X-Git-Url: http://git.samba.org/samba.git/?p=gd%2Fsamba%2F.git;a=blobdiff_plain;f=WHATSNEW.txt;h=69036fae3c635d6c3c25c9180fa2d16f5ad91937;hp=af29ed4a5cba7604292070024984f79e4d80fab4;hb=b167f0989d004ba0940196c242c782ac698d1212;hpb=2f09b68e52a3af712d86732ed674e1e616768d65 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index af29ed4a5cb..69036fae3c6 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,72 +1,1072 @@ - WHATS NEW IN 2.0.0 ALPHA SERIES - =============================== + WHATS NEW IN Samba 3.0.0 + September 24, 2003 + ============================== -This is an alpha release of Samba. Releases in this series are done -automatically every week based on the latest code in the Samba CVS -tree. +This is the first official release of Samba 3.0.0 code base. Work +on the SAMBA_3_0 CVS branch continues. Please refer to the section +on "Known Issues" for more details. -THIS RELEASE IS NOT PRODUCTION QUALITY. IT MAY NOT EVEN COMPILE. -If you use this release then be aware of the following: +Major new features: +------------------- -- only use these releases if you can't use CVS for some - reason. Getting the code via anonymous cvs is preferable. See - http://samba.anu.edu.au/cvs.html +1) Active Directory support. Samba 3.0 is now able to + join a ADS realm as a member server and authenticate + users using LDAP/Kerberos. -- don't use this code if you are not an experienced programmer. We are - doing these releases so that users who cannot access the CVS tree - directly for some reason can report/fix bugs. If you find bugs in - this release and you want to help fix them then please join the - samba-technical mailing list (see http://samba.anu.edu.au/listproc/) - and discuss it there. +2) Unicode support. Samba will now negotiate UNICODE on the wire + and internally there is now a much better infrastructure for + multi-byte and UNICODE character sets. -- the docs are not uptodate. If you find documentation errors then - please send patches to fix them. Out of date documentation is one of - the main things holding back a Samba 2.0 release. +3) New authentication system. The internal authentication system + has been almost completely rewritten. Most of the changes are + internal, but the new auth system is also very configurable. -Major changes in Samba 2.0 --------------------------- +4) New default filename mangling system. -There have been several major changes in Samba for version 2.0. Here -are some of them: +5) A new "net" command has been added. It is somewhat similar to + the "net" command in windows. Eventually we plan to replace + numerous other utilities (such as smbpasswd) with subcommands + in "net". -1). autoconf ------------- +6) Samba now negotiates NT-style status32 codes on the wire. This + improves error handling a lot. -You now configure Samba by running "./configure" then make. See -docs/UNIX_INSTALL.txt +7) Better Windows 2000/XP/2003 printing support including publishing + printer attributes in active directory. -2) domain control ------------------ +8) New loadable module support for passdb backends and character + sets. -Samba can now (mostly) act as a NT primary domain controller and -domain logon server. Unfortunately this is largely undocumented at the -moment, but to get you started you want smb.conf entries like this: +9) New default dual-daemon winbindd support for better performance. - domain controller = Yes - domain logons = Yes - preferred master = Yes - domain master = Yes +10) Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group and domain SIDs. -[netlogon] - path = /data/netlogon - read only = No +11) Support for establishing trust relationships with Windows NT 4.0 + domain controllers. + +12) Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to uid/gid mappings. + +13) Major updates to the Samba documentation tree. -further documentation on this still needs to be written :) +14) Full support for client and server SMB signing to ensure + compatibility with default Windows 2003 security settings. -3) option defaults changed --------------------------- +15) Improvement of ACL mapping features based on code donated by + Andreas Grünbacher. -several parameters have changed their default values. The most -important of these is that the default security mode is now user level -security rather than share level security. -4) web based GUI configuration ------------------------------- +Plus lots of other improvements! -Samba now comes with SWAT, a web based GUI config system. See -swat/README for how to set it up. +Additional Documentation +------------------------ + +Please refer to Samba documentation tree (included in the docs/ +subdirectory) for extensive explanations of installing, configuring +and maintaining Samba 3.0 servers and clients. It is advised to +begin with the Samba-HOWTO-Collection for overviews and specific +tasks (the current book is up to approximately 400 pages) and to +refer to the various man pages for information on individual options. + +We are very glad to be able to include the second edition of +"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown +(O'Reilly & Associates) in this release. The book is available +on-line at http://samba.org/samba/docs/ and is included with +the Samba Web Administration Tool (SWAT). Thanks to the authors and +publisher for making "Using Samba" under the GNU Free Documentation +License. + + +###################################################################### +Changes since 3.0rc4 +#################### + +Please refer to the CVS log for the SAMBA_3_0 branch for complete +details: + +1) Fix bug that prevented restoring filenames of length + >100 characters. +2) Fix bug that prevented fast path code in strchr_m + from being used. +3) Make sure we store the desired access flag on incoming + SAMR rpc calls. +4) Fix smbd crash when dealing with mangled file names. +5) Ensure that the group comment field is not overwritten + if it already exists. +6) Fix bug that prevented 'net rpc join' from working + with mixed mode AD domains (bug 442). +7) Fix crash in smbd when a Samba PDC is not able to + enumerate trusted domains (bug 450). +8) Fix crash bug found by the Samba4 testsuite. +9) Fix bug that prevented smbd from returning an ACL list + if one of the SIDs could not be resolved (bug 470). +10) Remove -P option from smbclient printing scripts since it + has a different meaning in Samba 3.0 (bug 473). +11) Sync smbldap-tools with latest version +12) Cleanup some warnings produced by the Sun C compiler. +13) Several fixes for SWAT relating to international character + sets. + + +Changes since 3.0rc3 +#################### + +1) Fix incorrect error message in testparm.c regarding 'map system'. +2) Protect against core dump if ioctl for print job sends invalid + fid. +3) Fix bug in generic hash cacluation. +4) Remove references to unused 'strip dot' parameter +5) Fix CPU burn bug in multi-byte character conversion. +6) Use opt_target_workgroup instead of lp_workgroup() in vampire + code so we can override the value in smb.conf with the -w option. +7) Display an error if we can't create a posix account for the + user when running 'net rpc vampire' (bug 323). +8) Fix UTF8 conversion bugs in LDAP passdb and idmap code (bug 296). +9) Fix smbd crash when changing the machine trust account password + (bug 273). +10) Remove getpwnam() calls from init_sam_from_xxx(). This means + that %u & %g will no longer expand in the "login ..." set of + smb.conf options, but %U and %G still do. The payback is that + winbindd local accounts for users work with 'wbinfo -u' + when winbind is running on a Samba PDC. +11) Fix unitiailized timestamp where merging print_jobs and + lpq listing. +12) Fix bug in debian packaging files affecting non-i386 platforms. + + +Changes since 3.0rc2 +#################### + +1) Remove Perl module dependencies in generated RedHat 8/9 RPMS. +2) Update mount helper to take synonyms for file_mode and + dir_mode (fmask and dmask). +3) Fix portability bug with log2pcaphex. +4) Use different algorithm to generate codepages source code which + allows to take gaps into account thus making unnecessary + extended [index] = value, syntax in to_ucs2 array (bug 380). +5) Fix comment strings to 43 bytes as per spec. +6) Fix pam_winbind compile bug on FreeBSD (bug 261). +7) Support for in-memory keytabs, which are needed to make heimdal + work properly. MIT does not support them, so this check will be + used to decide whether to use them. (partial fix for bug 372). +8) Disable RC4-HMAC on broken heimdal setups. (remainder of bug + 372). +9) Correct bug in smbclient that resulted in errors when untarring + long filenames (bug 308). +10) Improve autoconf checks for PAM header files and libs. +11) Added fast path to convert_string() when dealing with + ASCII->ASCII, UCS2-LE->ASCII, and ASCII->UCS2-LE with + values <= 0x7F. +12) Quiet debug messages when we don't find a module and it is not + a critical error (bug 375). +13) Fix UNIX passwd sync properly. +14) Fix more transitive trust issues in winbindd (bug 305). +15) Ensure that winbindd functions with 'disable netbios = yes' +16) Store the real short domain name in secrets.tdb as soon as we + know it. Also display an error message when joining an AD + domain and the 'workgroup' parameter has not been specified. +17) Return 0 DFS links instead of -1 when dfs support is not enabled. +18) Update LDAP schema for Netscape DS 4.x and Novell eDirectory 8.7 +19) Ensure that name types can be specified using name#type notation + in the 'net' command (bug 73). +20) Add retry looks to ADS sequence number and domain SID lookups + (bug 364). +21) use a variant of alloc_sub_basic() for string lists such as + 'valid users', 'write list', and 'read list' (bug 397). +22) Fix seg fault when winbindd receives an error from the AD server + in response to an LDAP search (bug 282). +23) Update findsmb to use the new syntax for smbclient and nmblookup. +24) Fix bug that prevented variables from being used in explicitly + defined path in [homes]. +25) Only set SIDs when they're returned by the MySQL query + (pdb_mysql.so). +26) Include support for NTLMv2 key exchange. +27) Revert default for 'client ntlmv2 auth' to off (bug 359). +28) Fix crash in winbindd when the trust account password gets + changed underneath us via 'net rpc changetrustpw' (bug 382). +29) Use djb-algorithm string hash - faster than the tdb one we + used to use. Does not change on disk format or hashing location. +30) Implements some kind of improved AFS support for Samba on + Linux with OpenAFS 1.2.10. './configure --with-fake-kaserver' + assumes that you have OpenAFS on your machine. +31) When enumerating dfs shares loop from 0 to lp_numservices() instead + of relying on lp_servicename(n) to return an empty string for + invalid service numbers (bug 403). +32) Fix crash bug in 'net rpc samdump' (bug 334). +33) Fix crash bug in WINS NSS module (bug 299). +34) Fix a few minor compile errors on HP-UX. + + + +Changes since 3.0rc1 +#################### + +1) Add levels 261 and 262 to search. Found using Samba4 tester. +2) Correct bad error return code in session setup reply +3) Fix bug where smbd returned DOS error codes from SMBsearch + even when NT1 protocol was negotiated. +4) Implement SMBexit properly. +5) Return group lists from a Samba PDC to a Windows 9x/ME box + in implementing user level access control (bug 314). +6) Prevent SWAT from crashing when adding shares (bug 254) +7) Fix various documentation issues (bugs 304 & 214) +8) Fix wins server listing in SWAT (bug 197) +9) Fix problem in rpcclient that caused enumerating printer + drivers to report failure (bug 294). +10) Use kerberos 5 authentication in our client code whenever possible +11) Fix schannel bug that caused Active Directory DC's to downgrade our + machine account to an NT member. +12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252). +13) Implement automatic generation of include/version.h +14) Include initial version of smbldap-tool scripts for the Samba + 3.0 schema. +15) Implement numerous fixes for multi-byte character strings. +16) Enable 'unix extensions' parameter by default. +17) Make sure we set the SID type when falling back to the rid + algorithm (bug 245). +18) Correct linking problems with pam_smbpass (bug 327). +19) Add SYSV defines for Irix and Solaris to ensure the 'printing' + parameter default to the correct value (bug 230) +20) Fix recursion bug in alloc_string_sub() (bug 289, et. al.) +21) Ensure that 'make install' includes the static and shared + versions of the libsmbclient libraries. +22) Add CP850 and CP437 internal character set support (bug 150). +23) Add support to examples/LDAP/convertSambaAccount for generating + LDIF modify files instead of just add (303). +24) Fix support for -W option in smbclient (bug 39) +25) Remove 'ldap trust ids' parameter since it could not be supported + by the current architecture. +26) Don't crash when no argument is given to -T in smbclient (bug 345). +27) Ensure smbadduser contains the same paths for the smbpasswd file + as the other Samba tools (bug 290). +28) Port of 'available = no' fix for [homes] from SAMBA_2_2 cvs tree. +29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the + modified printer is written to disk. +30) Force winbindd to periodically update the trusted domain cache. +31) Remove outdated import/export script to convert an smbpasswd file + to and from and LDAP directory. Use the pdbedit tool instead. +32) Ensure that %U substitution is restored on next valid packet + if a logon fails. + + +Changes since 3.0beta3 +###################### + +1) Various memory leak fixes. +2) Provide full support for SMB signing (server and client) +3) Check for broken getgrouplist() in glibc. +4) Don't get stuck in an infinite loop listing directories + recursively if the server returns an empty directory name + (bug 222). +5) Idle LDAP connections after 150 seconds. +6) Patched make uninstallmodules (bug 236). +7) Fix bug that caused smbd to return incomplete directory listings + when UNIX files contained MS wildcard characters. +8) Quiet default debug messages in command line tools. +9) Fixes to avoid panics on invalid multi-byte strings. +10) Fix error messages when creating a new smbpasswd file (bug 198). +11) Implemented better detection routines in autoconf scripts for + locating ads support on the host OS. +12) Fix bug that caused libraries in /usr/local/lib to be ignored + (bug 174). +13) Ensure winbindd_ads uses the correct realm or domain name when + connecting to trusted DC. +14) Ensure a correct prototype is created for snprintf() (bug 187) +15) Stop files being created on read-only shares in some circumstances. +16) Fix wbinfo -p (bug 251) +17) Support schannel on any tcp/ip connection if necessary +18) Correct bug in user_in_list() so that it works with winbind groups + again. +19) Ensure the schannel bind credentials default to the domain + of the destination host. +20) Default password expiration time in account_pol.tdb to never + expire. Remove any existing account_pol.tdb file to reset + the new default policy (bug 184). +21) Add buttons to SWAT to change the view of smb.conf (bug 212) +22) Fix incorrect checks that determine whether or not the 'add user + script' has been set. +23) More cleanup for internal character set conversions. +24) Fixes for multi-byte strings in stat cache code. +25) Ensure that the net command honors the 'workgroup' parameter + in smb.conf when not overridden from the command line. +26) Add gss-spnego support to the ntlm_auth tool. +27) Add vfs_default_quota VFS module. +28) Added server support for NT quota interfaces. +29) Prevent Krb5 replay attacks by adding a replay_cache. +30) Fix problems with winbindd and transitive trusts in AD domains. +31) Added -S to client tools for setting SMB signing options on the + command line. +32) Fix bug causing the 'passwd change program' to be called as the + connected user and not root. +33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel). +34) Support winbindd on FreeBSD is possible. +35) Look at only the first OID in the security blob sent in the session + setup request to determine the token type. +36) Only push locks onto a blocking lock queue if the posix lock failed with + EACCES or EAGAIN (this means another lock conflicts). Else return an + error and don't queue the request. +37) Fix command line argument processing for smbtar. +38) Correct issue that caused smbd to return generic unix_user. + for lookupsid(). +39) Default to algorithmic mapping when generating a rid for a group + mapping. +40) Expand %g and %G in logon script, profile path, etc... during + a domain logon (bug 208). +41) Make sure smbclient obeys '-s ' +42) Added win2k3 shadow copy operations to VFS interface. +43) Allow connections to samba domain member as SERVER\user (don't + always default to DOMAIN\user). +44) Remove checks in winbindd that caused it to attempt to use + non-transitive trust relationships. +45) Remove delays in winbindd caused by invalid DNS lookups. +46) Fix supplementary group memberships on systems with slightly + broken NSS implementations (bug 267). +47) Correct issue that prevented smbclient from viewing shares on + a win2k server when using a non-anonymous connection (bug 284). +48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like + 'wbinfo -u' to a single domain. The '.' character represents + our domain. +49) Fix group enumeration bug when using an LDAP directory for + storing group mappings. +50) Default to use NTLMv2 if available. Fallback to not use LM/NTLM + when the extended security capability bit is not set. +51) Fix crash in 'wbinfo -a' when using extended characters in the + username (bug 269). +52) Fix multi-byte strupper() panics (bug 205). +53) Add vfs_readonly VFS module. +54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid + attributes when using 'idmap backend = ldap' (bug 280). +55) Make sure that users shared between a Samba PDC and member + samba server are seen as domain users and not local users on the + domain member. +56) Fix Query FS Info level 2. +57) Allow enumeration of users and groups by win9x "file server" (bug + 286). +58) Create symlinks during install for modules that support mutliple + functions (bug 91). +59) More iconv detection fixes. +60) Fix path length error in vfs_recycle module (bug 291). +61) Added server support for the LSA_DS UUID on the \lsarpc pipe. + (server DsRoleGetPrimaryDomainInfo() is currently disabled). +62) Fix SMBseek and get/set position calls. +62) Fix SetFileInfo level 1. +63) Added tool to convert smbd log file to a pcap file (log2pcaphex). + + + +Changes since 3.0beta2 +###################### + +1) Added fix for Japanese case names in statcache code; + these can change size on upper casing. +2) Correct issues with iconv detection in configure script + (support needed to find iconv libraries on FreeBSD). +3) Fix bug that caused a WINS server to be marked as dead + incorrectly (bug #190). +4) Removing additional deadlocks conditions that prevented + winbindd from running on a Samba PDC (used for trust + relationships). +5) Add support for searching for Active Directory for + published printers (net ads printer search). +6) Separate UNIX username from DOMAIN\username in pipe + credentials. +7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED + for cases that they cannot handle. +8) Flush winbindd connection cache when the machine trust account + password is changed while a connection is open (bug #200). +9) Add support for 'OSVersion' server printer data string + (corrects problem with uploading printer drivers from + WinXP clients). +10) Numerous memory leak fixes. +11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"): + - Store domain SID in LDAP directory. + - store idmap information in existing entries (use sambaSID=... + if adding a new entry). +12) Fix incorrect usage of primary group SID when looking up user + groups (bug #109). +13) Remove idmap_XX_to_XX calls from smbd. Move back to the the + winbind_XXX and local_XXX calls used in 2.2. +14) All uid/gid allocation must involve winbindd now (we do not + attempt to map unknown SIDs to a UNIX identify). +15) Add 'winbind trusted domains only' parameter to force a domain + member. The server to use matching users names from /etc/passwd + for its domain (needed for domain member of a Samba domain). +16) Rename 'idmap only' to 'enable rid algorithm' for better clarity + (defaults to "yes"). +17) Add support for multi-byte statcache code (bug #185) +18) Fix open mode race condition. +19) Implement winbindd local account management functions. Refer to + the "Winbind Changes" section for details. +20) Move RID allocation functions into idmap backend. +21) Fix parsing error that prevented publishing printers from a + Samba server in an AD domain. +22) Revive NTLMSSP support for named pipes. +23) More SCHANNEL fixes. +24) Correct SMB signing with NTLMSSP. +25) Fix coherency bug in print handle/printer object caching code + that could cause XP clients to infinitely loop while updating + their local printer cache. +26) Make winbindd use its dual-daemon mode by default (use -Y to + start as a single process). +27) Add support to nmbd and winbindd for 'smbcontrol + reload-config'. +28) Correct problem with smbtar when dealing with files > 8Gb + (bug #102). + + + +Changes since 3.0beta1 +###################### + +1) Rework our smb signing code again, this factors out some of + the common MAC calculation code, and now supports multiple + outstanding packets (bug #40). +2) Enforce 'client plaintext auth', 'client lanman auth' and 'client + ntlmv2 auth'. +3) Correct timestamp problem on 64-bit machines (bug #140). +4) Add extra debugging statements to winbindd for tracking down + failures. +5) Fix bug when aliased 'winbind uid/gid' parameters are used. + ('winbind uid/gid' are now replaced with 'idmap uid/gid'). +6) Added an auth flag that indicates if we should be allowed + to fall back to NTLMSSP for SASL if krb5 fails. +7) Fixed the bug that forced us not to use the winbindd cache when + we have a primary ADS domain and a secondary (trusted) NT4 + domain. +8) Use lp_realm() to find the default realm for 'net ads password'. +9) Removed editreg from standard build until it is portable.. +10) Fix domain membership for servers not running winbindd. +11) Correct race condition in determining the high water mark + in the idmap backend (bug #181). +12) Set the user's primary unix group from usrmgr.exe (partial + fix for bug #45). +13) Show comments when doing 'net group -l' (bug #3). +14) Add trivial extension to 'net' to dump current local idmap + and restore mappings as well. +15) Modify 'net rpc vampire' to add new and existing users to + both the idmap and the SAM. This code needs further testing. +16) Fix crash bug in ADS searches. +17) Build libnss_wins.so as part of nsswitch target (bug #160). +18) Make net rpc vampire return an error if the sam sync RPC + returns an error. +19) Fail to join an NT 4 domain as a BDC if a workstation account + using our name exists. +20) Fix various memory leaks in server and client code +21) Remove the short option to --set-auth-user for wbinfo (-A) to + prevent confusion with the -a option (bug #158). +22) Added new 'map acl inherit' parameter. +23) Removed unused 'privileges' code from group mapping database. +24) Don't segfault on empty passdb backend list (bug #136). +25) Fixed acl sorting algorithm for Windows 2000 clients. +26) Replace universal group cache with netsamlogon_cache + from APPLIANCE_HEAD branch. +27) Fix autoconf detection issues surrounding --with-ads=yes + but no Krb5 header files installed (bug #152). +28) Add LDAP lookup for domain sequence number in case we are + joined using NT4 protocols to a native mode AD domain. +29) Fix backend method selection for trusted NT 4 (or 2k + mixed mode) domains. +30) Fixed bug that caused us to enumerate domain local groups + from native mode AD domains other than our own. +31) Correct group enumeration for viewing in the Windows + security tab (bug #110). +32) Consolidate the DC location code. +33) Moved 'ads server' functionality into 'password server' for + backwards compatibility. +34) Fix winbindd_idmap tdb upgrades from a 2.2 installation. + ( if you installed beta1, be sure to + 'mv idmap.tdb winbindd_idmap.tdb' ). +35) Fix pdb_ldap segfaults, and wrong default values for + ldapsam_compat. +36) Enable negative connection cache for winbindd's ADS backend + functions. +37) Enable address caching for active directory DC's so we don't + have to hit DNS so much. +38) Fix bug in idmap code that caused mapping to randomly be + redefined. +39) Add tdb locking code to prevent race condition when adding a + new mapping to idmap. +40) Fix 'map to guest = bad user' when acting as a PDC supporting + trust relationships. +41) Prevent deadlock issues when running winbindd on a Samba PDC + to handle allocating uids & gids for trusted users and groups +42) added LOCALE patch from Steve Langasek (bug #122). +43) Add the 'guest' passdb backend automatically to the end of + the 'passdb backend' list if 'guest account' has a valid + username. +44) Remove samstrict_dc auth method. Rework 'samstrict' to only + handle our local names (or domain name if we are a PDC). + Move existing permissive 'sam' method to 'sam_ignoredomain' + and make 'samstrict' the new default 'sam' auth method. +45) Match Windows NT4/2k behavior when authenticating a user with + and unknown domain (default to our domain if we are a DC or + domain member; default to our local name if we are a + standalone server). +46) Fix Get_Pwnam() to always fall back to lookup 'user' if the + 'DOMAIN\user' lookup fails. This matches 2.2. behavior. +47) Fix the trustdom_cache code to update the list of trusted + domains when operating as a domain member and not using + winbindd. +48) Remove 'nisplussam' passdb backend since it has suffered for + too long without a maintainer. + + + + +###################################################################### +Upgrading from a previous Samba 3.0 beta +######################################## + +Beginning with Samba 3.0.0beta3, the RID allocation functions +have been moved into winbindd. Previously these were handled +by each passdb backend. This means that winbindd must be running +to automatically allocate RIDs for users and/or groups. Otherwise, +smbd will use the 2.2 algorithm for generating new RIDs. + +If you are using 'passdb backend = tdbsam' with a previous Samba +3.0 beta release (or possibly alpha), it may be necessary to +move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb +to winbindd_idmap.tdb. To do this: + +1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least + once) +2) build tdbtool by executing 'make tdbtool' in the source/tdb/ + directory +3) run: (note that 'tdb>' is the tool's prompt for input) + + root# ./tdbtool /usr/local/samba/private/passdb.tdb + tdb> show RID_COUNTER + key 12 bytes + RID_COUNTER + data 4 bytes + [000] 0A 52 00 00 .R. + + tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb + .... + record moved + +If you are using 'passdb backend = ldapsam', it will be necessary to +store idmap entries in the LDAP directory as well (i.e. idmap backend += ldap). Refer to the 'net idmap' command for more information on +migrating SID<->UNIX id mappings from one backend to another. + +If the RID_COUNTER record does not exist, then these instructions are +unneccessary and the new RID_COUNTER record will be correctly generated +if needed. + + + +######################## +Upgrading from Samba 2.2 +######################## + +This section is provided to help administrators understand the details +involved with upgrading a Samba 2.2 server to Samba 3.0. + + +Building +-------- + +Many of the options to the GNU autoconf script have been modified +in the 3.0 release. The most noticeable are: + + * removal of --with-tdbsam (is now included by default; see section + on passdb backends and authentication for more details) + + * --with-ldapsam is now on used to provided backward compatible + parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb + backend and authentication section for more details + + * inclusion of non-standard passdb modules may be enabled using + --with-expsam. This includes an XML backend and a mysql backend. + + * removal of --with-msdfs (is now enabled by default) + + * removal of --with-ssl (no longer supported) + + * --with-utmp now defaults to 'yes' on supported systems + + * --with-sendfile-support is now enabled by default on supported + systems + + +Parameters +---------- + +This section contains a brief listing of changes to smb.conf options +in the 3.0.0 release. Please refer to the smb.conf(5) man page for +complete descriptions of new or modified parameters. + +Removed Parameters (order alphabetically): + + * admin log + * alternate permissions + * character set + * client codepage + * code page directory + * coding system + * domain admin group + * domain guest group + * force unknown acl user + * nt smb support + * postscript + * printer driver + * printer driver file + * printer driver location + * status + * strip dot + * total print jobs + * use rhosts + * valid chars + * vfs options + +New Parameters (new parameters have been grouped by function): + + Remote management + ----------------- + * abort shutdown script + * shutdown script + + User and Group Account Management + --------------------------------- + * add group script + * add machine script + * add user to group script + * algorithmic rid base + * delete group script + * delete user from group script + * passdb backend + * set primary group script + + Authentication + -------------- + * auth methods + * realm + + Protocol Options + ---------------- + * client lanman auth + * client NTLMv2 auth + * client schannel + * client signing + * client use spnego + * disable netbios + * ntlm auth + * paranoid server security + * server schannel + * server signing + * smb ports + * use spnego + + File Service + ------------ + * get quota command + * hide special files + * hide unwriteable files + * hostname lookups + * kernel change notify + * mangle prefix + * map acl inherit + * msdfs proxy + * set quota command + * use sendfile + * vfs objects + + Printing + -------- + * max reported print jobs + + UNICODE and Character Sets + -------------------------- + * display charset + * dos charset + * unicode + * unix charset + + SID to uid/gid Mappings + ----------------------- + * idmap backend + * idmap gid + * idmap uid + * winbind enable local accounts + * winbind trusted domains only + * template primary group + * enable rid algorithm + + LDAP + ---- + * ldap delete dn + * ldap group suffix + * ldap idmap suffix + * ldap machine suffix + * ldap passwd sync + * ldap user suffix + + General Configuration + --------------------- + * preload modules + * private dir + +Modified Parameters (changes in behavior): + + * encrypt passwords (enabled by default) + * mangling method (set to 'hash2' by default) + * passwd chat + * passwd program + * restrict anonymous (integer value) + * security (new 'ads' value) + * strict locking (enabled by default) + * unix extensions (enabled by default) + * winbind cache time (increased to 5 minutes) + * winbind uid (deprecated in favor of 'idmap uid') + * winbind gid (deprecated in favor of 'idmap gid') + + +Databases +--------- + +This section contains brief descriptions of any new databases +introduced in Samba 3.0. Please remember to backup your existing +${lock directory}/*tdb before upgrading to Samba 3.0. Samba will +upgrade databases as they are opened (if necessary), but downgrading +from 3.0 to 2.2 is an unsupported path. + +Name Description Backup? +---- ----------- ------- +account_policy User policy settings yes +gencache Generic caching db no +group_mapping Mapping table from Windows yes + groups/SID to unix groups +winbindd_idmap ID map table from SIDS to UNIX yes + uids/gids. +namecache Name resolution cache entries no +netsamlogon_cache Cache of NET_USER_INFO_3 structure no + returned as part of a successful + net_sam_logon request +printing/*.tdb Cached output from 'lpq no + command' created on a per print + service basis +registry Read-only samba registry skeleton no + that provides support for exporting + various db tables via the winreg RPCs + + +Changes in Behavior +------------------- + +The following issues are known changes in behavior between Samba 2.2 and +Samba 3.0 that may affect certain installations of Samba. + + 1) When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. + + 2) When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' + + +###################################################################### +Passdb Backends and Authentication +################################## + +There have been a few new changes that Samba administrators should be +aware of when moving to Samba 3.0. + + 1) encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. + + 2) Inclusion of new 'security = ads' option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. + + MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption + type which is neccessary for servers on which the + administrator password has not been changed, or kerberos-enabled + SMB connections to servers that require Kerberos SMB signing. + Besides this one difference, either MIT or Heimdal Kerberos + distributions are usable by Samba 3.0. + + +Samba 3.0 also includes the possibility of setting up chains +of authentication methods (auth methods) and account storage +backends (passdb backend). Please refer to the smb.conf(5) +man page for details. While both parameters assume sane default +values, it is likely that you will need to understand what the +values actually mean in order to ensure Samba operates correctly. + +The recommended passdb backends at this time are + + * smbpasswd - 2.2 compatible flat file format + * tdbsam - attribute rich database intended as an smbpasswd + replacement for stand alone servers + * ldapsam - attribute rich account storage and retrieval + backend utilizing an LDAP directory. + * ldapsam_compat - a 2.2 backward compatible LDAP account + backend + +Certain functions of the smbpasswd(8) tool have been split between the +new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) +utility. See the respective man pages for details. + + +###################################################################### +LDAP +#### + +This section outlines the new features affecting Samba / LDAP +integration. + +New Schema +---------- + +A new object class (sambaSamAccount) has been introduced to replace +the old sambaAccount. This change aids us in the renaming of attributes +to prevent clashes with attributes from other vendors. There is a +conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF +file to the new schema. + +Example: + + $ ldapsearch .... -b "ou=people,dc=..." > old.ldif + $ convertSambaAccount old.ldif new.ldif + +The can be obtained by running 'net getlocalsid ' +on the Samba PDC as root. + +The old sambaAccount schema may still be used by specifying the +"ldapsam_compat" passdb backend. However, the sambaAccount and +associated attributes have been moved to the historical section of +the schema file and must be uncommented before use if needed. +The 2.2 object class declaration for a sambaAccount has not changed +in the 3.0 samba.schema file. + +Other new object classes and their uses include: + + * sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. + + * sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. + + * sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' + + * sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. + + * sambaSidEntry - object representing a SID alone, as a Structural + class on which to build the sambaIdmapEntry. + + +New Suffix for Searching +------------------------ + +The following new smb.conf parameters have been added to aid in directing +certain LDAP queries when 'passdb backend = ldapsam://...' has been +specified. + + * ldap suffix - used to search for user and computer accounts + * ldap user suffix - used to store user accounts + * ldap machine suffix - used to store machine trust accounts + * ldap group suffix - location of posixGroup/sambaGroupMapping entries + * ldap idmap suffix - location of sambaIdmapEntry objects + +If an 'ldap suffix' is defined, it will be appended to all of the +remaining sub-suffix parameters. In this case, the order of the suffix +listings in smb.conf is important. Always place the 'ldap suffix' first +in the list. + +Due to a limitation in Samba's smb.conf parsing, you should not surround +the DN's with quotation marks. + + +IdMap LDAP support +------------------ + +Samba 3.0 supports an ldap backend for the idmap subsystem. The +following options would inform Samba that the idmap table should be +stored on the directory server onterose in the "ou=idmap,dc=plainjoe, +dc=org" partition. + + [global] + ... + idmap backend = ldap:ldap://onterose/ + ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org + idmap uid = 40000-50000 + idmap gid = 40000-50000 + +This configuration allows winbind installations on multiple servers to +share a uid/gid number space, thus avoiding the interoperability problems +with NFS that were present in Samba 2.2. + + + +###################################################################### +Trust Relationships and a Samba Domain +###################################### + +Samba 3.0.0beta2 is able to utilize winbindd as the means of +allocating uids and gids to trusted users and groups. More +information regarding Samba's support for establishing trust +relationships can be found in the Samba-HOWTO-Collection included +in the docs/ directory of this release. + +First create your Samba PDC and ensure that everything is +working correctly before moving on the trusts. + +To establish Samba as the trusting domain (named SAMBA) from a Windows NT +4.0 domain named WINDOWS: + + 1) create the trust account for SAMBA in "User Manager for Domains" + 2) connect the trust from the Samba domain using + 'net rpc trustdom establish GLASS' + +To create a trustlationship with SAMBA as the trusted domain: + + 1) create the initial trust account for GLASS using + 'smbpasswd -a -i GLASS'. You may need to create a UNIX + account for GLASS$ prior to this step (depending on your + local configuration). + 2) connect the trust from a WINDOWS DC using "User Manager + for Domains" + +Now join winbindd on the Samba PDC to the SAMBA domain using +the normal steps for adding a Samba server to an NT4 domain: +(note that smbd & nmbd must be running at this point) + + root# net rpc join -U root + Password: + +Start winbindd and test the join with 'wbinfo -t'. + +Now test the trust relationship by connecting to the SAMBA DC +(e.g. POGO) as a user from the WINDOWS domain: + + $ smbclient //pogo/netlogon -U Administrator -W WINDOWS + Password: + +Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: + + $ smbclient //crystal/netlogon -U root -W WINDOWS + Password: + +###################################################################### +Changes in Winbind +################## + +Beginning with Samba3.0.0beta3, winbindd has been given new account +manage functionality equivalent to the 'add user script' family of +smb.conf parameters. The idmap design has also been changed to +centralize control of foreign SID lookups and matching to UNIX +uids and gids. + + +Brief Description of Changes +---------------------------- + +1) The sid_to_uid() family of functions (smbd/uid.c) have been + reverted to the 2.2.x design. This means that when resolving a + SID to a UID or similar mapping: + + a) First consult winbindd + b) perform a local lookup only if winbindd fails to + return a successful answer + + There are some variations to this, but these two rules generally + apply. + +2) All idmap lookups have been moved into winbindd. This means that + a server must run winbindd (and support NSS) in order to achieve + any mappings of SID to dynamically allocated UNIX ids. This was + a conscious design choice. + +3) New functions have been added to winbindd to emulate the 'add user + script' family of smbd functions without requiring that external + scripts be defined. This functionality is controlled by the 'winbind + enable local accounts' smb.conf parameter (enabled by default). + + However, this account management functionality is only supported + in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts + must be shared among multiple Samba servers (such as a PDC and BDCs), + it will be necessary to define your own 'add user script', et. al. + programs that place the accounts/groups in some form of directory + such as NIS or LDAP. This requirement was deemed beyond the scope + of winbind's account management functions. Solutions for + distributing UNIX system information have been deployed and tested + for many years. We saw no need to reinvent the wheel. + +4) A member of a Samba controlled domain running winbindd is now able + to map domain users directly onto existing UNIX accounts while still + automatically creating accounts for trusted users and groups. This + behavior is controlled by the 'winbind trusted domains only' smb.conf + parameter (disabled by default to provide 2.2.x winbind behavior). + +5) Group mapping support is wrapped in the local_XX_to_XX() functions + in smbd/uid.c. The reason that group mappings are not included + in winbindd is because the purpose of Samba's group map is to + match any Windows SID with an existing UNIX group. These UNIX + groups can be created by winbindd (see next section), but the + SID<->gid mapping is retreived by smbd, not winbindd. + + +Examples +-------- + +* security = server running winbindd to allocate accounts on demand + +* Samba PDC running winbindd to handle the automatic creation of UNIX + identities for machine trust accounts + +* Automtically creating UNIX user and groups when migrating a Windows NT + 4.0 PDC to a Samba PDC. Winbindd must be running when executing + 'net rpc vampire' for this to work. + + +###################################################################### +Known Issues +############ + +* There are several bugs currently logged against the 3.0 codebase + that affect the use of NT 4.0 GUI domain management tools when run + against a Samba 3.0 PDC. This bugs should be released in an early + 3.0.x release. + +Please refer to https://bugzilla.samba.org/ for a current list of bugs +filed against the Samba 3.0 codebase. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. + +A new bugzilla installation has been established to help support the +Samba 3.0 community of users. This server, located at +https://bugzilla.samba.org/, has replaced the older jitterbug server +previously located at http://bugs.samba.org/. -There have been lots of other changes as well. We'll add them here as -we remember them :)