This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

SWAT has had some rather large improvements and is now more than just a
direct editor for smb.conf. Its layout has been improved. SWAT can now also
be used for editing run-time data - maintaining user information, provisioning,
etc. TLS is supported out of the box.

Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Like the situation with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in an
AD-matching (rather than distinctly standards-matching) manner. The
database is LDB, which it shares with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'bdc', 'pdc', 'member server' or 'standalone'. Note that
member server support does not work yet.

'password server' now takes a DCE/RPC binding string (see prog_guide.txt)
rather than simply a NetBIOS name.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
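
Several of the removed parameters enforced a security control in Samba 3, so
an existing smb.conf is worth auditing before an upgrade. The script below is
an added example, not part of the Samba sources: the function names, the
choice of which removed parameters to flag, and the sample configuration
(including its 'security = domain' value and script path) are constructed
for illustration.

```python
import re
# Subset of the removed parameters listed above that enforced a security control.
REMOVED = ["passdb backend", "allow trusted domains", "check password script",
           "force security mode", "force directory security mode",
           "directory security mask", "use kerberos keytab",
           "username map script", "machine password timeout"]
SECURITY_KEPT = {"user", "share"}   # 'security' values this document keeps

def norm(name):  # parameter names are matched ignoring case and whitespace
    return "".join(name.lower().split())

REMOVED_BY_KEY = {norm(n): n for n in REMOVED}

def parse(text):
    """Yield (line_no, section, normalised_name, value) for each setting."""
    section, pending, start = None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = no
            if not line or line[0] in "#;":   # blank line or comment
                continue
        if line.endswith("\\"):               # setting continues on next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            yield start, section, norm(name), value.strip()

def audit(text):
    """Return (line_no, section, parameter, reason) for settings to review."""
    findings = []
    for no, section, key, value in parse(text):
        if key in REMOVED_BY_KEY:
            findings.append((no, section, REMOVED_BY_KEY[key], "removed"))
        elif key == "security" and value.lower() not in SECURITY_KEPT:
            findings.append((no, section, "security", "see 'server role'"))
    return findings

# Constructed Samba 3 configuration, for illustration only.
SAMPLE = """[global]
  security = domain
  Passdb Backend = tdbsam
  check password script = /usr/local/sbin/pwcheck
[data]
  force security mode = 0700
"""
```

Calling audit(SAMPLE) returns one finding per setting that needs a decision
before the upgrade, with the line number and share it came from.
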

The following parameters have been added:

Make Samba pretend it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.
Default: Set at compile-time

Path to data used by provisioning script.
Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available

Maps POSIX FS semantics to NT semantics.

Very simple backend (original testing backend).

Sets up user credentials based on POSIX gid/uid.

Proxies a remote CIFS FS. Mainly useful for testing.

Filter module that saves data useful to the nbench benchmark suite.

Allows using SMB for inter process communication. Only used for

Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later

Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.
Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be a
Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be an LDB URL.
Default: set at compile-time

+ wins config database
WINS configuration database location. This should be an LDB URL.
Default: set at compile-time

WINS database location. This should be an LDB URL.
Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT.

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.