1 WHATS NEW IN Samba 3.0.0 beta2
3 ==============================
5 This is the second beta release of Samba 3.0.0. This is a
6 non-production release intended for testing purposes. Use
9 The purpose of this beta release is to get wider testing of the major
10 new pieces of code in the current Samba 3.0 development tree. We have
11 officially ceased development on the 2.2.x release of Samba and are
12 concentrating on Samba 3.0. To reduce the time before the final
13 Samba 3.0 release we need as many people as possible to start testing
14 these beta releases, and to provide high quality feedback on what
17 Samba 3.0 is feature complete. However there is still some final
18 work to be done on certain pieces of functionality. Please refer to
19 the section on "Known Issues" for more details.
25 1) Active Directory support. This release is able to join a ADS realm
26 as a member server and authenticate users using LDAP/kerberos.
28 2) Unicode support. Samba will now negotiate UNICODE on the wire and
29 internally there is now a much better infrastructure for multi-byte
30 and UNICODE character sets.
32 3) New authentication system. The internal authentication system has
33 been almost completely rewritten. Most of the changes are internal,
34 but the new auth system is also very configurable.
36 4) New filename mangling system. The filename mangling system has been
37 completely rewritten. An internal database now stores mangling maps
38 persistently. This needs lots of testing.
40 5) New "net" command. A new "net" command has been added. It is
41 somewhat similar to the "net" command in windows. Eventually we
42 plan to replace a bunch of other utilities (such as smbpasswd)
43 with subcommands in "net", at the moment only a few things are
46 6) Samba now negotiates NT-style status32 codes on the wire. This
47 improves error handling a lot.
49 7) Better Windows 2000/XP/2003 printing support including publishing
50 printer attributes in active directory
52 8) New loadable RPC modules
54 9) New dual-daemon winbindd support (-B) for better performance
56 10) Support for migrating from a Windows NT 4.0 domain to a Samba
57 domain and maintaining user, group and domain SIDs
59 11) Support for establishing trust relationships with Windows NT 4.0
62 12) Initial support for a distributed Winbind architecture using
63 an LDAP directory for storing SID to uid/gid mappings
65 13) Major updates to the Samba documentation tree.
67 Plus lots of other improvements!
70 Additional Documentation
71 ------------------------
73 Please refer to Samba documentation tree (including in the docs/
74 subdirectory) for extensive explanations of installing, configuring
75 and maintaining Samba 3.0 servers and clients. It is advised to
76 begin with the Samba-HOWTO-Collection for overviews and specific
77 tasks (the current book is up to approximately 400 pages) and to
78 refer to the various man pages for information on individual options.
80 ######################################################################
81 Changes since 3.0beta1
82 ######################
84 Please refer to the CVS log for the SAMBA_3_0 branch for complete
87 1) Rework our smb signing code again, this factors out some of
88 the common MAC calcuation code, and now supports multiple
89 outstanding packets (bug #40)
90 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
92 3) Correct timestamp problem on 64-bit machines (bug #140)
93 4) Add extra debugging staements to winbindd for tracking down
95 5) Fix bug when aliased 'winbind uid/gid' parameters
96 6) Added an auth flag that indicates if we should be allowed
97 to fallback to NTLMSSP for SASL if krb5 fails
98 7) Fixed the bug that forced us not to use the winbindd cache when
99 we have a primary ADS domain and a secondary (trusted) NT4 domain.
100 8) Use lp_realm() to find the default realm for 'net ads password'
101 9) Removed editreg from standard build until it is portable.
102 10) Fix domain membership for servers not running winbindd
103 11) Correct race condition in determining the high water make
104 in the idmap backend (bug #181)
105 12) Set the user's primary unix group from usrmgr.exe (partial
107 13) Show comments when doing 'net group -l' (bug #3)
108 14) Add trivial extension to 'net' to dump current local idmap
109 and restore mappings as well
110 15) Modify 'net rpc vampire' to add new and existing users to
111 both the idmap and the SAM.
112 16) Fix crash bug in ADS searches
113 17) Build libnss_wins.so as part of nsswitch target (bug #160)
114 18) Make net rpc vampire return an error if the sam sync RPC
116 19) Fail to join an NT 4 domain as a BDC if an workstation account
117 using our name exists
118 20) Fix various memory leaks in server and client code
119 21) Remove the short option to --set-auth-user for wbinfo (-A) to
120 prevent confusion with the -a option (bug #158)
121 22) Added new 'map acl inheritence' parameter
122 23) Removed unused 'privileges' code from group mapping database
123 24) Don't segfault on empty passdb backend list (bug #136)
124 25) Fixed acl sorting algorithm forWwindows 2000 clients
125 26) Replace universal group cache with netsamlogon_cache
126 from APPLIANCE_HEAD branch
127 27) Fix autoconf detection issues surrounding --with-ads=yes
128 but no Krb5 header files installed (bug #152)
129 28) Add LDAP lookup for domain sequence number in case we are
130 joined using NT4 protocols to a native mode AD domain
131 29) Fix backend method selection for trusted NT 4 (or 2k
133 30) Fixed bug that caused us to enuemrate dmain local groups
134 from native mode AD domains other than our own
135 31) Correct group enumeration for viewing in the Windows
136 security tab (bug #110)
137 32) Consolidate the DC location code
138 33) Moved 'ads server' functionality into 'password server' for
139 backwards compatibility
140 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
141 ( if you installed beta1, be sure to
142 'mv idmap.tdb winbindd_idamap.tdb' )
143 35) Fix pdb_ldap segfaults, and wrong default values for
145 36) Enable negative connection cache for winbindd's ADS backend
147 37) Enable address caching for active directory DC's so we don't
148 have to hit DNS so much
149 38) Fix bug in idmap code that caused mapping to randomly be
151 39) Add tdb locking code to prevent race condition when adding a
153 40) Fix 'map to guest = bad user' when acting as a PDC supporting
155 41) Prevent deadlock issues when running winbindd on a Samba PDC
156 to handle allocating uids & gids for trusted users and groups
157 42) added LOCALE patch from Steve Langasek (bug #122)
158 43) Add the 'guest' passdb backend automatically to the end of
159 the 'passdb backend' list if 'guest account' has a valid
161 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
162 handle our local names (or domain name if we are a PDC).
163 Move existing permissive 'sam' method to 'sam_ignoredomain'
164 and make 'samstrict' the new default 'sam' auth method.
165 45) Match Windows NT4/2k behavior when authenticating a user with
166 and unknown domain (default to our domain if we are a DC or
167 domain member; default to our local name if we are a
169 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
170 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
171 47) Fix the trustdom_cache code to update the list of trusted
172 domains when operating as a domain member and not using
174 48) Remove 'nisplussam' passdb backend since it has suffered for
175 too long without a maintainer
180 ######################################################################
181 Upgrading from Samba 2.2
182 ########################
184 This section is provided to help administrators understand the details
185 involved with upgrading a Samba 2.2 server to Samba 3.0
191 Many of the options to the GNU autoconf script have been modified
192 in the 3.0 release. The most noticeable are
194 * removal of --with-tdbsam (is now included by default; see section
195 on passdb backends and authentication for more details)
197 * --with-ldapsam is now on used to provided backward compatible
198 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
199 backend and authentication section for more details
201 * inclusion of non-standard passdb modules may be enabled using
202 --with-expsam. This includes an XML backend, a mysql backend,
205 * removal of --with-msdfs (is now enabled by default)
207 * removal of --with-ssl (no longer supported)
209 * --with-utmp now defaults to 'yes' on supported systems
211 * --with-sendfile-support is now enabled by default on supported
218 This section contains a brief listing of changes to smb.conf options
219 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
220 complete descriptions of new or modified parameters.
222 Removed Parameters (order alphabetically):
225 * alternate permissions
228 * code page directory
232 * force unknown acl user
236 * printer driver file
237 * printer driver location
244 New Parameters (new parameters have been grouped by function):
248 * abort shutdown script
251 User and Group Account Management
252 ---------------------------------
255 * add user to group script
256 * algorithmic rid base
257 * delete group script
258 * delete user from group script
260 * set primary group script
276 * paranoid server security
285 * hide unwriteable files
287 * kernel change notify
289 * map acl inheritence
297 * max reported print jobs
299 UNICODE and Character Sets
300 --------------------------
306 SID to uid/gid Mappings
307 -----------------------
318 * ldap machine suffix
323 General Configuration
324 ---------------------
328 Modified Parameters (changes in behavior):
330 * encrypt passwords (enabled by default)
331 * mangling method (set to 'hash2' by default)
334 * restrict anonymous (integer value)
335 * security (new 'ads' value)
336 * strict locking (enabled by default)
337 * winbind cache time (increased to 5 minutes)
338 * winbind uid (deprecated in favor of 'idmap uid')
339 * winbind gid (deprecated in favor of 'idmap gid')
345 This section contains brief descriptions of any new databases
346 introduced in Samba 3.0. Please remember to backup your existing
347 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
348 upgrade databases as they are opened (if necessary), but downgrading
349 from 3.0 to 2.2 is an unsupported path.
351 Name Description Backup?
352 ---- ----------- -------
353 account_policy User policy settings yes
354 gencache Generic caching db no
355 group_mapping Mapping table from Windows yes
356 groups/SID to unix groups
357 idmap new ID map table from SIDS yes
359 namecache Name resolution cache entries no
360 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
361 returned as part of a successful
362 net_sam_logon request
363 printing/*.tdb Cached output from 'lpq no
364 command' created on a per print
366 registry Read-only samba registry skeleton no
367 that provides support for exporting
368 various db tables via the winreg RPCs
374 The following issues are known changes in behavior between Samba 2.2 and
375 Samba 3.0 that may affect certain installations of Samba.
377 1) When operating as a member of a Windows domain, Samba 2.2 would
378 map any users authenticated by the remote DC to the 'guest account'
379 if a uid could not be obtained via the getpwnam() call. Samba 3.0
380 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
381 current work around to re-establish the 2.2 behavior.
383 2) When adding machines to a Samba 2.2 controlled domain, the
384 'add user script' was used to create the UNIX identity of the
385 machine trust account. Samba 3.0 introduces a new 'add machine
386 script' that must be specified for this purpose. Samba 3.0 will
387 not fall back to using the 'add user script' in the absence of
388 an 'add machine script'
391 ######################################################################
392 Passdb Backends and Authentication
393 ##################################
395 There have been a few new changes that Samba administrators should be
396 aware of when moving to Samba 3.0.
398 1) encrypted passwords have been enabled by default in order to
399 inter-operate better with out-of-the-box Windows client
400 installations. This does mean that either (a) a samba account
401 must be created for each user, or (b) 'encrypt passwords = no'
402 must be explicitly defined in smb.conf.
404 2) Inclusion of new 'security = ads' option for integration
405 with an Active Directory domain using the native Windows
406 Kerberos 5 and LDAP protocols.
408 Samba 3.0 also includes the possibility of setting up chains
409 of authentication methods (auth methods) and account storage
410 backends (passdb backend). Please refer to the smb.conf(5)
411 man page for details. While both parameters assume sane default
412 values, it is likely that you will need to understand what the
413 values actually mean in order to ensure Samba operates correctly.
415 The recommended passdb backends at this time are
417 * smbpasswd - 2.2 compatible flat file format
418 * tdbsam - attribute rich database intended as an smbpasswd
419 replacement for stand alone servers
420 * ldapsam - attribute rich account storage and retrieval
421 backend utilizing an LDAP directory.
422 * ldapsam_compat - a 2.2 backward compatible LDAP account
425 Certain functions of the smbpasswd(8) tool have been split between the
426 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
427 utility. See the respective man pages for details.
430 ######################################################################
434 This section outlines the new features affecting Samba / LDAP integration.
439 A new object class (sambaSamAccount) has been introduced to replace
440 the old sambaAccount. This change aids us in the renaming of attributes
441 to prevent clashes with attributes from other vendors. There is a
442 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
443 file to the new schema.
447 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
448 $ convertSambaAccount <DOM SID> old.ldif new.ldif
450 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
451 on the Samba PDC as root.
453 The old sambaAccount schema may still be used by specifying the
454 "ldapsam_compat" passdb backend. However, the sambaAccount and
455 associated attributes have been moved to the historical section of
456 the schema file and must be uncommented before use if needed.
457 The 2.2 object class declaration for a sambaAccount has not changed
458 in the 3.0 samba.schema file.
460 Other new object classes and their uses include:
462 * sambaDomain - domain information used to allocate rids
463 for users and groups as necessary. The attributes are added
464 in 'ldap suffix' directory entry automatically if
465 an idmap uid/gid range has been set and the 'ldapsam'
466 passdb backend has been selected.
468 * sambaGroupMapping - an object representing the
469 relationship between a posixGroup and a Windows
470 group/SID. These entries are stored in the 'ldap
471 group suffix' and managed by the 'net groupmap' command.
473 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
474 automatically and contains the next available 'idmap uid' and
477 * sambaIdmapEntry - object storing a mapping between a
478 SID and a UNIX uid/gid. These objects are created by the
479 idmap_ldap module as needed.
482 New Suffix for Searching
483 ------------------------
485 The following new smb.conf parameters have been added to aid in directing
486 certain LDAP queries when 'passdb backend = ldapsam://...' has been
489 * ldap suffix - used to search for user and computer accounts
490 * ldap user suffix - used to store user accounts
491 * ldap machine suffix - used to store machine trust accounts
492 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
493 * ldap idmap suffix - location of sambaIdmapEntry objects
495 If an 'ldap suffix' is defined, it will be appended to all of the
496 remaining sub-suffix parameters. In this case, the order of the suffix
497 listings in smb.conf is important. Always place the 'ldap suffix' first
500 Due to a limitation in Samba's smb.conf parsing, you should not surround
501 the DN's with quotation marks.
507 Samba 3.0 supports an ldap backend for the idmap subsystem. The
508 following options would inform Samba that the idmap table should be
509 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
514 idmap backend = ldap:ldap://onterose/
515 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
516 idmap uid = 40000-50000
517 idmap gid = 40000-50000
519 This configuration allows winbind installations on multiple servers to
520 share a uid/gid number space, thus avoiding the interoperability problems
521 with NFS that were present in Samba 2.2.
524 ######################################################################
528 * The smbldap perl scripts for managing user entries in an LDAP
529 directory have not be updated to function with the Samba 3.0
530 schema changes. This (or an equivalent solution) work is planned
531 to be completed prior to the stable 3.0.0 release.
533 Please refer to https://bugzilla.samba.org/ for a current list of bugs
534 filed against the Samba 3.0 codebase.
537 ######################################################################
538 Reporting bugs & Development Discussion
539 #######################################
541 Please discuss this release on the samba-technical mailing list or by
542 joining the #samba-technical IRC channel on irc.freenode.net.
544 If you do report problems then please try to send high quality
545 feedback. If you don't provide vital information to help us track down
546 the problem then you will probably be ignored.
548 A new bugzilla installation has been established to help support the
549 Samba 3.0 community of users. This server, located at
550 https://bugzilla.samba.org/, will replace the existing jitterbug server
551 and the old http://bugs.samba.org now points to the new bugzilla server.