This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

SWAT has had some rather large improvements and is now more than just a
direct editor for smb.conf. Its layout has been improved. SWAT can now also
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved.

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
member server support does not work yet.

'password server' now takes a DCE/RPC binding string (see prog_guide.txt)
rather than simply a NetBIOS name.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
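
A migration check for the changes described above, as an added example (not part of the Samba documentation or source): it scans a Samba 3 smb.conf for a subset of the removed parameters listed here, for 'security' values other than 'user' and 'share', for the parameters merged into 'server role', and for 'password server'. The function names and the sample configuration are constructed for illustration.

```python
import re

# Subset of the parameters this page lists as removed in Samba 4.
REMOVED = ["passdb backend", "allow trusted domains", "algorithmic rid base",
           "check password script", "use kerberos keytab", "username map script",
           "force security mode", "inherit permissions", "store dos attributes",
           "machine password timeout", "winbind use default domain"]
# Parameters the page says were merged into 'server role'.
MERGED = ["domain master", "domain logons"]

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

# Normalized name -> (canonical name, finding).
RULES = {norm(p): (p, "removed in Samba 4") for p in REMOVED}
RULES.update({norm(p): (p, "merged into 'server role'") for p in MERGED})
RULES[norm("password server")] = ("password server", "now takes a DCE/RPC binding string")

def audit(text):
    """Return (line, section, parameter, finding) tuples for a Samba 3 smb.conf."""
    findings, section = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = norm(key), value.strip().lower()
        if key == "security" and value not in ("user", "share"):
            findings.append((no, section, "security", "value moved to 'server role'"))
        elif key in RULES:
            findings.append((no, section) + RULES[key])
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[global]
   security = domain
   Passdb  Backend = tdbsam
   password server = DC1
   ; domain logons = yes
[data]
   inherit permissions = yes
"""
```

Calling `audit(SAMPLE)` returns one tuple per setting that needs attention before an upgrade; the commented-out 'domain logons' line is skipped.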

The following parameters have been added:

Makes Samba pretend it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.
Default: Set at compile-time

Path to data used by provisioning script.
Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available
Maps POSIX FS semantics to NT semantics
Very simple backend (original testing backend).
Sets up user credentials based on POSIX gid/uid.
Proxies a remote CIFS FS. Mainly useful for testing.
Filter module that saves data useful to the nbench benchmark suite.
Allows using SMB for inter process communication. Only used for
Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later
Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.
Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be a
Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be an LDB URL.
Default: set at compile-time

+ wins config database
WINS configuration database location. This should be an LDB URL.
Default: set at compile-time

WINS database location. This should be an LDB URL.
Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.