1 WHATS NEW IN Samba 3.0.0 beta2
3 ==============================
5 This is the second beta release of Samba 3.0.0. This is a
6 non-production release intended for testing purposes. Use
9 The purpose of this beta release is to get wider testing of the major
10 new pieces of code in the current Samba 3.0 development tree. We have
11 officially ceased development on the 2.2.x release of Samba and are
12 concentrating on Samba 3.0. To reduce the time before the final
13 Samba 3.0 release we need as many people as possible to start testing
14 these beta releases, and to provide high quality feedback on what
17 Samba 3.0 is feature complete. However there is still some final
18 work to be done on certain pieces of functionality. Please refer to
19 the section on "Known Issues" for more details.
25 1) Active Directory support. This release is able to join a ADS realm
26 as a member server and authenticate users using LDAP/kerberos.
28 2) Unicode support. Samba will now negotiate UNICODE on the wire and
29 internally there is now a much better infrastructure for multi-byte
30 and UNICODE character sets.
32 3) New authentication system. The internal authentication system has
33 been almost completely rewritten. Most of the changes are internal,
34 but the new auth system is also very configurable.
36 4) New filename mangling system. The filename mangling system has been
37 completely rewritten. An internal database now stores mangling maps
38 persistently. This needs lots of testing.
40 5) New "net" command. A new "net" command has been added. It is
41 somewhat similar to the "net" command in windows. Eventually we
42 plan to replace a bunch of other utilities (such as smbpasswd)
43 with subcommands in "net", at the moment only a few things are
46 6) Samba now negotiates NT-style status32 codes on the wire. This
47 improves error handling a lot.
49 7) Better Windows 2000/XP/2003 printing support including publishing
50 printer attributes in active directory
52 8) New loadable RPC modules
54 9) New dual-daemon winbindd support (-B) for better performance
56 10) Support for migrating from a Windows NT 4.0 domain to a Samba
57 domain and maintaining user, group and domain SIDs
59 11) Support for establishing trust relationships with Windows NT 4.0
62 12) Initial support for a distributed Winbind architecture using
63 an LDAP directory for storing SID to uid/gid mappings
65 13) Major updates to the Samba documentation tree.
67 Plus lots of other improvements!
70 Additional Documentation
71 ------------------------
73 Please refer to Samba documentation tree (including in the docs/
74 subdirectory) for extensive explanations of installing, configuring
75 and maintaining Samba 3.0 servers and clients. It is advised to
76 begin with the Samba-HOWTO-Collection for overviews and specific
77 tasks (the current book is up to approximately 400 pages) and to
78 refer to the various man pages for information on individual options.
80 ######################################################################
81 Changes since 3.0beta1
82 ######################
84 Please refer to the CVS log for the SAMBA_3_0 branch for complete
87 1) Rework our smb signing code again, this factors out some of
88 the common MAC calcuation code, and now supports multiple
89 outstanding packets (bug #40)
90 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
92 3) Correct timestamp problem on 64-bit machines (bug #140)
93 4) Add extra debugging statements to winbindd for tracking down
95 5) Fix bug when aliased 'winbind uid/gid' parameters are used
96 'winbind uid/gid' are now replaced with 'idmap uid/gid'
97 6) Added an auth flag that indicates if we should be allowed
98 to fallback to NTLMSSP for SASL if krb5 fails
99 7) Fixed the bug that forced us not to use the winbindd cache when
100 we have a primary ADS domain and a secondary (trusted) NT4 domain.
101 8) Use lp_realm() to find the default realm for 'net ads password'
102 9) Removed editreg from standard build until it is portable.
103 10) Fix domain membership for servers not running winbindd
104 11) Correct race condition in determining the high water mark
105 in the idmap backend (bug #181)
106 12) Set the user's primary unix group from usrmgr.exe (partial
108 13) Show comments when doing 'net group -l' (bug #3)
109 14) Add trivial extension to 'net' to dump current local idmap
110 and restore mappings as well
111 15) Modify 'net rpc vampire' to add new and existing users to
112 both the idmap and the SAM. This code needs further testing.
113 16) Fix crash bug in ADS searches
114 17) Build libnss_wins.so as part of nsswitch target (bug #160)
115 18) Make net rpc vampire return an error if the sam sync RPC
117 19) Fail to join an NT 4 domain as a BDC if a workstation account
118 using our name exists
119 20) Fix various memory leaks in server and client code
120 21) Remove the short option to --set-auth-user for wbinfo (-A) to
121 prevent confusion with the -a option (bug #158)
122 22) Added new 'map acl inheritence' parameter
123 23) Removed unused 'privileges' code from group mapping database
124 24) Don't segfault on empty passdb backend list (bug #136)
125 25) Fixed acl sorting algorithm forWwindows 2000 clients
126 26) Replace universal group cache with netsamlogon_cache
127 from APPLIANCE_HEAD branch
128 27) Fix autoconf detection issues surrounding --with-ads=yes
129 but no Krb5 header files installed (bug #152)
130 28) Add LDAP lookup for domain sequence number in case we are
131 joined using NT4 protocols to a native mode AD domain
132 29) Fix backend method selection for trusted NT 4 (or 2k
134 30) Fixed bug that caused us to enumerate domain local groups
135 from native mode AD domains other than our own
136 31) Correct group enumeration for viewing in the Windows
137 security tab (bug #110)
138 32) Consolidate the DC location code
139 33) Moved 'ads server' functionality into 'password server' for
140 backwards compatibility
141 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
142 ( if you installed beta1, be sure to
143 'mv idmap.tdb winbindd_idmap.tdb' )
144 35) Fix pdb_ldap segfaults, and wrong default values for
146 36) Enable negative connection cache for winbindd's ADS backend
148 37) Enable address caching for active directory DC's so we don't
149 have to hit DNS so much
150 38) Fix bug in idmap code that caused mapping to randomly be
152 39) Add tdb locking code to prevent race condition when adding a
154 40) Fix 'map to guest = bad user' when acting as a PDC supporting
156 41) Prevent deadlock issues when running winbindd on a Samba PDC
157 to handle allocating uids & gids for trusted users and groups
158 42) added LOCALE patch from Steve Langasek (bug #122)
159 43) Add the 'guest' passdb backend automatically to the end of
160 the 'passdb backend' list if 'guest account' has a valid
162 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
163 handle our local names (or domain name if we are a PDC).
164 Move existing permissive 'sam' method to 'sam_ignoredomain'
165 and make 'samstrict' the new default 'sam' auth method.
166 45) Match Windows NT4/2k behavior when authenticating a user with
167 and unknown domain (default to our domain if we are a DC or
168 domain member; default to our local name if we are a
170 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
171 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
172 47) Fix the trustdom_cache code to update the list of trusted
173 domains when operating as a domain member and not using
175 48) Remove 'nisplussam' passdb backend since it has suffered for
176 too long without a maintainer
181 ######################################################################
182 Upgrading from Samba 2.2
183 ########################
185 This section is provided to help administrators understand the details
186 involved with upgrading a Samba 2.2 server to Samba 3.0
192 Many of the options to the GNU autoconf script have been modified
193 in the 3.0 release. The most noticeable are:
195 * removal of --with-tdbsam (is now included by default; see section
196 on passdb backends and authentication for more details)
198 * --with-ldapsam is now on used to provided backward compatible
199 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
200 backend and authentication section for more details
202 * inclusion of non-standard passdb modules may be enabled using
203 --with-expsam. This includes an XML backend, a mysql backend,
206 * removal of --with-msdfs (is now enabled by default)
208 * removal of --with-ssl (no longer supported)
210 * --with-utmp now defaults to 'yes' on supported systems
212 * --with-sendfile-support is now enabled by default on supported
219 This section contains a brief listing of changes to smb.conf options
220 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
221 complete descriptions of new or modified parameters.
223 Removed Parameters (order alphabetically):
226 * alternate permissions
229 * code page directory
233 * force unknown acl user
237 * printer driver file
238 * printer driver location
245 New Parameters (new parameters have been grouped by function):
249 * abort shutdown script
252 User and Group Account Management
253 ---------------------------------
256 * add user to group script
257 * algorithmic rid base
258 * delete group script
259 * delete user from group script
261 * set primary group script
277 * paranoid server security
286 * hide unwriteable files
288 * kernel change notify
298 * max reported print jobs
300 UNICODE and Character Sets
301 --------------------------
307 SID to uid/gid Mappings
308 -----------------------
319 * ldap machine suffix
324 General Configuration
325 ---------------------
329 Modified Parameters (changes in behavior):
331 * encrypt passwords (enabled by default)
332 * mangling method (set to 'hash2' by default)
335 * restrict anonymous (integer value)
336 * security (new 'ads' value)
337 * strict locking (enabled by default)
338 * winbind cache time (increased to 5 minutes)
339 * winbind uid (deprecated in favor of 'idmap uid')
340 * winbind gid (deprecated in favor of 'idmap gid')
346 This section contains brief descriptions of any new databases
347 introduced in Samba 3.0. Please remember to backup your existing
348 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
349 upgrade databases as they are opened (if necessary), but downgrading
350 from 3.0 to 2.2 is an unsupported path.
352 Name Description Backup?
353 ---- ----------- -------
354 account_policy User policy settings yes
355 gencache Generic caching db no
356 group_mapping Mapping table from Windows yes
357 groups/SID to unix groups
358 idmap new ID map table from SIDS yes
360 namecache Name resolution cache entries no
361 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
362 returned as part of a successful
363 net_sam_logon request
364 printing/*.tdb Cached output from 'lpq no
365 command' created on a per print
367 registry Read-only samba registry skeleton no
368 that provides support for exporting
369 various db tables via the winreg RPCs
375 The following issues are known changes in behavior between Samba 2.2 and
376 Samba 3.0 that may affect certain installations of Samba.
378 1) When operating as a member of a Windows domain, Samba 2.2 would
379 map any users authenticated by the remote DC to the 'guest account'
380 if a uid could not be obtained via the getpwnam() call. Samba 3.0
381 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
382 current work around to re-establish the 2.2 behavior.
384 2) When adding machines to a Samba 2.2 controlled domain, the
385 'add user script' was used to create the UNIX identity of the
386 machine trust account. Samba 3.0 introduces a new 'add machine
387 script' that must be specified for this purpose. Samba 3.0 will
388 not fall back to using the 'add user script' in the absence of
389 an 'add machine script'
392 ######################################################################
393 Passdb Backends and Authentication
394 ##################################
396 There have been a few new changes that Samba administrators should be
397 aware of when moving to Samba 3.0.
399 1) encrypted passwords have been enabled by default in order to
400 inter-operate better with out-of-the-box Windows client
401 installations. This does mean that either (a) a samba account
402 must be created for each user, or (b) 'encrypt passwords = no'
403 must be explicitly defined in smb.conf.
405 2) Inclusion of new 'security = ads' option for integration
406 with an Active Directory domain using the native Windows
407 Kerberos 5 and LDAP protocols.
409 Samba 3.0 also includes the possibility of setting up chains
410 of authentication methods (auth methods) and account storage
411 backends (passdb backend). Please refer to the smb.conf(5)
412 man page for details. While both parameters assume sane default
413 values, it is likely that you will need to understand what the
414 values actually mean in order to ensure Samba operates correctly.
416 The recommended passdb backends at this time are
418 * smbpasswd - 2.2 compatible flat file format
419 * tdbsam - attribute rich database intended as an smbpasswd
420 replacement for stand alone servers
421 * ldapsam - attribute rich account storage and retrieval
422 backend utilizing an LDAP directory.
423 * ldapsam_compat - a 2.2 backward compatible LDAP account
426 Certain functions of the smbpasswd(8) tool have been split between the
427 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
428 utility. See the respective man pages for details.
431 ######################################################################
435 This section outlines the new features affecting Samba / LDAP integration.
440 A new object class (sambaSamAccount) has been introduced to replace
441 the old sambaAccount. This change aids us in the renaming of attributes
442 to prevent clashes with attributes from other vendors. There is a
443 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
444 file to the new schema.
448 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
449 $ convertSambaAccount <DOM SID> old.ldif new.ldif
451 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
452 on the Samba PDC as root.
454 The old sambaAccount schema may still be used by specifying the
455 "ldapsam_compat" passdb backend. However, the sambaAccount and
456 associated attributes have been moved to the historical section of
457 the schema file and must be uncommented before use if needed.
458 The 2.2 object class declaration for a sambaAccount has not changed
459 in the 3.0 samba.schema file.
461 Other new object classes and their uses include:
463 * sambaDomain - domain information used to allocate rids
464 for users and groups as necessary. The attributes are added
465 in 'ldap suffix' directory entry automatically if
466 an idmap uid/gid range has been set and the 'ldapsam'
467 passdb backend has been selected.
469 * sambaGroupMapping - an object representing the
470 relationship between a posixGroup and a Windows
471 group/SID. These entries are stored in the 'ldap
472 group suffix' and managed by the 'net groupmap' command.
474 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
475 automatically and contains the next available 'idmap uid' and
478 * sambaIdmapEntry - object storing a mapping between a
479 SID and a UNIX uid/gid. These objects are created by the
480 idmap_ldap module as needed.
483 New Suffix for Searching
484 ------------------------
486 The following new smb.conf parameters have been added to aid in directing
487 certain LDAP queries when 'passdb backend = ldapsam://...' has been
490 * ldap suffix - used to search for user and computer accounts
491 * ldap user suffix - used to store user accounts
492 * ldap machine suffix - used to store machine trust accounts
493 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
494 * ldap idmap suffix - location of sambaIdmapEntry objects
496 If an 'ldap suffix' is defined, it will be appended to all of the
497 remaining sub-suffix parameters. In this case, the order of the suffix
498 listings in smb.conf is important. Always place the 'ldap suffix' first
501 Due to a limitation in Samba's smb.conf parsing, you should not surround
502 the DN's with quotation marks.
508 Samba 3.0 supports an ldap backend for the idmap subsystem. The
509 following options would inform Samba that the idmap table should be
510 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
515 idmap backend = ldap:ldap://onterose/
516 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
517 idmap uid = 40000-50000
518 idmap gid = 40000-50000
520 This configuration allows winbind installations on multiple servers to
521 share a uid/gid number space, thus avoiding the interoperability problems
522 with NFS that were present in Samba 2.2.
525 ######################################################################
529 * The smbldap perl scripts for managing user entries in an LDAP
530 directory have not be updated to function with the Samba 3.0
531 schema changes. This (or an equivalent solution) work is planned
532 to be completed prior to the stable 3.0.0 release.
534 Please refer to https://bugzilla.samba.org/ for a current list of bugs
535 filed against the Samba 3.0 codebase.
538 ######################################################################
539 Reporting bugs & Development Discussion
540 #######################################
542 Please discuss this release on the samba-technical mailing list or by
543 joining the #samba-technical IRC channel on irc.freenode.net.
545 If you do report problems then please try to send high quality
546 feedback. If you don't provide vital information to help us track down
547 the problem then you will probably be ignored.
549 A new bugzilla installation has been established to help support the
550 Samba 3.0 community of users. This server, located at
551 https://bugzilla.samba.org/, will replace the existing jitterbug server
552 and the old http://bugs.samba.org now points to the new bugzilla server.
git.samba.org / jra / samba / .git / blob