- WHATS NEW IN Samba 3.0.0 beta2
- July 1 2003
- ==============================
+ WHATS NEW IN Samba 3 SVN
+ ========================
-This is the second beta release of Samba 3.0.0. This is a
-non-production release intended for testing purposes. Use
-at your own risk.
-
-The purpose of this beta release is to get wider testing of the major
-new pieces of code in the current Samba 3.0 development tree. We have
-officially ceased development on the 2.2.x release of Samba and are
-concentrating on Samba 3.0. To reduce the time before the final
-Samba 3.0 release we need as many people as possible to start testing
-these beta releases, and to provide high quality feedback on what
-needs fixing.
-
-Samba 3.0 is feature complete. However there is still some final
-work to be done on certain pieces of functionality. Please refer to
-the section on "Known Issues" for more details.
-
-
-Major new features:
--------------------
-
-1) Active Directory support. This release is able to join a ADS realm
- as a member server and authenticate users using LDAP/kerberos.
-
-2) Unicode support. Samba will now negotiate UNICODE on the wire and
- internally there is now a much better infrastructure for multi-byte
- and UNICODE character sets.
-
-3) New authentication system. The internal authentication system has
- been almost completely rewritten. Most of the changes are internal,
- but the new auth system is also very configurable.
-
-4) New filename mangling system. The filename mangling system has been
- completely rewritten. An internal database now stores mangling maps
- persistently. This needs lots of testing.
-
-5) New "net" command. A new "net" command has been added. It is
- somewhat similar to the "net" command in windows. Eventually we
- plan to replace a bunch of other utilities (such as smbpasswd)
- with subcommands in "net", at the moment only a few things are
- implemented.
-
-6) Samba now negotiates NT-style status32 codes on the wire. This
- improves error handling a lot.
-
-7) Better Windows 2000/XP/2003 printing support including publishing
- printer attributes in active directory
-
-8) New loadable RPC modules
-
-9) New dual-daemon winbindd support (-B) for better performance
-
-10) Support for migrating from a Windows NT 4.0 domain to a Samba
- domain and maintaining user, group and domain SIDs
-
-11) Support for establishing trust relationships with Windows NT 4.0
- domain controllers
-
-12) Initial support for a distributed Winbind architecture using
- an LDAP directory for storing SID to uid/gid mappings
-
-13) Major updates to the Samba documentation tree.
-
-Plus lots of other improvements!
-
-
-Additional Documentation
-------------------------
-
-Please refer to Samba documentation tree (including in the docs/
-subdirectory) for extensive explanations of installing, configuring
-and maintaining Samba 3.0 servers and clients. It is advised to
-begin with the Samba-HOWTO-Collection for overviews and specific
-tasks (the current book is up to approximately 400 pages) and to
-refer to the various man pages for information on individual options.
-
-######################################################################
-Changes since 3.0beta1
-######################
-
-Please refer to the CVS log for the SAMBA_3_0 branch for complete
-details
-
-1) Rework our smb signing code again, this factors out some of
- the common MAC calcuation code, and now supports multiple
- outstanding packets (bug #40)
-2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
- ntlmv2 auth'
-3) Correct timestamp problem on 64-bit machines (bug #140)
-4) Add extra debugging staements to winbindd for tracking down
- failures
-5) Fix bug when aliased 'winbind uid/gid' parameters
-6) Added an auth flag that indicates if we should be allowed
- to fallback to NTLMSSP for SASL if krb5 fails
-7) Fixed the bug that forced us not to use the winbindd cache when
- we have a primary ADS domain and a secondary (trusted) NT4 domain.
-8) Use lp_realm() to find the default realm for 'net ads password'
-9) Removed editreg from standard build until it is portable.
-10) Fix domain membership for servers not running winbindd
-11) Correct race condition in determining the high water make
- in the idmap backend (bug #181)
-12) Set the user's primary unix group from usrmgr.exe (partial
- fix for bug #45)
-13) Show comments when doing 'net group -l' (bug #3)
-14) Add trivial extension to 'net' to dump current local idmap
- and restore mappings as well
-15) Modify 'net rpc vampire' to add new and existing users to
- both the idmap and the SAM.
-16) Fix crash bug in ADS searches
-17) Build libnss_wins.so as part of nsswitch target (bug #160)
-18) Make net rpc vampire return an error if the sam sync RPC
- returns an error
-19) Fail to join an NT 4 domain as a BDC if an workstation account
- using our name exists
-20) Fix various memory leaks in server and client code
-21) Remove the short option to --set-auth-user for wbinfo (-A) to
- prevent confusion with the -a option (bug #158)
-22) Added new 'map acl inheritence' parameter
-23) Removed unused 'privileges' code from group mapping database
-24) Don't segfault on empty passdb backend list (bug #136)
-25) Fixed acl sorting algorithm forWwindows 2000 clients
-26) Replace universal group cache with netsamlogon_cache
- from APPLIANCE_HEAD branch
-27) Fix autoconf detection issues surrounding --with-ads=yes
- but no Krb5 header files installed (bug #152)
-28) Add LDAP lookup for domain sequence number in case we are
- joined using NT4 protocols to a native mode AD domain
-29) Fix backend method selection for trusted NT 4 (or 2k
- mixed mode) domains
-30) Fixed bug that caused us to enuemrate dmain local groups
- from native mode AD domains other than our own
-31) Correct group enumeration for viewing in the Windows
- security tab (bug #110)
-32) Consolidate the DC location code
-33) Moved 'ads server' functionality into 'password server' for
- backwards compatibility
-34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
- ( if you installed beta1, be sure to
- 'mv idmap.tdb winbindd_idamap.tdb' )
-35) Fix pdb_ldap segfaults, and wrong default values for
- ldapsam_compat
-36) Enable negative connection cache for winbindd's ADS backend
- functions
-37) Enable address caching for active directory DC's so we don't
- have to hit DNS so much
-38) Fix bug in idmap code that caused mapping to randomly be
- redefined
-39) Add tdb locking code to prevent race condition when adding a
- new mapping to idmap
-40) Fix 'map to guest = bad user' when acting as a PDC supporting
- trust relationships
-41) Prevent deadlock issues when running winbindd on a Samba PDC
- to handle allocating uids & gids for trusted users and groups
-42) added LOCALE patch from Steve Langasek (bug #122)
-43) Add the 'guest' passdb backend automatically to the end of
- the 'passdb backend' list if 'guest account' has a valid
- username.
-44) Remove samstrict_dc auth method. Rework 'samstrict' to only
- handle our local names (or domain name if we are a PDC).
- Move existing permissive 'sam' method to 'sam_ignoredomain'
- and make 'samstrict' the new default 'sam' auth method.
-45) Match Windows NT4/2k behavior when authenticating a user with
- and unknown domain (default to our domain if we are a DC or
- domain member; default to our local name if we are a
- standalone server)
-46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
- 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
-47) Fix the trustdom_cache code to update the list of trusted
- domains when operating as a domain member and not using
- winbindd
-48) Remove 'nisplussam' passdb backend since it has suffered for
- too long without a maintainer
-
-
-
-
-######################################################################
-Upgrading from Samba 2.2
-########################
-
-This section is provided to help administrators understand the details
-involved with upgrading a Samba 2.2 server to Samba 3.0
-
-
-Building
---------
-
-Many of the options to the GNU autoconf script have been modified
-in the 3.0 release. The most noticeable are
-
- * removal of --with-tdbsam (is now included by default; see section
- on passdb backends and authentication for more details)
-
- * --with-ldapsam is now on used to provided backward compatible
- parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
- backend and authentication section for more details
-
- * inclusion of non-standard passdb modules may be enabled using
- --with-expsam. This includes an XML backend, a mysql backend,
- and a NIS backend.
-
- * removal of --with-msdfs (is now enabled by default)
-
- * removal of --with-ssl (no longer supported)
-
- * --with-utmp now defaults to 'yes' on supported systems
-
- * --with-sendfile-support is now enabled by default on supported
- systems
-
-
-Parameters
-----------
-
-This section contains a brief listing of changes to smb.conf options
-in the 3.0.0 release. Please refer to the smb.conf(5) man page for
-complete descriptions of new or modified parameters.
-
-Removed Parameters (order alphabetically):
-
- * admin log
- * alternate permissions
- * character set
- * client codepage
- * code page directory
- * coding system
- * domain admin group
- * domain guest group
- * force unknown acl user
- * nt smb support
- * post script
- * printer driver
- * printer driver file
- * printer driver location
- * status
- * total print jobs
- * use rhosts
- * valid chars
- * vfs options
-
-New Parameters (new parameters have been grouped by function):
-
- Remote management
- -----------------
- * abort shutdown script
- * shutdown script
-
- User and Group Account Management
- ---------------------------------
- * add group script
- * add machine script
- * add user to group script
- * algorithmic rid base
- * delete group script
- * delete user from group script
- * passdb backend
- * set primary group script
-
- Authentication
- --------------
- * auth methods
- * realm
-
- Protocol Options
- ----------------
- * client lanman auth
- * client NTLMv2 auth
- * client schannel
- * client signing
- * client use spnego
- * disable netbios
- * ntlm auth
- * paranoid server security
- * server schannel
- * smb ports
- * use spnego
-
- File Service
- ------------
- * get quota command
- * hide special files
- * hide unwriteable files
- * hostname lookups
- * kernel change notify
- * mangle prefix
- * map acl inheritence
- * msdfs proxy
- * set quota command
- * use sendfile
- * vfs objects
-
- Printing
- --------
- * max reported print jobs
-
- UNICODE and Character Sets
- --------------------------
- * display charset
- * dos charset
- * unicode
- * unix charset
-
- SID to uid/gid Mappings
- -----------------------
- * idmap backend
- * idmap gid
- * idmap only
- * idmap uid
-
- LDAP
- ----
- * ldap delete dn
- * ldap group suffix
- * ldap idmap suffix
- * ldap machine suffix
- * ldap passwd sync
- * ldap trust ids
- * ldap user suffix
-
- General Configuration
- ---------------------
- * preload modules
- * privatedir
-
-Modified Parameters (changes in behavior):
-
- * encrypt passwords (enabled by default)
- * mangling method (set to 'hash2' by default)
- * passwd chat
- * passwd program
- * restrict anonymous (integer value)
- * security (new 'ads' value)
- * strict locking (enabled by default)
- * winbind cache time (increased to 5 minutes)
- * winbind uid (deprecated in favor of 'idmap uid')
- * winbind gid (deprecated in favor of 'idmap gid')
-
-
-Databases
----------
-
-This section contains brief descriptions of any new databases
-introduced in Samba 3.0. Please remember to backup your existing
-${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
-upgrade databases as they are opened (if necessary), but downgrading
-from 3.0 to 2.2 is an unsupported path.
-
-Name Description Backup?
----- ----------- -------
-account_policy User policy settings yes
-gencache Generic caching db no
-group_mapping Mapping table from Windows yes
- groups/SID to unix groups
-idmap new ID map table from SIDS yes
- to UNIX uids/gids.
-namecache Name resolution cache entries no
-netsamlogon_cache Cache of NET_USER_INFO_3 structure no
- returned as part of a successful
- net_sam_logon request
-printing/*.tdb Cached output from 'lpq no
- command' created on a per print
- service basis
-registry Read-only samba registry skeleton no
- that provides support for exporting
- various db tables via the winreg RPCs
-
-
-Changes in Behavior
--------------------
-
-The following issues are known changes in behavior between Samba 2.2 and
-Samba 3.0 that may affect certain installations of Samba.
-
- 1) When operating as a member of a Windows domain, Samba 2.2 would
- map any users authenticated by the remote DC to the 'guest account'
- if a uid could not be obtained via the getpwnam() call. Samba 3.0
- rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
- current work around to re-establish the 2.2 behavior.
-
- 2) When adding machines to a Samba 2.2 controlled domain, the
- 'add user script' was used to create the UNIX identity of the
- machine trust account. Samba 3.0 introduces a new 'add machine
- script' that must be specified for this purpose. Samba 3.0 will
- not fall back to using the 'add user script' in the absence of
- an 'add machine script'
-
-
-######################################################################
-Passdb Backends and Authentication
-##################################
-
-There have been a few new changes that Samba administrators should be
-aware of when moving to Samba 3.0.
-
- 1) encrypted passwords have been enabled by default in order to
- inter-operate better with out-of-the-box Windows client
- installations. This does mean that either (a) a samba account
- must be created for each user, or (b) 'encrypt passwords = no'
- must be explicitly defined in smb.conf.
-
- 2) Inclusion of new 'security = ads' option for integration
- with an Active Directory domain using the native Windows
- Kerberos 5 and LDAP protocols.
-
-Samba 3.0 also includes the possibility of setting up chains
-of authentication methods (auth methods) and account storage
-backends (passdb backend). Please refer to the smb.conf(5)
-man page for details. While both parameters assume sane default
-values, it is likely that you will need to understand what the
-values actually mean in order to ensure Samba operates correctly.
-
-The recommended passdb backends at this time are
-
- * smbpasswd - 2.2 compatible flat file format
- * tdbsam - attribute rich database intended as an smbpasswd
- replacement for stand alone servers
- * ldapsam - attribute rich account storage and retrieval
- backend utilizing an LDAP directory.
- * ldapsam_compat - a 2.2 backward compatible LDAP account
- backend
-
-Certain functions of the smbpasswd(8) tool have been split between the
-new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
-utility. See the respective man pages for details.
-
-
-######################################################################
-LDAP
-####
-
-This section outlines the new features affecting Samba / LDAP integration.
-
-New Schema
-----------
-
-A new object class (sambaSamAccount) has been introduced to replace
-the old sambaAccount. This change aids us in the renaming of attributes
-to prevent clashes with attributes from other vendors. There is a
-conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
-file to the new schema.
-
-Example:
-
- $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
- $ convertSambaAccount <DOM SID> old.ldif new.ldif
-
-The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
-on the Samba PDC as root.
-
-The old sambaAccount schema may still be used by specifying the
-"ldapsam_compat" passdb backend. However, the sambaAccount and
-associated attributes have been moved to the historical section of
-the schema file and must be uncommented before use if needed.
-The 2.2 object class declaration for a sambaAccount has not changed
-in the 3.0 samba.schema file.
-
-Other new object classes and their uses include:
-
- * sambaDomain - domain information used to allocate rids
- for users and groups as necessary. The attributes are added
- in 'ldap suffix' directory entry automatically if
- an idmap uid/gid range has been set and the 'ldapsam'
- passdb backend has been selected.
-
- * sambaGroupMapping - an object representing the
- relationship between a posixGroup and a Windows
- group/SID. These entries are stored in the 'ldap
- group suffix' and managed by the 'net groupmap' command.
-
- * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
- automatically and contains the next available 'idmap uid' and
- 'idmap gid'
-
- * sambaIdmapEntry - object storing a mapping between a
- SID and a UNIX uid/gid. These objects are created by the
- idmap_ldap module as needed.
-
-
-New Suffix for Searching
-------------------------
-
-The following new smb.conf parameters have been added to aid in directing
-certain LDAP queries when 'passdb backend = ldapsam://...' has been
-specified.
-
- * ldap suffix - used to search for user and computer accounts
- * ldap user suffix - used to store user accounts
- * ldap machine suffix - used to store machine trust accounts
- * ldap group suffix - location of posixGroup/sambaGroupMapping entries
- * ldap idmap suffix - location of sambaIdmapEntry objects
-
-If an 'ldap suffix' is defined, it will be appended to all of the
-remaining sub-suffix parameters. In this case, the order of the suffix
-listings in smb.conf is important. Always place the 'ldap suffix' first
-in the list.
-
-Due to a limitation in Samba's smb.conf parsing, you should not surround
-the DN's with quotation marks.
-
-
-IdMap LDAP support
-------------------
-
-Samba 3.0 supports an ldap backend for the idmap subsystem. The
-following options would inform Samba that the idmap table should be
-stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
-dc=org" partition.
-
- [global]
- ...
- idmap backend = ldap:ldap://onterose/
- ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
- idmap uid = 40000-50000
- idmap gid = 40000-50000
-
-This configuration allows winbind installations on multiple servers to
-share a uid/gid number space, thus avoiding the interoperability problems
-with NFS that were present in Samba 2.2.
-
-
-######################################################################
-Known Issues
-############
-
-* The smbldap perl scripts for managing user entries in an LDAP
- directory have not be updated to function with the Samba 3.0
- schema changes. This (or an equivalent solution) work is planned
- to be completed prior to the stable 3.0.0 release.
-
-Please refer to https://bugzilla.samba.org/ for a current list of bugs
-filed against the Samba 3.0 codebase.
-
-
-######################################################################
-Reporting bugs & Development Discussion
-#######################################
-
-Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
-
-If you do report problems then please try to send high quality
-feedback. If you don't provide vital information to help us track down
-the problem then you will probably be ignored.
-
-A new bugzilla installation has been established to help support the
-Samba 3.0 community of users. This server, located at
-https://bugzilla.samba.org/, will replace the existing jitterbug server
-and the old http://bugs.samba.org now points to the new bugzilla server.
+This file is NOT maintained but will be created during releases.
+See the SAMBA_3_0_RELEASE branch for the current WHATSNEW.
git.samba.org / ira / wip.git / blobdiff