1 WHATS NEW IN Samba 3.0.0 RC2
3 ==============================
5 This is the second release candidate snapshot of Samba 3.0.0. A release
6 candidate implies that the code is very close to a final release, remember
7 that this is still a non-production release intended for testing purposes.
10 The purpose of this release candidate is to get wider testing of the major
11 new pieces of code in the current Samba 3.0 development tree.
12 Please refer to the section on "Known Issues" for more details.
18 1) Active Directory support. Samba 3.0 is now able to
19 join a ADS realm as a member server and authenticate
20 users using LDAP/Kerberos.
22 2) Unicode support. Samba will now negotiate UNICODE on the wire and
23 internally there is now a much better infrastructure for multi-byte
24 and UNICODE character sets.
26 3) New authentication system. The internal authentication system has
27 been almost completely rewritten. Most of the changes are internal,
28 but the new auth system is also very configurable.
30 4) New default filename mangling system.
32 5) A new "net" command has been added. It is somewhat similar to
33 the "net" command in windows. Eventually we plan to replace
34 numerous other utilities (such as smbpasswd) with subcommands
37 6) Samba now negotiates NT-style status32 codes on the wire. This
38 improves error handling a lot.
40 7) Better Windows 2000/XP/2003 printing support including publishing
41 printer attributes in active directory.
43 8) New loadable RPC modules.
45 9) New default dual-daemon winbindd support for better performance.
47 10) Support for migrating from a Windows NT 4.0 domain to a Samba
48 domain and maintaining user, group and domain SIDs.
50 11) Support for establishing trust relationships with Windows NT 4.0
53 12) Initial support for a distributed Winbind architecture using
54 an LDAP directory for storing SID to uid/gid mappings.
56 13) Major updates to the Samba documentation tree.
58 14) Full support for client and server SMB signing to ensure
59 compatibility with default Windows 2003 security settings.
61 Plus lots of other improvements!
64 Additional Documentation
65 ------------------------
67 Please refer to Samba documentation tree (included in the docs/
68 subdirectory) for extensive explanations of installing, configuring
69 and maintaining Samba 3.0 servers and clients. It is advised to
70 begin with the Samba-HOWTO-Collection for overviews and specific
71 tasks (the current book is up to approximately 400 pages) and to
72 refer to the various man pages for information on individual options.
75 ######################################################################
79 Please refer to the CVS log for the SAMBA_3_0 branch for complete
82 1) Add levels 261 and 262 to search. Found using Samba4 tester.
83 2) Correct bad errot return code in session setup reply
84 3) Fix bug where smbd returned DOS error codes from SMBsearch
85 even when NT1 protocol was negotiated.
86 4) Implement SMBxit properly.
87 5) Return group lists from a Samba PDC to a Windows 9x/ME box
88 in implementing user level access control (bug 314).
89 6) Prevent SWAT from crashing when adding shares (bug 254)
90 7) Fix various documentation issues (bugs 304 & 214)
91 8) Fix wins server listing in SWAT (bug 197)
92 9) Fix problem in rpcclient that caused enumerating printer
93 drivers to report failure (bug 294).
94 10) Use kerberos 5 authentication in our client code whenever possible
95 11) Fix schannel bug that caused Active Directory DC's to downgrade our
96 machine account to an NT member.
97 12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252).
98 13) Implement automatic generation of include/version.h
99 14) Include initial version of smbldap-tool scripts for the Samba
101 15) Implement numerous fixes for multi-byte character strings.
102 16) Enable unix extensions by default.
103 17) Make sure we set the sid type when falling back to the rid
105 18) Correct linking problems with pam_smbpass (bug 327).
106 19) Add SYSV defines for Irix and Solaris to ensure the 'printing'
107 parameter default to the correct value (bug 230)
108 20) Fix recusion bug in alloc_string+sub() (bug 289, et. al.)
109 21) Ensure that 'make install' includes the static and shared
110 versions of the libsmbclient libraries.
111 22) Add CP850 and CP437 internal character set support (bug 150).
112 23) Add support to examples/LDAP/convertSambaAccuont for generating
113 LDIF modify files instaed of just add (303).
114 24) Fix support for -W option in smbclient (bug 39)
115 25) Remove 'ldap trust ids' parameter since it could not be supported
116 by the current architecture.
117 26) Don't crash when no argument is given to -T in smbclient (bug 345).
118 27) Ensure smbadduser contains the same paths for the smbpasswd file
119 as the other Samba tools (bug 290).
120 28) Port of 'avalable = no' fix for [homes] from SAMBA_2_2 cvs tree.
121 29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the
122 modified printer is written to disk.
123 30) Force winbindd to preiodically update the trusted domain cache.
124 31) Remove outdate import/export script to convert an smbpasswd file
125 to and from and LDAP directory. Use the pdbedit tool instead.
130 Changes since 3.0beta3
131 ######################
133 1) Various memory leak fixes.
134 2) Provide full support for SMB signing (server and client)
135 3) Check for broken getgrouplist() in glibc.
136 4) Don't get stuck in an infinite loop listing directories
137 recursively if the server returns an empty directory name
139 5) Idle LDAP connections after 150 seconds.
140 6) Patched make uninstallmodules (bug 236).
141 7) Fix bug that caused smbd to return incomplete directory listings
142 when UNIX files contained MS wildcard characters.
143 8) Quiet default debug messages in command line tools.
144 9) Fixes to avoid panics on invalid multi-byte strings.
145 10) Fix error messages when creating a new smbpasswd file (bug 198).
146 11) Implemented better detection routines in autoconf scripts for
147 locating ads support on the host OS.
148 12) Fix bug that caused libraries in /usr/local/lib to be ignored
150 13) Ensure winbindd_ads uses the correct realm or domain name when
151 connecting to trusted DC.
152 14) Ensure a correct prototype is created for snprintf() (bug 187)
153 15) Stop files being created on read-only shares in some circumstances.
154 16) Fix wbinfo -p (bug 251)
155 17) Support schannel on any tcp/ip connection if necessary
156 18) Correct bug in user_in_list() so that it works with winbind groups
158 19) Ensure the schannel bind credentials default to the domain
159 of the destination host.
160 20) Default password expiration time in account_pol.tdb to never
161 expire. Remove any existing account_pol.tdb file to reset
162 the new default policy (bug 184).
163 21) Add buttons to SWAT to change the view of smb.conf (bug 212)
164 22) Fix incorrect checks that determine whether or not the 'add user
165 script' has been set.
166 23) More cleanup for internal character set conversions.
167 24) Fixes for multi-byte strings in stat cache code.
168 25) Ensure that the net command honors the 'workgroup' parameter
169 in smb.conf when not overridden from the command line.
170 26) Add gss-spnego support to the ntlm_auth tool.
171 27) Add vfs_default_quota VFS module.
172 28) Added server support for NT quota interfaces.
173 29) Prevent Krb5 replay attacks by adding a replay_cache.
174 30) Fix problems with winbindd and transitive trusts in AD domains.
175 31) Added -S to client tools for setting SMB signing options on the
177 32) Fix bug causing the 'passwd change program' to be called as the
178 connected user and not root.
179 33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
180 34) Support winbindd on FreeBSD is possible.
181 35) Look at only the first OID in the security blob sent in the session
182 setup request to determine the token type.
183 36) Only push locks onto a blocking lock queue if the posix lock failed with
184 EACCES or EAGAIN (this means another lock conflicts). Else return an
185 error and don't queue the request.
186 37) Fix command line argument processing for smbtar.
187 38) Correct issue that caused smbd to return generic unix_user.<uid>
189 39) Default to algorithmic mapping when generating a rid for a group
191 40) Expand %g and %G in logon script, profile path, etc... during
192 a domain logon (bug 208).
193 41) Make sure smbclient obeys '-s <config>'
194 42) Added win2k3 shadow copy operations to VFS interface.
195 43) Allow connections to samba domain member as SERVER\user (don't
196 always default to DOMAIN\user).
197 44) Remove checks in winbindd that caused it to attempt to use
198 non-transitive trust relationships.
199 45) Remove delays in winbindd caused by invalid DNS lookups.
200 46) Fix supplementary group memberships on systems with slightly
201 broken NSS implementations (bug 267).
202 47) Correct issue that prevented smbclient from viewing shares on
203 a win2k server when using a non-anonymous connection (bug 284).
204 48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like
205 'wbinfo -u' to a single domain. The '.' character represents
207 49) Fix group enumeration bug when using an LDAP directory for
208 storing group mappings.
209 50) Default to use NTLMv2 if available. Fallback to not use LM/NTLM
210 when the extended security capability bit is not set.
211 51) Fix crash in 'wbinfo -a' when using extended characters in the
213 52) Fix multi-byte strupper() panics (bug 205).
214 53) Add vfs_readonly VFS module.
215 54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
216 attributes when using 'idmap backend = ldap' (bug 280).
217 55) Make sure that UNIX users shared between a Samba PDC and member
218 samba server are seen as domain users and not local users on the
220 56) Fix Query FS Info level 2.
221 57) Allow enumeration of users and groups by win9x "file server" (bug
223 58) Create symlinks during install for modules that support mutliple
225 59) More iconv detection fixes.
226 60) Fix path length error in vfs_recycle module (bug 291).
227 61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
228 (server DsRoleGetPrimaryDomainInfo() is currently disabled).
229 62) Fix SMBseek and get/set position calls.
230 62) Fix SetFileInfo level 1.
231 63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
235 Changes since 3.0beta2
236 ######################
238 1) Added fix for Japanese case names in statcache code;
239 these can change size on upper casing.
240 2) Correct issues with iconv detection in configure script
241 (support needed to find iconv libraries on FreeBSD).
242 3) Fix bug that caused a WINS server to be marked as dead
243 incorrectly (bug #190).
244 4) Removing additional deadlocks conditions that prevented
245 winbindd from running on a Samba PDC (used for trust
247 5) Add support for searching for Active Directory for
248 published printers (net ads printer search).
249 6) Separate UNIX username from DOMAIN\username in pipe
251 7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
252 for cases that they cannot handle.
253 8) Flush winbindd connection cache when the machine trust account
254 password is changed while a connection is open (bug #200).
255 9) Add support for 'OSVersion' server printer data string
256 (corrects problem with uploading printer drivers from
258 10) Numerous memory leak fixes.
259 11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
260 - Store domain SID in LDAP directory.
261 - store idmap information in existing entries (use sambaSID=...
262 if adding a new entry).
263 12) Fix incorrect usage of primary group SID when looking up user
265 13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
266 winbind_XXX and local_XXX calls used in 2.2.
267 14) All uid/gid allocation must involve winbindd now (we do not
268 attempt to map unknown SIDs to a UNIX identify).
269 15) Add 'winbind trusted domains only' parameter to force a domain
270 member. The server to use matching users names from /etc/passwd
271 for its domain (needed for domain member of a Samba domain).
272 16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
274 17) Add support for multi-byte statcache code (bug #185)
275 18) Fix open mode race condition.
276 19) Implement winbindd local account management functions. Refer to
277 the "Winbind Changes" section for details.
278 20) Move RID allocation functions into idmap backend.
279 21) Fix parsing error that prevented publishing printers from a
280 Samba server in an AD domain.
281 22) Revive NTLMSSP support for named pipes.
282 23) More SCHANNEL fixes.
283 24) Correct SMB signing with NTLMSSP.
284 25) Fix coherency bug in print handle/printer object caching code
285 that could cause XP clients to infinitely loop while updating
286 their local printer cache.
287 26) Make winbindd use its dual-daemon mode by default (use -Y to
288 start as a single process).
289 27) Add support to nmbd and winbindd for 'smbcontrol <pid>
291 28) Correct problem with smbtar when dealing with files > 8Gb
296 Changes since 3.0beta1
297 ######################
299 1) Rework our smb signing code again, this factors out some of
300 the common MAC calculation code, and now supports multiple
301 outstanding packets (bug #40).
302 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
304 3) Correct timestamp problem on 64-bit machines (bug #140).
305 4) Add extra debugging statements to winbindd for tracking down
307 5) Fix bug when aliased 'winbind uid/gid' parameters are used.
308 ('winbind uid/gid' are now replaced with 'idmap uid/gid').
309 6) Added an auth flag that indicates if we should be allowed
310 to fall back to NTLMSSP for SASL if krb5 fails.
311 7) Fixed the bug that forced us not to use the winbindd cache when
312 we have a primary ADS domain and a secondary (trusted) NT4
314 8) Use lp_realm() to find the default realm for 'net ads password'.
315 9) Removed editreg from standard build until it is portable..
316 10) Fix domain membership for servers not running winbindd.
317 11) Correct race condition in determining the high water mark
318 in the idmap backend (bug #181).
319 12) Set the user's primary unix group from usrmgr.exe (partial
321 13) Show comments when doing 'net group -l' (bug #3).
322 14) Add trivial extension to 'net' to dump current local idmap
323 and restore mappings as well.
324 15) Modify 'net rpc vampire' to add new and existing users to
325 both the idmap and the SAM. This code needs further testing.
326 16) Fix crash bug in ADS searches.
327 17) Build libnss_wins.so as part of nsswitch target (bug #160).
328 18) Make net rpc vampire return an error if the sam sync RPC
330 19) Fail to join an NT 4 domain as a BDC if a workstation account
331 using our name exists.
332 20) Fix various memory leaks in server and client code
333 21) Remove the short option to --set-auth-user for wbinfo (-A) to
334 prevent confusion with the -a option (bug #158).
335 22) Added new 'map acl inherit' parameter.
336 23) Removed unused 'privileges' code from group mapping database.
337 24) Don't segfault on empty passdb backend list (bug #136).
338 25) Fixed acl sorting algorithm for Windows 2000 clients.
339 26) Replace universal group cache with netsamlogon_cache
340 from APPLIANCE_HEAD branch.
341 27) Fix autoconf detection issues surrounding --with-ads=yes
342 but no Krb5 header files installed (bug #152).
343 28) Add LDAP lookup for domain sequence number in case we are
344 joined using NT4 protocols to a native mode AD domain.
345 29) Fix backend method selection for trusted NT 4 (or 2k
347 30) Fixed bug that caused us to enumerate domain local groups
348 from native mode AD domains other than our own.
349 31) Correct group enumeration for viewing in the Windows
350 security tab (bug #110).
351 32) Consolidate the DC location code.
352 33) Moved 'ads server' functionality into 'password server' for
353 backwards compatibility.
354 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
355 ( if you installed beta1, be sure to
356 'mv idmap.tdb winbindd_idmap.tdb' ).
357 35) Fix pdb_ldap segfaults, and wrong default values for
359 36) Enable negative connection cache for winbindd's ADS backend
361 37) Enable address caching for active directory DC's so we don't
362 have to hit DNS so much.
363 38) Fix bug in idmap code that caused mapping to randomly be
365 39) Add tdb locking code to prevent race condition when adding a
366 new mapping to idmap.
367 40) Fix 'map to guest = bad user' when acting as a PDC supporting
369 41) Prevent deadlock issues when running winbindd on a Samba PDC
370 to handle allocating uids & gids for trusted users and groups
371 42) added LOCALE patch from Steve Langasek (bug #122).
372 43) Add the 'guest' passdb backend automatically to the end of
373 the 'passdb backend' list if 'guest account' has a valid
375 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
376 handle our local names (or domain name if we are a PDC).
377 Move existing permissive 'sam' method to 'sam_ignoredomain'
378 and make 'samstrict' the new default 'sam' auth method.
379 45) Match Windows NT4/2k behavior when authenticating a user with
380 and unknown domain (default to our domain if we are a DC or
381 domain member; default to our local name if we are a
383 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
384 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
385 47) Fix the trustdom_cache code to update the list of trusted
386 domains when operating as a domain member and not using
388 48) Remove 'nisplussam' passdb backend since it has suffered for
389 too long without a maintainer.
394 ######################################################################
395 Upgrading from a previous Samba 3.0 beta
396 ########################################
398 Beginning with Samba 3.0.0beta3, the RID allocation functions
399 have been moved into winbindd. Previously these were handled
400 by each passdb backend. This means that winbindd must be running
401 to automatically allocate RIDs for users and/or groups. Otherwise,
402 smbd will use the 2.2 algorithm for generating new RIDs.
404 If you are using 'passdb backend = tdbsam' with a previous Samba
405 3.0 beta release (or possibly alpha), it may be necessary to
406 move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
407 to winbindd_idmap.tdb. To do this:
409 1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
411 2) build tdbtool by executing 'make tdbtool' in the source/tdb/
413 3) run: (note that 'tdb>' is the tool's prompt for input)
415 root# ./tdbtool /usr/local/samba/private/passdb.tdb
416 tdb> show RID_COUNTER
420 [000] 0A 52 00 00 .R.
422 tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
426 If you are using 'passdb backend = ldapsam', it will be necessary to
427 store idmap entries in the LDAP directory as well (i.e. idmap backend
428 = ldap). Refer to the 'net idmap' command for more information on
429 migrating SID<->UNIX id mappings from one backend to another.
431 If the RID_COUNTER record does not exist, then these instructions are
432 unneccessary and the new RID_COUNTER record will be correctly generated
437 ########################
438 Upgrading from Samba 2.2
439 ########################
441 This section is provided to help administrators understand the details
442 involved with upgrading a Samba 2.2 server to Samba 3.0.
448 Many of the options to the GNU autoconf script have been modified
449 in the 3.0 release. The most noticeable are:
451 * removal of --with-tdbsam (is now included by default; see section
452 on passdb backends and authentication for more details)
454 * --with-ldapsam is now on used to provided backward compatible
455 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
456 backend and authentication section for more details
458 * inclusion of non-standard passdb modules may be enabled using
459 --with-expsam. This includes an XML backend and a mysql backend.
461 * removal of --with-msdfs (is now enabled by default)
463 * removal of --with-ssl (no longer supported)
465 * --with-utmp now defaults to 'yes' on supported systems
467 * --with-sendfile-support is now enabled by default on supported
474 This section contains a brief listing of changes to smb.conf options
475 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
476 complete descriptions of new or modified parameters.
478 Removed Parameters (order alphabetically):
481 * alternate permissions
484 * code page directory
488 * force unknown acl user
492 * printer driver file
493 * printer driver location
500 New Parameters (new parameters have been grouped by function):
504 * abort shutdown script
507 User and Group Account Management
508 ---------------------------------
511 * add user to group script
512 * algorithmic rid base
513 * delete group script
514 * delete user from group script
516 * set primary group script
532 * paranoid server security
542 * hide unwriteable files
544 * kernel change notify
554 * max reported print jobs
556 UNICODE and Character Sets
557 --------------------------
563 SID to uid/gid Mappings
564 -----------------------
568 * winbind enable local accounts
569 * winbind trusted domains only
570 * template primary group
571 * enable rid algorithm
578 * ldap machine suffix
582 General Configuration
583 ---------------------
587 Modified Parameters (changes in behavior):
589 * encrypt passwords (enabled by default)
590 * mangling method (set to 'hash2' by default)
593 * restrict anonymous (integer value)
594 * security (new 'ads' value)
595 * strict locking (enabled by default)
596 * unix extensions (enabled by default)
597 * winbind cache time (increased to 5 minutes)
598 * winbind uid (deprecated in favor of 'idmap uid')
599 * winbind gid (deprecated in favor of 'idmap gid')
605 This section contains brief descriptions of any new databases
606 introduced in Samba 3.0. Please remember to backup your existing
607 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
608 upgrade databases as they are opened (if necessary), but downgrading
609 from 3.0 to 2.2 is an unsupported path.
611 Name Description Backup?
612 ---- ----------- -------
613 account_policy User policy settings yes
614 gencache Generic caching db no
615 group_mapping Mapping table from Windows yes
616 groups/SID to unix groups
617 winbindd_idmap ID map table from SIDS to UNIX yes
619 namecache Name resolution cache entries no
620 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
621 returned as part of a successful
622 net_sam_logon request
623 printing/*.tdb Cached output from 'lpq no
624 command' created on a per print
626 registry Read-only samba registry skeleton no
627 that provides support for exporting
628 various db tables via the winreg RPCs
634 The following issues are known changes in behavior between Samba 2.2 and
635 Samba 3.0 that may affect certain installations of Samba.
637 1) When operating as a member of a Windows domain, Samba 2.2 would
638 map any users authenticated by the remote DC to the 'guest account'
639 if a uid could not be obtained via the getpwnam() call. Samba 3.0
640 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
641 current work around to re-establish the 2.2 behavior.
643 2) When adding machines to a Samba 2.2 controlled domain, the
644 'add user script' was used to create the UNIX identity of the
645 machine trust account. Samba 3.0 introduces a new 'add machine
646 script' that must be specified for this purpose. Samba 3.0 will
647 not fall back to using the 'add user script' in the absence of
648 an 'add machine script'
651 ######################################################################
652 Passdb Backends and Authentication
653 ##################################
655 There have been a few new changes that Samba administrators should be
656 aware of when moving to Samba 3.0.
658 1) encrypted passwords have been enabled by default in order to
659 inter-operate better with out-of-the-box Windows client
660 installations. This does mean that either (a) a samba account
661 must be created for each user, or (b) 'encrypt passwords = no'
662 must be explicitly defined in smb.conf.
664 2) Inclusion of new 'security = ads' option for integration
665 with an Active Directory domain using the native Windows
666 Kerberos 5 and LDAP protocols.
668 MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
669 type which is neccessary for servers on which the
670 administrator password has not been changed, or kerberos-enabled
671 SMB connections to servers that require Kerberos SMB signing.
672 Besides this one difference, either MIT or Heimdal Kerberos
673 distributions are usable by Samba 3.0.
676 Samba 3.0 also includes the possibility of setting up chains
677 of authentication methods (auth methods) and account storage
678 backends (passdb backend). Please refer to the smb.conf(5)
679 man page for details. While both parameters assume sane default
680 values, it is likely that you will need to understand what the
681 values actually mean in order to ensure Samba operates correctly.
683 The recommended passdb backends at this time are
685 * smbpasswd - 2.2 compatible flat file format
686 * tdbsam - attribute rich database intended as an smbpasswd
687 replacement for stand alone servers
688 * ldapsam - attribute rich account storage and retrieval
689 backend utilizing an LDAP directory.
690 * ldapsam_compat - a 2.2 backward compatible LDAP account
693 Certain functions of the smbpasswd(8) tool have been split between the
694 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
695 utility. See the respective man pages for details.
698 ######################################################################
702 This section outlines the new features affecting Samba / LDAP
708 A new object class (sambaSamAccount) has been introduced to replace
709 the old sambaAccount. This change aids us in the renaming of attributes
710 to prevent clashes with attributes from other vendors. There is a
711 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
712 file to the new schema.
716 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
717 $ convertSambaAccount <DOM SID> old.ldif new.ldif
719 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
720 on the Samba PDC as root.
722 The old sambaAccount schema may still be used by specifying the
723 "ldapsam_compat" passdb backend. However, the sambaAccount and
724 associated attributes have been moved to the historical section of
725 the schema file and must be uncommented before use if needed.
726 The 2.2 object class declaration for a sambaAccount has not changed
727 in the 3.0 samba.schema file.
729 Other new object classes and their uses include:
731 * sambaDomain - domain information used to allocate rids
732 for users and groups as necessary. The attributes are added
733 in 'ldap suffix' directory entry automatically if
734 an idmap uid/gid range has been set and the 'ldapsam'
735 passdb backend has been selected.
737 * sambaGroupMapping - an object representing the
738 relationship between a posixGroup and a Windows
739 group/SID. These entries are stored in the 'ldap
740 group suffix' and managed by the 'net groupmap' command.
742 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
743 automatically and contains the next available 'idmap uid' and
746 * sambaIdmapEntry - object storing a mapping between a
747 SID and a UNIX uid/gid. These objects are created by the
748 idmap_ldap module as needed.
750 * sambaSidEntry - object representing a SID alone, as a Structural
751 class on which to build the sambaIdmapEntry.
754 New Suffix for Searching
755 ------------------------
757 The following new smb.conf parameters have been added to aid in directing
758 certain LDAP queries when 'passdb backend = ldapsam://...' has been
761 * ldap suffix - used to search for user and computer accounts
762 * ldap user suffix - used to store user accounts
763 * ldap machine suffix - used to store machine trust accounts
764 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
765 * ldap idmap suffix - location of sambaIdmapEntry objects
767 If an 'ldap suffix' is defined, it will be appended to all of the
768 remaining sub-suffix parameters. In this case, the order of the suffix
769 listings in smb.conf is important. Always place the 'ldap suffix' first
772 Due to a limitation in Samba's smb.conf parsing, you should not surround
773 the DN's with quotation marks.
779 Samba 3.0 supports an ldap backend for the idmap subsystem. The
780 following options would inform Samba that the idmap table should be
781 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
786 idmap backend = ldap:ldap://onterose/
787 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
788 idmap uid = 40000-50000
789 idmap gid = 40000-50000
791 This configuration allows winbind installations on multiple servers to
792 share a uid/gid number space, thus avoiding the interoperability problems
793 with NFS that were present in Samba 2.2.
797 ######################################################################
798 Trust Relationships and a Samba Domain
799 ######################################
801 Samba 3.0.0beta2 is able to utilize winbindd as the means of
802 allocating uids and gids to trusted users and groups. More
803 information regarding Samba's support for establishing trust
804 relationships can be found in the Samba-HOWTO-Collection included
805 in the docs/ directory of this release.
807 First create your Samba PDC and ensure that everything is
808 working correctly before moving on the trusts.
810 To establish Samba as the trusting domain (named SAMBA) from a Windows NT
811 4.0 domain named WINDOWS:
813 1) create the trust account for SAMBA in "User Manager for Domains"
814 2) connect the trust from the Samba domain using
815 'net rpc trustdom establish GLASS'
817 To create a trustlationship with SAMBA as the trusted domain:
819 1) create the initial trust account for GLASS using
820 'smbpasswd -a -i GLASS'. You may need to create a UNIX
821 account for GLASS$ prior to this step (depending on your
822 local configuration).
823 2) connect the trust from a WINDOWS DC using "User Manager
826 Now join winbindd on the Samba PDC to the SAMBA domain using
827 the normal steps for adding a Samba server to an NT4 domain:
828 (note that smbd & nmbd must be running at this point)
830 root# net rpc join -U root
831 Password: <enter root password from smbpasswd file here>
833 Start winbindd and test the join with 'wbinfo -t'.
835 Now test the trust relationship by connecting to the SAMBA DC
836 (e.g. POGO) as a user from the WINDOWS domain:
838 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
841 Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
843 $ smbclient //crystal/netlogon -U root -W WINDOWS
846 ######################################################################
850 Beginning with Samba3.0.0beta3, winbindd has been given new account
851 manage functionality equivalent to the 'add user script' family of
852 smb.conf parameters. The idmap design has also been changed to
853 centralize control of foreign SID lookups and matching to UNIX
857 Brief Description of Changes
858 ----------------------------
860 1) The sid_to_uid() family of functions (smbd/uid.c) have been
861 reverted to the 2.2.x design. This means that when resolving a
862 SID to a UID or similar mapping:
864 a) First consult winbindd
865 b) perform a local lookup only if winbindd fails to
866 return a successful answer
868 There are some variations to this, but these two rules generally
871 2) All idmap lookups have been moved into winbindd. This means that
872 a server must run winbindd (and support NSS) in order to achieve
873 any mappings of SID to dynamically allocated UNIX ids. This was
874 a conscious design choice.
876 3) New functions have been added to winbindd to emulate the 'add user
877 script' family of smbd functions without requiring that external
878 scripts be defined. This functionality is controlled by the 'winbind
879 enable local accounts' smb.conf parameter (enabled by default).
881 However, this account management functionality is only supported
882 in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
883 must be shared among multiple Samba servers (such as a PDC and BDCs),
884 it will be necessary to define your own 'add user script', et. al.
885 programs that place the accounts/groups in some form of directory
886 such as NIS or LDAP. This requirement was deemed beyond the scope
887 of winbind's account management functions. Solutions for
888 distributing UNIX system information have been deployed and tested
889 for many years. We saw no need to reinvent the wheel.
891 4) A member of a Samba controlled domain running winbindd is now able
892 to map domain users directly onto existing UNIX accounts while still
893 automatically creating accounts for trusted users and groups. This
894 behavior is controlled by the 'winbind trusted domains only' smb.conf
895 parameter (disabled by default to provide 2.2.x winbind behavior).
897 5) Group mapping support is wrapped in the local_XX_to_XX() functions
898 in smbd/uid.c. The reason that group mappings are not included
899 in winbindd is because the purpose of Samba's group map is to
900 match any Windows SID with an existing UNIX group. These UNIX
901 groups can be created by winbindd (see next section), but the
902 SID<->gid mapping is retreived by smbd, not winbindd.
908 * security = server running winbindd to allocate accounts on demand
910 * Samba PDC running winbindd to handle the automatic creation of UNIX
911 identities for machine trust accounts
913 * Automtically creating UNIX user and groups when migrating a Windows NT
914 4.0 PDC to a Samba PDC. Winbindd must be running when executing
915 'net rpc vampire' for this to work.
918 ######################################################################
922 * The smbldap perl scripts for managing user entries in an LDAP
923 directory have not be updated to function with the Samba 3.0
924 schema changes. This (or an equivalent solution) work is planned
925 to be completed prior to the stable 3.0.0 release.
927 Please refer to https://bugzilla.samba.org/ for a current list of bugs
928 filed against the Samba 3.0 codebase.
931 ######################################################################
932 Reporting bugs & Development Discussion
933 #######################################
935 Please discuss this release on the samba-technical mailing list or by
936 joining the #samba-technical IRC channel on irc.freenode.net.
938 If you do report problems then please try to send high quality
939 feedback. If you don't provide vital information to help us track down
940 the problem then you will probably be ignored.
942 A new bugzilla installation has been established to help support the
943 Samba 3.0 community of users. This server, located at
944 https://bugzilla.samba.org/, will replace the existing jitterbug server
945 and the old http://bugs.samba.org now points to the new bugzilla server.