This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

SWAT has had some rather large improvements and is now more than just a
direct editor for smb.conf. Its layout has been improved. SWAT can now also
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
member server support does not work yet.

'password server' now takes a DCE/RPC binding string (see prog_guide.txt)
rather than simply a NetBIOS name.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
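
An added example, not part of the Samba sources: a small Python check that
flags settings in a Samba 3 smb.conf affected by the changes described above.
The REMOVED list is a subset of the list above, the sample configuration is
constructed, and treating a 'password server' value without ':' as a bare
NetBIOS name is an assumed heuristic.

```python
import re

# Subset of the parameters listed above as removed in Samba 4.
REMOVED = ["passdb backend", "allow trusted domains", "check password script",
           "inherit permissions", "use kerberos keytab", "username map script",
           "store dos attributes", "winbind nested groups"]

def norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

REMOVED_NORM = {norm(p): p for p in REMOVED}

def audit(text):
    """Return (line_no, section, message) findings; continuations not handled."""
    findings, section = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            continue
        k = norm(key)
        if k in REMOVED_NORM:
            msg = f"removed: {REMOVED_NORM[k]}"
        elif k == "security" and value.lower() not in ("user", "share"):
            msg = f"security = {value}: moved to 'server role'"
        elif k in ("domainmaster", "domainlogons"):
            msg = f"{key.lower()}: merged into 'server role'"
        elif k == "passwordserver" and ":" not in value:
            # Assumed heuristic: a binding string contains ':', a bare name does not.
            msg = "password server: expects a DCE/RPC binding string"
        else:
            continue
        findings.append((no, section, msg))
    return findings

# Constructed Samba 3 configuration, for illustration only.
SAMPLE = """[global]
security = domain
Password Server = DC1
passdb backend = tdbsam
; winbind nested groups = yes
[data]
Store DOS Attributes = yes
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
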

The following parameters have been added:

Make Samba pretend it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.

Default: Set at compile-time

Path to data used by provisioning script.

Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available

Maps POSIX FS semantics to NT semantics

Very simple backend (original testing backend).

Sets up user credentials based on POSIX gid/uid.

Proxies a remote CIFS FS. Mainly useful for testing.

Filter module that saves data useful to the nbench benchmark suite.

Allows using SMB for inter process communication. Only used for

Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later

Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.

Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.

Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be a

Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be an LDB URL.

Default: set at compile-time

+ wins config database
WINS configuration database location. This should be an LDB URL.

Default: set at compile-time

WINS database location. This should be an LDB URL.

Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT.

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.