- WHATS NEW IN Samba 2.0.4b
- =========================
-
-This is the latest stable release of Samba. This is the
-version that all production Samba servers should be running
-for all current bug-fixes.
-
-New/Changed parameters in 2.0.4
--------------------------------
-
-There are 5 new parameters and one modified parameter in
-the smb.conf file.
-
-allow trusted domains
-restrict anonymous
-mangle locks
-oplock break wait time
-oplock contention limit
+ WHATS NEW IN Samba 3.0.0
+ September XX, 2003
+ ==============================
+
+This is the third release candidate snapshot of Samba 3.0.0. A release
+candidate implies that the code is very close to a final release, remember
+that this is still a non-production release intended for testing purposes.
+Use at your own risk.
+
+The purpose of this release candidate is to get wider testing of the major
+new pieces of code in the current Samba 3.0 development tree.
+Please refer to the section on "Known Issues" for more details.
+
+
+Major new features:
+-------------------
+
+1) Active Directory support. Samba 3.0 is now able to
+ join a ADS realm as a member server and authenticate
+ users using LDAP/Kerberos.
+
+2) Unicode support. Samba will now negotiate UNICODE on the wire and
+ internally there is now a much better infrastructure for multi-byte
+ and UNICODE character sets.
+
+3) New authentication system. The internal authentication system has
+ been almost completely rewritten. Most of the changes are internal,
+ but the new auth system is also very configurable.
+
+4) New default filename mangling system.
+
+5) A new "net" command has been added. It is somewhat similar to
+ the "net" command in windows. Eventually we plan to replace
+ numerous other utilities (such as smbpasswd) with subcommands
+ in "net".
+
+6) Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+
+7) Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory.
+
+8) New loadable module support for passdb backends and
+ character sets.
+
+9) New default dual-daemon winbindd support for better performance.
+
+10) Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+
+11) Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+
+12) Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings.
+
+13) Major updates to the Samba documentation tree.
+
+14) Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+
+Plus lots of other improvements!
+
+
+Additional Documentation
+------------------------
+
+Please refer to Samba documentation tree (included in the docs/
+subdirectory) for extensive explanations of installing, configuring
+and maintaining Samba 3.0 servers and clients. It is advised to
+begin with the Samba-HOWTO-Collection for overviews and specific
+tasks (the current book is up to approximately 400 pages) and to
+refer to the various man pages for information on individual options.
+
+We are very glad to be able to include the second edition of
+"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
+(O'Reilly & Associates) in this release. The book is available
+on-line at http://samba.org/samba/docs/ and is included with
+the Samba Web Administration Tool (SWAT). Thanks to the authors and
+publisher for making "Using Samba" under the GNU Free Documentation
+License.
+
+
+######################################################################
+Changes since 3.0rc2
+####################
+
+Please refer to the CVS log for the SAMBA_3_0 branch for complete
+details:
+
+1) Remove Perl module dependencies in generated RedHat 8/9 RPMS.
+2) Update mount helper to take synonyms for file_mode and
+ dir_mode (fmask and dmask).
+3) Fix portability bug with log2pcaphex.
+4) Use different algorithm to generate codepages source code which
+ allows to take gaps into account thus making unnecessary
+ extended [index] = value, syntax in to_ucs2 array (bug 380).
+5) Fix comment strings to 43 bytes as per spec.
+6) Fix pam_winbind compile bug on FreeBSD (bug 261).
+7) Support for in-memory keytabs, which are needed to make heimdal
+ work properly. MIT does not support them, so this check will be
+ used to decide whether to use them. (partial fix for bug 372).
+8) Disable RC4-HMAC on broken heimdal setups. (remainder of bug
+ 372).
+9) Correct bug in smbclient that resulted in errors when untarring
+ long filenames (bug 308).
+10) Improve autoconf checks for PAM header files and libs.
+11) Added fast path to convert_string() when dealing with
+ ASCII->ASCII, UCS2-LE->ASCII, and ASCII->UCS2-LE with
+ values <= 0x7F.
+12) Quiet debug messages when we don't find a module and it is not
+ a critical error (bug 375).
+13) Fix UNIX passwd sync properly.
+14) Fix more transitive trust issues in winbindd (bug 305).
+15) Ensure that winbindd functions with 'disable netbios = yes'
+16) Store the real short domain name in secrets.tdb as soon as we
+ know it. Also display an error message when joining an AD
+ domain and the 'workgroup' parameter has not been specified.
+17) Return 0 DFS links instead of -1 when dfs support is not enabled.
+18) Update LDAP schema for Netscape DS 4.x and Novell eDirectory 8.7
+19) Ensure that name types can be specified using name#type notation
+ in the 'net' command (bug 73).
+20) Add retry looks to ADS sequence number and domain SID lookups
+ (bug 364).
+21) use a variant of alloc_sub_basic() for string lists such as
+ 'valid users', 'write list', and 'read list' (bug 397).
+22) Fix seg fault when winbindd receives an error from the AD server
+ in response to an LDAP search (bug 282).
+23) Update findsmb to use the new syntax for smbclient and nmblookup.
+24) Fix bug that prevented variables from being used in explicitly
+ defined path in [homes].
+25) Only set SIDs when they're returned by the MySQL query
+ (pdb_mysql.so).
+26) Include support for NTLMv2 key exchange.
+27) Revert default for 'client ntlmv2 auth' to off (bug 359).
+28) Fix crash in winbindd when the trust account password gets
+ changed underneath us via 'net rpc changetrustpw' (bug 382).
+29) Use djb-algorithm string hash - faster than the tdb one we
+ used to use. Does not change on disk format or hashing location.
+30) Implements some kind of improved AFS support for Samba on
+ Linux with OpenAFS 1.2.10. './configure --with-fake-kaserver'
+ assumes that you have OpenAFS on your machine.
+31) When enumerating dfs shares loop from 0 to lp_numservices() instead
+ of relying on lp_servicename(n) to return an empty string for
+ invalid service numbers (bug 403).
+32) Fix crash bug in 'net rpc samdump' (bug 334).
+33) Fix crash bug in WINS NSS module (bug 299).
+34) Fix a few minor compile errors on HP-UX.
+
+
+
+Changes since 3.0rc1
+####################
+
+1) Add levels 261 and 262 to search. Found using Samba4 tester.
+2) Correct bad error return code in session setup reply
+3) Fix bug where smbd returned DOS error codes from SMBsearch
+ even when NT1 protocol was negotiated.
+4) Implement SMBexit properly.
+5) Return group lists from a Samba PDC to a Windows 9x/ME box
+ in implementing user level access control (bug 314).
+6) Prevent SWAT from crashing when adding shares (bug 254)
+7) Fix various documentation issues (bugs 304 & 214)
+8) Fix wins server listing in SWAT (bug 197)
+9) Fix problem in rpcclient that caused enumerating printer
+ drivers to report failure (bug 294).
+10) Use kerberos 5 authentication in our client code whenever possible
+11) Fix schannel bug that caused Active Directory DC's to downgrade our
+ machine account to an NT member.
+12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252).
+13) Implement automatic generation of include/version.h
+14) Include initial version of smbldap-tool scripts for the Samba
+ 3.0 schema.
+15) Implement numerous fixes for multi-byte character strings.
+16) Enable 'unix extensions' parameter by default.
+17) Make sure we set the SID type when falling back to the rid
+ algorithm (bug 245).
+18) Correct linking problems with pam_smbpass (bug 327).
+19) Add SYSV defines for Irix and Solaris to ensure the 'printing'
+ parameter default to the correct value (bug 230)
+20) Fix recursion bug in alloc_string_sub() (bug 289, et. al.)
+21) Ensure that 'make install' includes the static and shared
+ versions of the libsmbclient libraries.
+22) Add CP850 and CP437 internal character set support (bug 150).
+23) Add support to examples/LDAP/convertSambaAccount for generating
+ LDIF modify files instead of just add (303).
+24) Fix support for -W option in smbclient (bug 39)
+25) Remove 'ldap trust ids' parameter since it could not be supported
+ by the current architecture.
+26) Don't crash when no argument is given to -T in smbclient (bug 345).
+27) Ensure smbadduser contains the same paths for the smbpasswd file
+ as the other Samba tools (bug 290).
+28) Port of 'available = no' fix for [homes] from SAMBA_2_2 cvs tree.
+29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the
+ modified printer is written to disk.
+30) Force winbindd to periodically update the trusted domain cache.
+31) Remove outdated import/export script to convert an smbpasswd file
+ to and from and LDAP directory. Use the pdbedit tool instead.
+32) Ensure that %U substitution is restored on next valid packet
+ if a logon fails.
+
+
+Changes since 3.0beta3
+######################
+
+1) Various memory leak fixes.
+2) Provide full support for SMB signing (server and client)
+3) Check for broken getgrouplist() in glibc.
+4) Don't get stuck in an infinite loop listing directories
+ recursively if the server returns an empty directory name
+ (bug 222).
+5) Idle LDAP connections after 150 seconds.
+6) Patched make uninstallmodules (bug 236).
+7) Fix bug that caused smbd to return incomplete directory listings
+ when UNIX files contained MS wildcard characters.
+8) Quiet default debug messages in command line tools.
+9) Fixes to avoid panics on invalid multi-byte strings.
+10) Fix error messages when creating a new smbpasswd file (bug 198).
+11) Implemented better detection routines in autoconf scripts for
+ locating ads support on the host OS.
+12) Fix bug that caused libraries in /usr/local/lib to be ignored
+ (bug 174).
+13) Ensure winbindd_ads uses the correct realm or domain name when
+ connecting to trusted DC.
+14) Ensure a correct prototype is created for snprintf() (bug 187)
+15) Stop files being created on read-only shares in some circumstances.
+16) Fix wbinfo -p (bug 251)
+17) Support schannel on any tcp/ip connection if necessary
+18) Correct bug in user_in_list() so that it works with winbind groups
+ again.
+19) Ensure the schannel bind credentials default to the domain
+ of the destination host.
+20) Default password expiration time in account_pol.tdb to never
+ expire. Remove any existing account_pol.tdb file to reset
+ the new default policy (bug 184).
+21) Add buttons to SWAT to change the view of smb.conf (bug 212)
+22) Fix incorrect checks that determine whether or not the 'add user
+ script' has been set.
+23) More cleanup for internal character set conversions.
+24) Fixes for multi-byte strings in stat cache code.
+25) Ensure that the net command honors the 'workgroup' parameter
+ in smb.conf when not overridden from the command line.
+26) Add gss-spnego support to the ntlm_auth tool.
+27) Add vfs_default_quota VFS module.
+28) Added server support for NT quota interfaces.
+29) Prevent Krb5 replay attacks by adding a replay_cache.
+30) Fix problems with winbindd and transitive trusts in AD domains.
+31) Added -S to client tools for setting SMB signing options on the
+ command line.
+32) Fix bug causing the 'passwd change program' to be called as the
+ connected user and not root.
+33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
+34) Support winbindd on FreeBSD is possible.
+35) Look at only the first OID in the security blob sent in the session
+ setup request to determine the token type.
+36) Only push locks onto a blocking lock queue if the posix lock failed with
+ EACCES or EAGAIN (this means another lock conflicts). Else return an
+ error and don't queue the request.
+37) Fix command line argument processing for smbtar.
+38) Correct issue that caused smbd to return generic unix_user.<uid>
+ for lookupsid().
+39) Default to algorithmic mapping when generating a rid for a group
+ mapping.
+40) Expand %g and %G in logon script, profile path, etc... during
+ a domain logon (bug 208).
+41) Make sure smbclient obeys '-s <config>'
+42) Added win2k3 shadow copy operations to VFS interface.
+43) Allow connections to samba domain member as SERVER\user (don't
+ always default to DOMAIN\user).
+44) Remove checks in winbindd that caused it to attempt to use
+ non-transitive trust relationships.
+45) Remove delays in winbindd caused by invalid DNS lookups.
+46) Fix supplementary group memberships on systems with slightly
+ broken NSS implementations (bug 267).
+47) Correct issue that prevented smbclient from viewing shares on
+ a win2k server when using a non-anonymous connection (bug 284).
+48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like
+ 'wbinfo -u' to a single domain. The '.' character represents
+ our domain.
+49) Fix group enumeration bug when using an LDAP directory for
+ storing group mappings.
+50) Default to use NTLMv2 if available. Fallback to not use LM/NTLM
+ when the extended security capability bit is not set.
+51) Fix crash in 'wbinfo -a' when using extended characters in the
+ username (bug 269).
+52) Fix multi-byte strupper() panics (bug 205).
+53) Add vfs_readonly VFS module.
+54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
+ attributes when using 'idmap backend = ldap' (bug 280).
+55) Make sure that users shared between a Samba PDC and member
+ samba server are seen as domain users and not local users on the
+ domain member.
+56) Fix Query FS Info level 2.
+57) Allow enumeration of users and groups by win9x "file server" (bug
+ 286).
+58) Create symlinks during install for modules that support mutliple
+ functions (bug 91).
+59) More iconv detection fixes.
+60) Fix path length error in vfs_recycle module (bug 291).
+61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
+ (server DsRoleGetPrimaryDomainInfo() is currently disabled).
+62) Fix SMBseek and get/set position calls.
+62) Fix SetFileInfo level 1.
+63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
+
+
+
+Changes since 3.0beta2
+######################
+
+1) Added fix for Japanese case names in statcache code;
+ these can change size on upper casing.
+2) Correct issues with iconv detection in configure script
+ (support needed to find iconv libraries on FreeBSD).
+3) Fix bug that caused a WINS server to be marked as dead
+ incorrectly (bug #190).
+4) Removing additional deadlocks conditions that prevented
+ winbindd from running on a Samba PDC (used for trust
+ relationships).
+5) Add support for searching for Active Directory for
+ published printers (net ads printer search).
+6) Separate UNIX username from DOMAIN\username in pipe
+ credentials.
+7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
+ for cases that they cannot handle.
+8) Flush winbindd connection cache when the machine trust account
+ password is changed while a connection is open (bug #200).
+9) Add support for 'OSVersion' server printer data string
+ (corrects problem with uploading printer drivers from
+ WinXP clients).
+10) Numerous memory leak fixes.
+11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
+ - Store domain SID in LDAP directory.
+ - store idmap information in existing entries (use sambaSID=...
+ if adding a new entry).
+12) Fix incorrect usage of primary group SID when looking up user
+ groups (bug #109).
+13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
+ winbind_XXX and local_XXX calls used in 2.2.
+14) All uid/gid allocation must involve winbindd now (we do not
+ attempt to map unknown SIDs to a UNIX identify).
+15) Add 'winbind trusted domains only' parameter to force a domain
+ member. The server to use matching users names from /etc/passwd
+ for its domain (needed for domain member of a Samba domain).
+16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
+ (defaults to "yes").
+17) Add support for multi-byte statcache code (bug #185)
+18) Fix open mode race condition.
+19) Implement winbindd local account management functions. Refer to
+ the "Winbind Changes" section for details.
+20) Move RID allocation functions into idmap backend.
+21) Fix parsing error that prevented publishing printers from a
+ Samba server in an AD domain.
+22) Revive NTLMSSP support for named pipes.
+23) More SCHANNEL fixes.
+24) Correct SMB signing with NTLMSSP.
+25) Fix coherency bug in print handle/printer object caching code
+ that could cause XP clients to infinitely loop while updating
+ their local printer cache.
+26) Make winbindd use its dual-daemon mode by default (use -Y to
+ start as a single process).
+27) Add support to nmbd and winbindd for 'smbcontrol <pid>
+ reload-config'.
+28) Correct problem with smbtar when dealing with files > 8Gb
+ (bug #102).
+
+
+
+Changes since 3.0beta1
+######################
+
+1) Rework our smb signing code again, this factors out some of
+ the common MAC calculation code, and now supports multiple
+ outstanding packets (bug #40).
+2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
+ ntlmv2 auth'.
+3) Correct timestamp problem on 64-bit machines (bug #140).
+4) Add extra debugging statements to winbindd for tracking down
+ failures.
+5) Fix bug when aliased 'winbind uid/gid' parameters are used.
+ ('winbind uid/gid' are now replaced with 'idmap uid/gid').
+6) Added an auth flag that indicates if we should be allowed
+ to fall back to NTLMSSP for SASL if krb5 fails.
+7) Fixed the bug that forced us not to use the winbindd cache when
+ we have a primary ADS domain and a secondary (trusted) NT4
+ domain.
+8) Use lp_realm() to find the default realm for 'net ads password'.
+9) Removed editreg from standard build until it is portable..
+10) Fix domain membership for servers not running winbindd.
+11) Correct race condition in determining the high water mark
+ in the idmap backend (bug #181).
+12) Set the user's primary unix group from usrmgr.exe (partial
+ fix for bug #45).
+13) Show comments when doing 'net group -l' (bug #3).
+14) Add trivial extension to 'net' to dump current local idmap
+ and restore mappings as well.
+15) Modify 'net rpc vampire' to add new and existing users to
+ both the idmap and the SAM. This code needs further testing.
+16) Fix crash bug in ADS searches.
+17) Build libnss_wins.so as part of nsswitch target (bug #160).
+18) Make net rpc vampire return an error if the sam sync RPC
+ returns an error.
+19) Fail to join an NT 4 domain as a BDC if a workstation account
+ using our name exists.
+20) Fix various memory leaks in server and client code
+21) Remove the short option to --set-auth-user for wbinfo (-A) to
+ prevent confusion with the -a option (bug #158).
+22) Added new 'map acl inherit' parameter.
+23) Removed unused 'privileges' code from group mapping database.
+24) Don't segfault on empty passdb backend list (bug #136).
+25) Fixed acl sorting algorithm for Windows 2000 clients.
+26) Replace universal group cache with netsamlogon_cache
+ from APPLIANCE_HEAD branch.
+27) Fix autoconf detection issues surrounding --with-ads=yes
+ but no Krb5 header files installed (bug #152).
+28) Add LDAP lookup for domain sequence number in case we are
+ joined using NT4 protocols to a native mode AD domain.
+29) Fix backend method selection for trusted NT 4 (or 2k
+ mixed mode) domains.
+30) Fixed bug that caused us to enumerate domain local groups
+ from native mode AD domains other than our own.
+31) Correct group enumeration for viewing in the Windows
+ security tab (bug #110).
+32) Consolidate the DC location code.
+33) Moved 'ads server' functionality into 'password server' for
+ backwards compatibility.
+34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
+ ( if you installed beta1, be sure to
+ 'mv idmap.tdb winbindd_idmap.tdb' ).
+35) Fix pdb_ldap segfaults, and wrong default values for
+ ldapsam_compat.
+36) Enable negative connection cache for winbindd's ADS backend
+ functions.
+37) Enable address caching for active directory DC's so we don't
+ have to hit DNS so much.
+38) Fix bug in idmap code that caused mapping to randomly be
+ redefined.
+39) Add tdb locking code to prevent race condition when adding a
+ new mapping to idmap.
+40) Fix 'map to guest = bad user' when acting as a PDC supporting
+ trust relationships.
+41) Prevent deadlock issues when running winbindd on a Samba PDC
+ to handle allocating uids & gids for trusted users and groups
+42) added LOCALE patch from Steve Langasek (bug #122).
+43) Add the 'guest' passdb backend automatically to the end of
+ the 'passdb backend' list if 'guest account' has a valid
+ username.
+44) Remove samstrict_dc auth method. Rework 'samstrict' to only
+ handle our local names (or domain name if we are a PDC).
+ Move existing permissive 'sam' method to 'sam_ignoredomain'
+ and make 'samstrict' the new default 'sam' auth method.
+45) Match Windows NT4/2k behavior when authenticating a user with
+ and unknown domain (default to our domain if we are a DC or
+ domain member; default to our local name if we are a
+ standalone server).
+46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
+ 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
+47) Fix the trustdom_cache code to update the list of trusted
+ domains when operating as a domain member and not using
+ winbindd.
+48) Remove 'nisplussam' passdb backend since it has suffered for
+ too long without a maintainer.
+
+
+
+
+######################################################################
+Upgrading from a previous Samba 3.0 beta
+########################################
+
+Beginning with Samba 3.0.0beta3, the RID allocation functions
+have been moved into winbindd. Previously these were handled
+by each passdb backend. This means that winbindd must be running
+to automatically allocate RIDs for users and/or groups. Otherwise,
+smbd will use the 2.2 algorithm for generating new RIDs.
+
+If you are using 'passdb backend = tdbsam' with a previous Samba
+3.0 beta release (or possibly alpha), it may be necessary to
+move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
+to winbindd_idmap.tdb. To do this:
+
+1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
+ once)
+2) build tdbtool by executing 'make tdbtool' in the source/tdb/
+ directory
+3) run: (note that 'tdb>' is the tool's prompt for input)
+
+ root# ./tdbtool /usr/local/samba/private/passdb.tdb
+ tdb> show RID_COUNTER
+ key 12 bytes
+ RID_COUNTER
+ data 4 bytes
+ [000] 0A 52 00 00 .R.
+
+ tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
+ ....
+ record moved
+
+If you are using 'passdb backend = ldapsam', it will be necessary to
+store idmap entries in the LDAP directory as well (i.e. idmap backend
+= ldap). Refer to the 'net idmap' command for more information on
+migrating SID<->UNIX id mappings from one backend to another.
+
+If the RID_COUNTER record does not exist, then these instructions are
+unneccessary and the new RID_COUNTER record will be correctly generated
+if needed.
+
+
+
+########################
+Upgrading from Samba 2.2
+########################
+
+This section is provided to help administrators understand the details
+involved with upgrading a Samba 2.2 server to Samba 3.0.
+
+
+Building
+--------
+
+Many of the options to the GNU autoconf script have been modified
+in the 3.0 release. The most noticeable are:
+
+ * removal of --with-tdbsam (is now included by default; see section
+ on passdb backends and authentication for more details)
+
+ * --with-ldapsam is now on used to provided backward compatible
+ parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
+ backend and authentication section for more details
+
+ * inclusion of non-standard passdb modules may be enabled using
+ --with-expsam. This includes an XML backend and a mysql backend.
+
+ * removal of --with-msdfs (is now enabled by default)
+
+ * removal of --with-ssl (no longer supported)
+
+ * --with-utmp now defaults to 'yes' on supported systems
+
+ * --with-sendfile-support is now enabled by default on supported
+ systems
+
+
+Parameters
+----------
+
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+
+Removed Parameters (order alphabetically):
+
+ * admin log
+ * alternate permissions
+ * character set
+ * client codepage
+ * code page directory
+ * coding system
+ * domain admin group
+ * domain guest group
+ * force unknown acl user
+ * nt smb support
+ * postscript
+ * printer driver
+ * printer driver file
+ * printer driver location
+ * status
+ * strip dot
+ * total print jobs
+ * use rhosts
+ * valid chars
+ * vfs options
+
+New Parameters (new parameters have been grouped by function):
+
+ Remote management
+ -----------------
+ * abort shutdown script
+ * shutdown script
+
+ User and Group Account Management
+ ---------------------------------
+ * add group script
+ * add machine script
+ * add user to group script
+ * algorithmic rid base
+ * delete group script
+ * delete user from group script
+ * passdb backend
+ * set primary group script
+
+ Authentication
+ --------------
+ * auth methods
+ * realm
+
+ Protocol Options
+ ----------------
+ * client lanman auth
+ * client NTLMv2 auth
+ * client schannel
+ * client signing
+ * client use spnego
+ * disable netbios
+ * ntlm auth
+ * paranoid server security
+ * server schannel
+ * server signing
+ * smb ports
+ * use spnego
+
+ File Service
+ ------------
+ * get quota command
+ * hide special files
+ * hide unwriteable files
+ * hostname lookups
+ * kernel change notify
+ * mangle prefix
+ * map acl inherit
+ * msdfs proxy
+ * set quota command
+ * use sendfile
+ * vfs objects
+
+ Printing
+ --------
+ * max reported print jobs
+
+ UNICODE and Character Sets
+ --------------------------
+ * display charset
+ * dos charset
+ * unicode
+ * unix charset
+
+ SID to uid/gid Mappings
+ -----------------------
+ * idmap backend
+ * idmap gid
+ * idmap uid
+ * winbind enable local accounts
+ * winbind trusted domains only
+ * template primary group
+ * enable rid algorithm
+
+ LDAP
+ ----
+ * ldap delete dn
+ * ldap group suffix
+ * ldap idmap suffix
+ * ldap machine suffix
+ * ldap passwd sync
+ * ldap user suffix
+
+ General Configuration
+ ---------------------
+ * preload modules
+ * private dir
+
+Modified Parameters (changes in behavior):
+
+ * encrypt passwords (enabled by default)
+ * mangling method (set to 'hash2' by default)
+ * passwd chat
+ * passwd program
+ * restrict anonymous (integer value)
+ * security (new 'ads' value)
+ * strict locking (enabled by default)
+ * unix extensions (enabled by default)
+ * winbind cache time (increased to 5 minutes)
+ * winbind uid (deprecated in favor of 'idmap uid')
+ * winbind gid (deprecated in favor of 'idmap gid')
+
+
+Databases
+---------
-The new parameters are :
+This section contains brief descriptions of any new databases
+introduced in Samba 3.0. Please remember to backup your existing
+${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+upgrade databases as they are opened (if necessary), but downgrading
+from 3.0 to 2.2 is an unsupported path.
+
+Name Description Backup?
+---- ----------- -------
+account_policy User policy settings yes
+gencache Generic caching db no
+group_mapping Mapping table from Windows yes
+ groups/SID to unix groups
+winbindd_idmap ID map table from SIDS to UNIX yes
+ uids/gids.
+namecache Name resolution cache entries no
+netsamlogon_cache Cache of NET_USER_INFO_3 structure no
+ returned as part of a successful
+ net_sam_logon request
+printing/*.tdb Cached output from 'lpq no
+ command' created on a per print
+ service basis
+registry Read-only samba registry skeleton no
+ that provides support for exporting
+ various db tables via the winreg RPCs
+
+
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is neccessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of attributes
+to prevent clashes with attributes from other vendors. There is a
+conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
+file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
+ $ convertSambaAccount <DOM SID> old.ldif new.ldif
+
+The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
+on the Samba PDC as root.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+
+
+IdMap LDAP support
+------------------
-allow trusted domains
----------------------
+Samba 3.0 supports an ldap backend for the idmap subsystem. The
+following options would inform Samba that the idmap table should be
+stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
+dc=org" partition.
-This option is used in "security=domain" settings and allows
-the Samba admin to restrict access to users within the domain
-the the Samba server is in.
+ [global]
+ ...
+ idmap backend = ldap:ldap://onterose/
+ ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
+ idmap uid = 40000-50000
+ idmap gid = 40000-50000
-restrict anonymous
-------------------
+This configuration allows winbind installations on multiple servers to
+share a uid/gid number space, thus avoiding the interoperability problems
+with NFS that were present in Samba 2.2.
+
-This parameter allows the Samba admin to cause Samba to
-refuse access to anonymous users. Use of this parameter
-is only recommened for homogenous NT client environments.
-
-mangle locks
-------------
-
-This parameter was added to get around a bug in Windows NT
-when dealing with Samba running on 32-bit systems (such
-as Linux x86). This bug causes NT to send 64 bit locking
-requests to 32-bit systems even though Samba correctly
-tells the NT client not to do so. This option causes Samba
-to map the lock requests from 64 bits to 32 bits on these
-systems.
-
-oplock break wait time
-----------------------
-
-This tuning parameter, added to help with clients that don't
-respond to oplock break requests, causes Samba to deley for
-this number of milliseconds before sending an oplock break
-request to a client that caused the break to be sent. The
-default is 10ms. This is an advanced tuning parameter and
-should not be changed lightly.
-
-oplock contention limit
------------------------
-
-This tuning parameter causes Samba not to grant oplocks
-when an smbd daemon notices that there have been this
-many concurrent requests for an oplock on a file. This
-prevents the "baton passing" oplock problem where many
-clients accessing one file pass the oplock between themselves
-like a baton. The default is 2. This is an advanced tuning
-parameter and should not be changed lightly.
-
-The modified parameter is :
-
-nt acl support
---------------
-
-This is a global parameter that defaulted to False in
-the previous release (2.0.3) and now defaults to True
-as the RPC code has been added to Samba to allow it to
-map UNIX permissions to NT ACLs.
-
-All of these new parameters and changes are documented in the
-smb.conf man pages and html pages.
-
-Updated and New documentation
------------------------------
-
-A new document describing the manipulation of UNIX permissions
-via the Windows NT security dialogs and their interaction with
-Samba 2.0.4 is provided as :
-
-docs/textdocs/NT_Security.txt
-docs/htmldocs/NT_Security.html
-
-Changes in 2.0.4b
------------------
-
-A bug with MS-Word 97 saving files with zero UNIX permissions
-was fixed. Even though a workaround is available (set force
-create mode = 644 on the share) Word is such an important
-application that a point fix was neccessary.
-
-Changes in 2.0.4a
------------------
-
-The text and html versions of NT_Security were missing from
-the shipping tarball. Also a compile bug for platforms that
-don't have usleep was fixed.
-
-Bugfixes added since 2.0.3
---------------------------
-
-1). Fix for 8 character password problem when using HPUX and
-plaintext passwords.
-2). --with-pam option added to ./configure.
-3). Client fixes for memory leak and display of 64 bit values.
-4). Fixes for -E and -s option with smbclient.
-5). smbclient now allows -L //server or -L \\server
-6). smbtar fix for display of 64 bit values.
-7). Endian independence added to DCE/RPC code.
-8). DCE/RPC marshalling/unmarshalling code re-written to provide
-overflow reporting and sign and seal support.
-9). Bind NAK reply packet added to DCE/RPC code, used to correctly
-refuse bind requests (prevents NT system event log messages).
-10). Mapping of UNIX permissions into NT ACL's for get and set
-added.
-11). DCE/RPC enumeration of numbers of shares made dynamic.
-Samba now has no limit on the number of exported shares seen.
-12). Fix to speed up random number seed generation on /dev/urandom
-being unavailable.
-13). Several memory fixes added by running Purify on the code.
-14). Read from client error messages improved.
-15). Fixed endianness used in UNICODE strings.
-16). Cope with ERRORmoredata in an RPC pipe client call.
-17). Check for malformed responses in nmbd register name.
-18). NT Encrypted password changing from the NT password dialog box
-now fully implmented.
-19). Mangle 64-bit lock ranges into 32-bits (NT bug!) on a 32-bit
-Samba platform.
-20). Allow file to be pseudo-openend in order to read security only.
-21). Improve filename mangling to reduce chance of collisions.
-22). Added code to prevent granting of oplocks when a file is under
-contention.
-23). Added tunable wait time before sending an oplock break request
-to a client if the client caused the break request. Helps with clients
-not responding to oplock breaks.
-24). Always respond negatively to queued local oplock break messages
-before shutdown. This can prevent "freezes" on an oplock error.
-25). Allow admin to restrict logons to correct domain when in domain
-level security.
-26). Added "restrict anonymous" patch from Andy (thwartedefforts@wonky.org)
-to prevent parameter substitution problems with anonymous connections.
-27). Fix SMBseek where seeking to a negative number sets the offset
-to zero.
-28). Fixed problem with mode getting corrupted in trans2 request
-(setting to zero means please ignore it).
-29). Correctly become the authenticated user on an authenticated
-DCE/RPC pipe request.
-30). Correctly reset debug level in nmbd if someone set it on the
-command line.
-31). Added more checking into testparm
-32). NetBench simulator added to smbtorture by Andrew.
-33). Fixed NIS+ option compile (was broken in 2.0.3).
-34). Recursive smbclient directory listing fix. Patch from E. Jay Berkenbilt
-(ejb@ql.org)
-
-Bugfixes added since 2.0.2
---------------------------
-
-1). --with-ssl configure now include ssl include directory. Fix
-from Richard Sharpe.
-2). Patch for configure for glibc2.1 support (large files etc.).
-3). Several bugfixes for smbclient tar mode from Bob Boehmer
-(boehmer@worldnet.att.net) to fix smbclient aborting problems
-when restoring tar files.
-4). Some automount fixes for smbmount.
-5). Attempt to fix the AIX 4.1.x/3.x problems where smbd runs as
-root. As no-one has given us root access to such a server this
-cannot be tested fully, but should work.
-6). Crash bug fix in debug code where *real* uid rather than
-*effective* uid was being checked before attempting to rotate
-log files. This fix should help a *lot* of people who were
-reporting smbd aborting in the middle of a copy operation.
-7). SIGALRM bugfix to ensure infinate file locks time out.
-8). New code to implement NT ACL reporting for cacls.exe program.
-9). UDP loopback socket rebind fix for Solaris.
-10). Ensure all UNICODE strings are correctly in little-endian
-format.
-11). smbpasswd file locking fix.
-12). Fixes for strncpy problems with glibc2.1.
-13). Ensure smbd correctly reports major and minor version number
-and server type when queried via NT rpc calls.
-14). Bugfix for short mangled names not being pulled off the
-mangled stack correctly.
-15). Fix for mapping of rwx bits being incorrectly overwritten
-when doing ATTRIB.EXE
-16). Fix for returning multiple PDU packets in NT rpc code. Should
-allow multiple shares to be returned correctly).
-17). Improved mapping of NT open access requests into UNIX open
-modes.
-18). Fix for copying files from an NTFS volume that contain
-multiple data forks. Added 'magic' error code NT needs.
-19). Fixed crash bug when primary NT authentication server
-is down, rolls over to secondaries correctly now.
-20). Fixed timeout processing to be timer based. Now will
-always occur even if smbd is under load.
-21). Fixed signed/unsigned problem in quotas code.
-22). Fixed bug where setting the password of a completely fresh
-user would end up setting the account disabled flag.
-23). Improved user logon messages to help admins having
-trouble with user authentication.
-
-Bugfixes added since 2.0.1
---------------------------
-
-Note that due to a critical signal handling bug in 2.0.1,
-this release has been removed and replaced immediately with
-2.0.2. The Samba Team would like to apologise for any problem
-this may have caused.
-
-1). Fixed smbd looping on SIGCLD problem. This was
- caused by a missing break statement in a critical
- piece of code.
-
-Bugfixes added since 2.0.0
---------------------------
-
-1). Autoconf changes for gcc2.7.x and Solaris 2.5/2.6
-2). Autoconf changes to help HPUX configure correctly.
-3). Autoconf changes to allow lock directory to be set.
-4). Client fix to allow port to be set.
-5). clitar fix to send debug messages to stderr.
-6). smbmount race condition fix.
-7). Fix for bug where trying to browse large numbers of shares
- generated an error from an NT client.
-8). Wrapper for setgroups for SunOS 4.x
-9). Fix for directory deleting failing from multiuser NT.
-10). Fix for crash bug if bitmap was full.
-11). Fix for Linux genrand where /dev/random could cause
- clients to timeout on connect if the entropy pool was
- empty.
-12). The default PASSWD_CHAT may now be overridden in local.h
-13). HPUX printing fixes for default programs.
-14). Reverted (erroneous) code in MACHINE.SID generation that
- was setting the sid to 0x21 - should be *decimal* 21.
-15). Fix for printing to remote machine under SVR4.
-16). Fix for chgpasswd wait being interrupted with EINTR.
-17). Fix for disk free routine. NT and Win98 now correctly
- show greater than 2GB disks.
-18). Fix for crash bug in stat cache statistics printing.
-19). Fix for filenames ending in .~xx.
-20). Fix for access check code wait being interrupted with EINTR.
-21). Fix for password changes from "invalid password" to a valid
- one setting the account disabled bit.
-22). Fix for smbd crash bug in SMBreadraw cache prime code.
-23). Fix for overly zealous lock range overflow reporting.
-24). Fix for large disk disk free reporting (NT SMB code).
-25). Fix for NT failing to truncate files correctly.
-26). Fix for smbd crash bug with SMBcancel calls.
-27). Additional -T flag to nmblookup to do reverse DNS on addresses.
-28). SWAT fix to start/stop smbd/nmbd correctly.
-
-Major changes in Samba 2.0
---------------------------
-
-This is a MAJOR new release of Samba, the UNIX based SMB/CIFS file
-and print server for Windows systems.
-
-There have been many changes in Samba since the last major release,
-1.9.18. These have mainly been in the areas of performance and
-SMB protocol correctness. In addition, a Web based GUI interface
-for configuring Samba has been added.
-
-In addition, Samba has been re-written to help portability to
-other POSIX-based systems, based on the GNU autoconf tool.
-
-There are many major changes in Samba for version 2.0. Here are
-some of them:
-
-=====================================================================
-
-1). Speed
----------
-Samba has been benchmarked on high-end UNIX hardware as out-performing
-all other SMB/CIFS servers using the Ziff-Davis NetBench benchmark.
-Many changes to the code to optimise high-end performance have been made.
+######################################################################
+Trust Relationships and a Samba Domain
+######################################
-2). Correctness
----------------
+Samba 3.0.0beta2 is able to utilize winbindd as the means of
+allocating uids and gids to trusted users and groups. More
+information regarding Samba's support for establishing trust
+relationships can be found in the Samba-HOWTO-Collection included
+in the docs/ directory of this release.
-Samba now supports the Windows NT specific SMB requests. This
-means that on platforms that are capable Samba now presents a
-64 bit view of the filesystem to Windows NT clients and is
-capable of handling very large files.
+First create your Samba PDC and ensure that everything is
+working correctly before moving on the trusts.
-3). Portability
----------------
+To establish Samba as the trusting domain (named SAMBA) from a Windows NT
+4.0 domain named WINDOWS:
-Samba is now self-configuring using GNU autoconf, removing
-the need for people installing Samba to have to hand configure
-Makefiles, as was needed in previous versions.
+ 1) create the trust account for SAMBA in "User Manager for Domains"
+ 2) connect the trust from the Samba domain using
+ 'net rpc trustdom establish GLASS'
-You now configure Samba by running "./configure" then "make". See
-docs/textdocs/UNIX_INSTALL.txt for details.
+To create a trustlationship with SAMBA as the trusted domain:
-4). Web based GUI configuration
--------------------------------
+ 1) create the initial trust account for GLASS using
+ 'smbpasswd -a -i GLASS'. You may need to create a UNIX
+ account for GLASS$ prior to this step (depending on your
+ local configuration).
+ 2) connect the trust from a WINDOWS DC using "User Manager
+ for Domains"
-Samba now comes with SWAT, a web based GUI config system. See
-the swat man page for details on how to set it up.
+Now join winbindd on the Samba PDC to the SAMBA domain using
+the normal steps for adding a Samba server to an NT4 domain:
+(note that smbd & nmbd must be running at this point)
-5). Cross protocol data integrity
----------------------------------
+ root# net rpc join -U root
+ Password: <enter root password from smbpasswd file here>
-An open function interface has been defined to allow
-"opportunistic locks" (oplocks for short) granted by Samba
-to be seen by other UNIX processes. This allows complete
-cross protocol (NFS and SMB) data integrety using Samba
-with platforms that support this feature.
+Start winbindd and test the join with 'wbinfo -t'.
-6). Domain client capability
-----------------------------
+Now test the trust relationship by connecting to the SAMBA DC
+(e.g. POGO) as a user from the WINDOWS domain:
-Samba is now capable of using a Windows NT PDC for user
-authentication in exactly the same way that a Windows NT
-workstation does, i.e. it can be a member of a Domain. See
-docs/textdocs/DOMAIN_MEMBER.txt for details.
+ $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
+ Password:
-7). Documentation Updates
--------------------------
+Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
-All the reference parts of the Samba documentation (the
-manual pages) have been updated and converted to a document
-format that allows automatic generation of HTML, SGML, and
-text formats. These documents now ship as standard in HTML
-and manpage format.
+ $ smbclient //crystal/netlogon -U root -W WINDOWS
+ Password:
-=====================================================================
+######################################################################
+Changes in Winbind
+##################
-NOTE - Some important option defaults changed
----------------------------------------------
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to
+centralize control of foreign SID lookups and matching to UNIX
+uids and gids.
-Several parameters have changed their default values. The most
-important of these is that the default security mode is now user
-level security rather than share level security.
-This (incompatible) change was made to ease new Samba installs
-as user level security is easier to use for Windows 95/98 and
-Windows NT clients.
+Brief Description of Changes
+----------------------------
-********IMPORTANT NOTE****************
+1) The sid_to_uid() family of functions (smbd/uid.c) have been
+ reverted to the 2.2.x design. This means that when resolving a
+ SID to a UID or similar mapping:
-If you have no "security=" line in the [global] section of
-your current smb.conf and you update to Samba 2.0 you will
-need to add the line :
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
-security=share
+ There are some variations to this, but these two rules generally
+ apply.
-to get exactly the same behaviour with Samba 2.0 as you
-did with previous versions of Samba.
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
-********END IMPORTANT NOTE*************
+3) New functions have been added to winbindd to emulate the 'add user
+ script' family of smbd functions without requiring that external
+ scripts be defined. This functionality is controlled by the 'winbind
+ enable local accounts' smb.conf parameter (enabled by default).
-In addition, Samba now defaults to case sensitivity options that
-match a Windows NT server precisely, that is, case insensitive
-but case preserving.
+ However, this account management functionality is only supported
+ in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
+ must be shared among multiple Samba servers (such as a PDC and BDCs),
+ it will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for
+ distributing UNIX system information have been deployed and tested
+ for many years. We saw no need to reinvent the wheel.
-The default format of the smbpasswd file has also been
-changed for this release, although the new tools will read
-and write the old format, for backwards compatibility.
+4) A member of a Samba controlled domain running winbindd is now able
+ to map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
-=====================================================================
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
-NOTE - Primary Domain Controller Functionality
-----------------------------------------------
-This version of Samba contains code that correctly implements
-the undocumented Primary Domain Controller authentication
-protocols. However, there is much more to being a Primary
-Domain Controller than serving Windows NT logon requests.
+Examples
+--------
-A useful version of a Primary Domain Controller contains
-many remote procedure calls to do things like enumerate users,
-groups, and security information, only some of which Samba currently
-implements. In addition, there are outstanding (known) bugs with
-using Samba as a PDC in this release that the Samba Team are actively
-working on. For this reason we have chosen not to advertise and
-actively support Primary Domain Controller functionality with this
-release.
+* security = server running winbindd to allocate accounts on demand
-This work is being done in the CVS (developer) versions of Samba,
-development of which continues at a fast pace. If you are
-interested in participating in or helping with this development
-please join the Samba-NTDOM mailing list. Details on joining
-are available at :
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
-http://samba.org/listproc/
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
-Details on obtaining CVS (developer) versions of Samba
-are available at:
+
+######################################################################
+Known Issues
+############
-http://samba.org/cvs.html
+* There are several bugs currently logged against the 3.0 codebase
+ that affect the use of NT 4.0 GUI domain management tools when run
+ against a Samba 3.0 PDC. This bugs should be released in an early
+ 3.0.x release.
-=====================================================================
+Please refer to https://bugzilla.samba.org/ for a current list of bugs
+filed against the Samba 3.0 codebase.
-If you have problems, or think you have found a bug please email
-a report to :
- samba-bugs@samba.org
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
-As always, all bugs are our responsibility.
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
-Regards,
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.
- The Samba Team.
+A new bugzilla installation has been established to help support the
+Samba 3.0 community of users. This server, located at
+https://bugzilla.samba.org/, has replaced the older jitterbug server
+previously located at http://bugs.samba.org/.
git.samba.org / bbaumbach / samba-autobuild / .git / blobdiff