This file aims to document the major changes since the latest released version of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems and uses a different internal format for most data. Since this file is an initial draft, please update missing items. One of the main goals of Samba 4 was Active Directory Domain Controller support. This means Samba now implements several protocols that are required by AD such as Kerberos and DNS. An (experimental) upgrade script that performs a one-way upgrade from Samba 3 is available in source/setup/upgrade. Removal of nmbd and introduction of process models ================================================== smbd now implements several network protocols other than just CIFS and DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports various 'process models' that specify how concurrent connections are handled (when to fork, use threads, etc). Introduction of LDB =================== Samba now stores most of its persistent data in a LDAP-like database called LDB (see ldb(7) for more info). Removed SWAT ================== Unlike previous versions, Samba4 does not provide a web interface at this time. Built-in KDC ============ Samba4 ships with an integrated KDC (Kerberos Key Distribution Center). Backed directly onto our main internal database, and integrated with custom code to handle the PAC, Samba4's KDC is an integral part of our support for AD logon protocols. Built-in LDAP Server ==================== Like the situation with the KDC, Samba4 ships with it's own LDAP server, included to provide simple, built-in LDAP services in an AD (rather than distinctly standards) matching manner. The database is LDB, and it shares that in common with the rest of Samba. Changed configuration options ============================= Several configuration options have been removed in Samba4 while others have been introduced. This section contains a summary of changes to smb.conf and where these settings moved. Configuration options that have disappeared may be re-added later when the functionality that uses them gets reimplemented in Samba 4. The 'security' parameter has been split up. It is now only used to choose between the 'user' and 'share' security levels (the latter is not supported in Samba 4 yet). The other values of this option and the 'domain master' and 'domain logons' parameters have been merged into a 'server role' parameter that can be either 'domain controller', 'member server' or 'standalone'. Note that member server support does not work yet. The following parameters have been removed: - passdb backend: accounts are now stored in a LDB-based SAM database, see 'sam database' below. - update encrypted - public - guest ok - client schannel - server schannel - allow trusted domains - hosts equiv - map to guest - smb passwd file - algorithmic rid base - root directory - root dir - root - guest account - enable privileges - pam password change - passwd program - passwd chat debug - passwd chat timeout - check password script - username map - username level - unix password sync - restrict anonymous - username - user - users - invalid users - valid users - admin users - read list - write list - printer admin - force user - force group - group - write ok - writeable - writable - acl check permissions - acl group control - acl map full control - create mask - create mode - force create mode - security mask - force security mode - directory mask - directory mode - force directory mode - directory security mask - force directory security mode - force unknown acl user - inherit permissions - inherit acls - inherit owner - guest only - only guest - only user - allow hosts - deny hosts - preload modules - use kerberos keytab - syslog - syslog only - max log size - debug timestamp - timestamp logs - debug hires timestamp - debug pid - debug uid - allocation roundup size - aio read size - aio write size - aio write behind - large readwrite - protocol - read bmpx - reset on zero vc - acl compatibility - defer sharing violations - ea support - nt acl support - nt pipe support - profile acls - map acl inherit - afs share - max ttl - client use spnego - enable asu support - svcctl list - block size - change notify timeout - deadtime - getwd cache - keepalive - kernel change notify - lpq cache time - max smbd processes - max disk size - max open files - min print space - strict allocate - sync always - use mmap - use sendfile - hostname lookups - write cache size - name cache timeout - max reported print jobs - load printers - printcap cache time - printcap name - printcap - printing - cups options - cups server - iprint server - print command - disable spoolss - enable spoolss - lpq command - lprm command - lppause command - lpresume command - queuepause command - queueresume command - enumports command - addprinter command - deleteprinter command - show add printer wizard - os2 driver map - use client driver - default devmode - force printername - mangling method - mangle prefix - default case - case sensitive - casesignames - preserve case - short preserve case - mangling char - hide dot files - hide special files - hide unreadable - hide unwriteable files - delete veto files - veto files - hide files - veto oplock files - map readonly - mangled names - mangled map - max stat cache size - stat cache - store dos attributes - machine password timeout - add user script - rename user script - delete user script - add group script - delete group script - add user to group script - delete user from group script - set primary group script - add machine script - shutdown script - abort shutdown script - username map script - logon script - logon path - logon drive - logon home - domain logons - os level - lm announce - lm interval - domain master - browse list - enhanced browsing - wins proxy - wins hook - wins partners - blocking locks - fake oplocks - kernel oplocks - locking - lock spin count - lock spin time - level2 oplocks - oplock break wait time - oplock contention limit - posix locking - share modes - ldap server - ldap port - ldap admin dn - ldap delete dn - ldap group suffix - ldap idmap suffix - ldap machine suffix - ldap passwd sync - ldap password sync - ldap replication sleep - ldap suffix - ldap ssl - ldap timeout - ldap page size - ldap user suffix - add share command - change share command - delete share command - eventlog list - utmp directory - wtmp directory - utmp - default service - default - message command - dfree cache time - dfree command - get quota command - set quota command - remote announce - remote browse sync - homedir map - afs username map - afs token lifetime - log nt token command - time offset - NIS homedir - preexec - exec - preexec close - postexec - root preexec - root preexec close - root postexec - set directory - wide links - follow symlinks - dont descend - magic script - magic output - delete readonly - dos filemode - dos filetimes - dos filetime resolution - fake directory create times - panic action - vfs objects - vfs object - msdfs root - msdfs proxy - host msdfs - enable rid algorithm - passdb expand explicit - idmap backend - idmap uid - winbind uid - idmap gid - winbind gid - template homedir - template shell - winbind separator - winbind cache time - winbind enum users - winbind enum groups - winbind use default domain - winbind trusted domains only - winbind nested groups - winbind max idle children - winbind nss info The following parameters have been added: + rpc big endian (G) Make Samba fake it is running on a bigendian machine when using DCE/RPC. Useful for debugging. Default: no + case insensitive filesystem (S) Set to true if this share is located on a case-insensitive filesystem. This disables looking for a filename by trying all possible combinations of uppercase/lowercase characters and thus speeds up operations when a file cannot be found. Default: no + setup directory Path to data used by provisioning script. Default: Set at compile-time + ncalrpc dir Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport. Default: Set at compile-time + ntvfs handler Backend to the NT VFS to use (more than one can be specified). Available backends include: - posix: Maps POSIX FS semantics to NT semantics - simple: Very simple backend (original testing backend). - unixuid: Sets up user credentials based on POSIX gid/uid. - cifs: Proxies a remote CIFS FS. Mainly useful for testing. - nbench: Filter module that saves data useful to the nbench benchmark suite. - ipc: Allows using SMB for inter process communication. Only used for the IPC$ share. - print: Allows printing over SMB. This is LANMAN-style printing (?), not the be confused with the spoolss DCE/RPC interface used by later versions of Windows. Default: unixuid default + ntptr providor FIXME + dcerpc endpoint servers What DCE/RPC servers to start. Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup + server services Services Samba should provide. Default: smb rpc nbt wrepl ldap cldap web kdc + sam database Location of the SAM (account database) database. This should be a LDB URL. Default: set at compile-time + spoolss database Spoolss (printer) DCE/RPC server database. This should be a LDB URL. Default: set at compile-time + wins config database WINS configuration database location. This should be a LDB URL. Default: set at compile-time + wins database WINS database location. This should be a LDB URL. Default: set at compile-time + client use spnego principal Tells the client to use the Kerberos service principal specified by the server during the security protocol negotation rather than looking up the principal itself (cifs/hostname). Default: false + nbt port TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation. Default: 137 + dgram port UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation. Default: 138 + cldap port UDP/IP port used by the CLDAP protocol. Default: 389 + krb5 port IP port used by the kerberos KDC. Default: 88 + kpasswd port IP port used by the kerberos password change protocol. Default: 464 + web port TCP/IP port SWAT should listen on. Default: 901 + tls enabled Enable TLS support for SWAT Default: true + tls keyfile Path to TLS key file (PEM format) to be used by SWAT. If no path is specified, Samba will create a key. Default: none + tls certfile Path to TLS certificate file (PEM format) to be used by SWAT. If no path is specified, Samba will create a certificate. Default: none + tls cafile Path to CA authority file Samba will use to sign TLS keys it generates. If no path is specified, Samba will create a self-signed CA certificate. Default: none + tls crlfile Path to TLS certificate revocation lists file. Default: none + swat directory SWAT data directory. Default: set at compile-time + large readwrite Indicate the CIFS server is able to do large reads/writes. Default: true + unicode Enable/disable unicode support in the protocol. Default: true