r12685: Add comments on builtin LDAP and KDC.

[ira/wip.git] / NEWS

This file aims to document the major changes since the latest released version 
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems 
and uses a different internal format for most data. Since this 
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller 
support. This means Samba now implements several protocols that are required 
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade 
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other then just CIFS and 
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports 
various 'process models' that specify how concurrent connections are 
handled (when to fork, use threads, etc). 

Introduction of LDB
===================
Samba now stores most of its persistent data in a LDAP-like database 
called LDB (see ldb(7) for more info). 

Built-in LDAP server
====================
FIXME

Much improved SWAT
==================
SWAT has had some rather large improvements and is now more then just a 
direct editor for smb.conf. Its layout has been improved. SWAT can now also 
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Built-in KDC
============
Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center).  Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Built-in LDAP Server
====================
Like the situation with the KDC, Samba4 ships with it's own LDAP
server, included to provide simple, built-in LDAP services in an AD
(rather than distinctly standards) matching manner.  The database is
LDB, and it shares that in common with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have 
been introduced. This section contains a summary of changes to smb.conf and 
where these settings moved. Configuration options that have disappeared may be 
re-added later when the functionality that uses them gets reimplemented in 
Samba 4.

The 'security' parameter has been split up. It is now only used to choose 
between the 'user' and 'share' security levels (the latter is not supported 
in Samba 4 yet). The other values of this option and the 'domain master' and 
'domain logons' parameters have been merged into a 'server role' parameter 
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that 
member server support does not work yet.

'password server' now takes a DCE/RPC binding string (see prog_guide.txt) 
rather then simply a NetBIOS name.

The following parameters have been removed:
- passdb backend: accounts are now stored in a LDB-based SAM database, 
        see 'sam database' below.
- update encrypted
- public
- guest ok
- client schannel
- server schannel
- allow trusted domains
- hosts equiv
- map to guest
- smb passwd file
- algorithmic rid base
- root directory
- root dir
- root
- guest account
- enable privileges
- pam password change
- passwd program
- passwd chat debug
- passwd chat timeout
- check password script
- username map
- username level
- unix password sync
- restrict anonymous
- username
- user
- users
- invalid users
- valid users
- admin users
- read list
- write list
- printer admin
- force user
- force group
- group
- write ok
- writeable
- writable
- acl check permissions
- acl group control
- acl map full control
- create mask
- create mode
- force create mode
- security mask
- force security mode
- directory mask
- directory mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- inherit acls
- inherit owner
- guest only
- only guest
- only user
- allow hosts
- deny hosts
- preload modules
- use kerberos keytab
- syslog
- syslog only
- max log size
- debug timestamp
- timestamp logs
- debug hires timestamp
- debug pid
- debug uid
- allocation roundup size
- aio read size
- aio write size
- aio write behind
- large readwrite
- protocol
- read bmpx
- reset on zero vc
- acl compatibility
- defer sharing violations
- ea support
- nt acl support
- nt pipe support
- profile acls
- map acl inherit
- afs share
- max ttl
- client use spnego
- enable asu support
- svcctl list
- block size
- change notify timeout
- deadtime
- getwd cache
- keepalive
- kernel change notify
- lpq cache time
- max smbd processes
- max disk size
- max open files
- min print space
- strict allocate
- sync always
- use mmap
- use sendfile
- hostname lookups
- write cache size
- name cache timeout
- max reported print jobs
- load printers
- printcap cache time
- printcap name
- printcap
- printing
- cups options
- cups server
- iprint server
- print command
- disable spoolss
- enable spoolss
- lpq command
- lprm command
- lppause command
- lpresume command
- queuepause command
- queueresume command
- enumports command
- addprinter command
- deleteprinter command
- show add printer wizard
- os2 driver map
- use client driver
- default devmode
- force printername
- mangling method
- mangle prefix
- default case
- case sensitive
- casesignames
- preserve case
- short preserve case
- mangling char
- hide dot files
- hide special files
- hide unreadable
- hide unwriteable files
- delete veto files
- veto files
- hide files
- veto oplock files
- map readonly
- mangled names
- mangled map
- max stat cache size
- stat cache
- store dos attributes
- machine password timeout
- add user script
- rename user script
- delete user script
- add group script
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- add machine script
- shutdown script
- abort shutdown script
- username map script
- logon script
- logon path
- logon drive
- logon home
- domain logons
- os level
- lm announce
- lm interval
- domain master
- browse list
- enhanced browsing
- dns proxy
- wins proxy
- wins hook
- wins partners
- blocking locks
- fake oplocks
- kernel oplocks
- locking
- lock spin count
- lock spin time
- oplocks
- level2 oplocks
- oplock break wait time
- oplock contention limit
- posix locking
- share modes
- ldap server
- ldap port
- ldap admin dn
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap passwd sync
- ldap password sync
- ldap replication sleep
- ldap suffix
- ldap ssl
- ldap timeout
- ldap page size
- ldap user suffix
- add share command
- change share command
- delete share command
- eventlog list
- utmp directory
- wtmp directory
- utmp
- default service
- default
- message command
- dfree cache time
- dfree command
- get quota command
- set quota command
- remote announce
- remote browse sync
- homedir map
- afs username map
- afs token lifetime
- log nt token command
- time offset
- NIS homedir
- preexec
- exec
- preexec close
- postexec
- root preexec
- root preexec close
- root postexec
- set directory
- wide links
- follow symlinks
- dont descend
- magic script
- magic output
- delete readonly
- dos filemode
- dos filetimes
- dos filetime resolution
- fake directory create times
- panic action
- vfs objects
- vfs object
- msdfs root
- msdfs proxy
- host msdfs
- enable rid algorithm
- passdb expand explicit
- idmap backend
- idmap uid
- winbind uid
- idmap gid
- winbind gid
- template homedir
- template shell
- winbind separator
- winbind cache time
- winbind enum users
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
- winbind nss info
 
The following parameters have been added:
+ rpc big endian (G)
        Make Samba fake it is running on a bigendian machine when using DCE/RPC. 
        Useful for debugging.

        Default: no

+ case insensitive filesystem (S)
        Set to true if this share is located on a case-insensitive filesystem.
        This disables looking for a filename by trying all possible combinations of 
        uppercase/lowercase characters and thus speeds up operations when a 
        file cannot be found. 

        Default: no
        
+ js include (G)
        Path to JavaScript library. 

        Default: Set at compile-time
        
+ setup directory
        Path to data used by provisioning script.

        Default: Set at compile-time
        
+ ncalrpc dir
        Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

        Default: Set at compile-time
        
+ ntvfs handler
        Backend to the NT VFS to use (more then one can be specified). Available
        backends include: 
        
        - posix:
                Maps POSIX FS semantics to NT semantics

        - simple:
                Very simple backend (original testing backend).

        - unixuid:
                Sets up user credentials based on POSIX gid/uid.

        - cifs:
                Proxies a remote CIFS FS. Mainly useful for testing.

        - nbench:
                Filter module that saves data useful to the nbench benchmark suite.

        - ipc:
                Allows using SMB for inter process communication. Only used for 
                the IPC$ share.

        - print:
                Allows printing over SMB. This is LANMAN-style printing (?), not 
                the be confused with the spoolss DCE/RPC interface used by later 
                versions of Windows.
        
        Default: unixuid default

+ ntptr providor
        FIXME

+ dcerpc endpoint servers
        What DCE/RPC servers to start.

        Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

+ server services
        Services Samba should provide.

        Default: smb rpc nbt wrepl ldap cldap web kdc

+ sam database
        Location of the SAM (account database) database. This should be a 
        LDB URL.

        Default: set at compile-time

+ spoolss database
        Spoolss (printer) DCE/RPC server database. This should be a LDB URL.

        Default: set at compile-time

+ wins config database
        WINS configuration database location. This should be a LDB URL.

        Default: set at compile-time
        
+ wins database
        WINS database location. This should be a LDB URL.

        Default: set at compile-time
        
+ client use spnego principal
        Tells the client to use the Kerberos service principal specified by the 
        server during the security protocol negotation rather then 
        looking up the principal itself (cifs/hostname).

        Default: false

+ nbt port
        TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.
 
        Default: 137

+ dgram port
        UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.
        
        Default: 138

+ cldap port
        UDP/IP port used by the CLDAP protocol.

        Default: 389

+ krb5 port
        IP port used by the kerberos KDC.       
        
        Default: 88
        
+ kpasswd port
        IP port used by the kerberos password change protocol.

        Default: 464
        
+ web port
        TCP/IP port SWAT should listen on.

        Default: 901

+ tls enabled
        Enable TLS support for SWAT
        
        Default: true
        
+ tls keyfile
        Path to TLS key file (PEM format) to be used by SWAT. If no 
        path is specified, Samba will create a key.

        Default: none

+ tls certfile
        Path to TLS certificate file (PEM format) to be used by SWAT. If no 
        path is specified, Samba will create a certificate.

        Default: none
        
+ tls cafile
        Path to CA authority file Samba will use to sign TLS keys it generates. If 
        no path is specified, Samba will create a self-signed CA certificate.

        Default: none

+ tls crlfile
        Path to TLS certificate revocation lists file.

        Default: none

+ swat directory
        SWAT data directory.

        Default: set at compile-time

+ large readwrite
        Indicate the CIFS server is able to do large reads/writes.

        Default: true
        
+ unicode
        Enable/disable unicode support in the protocol.

        Default: true