223 16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
225 17) Add support for multi-byte statcache code (bug #185)
226 18) Fix open mode race condition.
227 19) Implement winbindd local account management functions. Refer to
228 the "Winbind Changes" section for details.
229 20) Move RID allocation functions into idmap backend.
230 21) Fix parsing error that prevented publishing printers from a
231 Samba server in an AD domain.
232 22) Revive NTLMSSP support for named pipes.
233 23) More SCHANNEL fixes.
234 24) Correct SMB signing with NTLMSSP.
235 25) Fix coherency bug in print handle/printer object caching code
236 that could cause XP clients to infinitely loop while updating
237 their local printer cache.
238 26) Make winbindd use its dual-daemon mode by default (use -Y to
239 start as a single process).
240 27) Add support to nmbd and winbindd for 'smbcontrol <pid>
242 28) Correct problem with smbtar when dealing with files > 8Gb
247 Changes since 3.0beta1
248 ######################
250 1) Rework our smb signing code again, this factors out some of
251 the common MAC calculation code, and now supports multiple
252 outstanding packets (bug #40).
253 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
255 3) Correct timestamp problem on 64-bit machines (bug #140).
256 4) Add extra debugging statements to winbindd for tracking down
258 5) Fix bug when aliased 'winbind uid/gid' parameters are used.
259 ('winbind uid/gid' are now replaced with 'idmap uid/gid').
260 6) Added an auth flag that indicates if we should be allowed
261 to fall back to NTLMSSP for SASL if krb5 fails.
262 7) Fixed the bug that forced us not to use the winbindd cache when
263 we have a primary ADS domain and a secondary (trusted) NT4
265 8) Use lp_realm() to find the default realm for 'net ads password'.
266 9) Removed editreg from standard build until it is portable..
267 10) Fix domain membership for servers not running winbindd.
268 11) Correct race condition in determining the high water mark
269 in the idmap backend (bug #181).
270 12) Set the user's primary unix group from usrmgr.exe (partial
272 13) Show comments when doing 'net group -l' (bug #3).
273 14) Add trivial extension to 'net' to dump current local idmap
274 and restore mappings as well.
275 15) Modify 'net rpc vampire' to add new and existing users to
276 both the idmap and the SAM. This code needs further testing.
277 16) Fix crash bug in ADS searches.
278 17) Build libnss_wins.so as part of nsswitch target (bug #160).
279 18) Make net rpc vampire return an error if the sam sync RPC
281 19) Fail to join an NT 4 domain as a BDC if a workstation account
282 using our name exists.
283 20) Fix various memory leaks in server and client code
284 21) Remove the short option to --set-auth-user for wbinfo (-A) to
285 prevent confusion with the -a option (bug #158).
286 22) Added new 'map acl inherit' parameter.
287 23) Removed unused 'privileges' code from group mapping database.
288 24) Don't segfault on empty passdb backend list (bug #136).
289 25) Fixed acl sorting algorithm for Windows 2000 clients.
290 26) Replace universal group cache with netsamlogon_cache
291 from APPLIANCE_HEAD branch.
292 27) Fix autoconf detection issues surrounding --with-ads=yes
293 but no Krb5 header files installed (bug #152).
294 28) Add LDAP lookup for domain sequence number in case we are
295 joined using NT4 protocols to a native mode AD domain.
296 29) Fix backend method selection for trusted NT 4 (or 2k
298 30) Fixed bug that caused us to enumerate domain local groups
299 from native mode AD domains other than our own.
300 31) Correct group enumeration for viewing in the Windows
301 security tab (bug #110).
302 32) Consolidate the DC location code.
303 33) Moved 'ads server' functionality into 'password server' for
304 backwards compatibility.
305 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
306 ( if you installed beta1, be sure to
307 'mv idmap.tdb winbindd_idmap.tdb' ).
308 35) Fix pdb_ldap segfaults, and wrong default values for
310 36) Enable negative connection cache for winbindd's ADS backend
312 37) Enable address caching for active directory DC's so we don't
313 have to hit DNS so much.
314 38) Fix bug in idmap code that caused mapping to randomly be
316 39) Add tdb locking code to prevent race condition when adding a
317 new mapping to idmap.
318 40) Fix 'map to guest = bad user' when acting as a PDC supporting
320 41) Prevent deadlock issues when running winbindd on a Samba PDC
321 to handle allocating uids & gids for trusted users and groups
322 42) added LOCALE patch from Steve Langasek (bug #122).
323 43) Add the 'guest' passdb backend automatically to the end of
324 the 'passdb backend' list if 'guest account' has a valid
326 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
327 handle our local names (or domain name if we are a PDC).
328 Move existing permissive 'sam' method to 'sam_ignoredomain'
329 and make 'samstrict' the new default 'sam' auth method.
330 45) Match Windows NT4/2k behavior when authenticating a user with
331 and unknown domain (default to our domain if we are a DC or
332 domain member; default to our local name if we are a
334 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
335 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
336 47) Fix the trustdom_cache code to update the list of trusted
337 domains when operating as a domain member and not using
339 48) Remove 'nisplussam' passdb backend since it has suffered for
340 too long without a maintainer.
345 ######################################################################
346 Upgrading from a previous Samba 3.0 beta
347 ########################################
349 Beginning with Samba 3.0.0beta3, the RID allocation functions
350 have been moved into winbindd. Previously these were handled
351 by each passdb backend. This means that winbindd must be running
352 to automatically allocate RIDs for users and/or groups. Otherwise,
353 smbd will use the 2.2 algorithm for generating new RIDs.
355 If you are using 'passdb backend = tdbsam' with a previous Samba
356 3.0 beta release (or possibly alpha), it may be necessary to
357 move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
358 to winbindd_idmap.tdb. To do this:
360 1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
362 2) build tdbtool by executing 'make tdbtool' in the source/tdb/
364 3) run: (note that 'tdb>' is the tool's prompt for input)
366 root# ./tdbtool /usr/local/samba/private/passdb.tdb
367 tdb> show RID_COUNTER
371 [000] 0A 52 00 00 .R.
373 tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
377 If you are using 'passdb backend = ldapsam', it will be necessary to
378 store idmap entries in the LDAP directory as well (i.e. idmap backend
379 = ldap). Refer to the 'net idmap' command for more information on
380 migrating SID<->UNIX id mappings from one backend to another.
382 If the RID_COUNTER record does not exist, then these instructions are
383 unneccessary and the new RID_COUNTER record will be correctly generated
388 ########################
389 Upgrading from Samba 2.2
390 ########################
392 This section is provided to help administrators understand the details
393 involved with upgrading a Samba 2.2 server to Samba 3.0.
399 Many of the options to the GNU autoconf script have been modified
400 in the 3.0 release. The most noticeable are:
402 * removal of --with-tdbsam (is now included by default; see section
403 on passdb backends and authentication for more details)
405 * --with-ldapsam is now on used to provided backward compatible
406 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
407 backend and authentication section for more details
409 * inclusion of non-standard passdb modules may be enabled using
410 --with-expsam. This includes an XML backend and a mysql backend.
412 * removal of --with-msdfs (is now enabled by default)
414 * removal of --with-ssl (no longer supported)
416 * --with-utmp now defaults to 'yes' on supported systems
418 * --with-sendfile-support is now enabled by default on supported
425 This section contains a brief listing of changes to smb.conf options
426 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
427 complete descriptions of new or modified parameters.
429 Removed Parameters (order alphabetically):
432 * alternate permissions
435 * code page directory
439 * force unknown acl user
443 * printer driver file
444 * printer driver location
451 New Parameters (new parameters have been grouped by function):
455 * abort shutdown script
458 User and Group Account Management
459 ---------------------------------
462 * add user to group script
463 * algorithmic rid base
464 * delete group script
465 * delete user from group script
467 * set primary group script
483 * paranoid server security
492 * hide unwriteable files
494 * kernel change notify
504 * max reported print jobs
506 UNICODE and Character Sets
507 --------------------------
513 SID to uid/gid Mappings
514 -----------------------
518 * winbind enable local accounts
519 * winbind trusted domains only
520 * template primary group
521 * enable rid algorithm
528 * ldap machine suffix
533 General Configuration
534 ---------------------
538 Modified Parameters (changes in behavior):
540 * encrypt passwords (enabled by default)
541 * mangling method (set to 'hash2' by default)
544 * restrict anonymous (integer value)
545 * security (new 'ads' value)
546 * strict locking (enabled by default)
547 * winbind cache time (increased to 5 minutes)
548 * winbind uid (deprecated in favor of 'idmap uid')
549 * winbind gid (deprecated in favor of 'idmap gid')
555 This section contains brief descriptions of any new databases
556 introduced in Samba 3.0. Please remember to backup your existing
557 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
558 upgrade databases as they are opened (if necessary), but downgrading
559 from 3.0 to 2.2 is an unsupported path.
561 Name Description Backup?
562 ---- ----------- -------
563 account_policy User policy settings yes
564 gencache Generic caching db no
565 group_mapping Mapping table from Windows yes
566 groups/SID to unix groups
567 winbindd_idmap ID map table from SIDS to UNIX yes
569 namecache Name resolution cache entries no
570 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
571 returned as part of a successful
572 net_sam_logon request
573 printing/*.tdb Cached output from 'lpq no
574 command' created on a per print
576 registry Read-only samba registry skeleton no
577 that provides support for exporting
578 various db tables via the winreg RPCs
584 The following issues are known changes in behavior between Samba 2.2 and
585 Samba 3.0 that may affect certain installations of Samba.
587 1) When operating as a member of a Windows domain, Samba 2.2 would
588 map any users authenticated by the remote DC to the 'guest account'
589 if a uid could not be obtained via the getpwnam() call. Samba 3.0
590 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
591 current work around to re-establish the 2.2 behavior.
593 2) When adding machines to a Samba 2.2 controlled domain, the
594 'add user script' was used to create the UNIX identity of the
595 machine trust account. Samba 3.0 introduces a new 'add machine
596 script' that must be specified for this purpose. Samba 3.0 will
597 not fall back to using the 'add user script' in the absence of
598 an 'add machine script'
601 ######################################################################
602 Passdb Backends and Authentication
603 ##################################
605 There have been a few new changes that Samba administrators should be
606 aware of when moving to Samba 3.0.
608 1) encrypted passwords have been enabled by default in order to
609 inter-operate better with out-of-the-box Windows client
610 installations. This does mean that either (a) a samba account
611 must be created for each user, or (b) 'encrypt passwords = no'
612 must be explicitly defined in smb.conf.
614 2) Inclusion of new 'security = ads' option for integration
615 with an Active Directory domain using the native Windows
616 Kerberos 5 and LDAP protocols.
618 Samba 3.0 also includes the possibility of setting up chains
619 of authentication methods (auth methods) and account storage
620 backends (passdb backend). Please refer to the smb.conf(5)
621 man page for details. While both parameters assume sane default
622 values, it is likely that you will need to understand what the
623 values actually mean in order to ensure Samba operates correctly.
625 The recommended passdb backends at this time are
627 * smbpasswd - 2.2 compatible flat file format
628 * tdbsam - attribute rich database intended as an smbpasswd
629 replacement for stand alone servers
630 * ldapsam - attribute rich account storage and retrieval
631 backend utilizing an LDAP directory.
632 * ldapsam_compat - a 2.2 backward compatible LDAP account
635 Certain functions of the smbpasswd(8) tool have been split between the
636 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
637 utility. See the respective man pages for details.
640 ######################################################################
644 This section outlines the new features affecting Samba / LDAP
650 A new object class (sambaSamAccount) has been introduced to replace
651 the old sambaAccount. This change aids us in the renaming of attributes
652 to prevent clashes with attributes from other vendors. There is a
653 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
654 file to the new schema.
658 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
659 $ convertSambaAccount <DOM SID> old.ldif new.ldif
661 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
662 on the Samba PDC as root.
664 The old sambaAccount schema may still be used by specifying the
665 "ldapsam_compat" passdb backend. However, the sambaAccount and
666 associated attributes have been moved to the historical section of
667 the schema file and must be uncommented before use if needed.
668 The 2.2 object class declaration for a sambaAccount has not changed
669 in the 3.0 samba.schema file.
671 Other new object classes and their uses include:
673 * sambaDomain - domain information used to allocate rids
674 for users and groups as necessary. The attributes are added
675 in 'ldap suffix' directory entry automatically if
676 an idmap uid/gid range has been set and the 'ldapsam'
677 passdb backend has been selected.
679 * sambaGroupMapping - an object representing the
680 relationship between a posixGroup and a Windows
681 group/SID. These entries are stored in the 'ldap
682 group suffix' and managed by the 'net groupmap' command.
684 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
685 automatically and contains the next available 'idmap uid' and
688 * sambaIdmapEntry - object storing a mapping between a
689 SID and a UNIX uid/gid. These objects are created by the
690 idmap_ldap module as needed.
692 * sambaSidEntry - object representing a SID alone, as a Structural
693 class on which to build the sambaIdmapEntry.
696 New Suffix for Searching
697 ------------------------
699 The following new smb.conf parameters have been added to aid in directing
700 certain LDAP queries when 'passdb backend = ldapsam://...' has been
703 * ldap suffix - used to search for user and computer accounts
704 * ldap user suffix - used to store user accounts
705 * ldap machine suffix - used to store machine trust accounts
706 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
707 * ldap idmap suffix - location of sambaIdmapEntry objects
709 If an 'ldap suffix' is defined, it will be appended to all of the
710 remaining sub-suffix parameters. In this case, the order of the suffix
711 listings in smb.conf is important. Always place the 'ldap suffix' first
714 Due to a limitation in Samba's smb.conf parsing, you should not surround
715 the DN's with quotation marks.
721 Samba 3.0 supports an ldap backend for the idmap subsystem. The
722 following options would inform Samba that the idmap table should be
723 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
728 idmap backend = ldap:ldap://onterose/
729 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
730 idmap uid = 40000-50000
731 idmap gid = 40000-50000
733 This configuration allows winbind installations on multiple servers to
734 share a uid/gid number space, thus avoiding the interoperability problems
735 with NFS that were present in Samba 2.2.
739 ######################################################################
740 Trust Relationships and a Samba Domain
741 ######################################
743 Samba 3.0.0beta2 is able to utilize winbindd as the means of
744 allocating uids and gids to trusted users and groups. More
745 information regarding Samba's support for establishing trust
746 relationships can be found in the Samba-HOWTO-Collection included
747 in the docs/ directory of this release.
749 First create your Samba PDC and ensure that everything is
750 working correctly before moving on the trusts.
752 To establish Samba as the trusting domain (named SAMBA) from a Windows NT
753 4.0 domain named WINDOWS:
755 1) create the trust account for SAMBA in "User Manager for Domains"
756 2) connect the trust from the Samba domain using
757 'net rpc trustdom establish GLASS'
759 To create a trustlationship with SAMBA as the trusted domain:
761 1) create the initial trust account for GLASS using
762 'smbpasswd -a -i GLASS'. You may need to create a UNIX
763 account for GLASS$ prior to this step (depending on your
764 local configuration).
765 2) connect the trust from a WINDOWS DC using "User Manager
768 Now join winbindd on the Samba PDC to the SAMBA domain using
769 the normal steps for adding a Samba server to an NT4 domain:
770 (note that smbd & nmbd must be running at this point)
772 root# net rpc join -U root
773 Password: <enter root password from smbpasswd file here>
775 Start winbindd and test the join with 'wbinfo -t'.
777 Now test the trust relationship by connecting to the SAMBA DC
778 (e.g. POGO) as a user from the WINDOWS domain:
780 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
783 Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
785 $ smbclient //crystal/netlogon -U root -W WINDOWS
788 ######################################################################
792 Beginning with Samba3.0.0beta3, winbindd has been given new account
793 manage functionality equivalent to the 'add user script' family of
794 smb.conf parameters. The idmap design has also been changed to
795 centralize control of foreign SID lookups and matching to UNIX
799 Brief Description of Changes
800 ----------------------------
802 1) The sid_to_uid() family of functions (smbd/uid.c) have been
803 reverted to the 2.2.x design. This means that when resolving a
804 SID to a UID or similar mapping:
806 a) First consult winbindd
807 b) perform a local lookup only if winbindd fails to
808 return a successful answer
810 There are some variations to this, but these two rules generally
813 2) All idmap lookups have been moved into winbindd. This means that
814 a server must run winbindd (and support NSS) in order to achieve
815 any mappings of SID to dynamically allocated UNIX ids. This was
816 a conscious design choice.
818 3) New functions have been added to winbindd to emulate the 'add user
819 script' family of smbd functions without requiring that external
820 scripts be defined. This functionality is controlled by the 'winbind
821 enable local accounts' smb.conf parameter (enabled by default).
823 However, this account management functionality is only supported
824 in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
825 must be shared among multiple Samba servers (such as a PDC and BDCs),
826 it will be necessary to define your own 'add user script', et. al.
827 programs that place the accounts/groups in some form of directory
828 such as NIS or LDAP. This requirement was deemed beyond the scope
829 of winbind's account management functions. Solutions for
830 distributing UNIX system information have been deployed and tested
831 for many years. We saw no need to reinvent the wheel.
833 4) A member of a Samba controlled domain running winbindd is now able
834 to map domain users directly onto existing UNIX accounts while still
835 automatically creating accounts for trusted users and groups. This
836 behavior is controlled by the 'winbind trusted domains only' smb.conf
837 parameter (disabled by default to provide 2.2.x winbind behavior).
839 5) Group mapping support is wrapped in the local_XX_to_XX() functions
840 in smbd/uid.c. The reason that group mappings are not included
841 in winbindd is because the purpose of Samba's group map is to
842 match any Windows SID with an existing UNIX group. These UNIX
843 groups can be created by winbindd (see next section), but the
844 SID<->gid mapping is retreived by smbd, not winbindd.
850 * security = server running winbindd to allocate accounts on demand
852 * Samba PDC running winbindd to handle the automatic creation of UNIX
853 identities for machine trust accounts
855 * Automtically creating UNIX user and groups when migrating a Windows NT
856 4.0 PDC to a Samba PDC. Winbindd must be running when executing
857 'net rpc vampire' for this to work.
860 ######################################################################
864 * The smbldap perl scripts for managing user entries in an LDAP
865 directory have not be updated to function with the Samba 3.0
866 schema changes. This (or an equivalent solution) work is planned
867 to be completed prior to the stable 3.0.0 release.
869 Please refer to https://bugzilla.samba.org/ for a current list of bugs
870 filed against the Samba 3.0 codebase.
873 ######################################################################
874 Reporting bugs & Development Discussion
875 #######################################
877 Please discuss this release on the samba-technical mailing list or by
878 joining the #samba-technical IRC channel on irc.freenode.net.
880 If you do report problems then please try to send high quality
881 feedback. If you don't provide vital information to help us track down
882 the problem then you will probably be ignored.
884 A new bugzilla installation has been established to help support the
885 Samba 3.0 community of users. This server, located at
886 https://bugzilla.samba.org/, will replace the existing jitterbug server
887 and the old http://bugs.samba.org now points to the new bugzilla server.