-What's new in Samba 4 alpha4
+What's new in Samba 4 alpha5
============================
Samba 4 is the ambitious next version of the Samba suite that is being
this branch is support for the Active Directory logon protocols used
by Windows 2000 and above.
-Samba4 alpha4 follows on from the alpha release series we have been
+Samba4 alpha5 follows on from the alpha release series we have been
publishing since September 2007
WARNINGS
========
-Samba4 alpha4 is not a final Samba release. That is more a reference
+Samba4 alpha5 is not a final Samba release. That is more a reference
to Samba4's lack of the features we expect you will need than a
statement of code quality, but clearly it hasn't seen a broad
deployment yet. If you were to upgrade Samba3 (or indeed Windows) to
In the time since Samba4 Alpha4 was released in June 2008, Samba has
continued to evolve, but you may particularly notice these areas:
-(TODO: update list when closer to a release)
+ LDAP backend support restored (issues preventing the use of the LDAP
+ backend in alpha4 have been addressed)
- Python Bindings: Bindings for Python are now used for all internal
- scripting, and the system python installation is used to run all
- Samba python scripts (in place of smbpython found in the previous
- alpha).
+ SMB2 Support: The SMB2 server, while still disabled, has improved,
+ and now supports SMB2 signing.
- As such Python is no longer optional, and configure will generate an
- error if it cannot locate an appropriate Python installation.
+ OpenChange support: Updates have been made since alpha4 to better
+ support OpenChange's use of Samba4's libraries.
+
+ Faster ldb loading: A fix to avoid calling 'init_module' (which was
+ not defined by Samba modules, but was by the C library) will fix
+ some of the slowness in authentication.
SWAT Remains Disabled: Due to a lack of developer time and without a
long-term web developer to maintain it, the SWAT web UI remains been
GNU Make: To try and simplfy our build system, we rely on GNU Make
to avoid autogenerating a massive single makefile.
- Registry: Samba4's registry library has continued to improve.
-
- ID mapping: Samba4 uses the internal ID mapping in winbind for all
- but a few core users. Samba users should not appear in /etc/passwd,
- as Samba will generate new user and group IDs regradless.
-
- NTP: Samba4 can act as a signing server for the ntp.org NTP deamon,
- allowing NTPd to reply using Microsoft's non-standard signing
- scheme. A patch to make NTPd talk to Samba for this purpose has
- been submitted to the ntp.org project.
-
- CLDAP: Users should experience less arbitary delays and more success with
- group policy, domain joins and logons due to an improved
- implementation of CLDAP and the 'netlogon' mailslot datagrams.
-
- SMB2: The Samba4 SMB2 server and testsuite have been greatly
- improved, but the SMB2 server remains off by default.
-
- Secure DNS update: Configuration for GSS-TSIG updates of DNS records
- is now generated by the provision script.
These are just some of the highlights of the work done in the past few
months. More details can be found in our GIT history.
- Clock Synchronisation is critical. Many 'wrong password' errors are
actually due to Kerberos objecting to a clock skew between client
- and server. (The NTP work is partly to assist with this problem).
+ and server. (The NTP work in the previous alpha is partly to assist
+ with this problem).
-- Samba4 alpha4 is currently only portable to recent Linux
+- Samba4 alpha5 is currently only portable to recent Linux
distributions. Work to return support for other Unix varients is
expected during the next alpha cycle
-- Samba4 alpha4 is incompatible with GnuTLS 2.0, found in Fedora 9 and
+- Samba4 alpha5 is incompatible with GnuTLS 2.0, found in Fedora 9 and
recent Ubuntu releases. GnuTLS use may be disabled using the
--disable-gnutls argument to ./configure. (otherwise 'make test' and
LDAPS operations will hang).
# used to provide SMB network services.
#
# pidfile: /var/run/samba4/smbd.pid
-# config: /etc/samba/smb.conf
+# config: /etc/samba4/smb.conf
SAMBA_NAME=samba4
--with-lockdir=/var/lib/%{name} \
--with-piddir=/var/run \
--with-privatedir=/var/lib/%{name}/private \
- --with-logfilebase=/var/log/samba \
+ --with-logfilebase=/var/log/%{name} \
--with-configdir=%{_sysconfdir}/%{name} \
--with-winbindd-socket-dir=/var/run/winbind \
--with-ntp-signd-socket-dir=/var/run/ntp_signd \
%{_datadir}/samba/setup/*
%dir /var/lib/%{name}/sysvol
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%dir %{_sysconfdir}/%{name}
%attr(0700,root,root) %dir /var/log/%{name}
%attr(0700,root,root) %dir /var/log/%{name}/old
%{_datadir}/samba/*.dat
%{_libdir}/*.so.*
%{_libdir}/samba
+%dir %{_sysconfdir}/%{name}
+#Need to mark this as being owned by Samba, but it is normally created
+#by the provision script, which runs best if there is no existing
+#smb.conf
+#%config(noreplace) %{_sysconfdir}/%{name}/smb.conf
%files winbind
%defattr(-,root,root)
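Review bot: the commented-out "#%config(noreplace) %{_sysconfdir}/%{name}/smb.conf" line at the end of the main %files list leaves smb.conf owned by no package, so rpm cannot attribute or track it. If the intent is to own the file without shipping one (so the provision script still finds no existing smb.conf), "%ghost %config(noreplace) %{_sysconfdir}/%{name}/smb.conf" states that directly. rpm also expands macros inside "#" comment lines, so if the comment stays, escape them as %%config and %%{...}.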
piddir="${localstatedir}/run"
privatedir="\${prefix}/private"
modulesdir="\${prefix}/modules"
-winbindd_socket_dir="${localstatedir}/run/winbind_pipe"
+winbindd_socket_dir="${localstatedir}/run/winbindd"
+winbindd_privileged_socket_dir="${localstatedir}/lib/winbindd_privileged"
ntp_signd_socket_dir="${localstatedir}/run/ntp_signd"
AC_ARG_WITH(fhs,
datadir="${datadir}/samba"
includedir="${includedir}/samba-4.0"
ntp_signd_socket_dir="${localstatedir}/run/samba/ntp_signd"
- winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe"
+ winbindd_socket_dir="${localstatedir}/run/samba/winbindd"
+ winbindd_privileged_socket_dir="${localstatedir}/lib/samba/winbindd_privileged"
)
#################################################
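Review bot: the FHS default for winbindd_socket_dir changes from run/samba/winbind_pipe to run/samba/winbindd (and the non-FHS default above changes the same way), which moves the path every winbind client connects to. That rename deserves a line in the release notes. It is also worth a short comment on why winbindd_privileged_socket_dir is placed under ${localstatedir}/lib while the other two socket directories stay under ${localstatedir}/run.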
#################################################
# set where the winbindd socket should be put
AC_ARG_WITH(winbindd-socket-dir,
+[ --with-winbindd-socket-dir=DIR Where to put the winbindd socket ($winbindd_socket_dir)],
+[ case "$withval" in
+ yes|no)
+ #
+ # Just in case anybody calls it without argument
+ #
+ AC_MSG_WARN([--with-winbind-socketdir called without argument - will use default])
+ ;;
+ * )
+ winbindd_socket_dir="$withval"
+ ;;
+ esac])
+
+#################################################
+# set where the winbindd privilaged socket should be put
+AC_ARG_WITH(winbindd-privileged-socket-dir,
+[ --with-winbindd-privileged-socket-dir=DIR Where to put the winbindd socket ($winbindd_privileged_socket_dir)],
+[ case "$withval" in
+ yes|no)
+ #
+ # Just in case anybody calls it without argument
+ #
+ AC_MSG_WARN([--with-winbind-privileged-socketdir called without argument - will use default])
+ ;;
+ * )
+ winbindd_privileged_socket_dir="$withval"
+ ;;
+ esac])
+
+#################################################
+# set where the winbindd privilaged socket should be put
+AC_ARG_WITH(winbindd-socket-dir,
[ --with-winbindd-socket-dir=DIR Where to put the winbindd socket ($ac_default_prefix/run/winbind_pipe)],
[ case "$withval" in
yes|no)
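Review bot: after the new blocks, the file ends up with two AC_ARG_WITH(winbindd-socket-dir, ...) stanzas. The second one is introduced by the added lines "# set where the winbindd privilaged socket should be put" / "AC_ARG_WITH(winbindd-socket-dir," and then runs into the old body, whose help text still advertises ($ac_default_prefix/run/winbind_pipe). It looks like a copy-paste leftover; drop the trailing stanza so the option is defined once. Smaller points in the same hunk: the help string for --with-winbindd-privileged-socket-dir still says "Where to put the winbindd socket", both AC_MSG_WARN texts name options that do not exist (--with-winbind-socketdir, --with-winbind-privileged-socketdir), and "privilaged" is misspelled in the comments.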
AC_SUBST(bindir)
AC_SUBST(sbindir)
AC_SUBST(winbindd_socket_dir)
+AC_SUBST(winbindd_privileged_socket_dir)
AC_SUBST(ntp_signd_socket_dir)
AC_SUBST(modulesdir)
-DPRIVATE_DIR=\"$(privatedir)\" \
-DMODULESDIR=\"$(modulesdir)\" -DJSDIR=\"$(JSDIR)\" \
-DTORTUREDIR=\"$(TORTUREDIR)\" \
- -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" \
+ -DSETUPDIR=\"$(SETUPDIR)\" \
+ -DWINBINDD_PRIVILEGED_SOCKET_DIR=\"$(winbindd_privileged_socket_dir)\" \
+ -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" \
-DNTP_SIGND_SOCKET_DIR=\"$(ntp_signd_socket_dir)\"
/** Where to find the winbindd socket */
_PUBLIC_ const char *dyn_WINBINDD_SOCKET_DIR = WINBINDD_SOCKET_DIR;
+/** Where to find the winbindd privileged socket */
+_PUBLIC_ const char *dyn_WINBINDD_PRIVILEGED_SOCKET_DIR = WINBINDD_PRIVILEGED_SOCKET_DIR;
+
/** Where to find the NTP signing deamon socket */
_PUBLIC_ const char *dyn_NTP_SIGND_SOCKET_DIR = NTP_SIGND_SOCKET_DIR;
extern const char *dyn_JSDIR;
extern const char *dyn_SETUPDIR;
extern const char *dyn_WINBINDD_SOCKET_DIR;
+extern const char *dyn_WINBINDD_PRIVILEGED_SOCKET_DIR;
extern const char *dyn_NTP_SIGND_SOCKET_DIR;
const char **server_services;
char *ntptr_providor;
char *szWinbindSeparator;
+ char *szWinbinddPrivilegedSocketDirectory;
char *szWinbinddSocketDirectory;
char *szTemplateShell;
char *szTemplateHomedir;
{"host msdfs", P_BOOL, P_GLOBAL, GLOBAL_VAR(bHostMSDfs), NULL, NULL},
{"winbind separator", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbindSeparator), NULL, NULL },
{"winbindd socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbinddSocketDirectory), NULL, NULL },
+ {"winbindd privileged socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbinddPrivilegedSocketDirectory), NULL, NULL },
{"winbind sealed pipes", P_BOOL, P_GLOBAL, GLOBAL_VAR(bWinbindSealedPipes), NULL, NULL },
{"template shell", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateShell), NULL, NULL },
{"template homedir", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateHomedir), NULL, NULL },
_PUBLIC_ FN_GLOBAL_STRING(lp_wins_url, szWINS_URL)
_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbind_separator, szWinbindSeparator)
_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbindd_socket_directory, szWinbinddSocketDirectory)
+_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbindd_privileged_socket_directory, szWinbinddPrivilegedSocketDirectory)
_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_template_shell, szTemplateShell)
_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_template_homedir, szTemplateHomedir)
_PUBLIC_ FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, bWinbindSealedPipes)
lp_do_global_parameter(lp_ctx, "winbind separator", "\\");
lp_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lp_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
+ lp_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
lp_do_global_parameter(lp_ctx, "template shell", "/bin/false");
lp_do_global_parameter(lp_ctx, "template homedir", "/home/%WORKGROUP%/%ACCOUNTNAME%");
lp_do_global_parameter(lp_ctx, "idmap trusted only", "False");
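Review bot: the added default for "winbindd privileged socket directory" introduces a new smb.conf parameter, but nothing in the visible changes documents it, and the WHATSNEW text in this same patch does not mention it. Please add a short description of the parameter, including who is expected to be able to reach the privileged socket, alongside the default set here from dyn_WINBINDD_PRIVILEGED_SOCKET_DIR.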
const char *lp_wins_url(struct loadparm_context *);
const char *lp_winbind_separator(struct loadparm_context *);
const char *lp_winbindd_socket_directory(struct loadparm_context *);
+const char *lp_winbindd_privileged_socket_directory(struct loadparm_context *);
const char *lp_template_shell(struct loadparm_context *);
const char *lp_template_homedir(struct loadparm_context *);
bool lp_winbind_sealed_pipes(struct loadparm_context *);
#define SWIGTYPE_p_int swig_types[2]
#define SWIGTYPE_p_loadparm_context swig_types[3]
#define SWIGTYPE_p_loadparm_service swig_types[4]
-#define SWIGTYPE_p_long_long swig_types[5]
+#define SWIGTYPE_p_long swig_types[5]
#define SWIGTYPE_p_param_context swig_types[6]
#define SWIGTYPE_p_param_opt swig_types[7]
#define SWIGTYPE_p_param_section swig_types[8]
#define SWIGTYPE_p_signed_char swig_types[10]
#define SWIGTYPE_p_unsigned_char swig_types[11]
#define SWIGTYPE_p_unsigned_int swig_types[12]
-#define SWIGTYPE_p_unsigned_long_long swig_types[13]
+#define SWIGTYPE_p_unsigned_long swig_types[13]
#define SWIGTYPE_p_unsigned_short swig_types[14]
static swig_type_info *swig_types[16];
static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0};
static swig_type_info _swigt__p_TALLOC_CTX = {"_p_TALLOC_CTX", "TALLOC_CTX *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_int = {"_p_int", "intptr_t *|int *|int_least32_t *|int_fast32_t *|int32_t *|int_fast16_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_int = {"_p_int", "int *|int_least32_t *|int32_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_loadparm_context = {"_p_loadparm_context", "struct loadparm_context *|loadparm_context *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_loadparm_service = {"_p_loadparm_service", "struct loadparm_service *|loadparm_service *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_long_long = {"_p_long_long", "int_least64_t *|int_fast64_t *|int64_t *|long long *|intmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_long = {"_p_long", "intptr_t *|int_least64_t *|int_fast32_t *|int_fast64_t *|int64_t *|long *|int_fast16_t *|intmax_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_param_context = {"_p_param_context", "struct param_context *|param *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_param_opt = {"_p_param_opt", "struct param_opt *|param_opt *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_param_section = {"_p_param_section", "struct param_section *|param_section *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_short = {"_p_short", "short *|int_least16_t *|int16_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_signed_char = {"_p_signed_char", "signed char *|int_least8_t *|int_fast8_t *|int8_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_unsigned_char = {"_p_unsigned_char", "unsigned char *|uint_least8_t *|uint_fast8_t *|uint8_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "uintptr_t *|uint_least32_t *|uint_fast32_t *|uint32_t *|unsigned int *|uint_fast16_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_long_long = {"_p_unsigned_long_long", "uint_least64_t *|uint_fast64_t *|uint64_t *|unsigned long long *|uintmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "uint_least32_t *|uint32_t *|unsigned int *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_long = {"_p_unsigned_long", "uintptr_t *|uint_least64_t *|uint_fast32_t *|uint_fast64_t *|uint64_t *|unsigned long *|uint_fast16_t *|uintmax_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|uint_least16_t *|uint16_t *", 0, 0, (void*)0, 0};
static swig_type_info *swig_type_initial[] = {
&_swigt__p_int,
&_swigt__p_loadparm_context,
&_swigt__p_loadparm_service,
- &_swigt__p_long_long,
+ &_swigt__p_long,
&_swigt__p_param_context,
&_swigt__p_param_opt,
&_swigt__p_param_section,
&_swigt__p_signed_char,
&_swigt__p_unsigned_char,
&_swigt__p_unsigned_int,
- &_swigt__p_unsigned_long_long,
+ &_swigt__p_unsigned_long,
&_swigt__p_unsigned_short,
};
static swig_cast_info _swigc__p_int[] = { {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_loadparm_context[] = { {&_swigt__p_loadparm_context, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_loadparm_service[] = { {&_swigt__p_loadparm_service, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_long_long[] = { {&_swigt__p_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_long[] = { {&_swigt__p_long, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_param_context[] = { {&_swigt__p_param_context, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_param_opt[] = { {&_swigt__p_param_opt, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_param_section[] = { {&_swigt__p_param_section, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_signed_char[] = { {&_swigt__p_signed_char, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_unsigned_char[] = { {&_swigt__p_unsigned_char, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_unsigned_int[] = { {&_swigt__p_unsigned_int, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_unsigned_long_long[] = { {&_swigt__p_unsigned_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_long[] = { {&_swigt__p_unsigned_long, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_unsigned_short[] = { {&_swigt__p_unsigned_short, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info *swig_cast_initial[] = {
_swigc__p_int,
_swigc__p_loadparm_context,
_swigc__p_loadparm_service,
- _swigc__p_long_long,
+ _swigc__p_long,
_swigc__p_param_context,
_swigc__p_param_opt,
_swigc__p_param_section,
_swigc__p_signed_char,
_swigc__p_unsigned_char,
_swigc__p_unsigned_int,
- _swigc__p_unsigned_long_long,
+ _swigc__p_unsigned_long,
_swigc__p_unsigned_short,
};
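Review bot: these SWIG changes (SWIGTYPE_p_long_long becoming SWIGTYPE_p_long, and intptr_t, int64_t and intmax_t moving from the "int" and "long long" entries to the "long" entry) look like the generated file was simply re-run on a host with different integer widths, not a change related to the winbind socket work. Generated output that depends on the build machine is better kept out of this commit, or committed separately with a note on how it was regenerated, so the functional change stays reviewable.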
my $privatedir = "$prefix_abs/private";
my $ncalrpcdir = "$prefix_abs/ncalrpc";
my $lockdir = "$prefix_abs/lockdir";
- my $winbindd_socket_dir = "$prefix_abs/winbind_socket";
+ my $winbindd_socket_dir = "$prefix_abs/winbindd_socket";
+ my $winbindd_privileged_socket_dir = "$prefix_abs/winbindd_privileged_socket";
my $ntp_signd_socket_dir = "$prefix_abs/ntp_signd_socket";
my $winbindd_priv_pipe_dir = "$privatedir/smbd.tmp/winbind_pipe";
my $nsswrap_passwd = "$etcdir/passwd";
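Review bot: the unchanged line 'my $winbindd_priv_pipe_dir = "$privatedir/smbd.tmp/winbind_pipe";' sits directly below the new $winbindd_privileged_socket_dir, so the test environment now carries two variables for the privileged pipe location, one of them pointing at the old smbd.tmp path. If nothing still reads $winbindd_priv_pipe_dir, remove it here; if something does, it should be switched to the new variable so the tests exercise the directory the server actually uses.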
modules dir = $self->{bindir}/modules
js include = $srcdir/scripting/libjs
winbindd socket directory = $winbindd_socket_dir
+ winbindd privileged socket directory = $winbindd_privileged_socket_dir
ntp signd socket directory = $ntp_signd_socket_dir
winbind separator = /
name resolve order = bcast
return;
}
+ /* Make sure the directory for the Samba3 socket exists, and is of the correct permissions */
+ if (!directory_create_or_exist(lp_winbindd_privileged_socket_directory(task->lp_ctx), geteuid(), 0750)) {
+ task_server_terminate(task,
+ "Cannot create winbindd privileged pipe directory");
+ return;
+ }
+
service = talloc_zero(task, struct wbsrv_service);
if (!service) goto nomem;
service->task = task;
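Review bot: the comment on the new directory_create_or_exist() call says "the Samba3 socket", but the call creates the privileged directory; say so, since the mode is the security-relevant part. The directory is created as 0750 owned by geteuid(), which grants group read and search access, and nothing in this hunk sets or checks the group. Please document which group is meant to reach the privileged pipe, or state that the group bits are intentionally left to the administrator.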
/* setup the privileged samba3 socket */
listen_socket = talloc(service, struct wbsrv_listen_socket);
if (!listen_socket) goto nomem;
- listen_socket->socket_path =
- smbd_tmp_path(listen_socket, task->lp_ctx,
- WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
+ listen_socket->socket_path = talloc_asprintf(listen_socket, "%s/%s",
+ lp_winbindd_privileged_socket_directory(task->lp_ctx),
+ WINBINDD_SAMBA3_SOCKET);
+ if (!listen_socket->socket_path) goto nomem;
if (!listen_socket->socket_path) goto nomem;
listen_socket->service = service;
listen_socket->privileged = true;
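Review bot: the added "if (!listen_socket->socket_path) goto nomem;" is immediately followed by the identical pre-existing check, so one of the two should go. Separately, the privileged listener now builds its path from WINBINDD_SAMBA3_SOCKET instead of WINBINDD_SAMBA3_PRIVILEGED_SOCKET. If the intent is "same socket name, different directory", a one-line comment would prevent this from being read as a mistake, and WINBINDD_SAMBA3_PRIVILEGED_SOCKET can be removed if it is now unused.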