This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD, such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

SWAT has had some rather large improvements and is now more than just a
direct editor for smb.conf. Its layout has been improved. SWAT can now also
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Like the situation with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in an AD
(rather than distinctly standards) matching manner. The database is
LDB, and it shares that in common with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
member server support does not work yet.

'password server' now takes a DCE/RPC binding string (see prog_guide.txt)
rather than simply a NetBIOS name.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children

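A Samba 3 smb.conf carried over to Samba 4 can still contain the settings above, several of which govern password or permission handling, so it is worth finding them before relying on the new server. The following added example (not part of the original file or of Samba) scans a configuration for a subset of the removed parameters and for the 'security', 'domain master' and 'domain logons' settings that moved to 'server role'; the name audit_smb_conf and the sample configuration are constructed for illustration.

```python
import re
# Subset of the removed parameters listed above, copied from this page.
REMOVED = ["passdb backend", "allow trusted domains", "check password script",
           "force security mode", "inherit permissions", "use kerberos keytab",
           "username map script", "winbind use default domain"]
# Parameters the page says were merged into 'server role'.
MERGED = ["domain master", "domain logons"]

def norm(name):  # smb.conf ignores case and all whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def audit_smb_conf(text):
    """Return (line, section, parameter, finding) for settings Samba 4 changed."""
    removed, merged = ({norm(p): p for p in names} for names in (REMOVED, MERGED))
    findings, section, pending, start = [], "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if pending else no   # report the first line of a setting
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continuation: join with the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line and line[0] not in "#;" and "=" in line:
            key, _, value = line.partition("=")
            key, value = norm(key), value.strip().lower()
            if key in removed:
                findings.append((start, section, removed[key], "removed"))
            elif key in merged:
                findings.append((start, section, merged[key], "merged into 'server role'"))
            elif key == "security" and value not in ("user", "share"):
                findings.append((start, section, "security", "value moved to 'server role'"))
    return findings

# Constructed Samba 3 configuration used as sample input.
SAMPLE = """\
[global]
   security = ADS
   Domain Logons = yes
   passdb  backend = tdbsam
   ; check password script = /bin/false
   username map script = \\
       /usr/local/bin/mapuser
[projects]
   inherit permissions = yes
"""
if __name__ == "__main__":
    print("\n".join("line %d [%s] %s: %s" % f for f in audit_smb_conf(SAMPLE)))
```

The commented-out 'check password script' line is skipped, and the continued 'username map script' setting is reported at the line where it starts.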
The following parameters have been added:

Make Samba pretend it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.
Default: Set at compile-time

Path to data used by provisioning script.
Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available

Maps POSIX FS semantics to NT semantics

Very simple backend (original testing backend).

Sets up user credentials based on POSIX gid/uid.

Proxies a remote CIFS FS. Mainly useful for testing.

Filter module that saves data useful to the nbench benchmark suite.

Allows using SMB for inter process communication. Only used for

Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later

Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.
Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be a
Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be a LDB URL.
Default: set at compile-time

+ wins config database
WINS configuration database location. This should be a LDB URL.
Default: set at compile-time

WINS database location. This should be a LDB URL.
Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT.

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to the CA file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.