X-Git-Url: http://git.samba.org/samba.git/?p=jra%2Fsamba%2F.git;a=blobdiff_plain;f=WHATSNEW.txt;h=f01dc7456d4a21f9893045745412acdf006ab002;hp=5a0828d18d101b43b1e602bed54f63e46a7e9b50;hb=3d929b1ce67d945979552fe1ea2c70f6d3925326;hpb=e8ac5004b0ef131106e8d931bc75d9dd2814dff5 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5a0828d18d1..f01dc7456d4 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,318 +1,847 @@ - WHATS NEW IN Samba 3.0 alphaX - ============================= -This is a pre-release of Samba 3.0. This is NOT a stable release. -Use at your own risk. - -The purpose of this alpha release is to get wider testing of the major -new pieces of code in the current Samba 3.0 development tree. We have -officially ceased development on the 2.2.x release of Samba and are -concentrating on Samba 3.0. To reduce the time before the final Samba 3.0 -release we need as many poeple as possible to start testing these alpha -releases, and hopefully giving us some high quality feedback on what needs -fixing. - -Note that Samba 3.0 is not feature complete yet. There is a more -coding we have planned, but unless we get what we have done already more -widely tested we will have a hard time doing a stable release in a -reasonable time frame. + WHATS NEW IN Samba 3.0.1pre3 + November 14, 2003 + ============================== + +This is a preview release of the Samba 3.0.1 code base and is +provided for testing only. This release is *not* intended for +production servers. Use at your own risk. + +There have been several bug fixes since the 3.0.0 release that +we feel are important to make available to the Samba community +for wider testings. See the "Changes" section for details on +exact updates. + + +###################################################################### +Changes +####### +Changes since 3.0.1pre2 +----------------------- + +Please refer to the CVS log for the SAMBA_3_0 branch for complete +details: + +1) Skip over the winbind separator when looking up a user. + This fixes the bug that prevented local users from + matching an AD user when not running winbindd (bug 698). +2) Fix a problem with configure on *BSD systems. Make sure + we add -liconv etc to LDFLAGS. +3) Fix core dump bug when "security = server" and the authentication + server goes away. +4) Correct crash bug due to an empty munged dial string. +5) Show files locked by a specific user (smbstatus -u 'user') + (bug 590). +6) Fix bug preventing print jobs from display in the queue + monitor used by Windows NT and later clients (bug 660). +7) Fix several reported problems with point-n-print from + Windows 2000/XP clients due to a bug in the EnumPrinterDataEx() + reply (bug 338, 527 & 643). +8) Fix a handful of potential memory leaks in the LDAP code used + by ldapsam[_compat] and the LDAP idmap backend. + + +Changes since 3.0.1pre1 +----------------------- + +1) Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value. +2) Updated Japanese welcome file in SWAT. +3) Fix to nt-time <-> unix-time functions reversible. +4) Ensure that winbindd uses the the escaped DN when querying + an AD ldap server. +5) Fix portability issues when compiling (bug 505, 550) +6) Compile fix for tdbbackup when Samba needs to override + non-C99 compliant implementations of snprintf(). +7) Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574). +8) Make sure we break out of samsync loop on error. +9) Ensure error code path doesn't free unmalloc()'d memory + (bug 628). +10) Add configure test for krb5_keytab_entry keyblock vs key + member (bug 636). +11) Fixed spinlocks. +12) Modified testparm so that all output so all debug output goes + to stderr, and all file processing goes to stdout. +13) Fix error return code for BUFFER_TOO_SMALL in smbcacls + and smbcquotas. +14) Fix "NULL dest in safe_strcpy()" log message by ensuring that + we have a devmode before copying a string to the devicename. +15) Support mapping REALM.COM\user to a local user account (without + running winbindd) for compatibility with 2.2.x release. +16) Ensure we don't use mmap() on blacklisted systems. +17) fixed a number of bugs and memory leaks in the AIX + winbindd shim +18) Call initgroups() in SWAT before becomming the user so that + secondary group permissions can be used when writing to + smb.conf. +19) Fix signing problems when reverse connecting back to a + client for printer notify +20) Fix signing problems caused by a miss-sequence bug. +21) Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. + Fixes NEXUS tools running on Win9x clients (bug 64). +22) Don't leave the domain field uninitialized in cli_lsa.c if some + SID could not be mapped. +23) Fix segfault in mount.cifs helper when there is no options + specified during mount. +24) Change the \n after the password prompt to go to tty instead + of stdout (bug 668). +25) Stop net -P from prompting for machine account password (bug 451). +26) Change in behavior to Not only change the effective uid but also + the real uid when becoming unprivileged. +27) Cope with Exchange 5.5 cleartext pop password auth. +28) New files for support of initshutdown pipe. Win2k doesn't + respond properly to all requests on the winreg pipe, so we need + to handle this new pipe (bug 534). +29) Added more va_copy() checks in configure.in. +30) Include fixes for libsmbclient build problems. +31) Missing UNIX -> DOS codepage conversion in lanman.c. +32) Allow DFMS-S filenames can now have arbitrary case (bug 667). +33) Parameterize the listen backlog in smbd and make it larger by + default. A backlog of 5 is way too small these days. +34) Check for an invalid fid before dereferencing the fsp pointer + (bug 696). +35) Remove invalid memory frees and return codes in pdb_ldap.c. +36) Prompt for password when invoking --set-auth-user and no + password is given. +37) Bind the nmbd sending socket to the 'socket address'. +38) Re-order link command for smbd, rpcclient and smbpasswd to ensure + $LDFLAGS occurs before any library specification (bug 661). +39) Fix large number of printf() calls for 64-bit size_t. +40) Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the + keyblock in the krb5 structs. +41) Remove #include in hopes to avoid problems with + apache header files. +42) COrrect winbindd build problems on HP-UX 11 +43) Lowercase netgroups lookups (bug 703). +44) Use the actual size of the buffer in strftime instead of a made + up value which just happens to be less than sizeof(fstring). + (bug 713). +45) Add ldaplibs to pdbedit link line (bug 651). +46) Fix crash bug in smbclient completion (bug 659). +47) Fix packet length for browse list reply (bug 771). +48) Fix coredump in cli_get_backup_list(). +49) Make sure that we expand %N (bug 612). +50) Allow rpcclient adddriver command to specify printer driver + version (bug 514). +51) Compile tdbdump by default. +52) Apply patches to fix iconv detection for FreeBSD. +53) Do not allow the 'guest account' to be added to a passdb backend + using smbpasswd or pdbedit (bug 624). +54) Save LDFLAGS during iconv detection (bug 57). +55) Run krb5 logins through the username map if the winbindd + lookup fails (bug 698). +56) Add const for lp_set_name_resolve_order() to avoid compiler + warnings (bug 471). +57) Add support for the %i macro in smb.conf to stand in for the for + the local IP address to which a client connected. +58) Allow winbindd to match local accounts to domain SID when + 'winbind trusted domains only = yes' (bug 680). +59) Remove code in idmap_ldap that searches the user suffix and group + suffix. It's not needed and provides inconsistent functionality + from the tdb backend. +60) Patch to handle munged dial string for Windows 200 TSE. +61) Correct the "smbldap_open: cannot access when not root error" + messages when looking up group information (bug 281). + + + +Changes since 3.0.0 +------------------- + +Modified parameters + * mangled map (deprecated) + +Removed Parameters + * mangled stack (unused) + + +1) Change the interface for init_unistr2 to not take a length + but a flags field. We were assuming that + 2*strlen(mb_string) == length of ucs2-le string. (bug 480). +2) Allow d_printf() to handle strings with escaped quotation + marks since the msg file includes the escape character (bug 489). +3) Fix bad html table row termination in SWAT wizard code (bug 413). +4) Fix to parse the level-2 strings. +5) Fix for "valid users = %S" in [homes]. Fix read/write + list as well. +6) Change AC_CHECK_LIB_EXT to prepend libraries instead of append. + This is the same way AC_CHECK_LIB works (bug 508). +7) Testparm output fixes for clarity. +8) Fix broken wins hook functionality -- i18n bug (bug 528). +9) Take care of condition where DOS and NT error codes must differ. +10) Default to using only built-in charsets when a working iconv + implementation cannot be located. +11) Wrap internals of sys_setgroups() so the sys_XX() call can + be done unconditionally (bug 550). +12) Remove duplicate smbspool link on SWAT's front page (bug 541). +13) Save and restore CFLAGS before/after AC_PROG_CC. Ensures that + --enable-debug=[yes|no] works correctly. +14) Allow ^C to interrupt smbpasswd if using our getpass + (e.g. smbpasswd command). +15) Support signing only on RPC's (bug 167). +16) Correct bug that prevented Excel 2000 clients from opening + files marked as read-only. +17) Portability fix bugs 546 - 549). +18) Explicitly initialize the value of AR for vendor makes that don't + do this (e.g. HPUX 11). (bug 552). +19) More i18n fixes for SWAT (bug 413). +20) Change the cwd before the postexec script to ensure that a + umount will succeed. +21) Correct double free that caused winbindd to crash when a DC + is rebooted (bug 437). +22) Fix incorrect mode sum (bug 562). +23) Canonicalize SMB_INFO_ALLOCATION in the same was as + SMB_FS_FULL_SIZE_INFORMATION (bug 564). +24) Add script to generate *msg files. +25) Add Dutch SWAT translation file. +26) Make sure to call get_user_groups() with the full winbindd + name for a user if he/she has one (bug 406). +27) Fix up error code returns from Samba4 tester. Ensure invalid + paths are validated the same way. +28) Allow Samba3 to pass the Samba4 RAW-READ tests. +29) Refuse to configure if --with-expsam=$BACKEND was used but no + libraries were found for $BACKEND. +30) Move sysquotas autoconf tests to a separate file. +31) Match W2K w.r.t. writelock and writeclose. Samba4 torture + tester +32) Make sure that the files that contain the static_init_$subsystem; + macro get recompiled after configure by removing the object + files. +33) Ensure canceling a blocking lock returns the correct error + message. +34) Match Samba 2.2, and make ACB_NORMAL the default ACB value. + + + +###################################################################### + + ======================================= + The original 3.0.0 release notes follow + ======================================= + Major new features: ------------------- -- Active Directory support. This release is able to join a ADS realm - as a member server and authenticate users using - LDAP/kerberos. Please read ADS-HOWTO.txt in the release for a very - rough guide on how to set this up. +1) Active Directory support. Samba 3.0 is now able to + join a ADS realm as a member server and authenticate + users using LDAP/Kerberos. + +2) Unicode support. Samba will now negotiate UNICODE on the wire + and internally there is now a much better infrastructure for + multi-byte and UNICODE character sets. + +3) New authentication system. The internal authentication system + has been almost completely rewritten. Most of the changes are + internal, but the new auth system is also very configurable. + +4) New default filename mangling system. + +5) A new "net" command has been added. It is somewhat similar to + the "net" command in windows. Eventually we plan to replace + numerous other utilities (such as smbpasswd) with subcommands + in "net". + +6) Samba now negotiates NT-style status32 codes on the wire. This + improves error handling a lot. + +7) Better Windows 2000/XP/2003 printing support including publishing + printer attributes in active directory. + +8) New loadable module support for passdb backends and character + sets. + +9) New default dual-daemon winbindd support for better performance. + +10) Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group and domain SIDs. + +11) Support for establishing trust relationships with Windows NT 4.0 + domain controllers. + +12) Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to uid/gid mappings. + +13) Major updates to the Samba documentation tree. + +14) Full support for client and server SMB signing to ensure + compatibility with default Windows 2003 security settings. + +15) Improvement of ACL mapping features based on code donated by + Andreas Grünbacher. + + +Plus lots of other improvements! + + +Additional Documentation +------------------------ + +Please refer to Samba documentation tree (included in the docs/ +subdirectory) for extensive explanations of installing, configuring +and maintaining Samba 3.0 servers and clients. It is advised to +begin with the Samba-HOWTO-Collection for overviews and specific +tasks (the current book is up to approximately 400 pages) and to +refer to the various man pages for information on individual options. + +We are very glad to be able to include the second edition of +"Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown +(O'Reilly & Associates) in this release. The book is available +on-line at http://samba.org/samba/docs/ and is included with +the Samba Web Administration Tool (SWAT). Thanks to the authors and +publisher for making "Using Samba" under the GNU Free Documentation +License. + + +###################################################################### +Upgrading from a previous Samba 3.0 beta +######################################## + +Beginning with Samba 3.0.0beta3, the RID allocation functions +have been moved into winbindd. Previously these were handled +by each passdb backend. This means that winbindd must be running +to automatically allocate RIDs for users and/or groups. Otherwise, +smbd will use the 2.2 algorithm for generating new RIDs. + +If you are using 'passdb backend = tdbsam' with a previous Samba +3.0 beta release (or possibly alpha), it may be necessary to +move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb +to winbindd_idmap.tdb. To do this: + +1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least + once) +2) build tdbtool by executing 'make tdbtool' in the source/tdb/ + directory +3) run: (note that 'tdb>' is the tool's prompt for input) + + root# ./tdbtool /usr/local/samba/private/passdb.tdb + tdb> show RID_COUNTER + key 12 bytes + RID_COUNTER + data 4 bytes + [000] 0A 52 00 00 .R. + + tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb + .... + record moved + +If you are using 'passdb backend = ldapsam', it will be necessary to +store idmap entries in the LDAP directory as well (i.e. idmap backend += ldap). Refer to the 'net idmap' command for more information on +migrating SID<->UNIX id mappings from one backend to another. + +If the RID_COUNTER record does not exist, then these instructions are +unneccessary and the new RID_COUNTER record will be correctly generated +if needed. + + + +######################## +Upgrading from Samba 2.2 +######################## + +This section is provided to help administrators understand the details +involved with upgrading a Samba 2.2 server to Samba 3.0. + + +Building +-------- + +Many of the options to the GNU autoconf script have been modified +in the 3.0 release. The most noticeable are: + + * removal of --with-tdbsam (is now included by default; see section + on passdb backends and authentication for more details) + + * --with-ldapsam is now on used to provided backward compatible + parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb + backend and authentication section for more details + + * inclusion of non-standard passdb modules may be enabled using + --with-expsam. This includes an XML backend and a mysql backend. + + * removal of --with-msdfs (is now enabled by default) + + * removal of --with-ssl (no longer supported) + + * --with-utmp now defaults to 'yes' on supported systems + + * --with-sendfile-support is now enabled by default on supported + systems + + +Parameters +---------- + +This section contains a brief listing of changes to smb.conf options +in the 3.0.0 release. Please refer to the smb.conf(5) man page for +complete descriptions of new or modified parameters. + +Removed Parameters (order alphabetically): + + * admin log + * alternate permissions + * character set + * client codepage + * code page directory + * coding system + * domain admin group + * domain guest group + * force unknown acl user + * nt smb support + * postscript + * printer driver + * printer driver file + * printer driver location + * status + * strip dot + * total print jobs + * use rhosts + * valid chars + * vfs options + +New Parameters (new parameters have been grouped by function): + + Remote management + ----------------- + * abort shutdown script + * shutdown script + + User and Group Account Management + --------------------------------- + * add group script + * add machine script + * add user to group script + * algorithmic rid base + * delete group script + * delete user from group script + * passdb backend + * set primary group script + + Authentication + -------------- + * auth methods + * realm + + Protocol Options + ---------------- + * client lanman auth + * client NTLMv2 auth + * client schannel + * client signing + * client use spnego + * disable netbios + * ntlm auth + * paranoid server security + * server schannel + * server signing + * smb ports + * use spnego + + File Service + ------------ + * get quota command + * hide special files + * hide unwriteable files + * hostname lookups + * kernel change notify + * mangle prefix + * map acl inherit + * msdfs proxy + * set quota command + * use sendfile + * vfs objects + + Printing + -------- + * max reported print jobs + + UNICODE and Character Sets + -------------------------- + * display charset + * dos charset + * unicode + * unix charset + + SID to uid/gid Mappings + ----------------------- + * idmap backend + * idmap gid + * idmap uid + * winbind enable local accounts + * winbind trusted domains only + * template primary group + * enable rid algorithm + + LDAP + ---- + * ldap delete dn + * ldap group suffix + * ldap idmap suffix + * ldap machine suffix + * ldap passwd sync + * ldap user suffix + + General Configuration + --------------------- + * preload modules + * private dir + +Modified Parameters (changes in behavior): + + * encrypt passwords (enabled by default) + * mangling method (set to 'hash2' by default) + * passwd chat + * passwd program + * restrict anonymous (integer value) + * security (new 'ads' value) + * strict locking (enabled by default) + * unix extensions (enabled by default) + * winbind cache time (increased to 5 minutes) + * winbind uid (deprecated in favor of 'idmap uid') + * winbind gid (deprecated in favor of 'idmap gid') + + +Databases +--------- + +This section contains brief descriptions of any new databases +introduced in Samba 3.0. Please remember to backup your existing +${lock directory}/*tdb before upgrading to Samba 3.0. Samba will +upgrade databases as they are opened (if necessary), but downgrading +from 3.0 to 2.2 is an unsupported path. + +Name Description Backup? +---- ----------- ------- +account_policy User policy settings yes +gencache Generic caching db no +group_mapping Mapping table from Windows yes + groups/SID to unix groups +winbindd_idmap ID map table from SIDS to UNIX yes + uids/gids. +namecache Name resolution cache entries no +netsamlogon_cache Cache of NET_USER_INFO_3 structure no + returned as part of a successful + net_sam_logon request +printing/*.tdb Cached output from 'lpq no + command' created on a per print + service basis +registry Read-only samba registry skeleton no + that provides support for exporting + various db tables via the winreg RPCs + + +Changes in Behavior +------------------- + +The following issues are known changes in behavior between Samba 2.2 and +Samba 3.0 that may affect certain installations of Samba. + + 1) When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. + + 2) When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' + + +###################################################################### +Passdb Backends and Authentication +################################## + +There have been a few new changes that Samba administrators should be +aware of when moving to Samba 3.0. + + 1) encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. + + 2) Inclusion of new 'security = ads' option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. + + MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption + type which is neccessary for servers on which the + administrator password has not been changed, or kerberos-enabled + SMB connections to servers that require Kerberos SMB signing. + Besides this one difference, either MIT or Heimdal Kerberos + distributions are usable by Samba 3.0. + + +Samba 3.0 also includes the possibility of setting up chains +of authentication methods (auth methods) and account storage +backends (passdb backend). Please refer to the smb.conf(5) +man page for details. While both parameters assume sane default +values, it is likely that you will need to understand what the +values actually mean in order to ensure Samba operates correctly. + +The recommended passdb backends at this time are + + * smbpasswd - 2.2 compatible flat file format + * tdbsam - attribute rich database intended as an smbpasswd + replacement for stand alone servers + * ldapsam - attribute rich account storage and retrieval + backend utilizing an LDAP directory. + * ldapsam_compat - a 2.2 backward compatible LDAP account + backend + +Certain functions of the smbpasswd(8) tool have been split between the +new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) +utility. See the respective man pages for details. + + +###################################################################### +LDAP +#### + +This section outlines the new features affecting Samba / LDAP +integration. + +New Schema +---------- + +A new object class (sambaSamAccount) has been introduced to replace +the old sambaAccount. This change aids us in the renaming of attributes +to prevent clashes with attributes from other vendors. There is a +conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF +file to the new schema. + +Example: + + $ ldapsearch .... -b "ou=people,dc=..." > old.ldif + $ convertSambaAccount old.ldif new.ldif + +The can be obtained by running 'net getlocalsid ' +on the Samba PDC as root. + +The old sambaAccount schema may still be used by specifying the +"ldapsam_compat" passdb backend. However, the sambaAccount and +associated attributes have been moved to the historical section of +the schema file and must be uncommented before use if needed. +The 2.2 object class declaration for a sambaAccount has not changed +in the 3.0 samba.schema file. + +Other new object classes and their uses include: + + * sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. + + * sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. + + * sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' + + * sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. + + * sambaSidEntry - object representing a SID alone, as a Structural + class on which to build the sambaIdmapEntry. + + +New Suffix for Searching +------------------------ + +The following new smb.conf parameters have been added to aid in directing +certain LDAP queries when 'passdb backend = ldapsam://...' has been +specified. + + * ldap suffix - used to search for user and computer accounts + * ldap user suffix - used to store user accounts + * ldap machine suffix - used to store machine trust accounts + * ldap group suffix - location of posixGroup/sambaGroupMapping entries + * ldap idmap suffix - location of sambaIdmapEntry objects + +If an 'ldap suffix' is defined, it will be appended to all of the +remaining sub-suffix parameters. In this case, the order of the suffix +listings in smb.conf is important. Always place the 'ldap suffix' first +in the list. + +Due to a limitation in Samba's smb.conf parsing, you should not surround +the DN's with quotation marks. + + +IdMap LDAP support +------------------ + +Samba 3.0 supports an ldap backend for the idmap subsystem. The +following options would inform Samba that the idmap table should be +stored on the directory server onterose in the "ou=idmap,dc=plainjoe, +dc=org" partition. + + [global] + ... + idmap backend = ldap:ldap://onterose/ + ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org + idmap uid = 40000-50000 + idmap gid = 40000-50000 -- Unicode support. Samba will now negotiate unicode on the wire and - interally there is now a much better infrastructure for multi-byte - and unicode character sets. You may need the "dos charset", "unix - charset" and "display charset" options. The unicode support is not - yet documented. +This configuration allows winbind installations on multiple servers to +share a uid/gid number space, thus avoiding the interoperability problems +with NFS that were present in Samba 2.2. + -- New authentication system. The internal authentication system has - been almost completely rewritten. Most of the changes are internal, - but the new auth system is also very configurable. Not documented - yet. -- new filename mangling system. The filename mangling system has been - completely rewritten. An internal database now stores mangling maps - persistantly. This needs lots of testing. +###################################################################### +Trust Relationships and a Samba Domain +###################################### -- new "net" command. A new "net" command has been added. It is - somewhat similar to the "net" command in windows. Eventually we plan - to replace a bunch of other utilities (such as smbpasswd) with - subcommands in "net", at the moment only a few things are - implemented. +Samba 3.0.0beta2 is able to utilize winbindd as the means of +allocating uids and gids to trusted users and groups. More +information regarding Samba's support for establishing trust +relationships can be found in the Samba-HOWTO-Collection included +in the docs/ directory of this release. -- Samba now negotiates NT-style status32 codes on the wire. This - improves error handling a lot. +First create your Samba PDC and ensure that everything is +working correctly before moving on the trusts. -- better w2k printing support. The support for printing from win2000 - clients has improved greatly. +To establish Samba as the trusting domain (named SAMBA) from a Windows NT +4.0 domain named WINDOWS: -Plus lots of other changes! + 1) create the trust account for SAMBA in "User Manager for Domains" + 2) connect the trust from the Samba domain using + 'net rpc trustdom establish GLASS' +To create a trustlationship with SAMBA as the trusted domain: + 1) create the initial trust account for GLASS using + 'smbpasswd -a -i GLASS'. You may need to create a UNIX + account for GLASS$ prior to this step (depending on your + local configuration). + 2) connect the trust from a WINDOWS DC using "User Manager + for Domains" + +Now join winbindd on the Samba PDC to the SAMBA domain using +the normal steps for adding a Samba server to an NT4 domain: +(note that smbd & nmbd must be running at this point) + + root# net rpc join -U root + Password: + +Start winbindd and test the join with 'wbinfo -t'. + +Now test the trust relationship by connecting to the SAMBA DC +(e.g. POGO) as a user from the WINDOWS domain: + + $ smbclient //pogo/netlogon -U Administrator -W WINDOWS + Password: + +Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: + + $ smbclient //crystal/netlogon -U root -W WINDOWS + Password: + +###################################################################### +Changes in Winbind +################## + +Beginning with Samba3.0.0beta3, winbindd has been given new account +manage functionality equivalent to the 'add user script' family of +smb.conf parameters. The idmap design has also been changed to +centralize control of foreign SID lookups and matching to UNIX +uids and gids. + + +Brief Description of Changes +---------------------------- + +1) The sid_to_uid() family of functions (smbd/uid.c) have been + reverted to the 2.2.x design. This means that when resolving a + SID to a UID or similar mapping: + + a) First consult winbindd + b) perform a local lookup only if winbindd fails to + return a successful answer + + There are some variations to this, but these two rules generally + apply. + +2) All idmap lookups have been moved into winbindd. This means that + a server must run winbindd (and support NSS) in order to achieve + any mappings of SID to dynamically allocated UNIX ids. This was + a conscious design choice. + +3) New functions have been added to winbindd to emulate the 'add user + script' family of smbd functions without requiring that external + scripts be defined. This functionality is controlled by the 'winbind + enable local accounts' smb.conf parameter (enabled by default). + + However, this account management functionality is only supported + in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts + must be shared among multiple Samba servers (such as a PDC and BDCs), + it will be necessary to define your own 'add user script', et. al. + programs that place the accounts/groups in some form of directory + such as NIS or LDAP. This requirement was deemed beyond the scope + of winbind's account management functions. Solutions for + distributing UNIX system information have been deployed and tested + for many years. We saw no need to reinvent the wheel. + +4) A member of a Samba controlled domain running winbindd is now able + to map domain users directly onto existing UNIX accounts while still + automatically creating accounts for trusted users and groups. This + behavior is controlled by the 'winbind trusted domains only' smb.conf + parameter (disabled by default to provide 2.2.x winbind behavior). + +5) Group mapping support is wrapped in the local_XX_to_XX() functions + in smbd/uid.c. The reason that group mappings are not included + in winbindd is because the purpose of Samba's group map is to + match any Windows SID with an existing UNIX group. These UNIX + groups can be created by winbindd (see next section), but the + SID<->gid mapping is retreived by smbd, not winbindd. + + +Examples +-------- + +* security = server running winbindd to allocate accounts on demand + +* Samba PDC running winbindd to handle the automatic creation of UNIX + identities for machine trust accounts + +* Automtically creating UNIX user and groups when migrating a Windows NT + 4.0 PDC to a Samba PDC. Winbindd must be running when executing + 'net rpc vampire' for this to work. + + +###################################################################### +Known Issues +############ + +* There are several bugs currently logged against the 3.0 codebase + that affect the use of NT 4.0 GUI domain management tools when run + against a Samba 3.0 PDC. This bugs should be released in an early + 3.0.x release. + +Please refer to https://bugzilla.samba.org/ for a current list of bugs +filed against the Samba 3.0 codebase. + + +###################################################################### Reporting bugs & Development Discussion ---------------------------------------- +####################################### Please discuss this release on the samba-technical mailing list or by -joining the #samba-technical IRC channel on irc.openprojects.net +joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down -the problem then you will probably be ignored. - - -Changes in alpha21: - -1) - - - -Changes in alpha20: - -1) Rework the 'guest account gets RID 501' code again... -2) Change to use NT-based session key negotiated for Win2k SPNEGO -3) Support printer data registry keys other than the default - PrinterDriverData -4) Moved internal printerdata to REGISTRY_VALUE object -5) Corrected bug in dependentfiles list of DRIVER_INFO_3 -6) fixed logic bug in blocking locks code -7) Updated registry api code to work with new printer data key - support -8) Added vfstest tool -9) round lock timeouts in lockingX upwards to multiples of 1 second -10) Fixed bugs in Printer Change Notify code -11) added a 'net ads lookup' command that does a CLDAP NetLogon - query to a win2000 server -12) Added script to find undocumented smb.conf parameters -13) Added missing parameters to smb.conf(5) -14) receive & parse main CLDAP reply from win2k server -15) removed "admin log" & "alternate permissions" parameters from smb.conf -16) added a generic print_guid utility, and get the byte order handing -17) fixed memory corruption in cli_full_connection() -18) remove unused 'max packet' and 'packet size' options -19) add support for the "value,OID" format described in MSDN for Printer - Data values -20) moves NT_TOKEN generation into our authentication code -21) Update documentation build system -22) Several fixes for IRIX compiler -23) Correctly handle "max data count" value in smb transacts -24) Fix for permissions error when adding/modifying using a Print - server handle -25) Fix pam_smbpass to always check the return value of pdb_getsampwnam() -26) Use the 'init' flag to determine if the UID is set, rather than testing - the uid for -1 -27) Cope with non-unix accounts ) we just won't get the groups for those users -28) Add 'net rpc getsid' to fetch the PDC's SID into the local secrets.tdb. - Print domain SID on 'net rpc info' -29) don't use lp_passwd_file() to retrieve NIS domain name, but use location - instead -30) Various POSIX compatibility fixes -31) Show only non-default values in testparm -32) Fix longstanding bug in Win2k clients by clearing the shortname - buffer before returning ascii short name. -33) Add example backtrace script -34) Added NETLOGON NetServerAuthenticate3 include and parser file -35) fix for difference in strsep and strtok semantics in nmbd -36) Ensure we don't change to a user that we can't get an NT_TOKEN for -37) Put back in BDC support in set_server_role() -38) added a 'net rpc samdump' command for dumping the whole sam via - samsync operations (as a BDC) -39) don't use spnego in the client unless enabled in smb.conf -40) Added some new delta types discovered by Ronnie from ethereal -41) Cope with negative cache dns entries better -42) do not expose special files, only files, directories and links -43) attempts to simplify Samba's external lib dependencies -44) support non-root-mode systems without getgrouplist() -45) Some fixes for SMB signing -46) Pass the object name down to the enum_printers client rpc -47) add the netatalk VFS module -48) Ensure we have at least smb_size bytes before processing a packet -49) Allow us to "lock" printer tdb entries in memory to stop them being - re-used as cache -50) fix 2 byte alignment/offset bug that prevented Win2k/XP clients - from receiving all the printer data in EnumPrinterDataEx() -51) Add option to compile new sam system can be enabled with the - configure option --with-sam -52) Added SGML/DocBook version of developer oriented docs to build process -53) Return correct FILE_SUPERSEDED response -54) Added example sam module (skeleton) -55) Add plugin support for the sam system (based on passdb code) -56) show builtin groups in samdump -57) Adding samtest utility used to test sam backends -58) fix connecting to a BDC when the PDC is down but in WINS and no bcast - can be used to find a BDC -58) convert the LDAP/SASL code to use GSS-SPNEGO if possible -59) added cli_net_auth_3 client code -60) merge of phant0m key fix from APP_HEAD -61) allow rpcclient's samlogon command to use cli_net_3() -62) Added attribute specific OPEN tests -63) Fix bug with stat mode open being done on read-only open with - truncate -64) Add lots of const casts to function parameters -65) Implemented some more client side spoolss functions -66) usrmgr expects unicode as ProductType -67) Change JOB_INFO_CTR to return a pointer to an array rather than array of - pointers in client code -68) Various NTLMSSP fixes -69) fixed crash bug in cli_connection code -70) DeletePrinterDriver[Ex]() fixes from APP_HEAD -71) remove some inet_aton() calls for portability -72) Set default ACB attributes on 'unixsam' accounts -73) Add bcast_msg_flags to connection struct -74) aggregate change notify events in the smbd sender and when transmitting -75) Added better error code on out of space in printer spool directory -76) Removed total jobs check ) not applicable any more -77) fixed bug in share enumeration RPC code -78) extend the ADS_STATUS system to include NTSTATUS -79) commit trusted domain patch n+3 -80) remove block VFS module -81) restrict readline headers to readline.c -82) merge of various recycle bin VFS patches -83) Winbind client-side cleanups -84) change parametric option name to vfs_recycle_bin it is more - sane and do not pollute standard options namespace too much -85) added --enable-python configure option for building the samba-python - unit tests -86) correct trans2 bugs in client for enumerating files/directories -87) Re-add OS/2 EA error codes -88) Added patch for required attributes in directory listings to reply code -89) Fix browse synchronization bug by noticing that W2K DMB's return empty - NetServerEnum2 on port 445, but not on port 139 -90) Fix semantics of AbortPrinter() spoolss call in server code -91) Ensure we've failed a lock with a lock denied message before automatically - pushing it onto the blocking queue -92) Added experimental sendfile code -93) Initialize user_rid value in WINBIND_USERINFO structure returned by - the rpc version of query_user() -94) added gencache implementation -95) Merge the cli_shutdown change from 2_2 -96) Fixes for DeletePrinterDriverEx() -97) Fixed alignment error in spoolss code -98) Changed Major/Minor version info reported to Server Manager to 4.9 -99) Applied new display mode FLAGS for SWAT -100) Update to add DEVELOPER option to more parameters -101) Added --with-ads option, defaults to yes -102) Added --with-ldap option to configure -103) Add clock skew handling to our kerberos code -104) correct race condition in password change code for out machine account - when a member of a domain -105) First implementation for 'net rpc vampire' -106) store current handle's Device Mode with print job -107) Move functionality to check whether entries for lp_workgroup() and - "BUILTIN" exist and add them if necessary from check_correct_backend_entries - into sam_context_check_default_backends -108) allow --with-krb5 to override the location of the kerberos libs on - redhat -109) unlink spool file after submitting print job when using CUPS api -110) Add framework for samtest commands -111) Add the ability to view/set the current local domain SIDs to net command -112) When creating a group you have to take care of the fact that the - underlying unix might not like the group name -113) Don't uppercase the username and domain in a session setup -114) Merge of "profile acls" code from SAMBA_2_2 -115) Check for existing of security descriptor in PRINTER_INFO_2 structure - in rpc client code -116) Move to common user token debugging, and ensure we always print both the - NT_TOKEN and the unix credentials -117) If adding a user to ldap, make sure we have the 'account' structural class, - or else we can't add to OpenLDAP 2.1 -118) Kill of Get_Pwnam_Modify and smb_getpwnam() -119) add a 'ldap passwd sync' option to smb.conf -120) Whenever we deal with adding machine/trusted domain accounts, always reset - the flag to what we expect -121) Fix the circular dependency that was preventing 'domain master = auto' (the - default) from working -122) move all the passdb internal interface to NTSTATUS -123) to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to - store \\server\user back) and to correctly notice 'not set' compared to 'null - string' etc. -124) get some more of our access control bits right on the SAMR pipe -125) Add -r parameter to smbgroupedit. With -r you can manually choose - a rid - -Changes in alpha19 -1) Virtual registry framework with printing hooks (jerry) -2) Heavy registry updates (jerry) -3) Use 850 as the default DOS character set in smb.conf (tpot) -4) printer fixes ) removed encoding of queueid in job number (jra) -5) A lot of small fixes (jra) -6) Don't crash on setfileinfo on printer fsp(jra) -7) fixed line buffer mode in XFILE(jra) -8) update samba.schema from 2.2 (jerry,idra) -9) Fix problem with oplock breaks and win2k ) - noticed by Lev Iserovich (jra) -10) Update smbgroupedit to document -d ) thanks to metze (abartlet) -11) Support weird behaviour used by win9x pass-through auth (abartlet,tpot) -12) Support for duplicating stderr in log files (abartlet) -13) Move startup time initialisation to server.c (abartlet) -14) *A lot* of fixes and cleanups (abartlet) -15) Fix up compiler warnings (abartlet) -16) Few small fixes (tpot) -17) Renamed new_cli_netlogon_* -> cli_netlogon_* (tpot) -18) Fixed segfault in net time when host is unavailable (tridge) -19) Ensure to be root when opening printer backend tdb (jra) -20) Merges from APPLIANCE_HEAD (tpot,jerry) -21) configure updates (tridge) -22) getgrouplist() updates (tridge) -23) Support for pdbedit to query account policy values (abartlet) -24) Allow one to create trusting domain account using smbpasswd (mimir,abartlet) -25) 'Net rpc trustdom list' (mimir, abartlet) -26) Fix fallback to anonymous connection (mimir, abartlet) -27) Fix for pdb_ldap and OpenLDAP 2.1 -28) Added support in swat to determine whether winbind is running (idra) -29) Add 'hide unwritable' option (idra) -30) Correct pickup of [homes] share after subsequent session setups (abartlet) -31) Update rebind code in pdb_ldap (abartlet) -32) Add some info levels to RPC srvsvc code ) - thanks to Nigel Williams" (abartlet) -33) Small doc fixes (tridge) -34) good security patch from Timothy.Sell@unisys.com (tridge) -35) fix minor nits in nmbd from adtam@cup.hp.com (tridge) -36) make sure async dns nmbd child dies (tridge) -37) interim fix for nmbd not registering DOMAIN#1b (tridge) -38) fix for smbtar filename matching (tridge) -39) Better quote handling in smb.conf (abartlet) -40) Support browsers setting multiple languages in swat (idra) -41) Changed str_list_make to be able to use a different separator string (idra) -42) Samsync support to insert account info into the pdb (tpot) -43) Don't hide unwritable dirs when 'hide unwritable' is enabled ) - suggested by Alexander Oswald (idra) -44) Fix for handling sparse files in smbd (tridge) -45) Merges from 2_2 (jerry) -46) Minor printer fixes (jerry) -47) Add some checks to SID lookup code (abartlet) -48) Cascaded VFS (Alexander Bokovoy, idra) -49) Some netbios-less connections support in ADS mode (tridge) -50) ADS tweaks (tridge) -51) Fix plaintext passwords with win2k (tridge) -52) 'net ads info' reports IP of LDAP server (tridge) -53) Add some more RPC functions (jmcd) -54) Add 'smb ports = ' option (tridge) -55) Various small fixes (tridge) -56) Passdb security checks (abartlet) -57) Large winbind updates (abartlet) -58) Moved rpc client routines from libsmb to rpc_client (tpot) -59) Few nmbd fixes (jmcd) -60) Fix swat to handle new debug level code (idra) -61) Fix name length bug in namequeries (tridge) -62) Don't have client binaries depend on libs they don't use ) - patch from Steve Langasek (abartlet) -63) Printing change notification (merged from HEAD_APPLIANCE) (jerry) -64) fix delete printer driver (from HEAD_APPLIANCE) (jerry) -65) Added pdb_xml and pdb_mysql (jelmer) -66) Update pdb_test (jelmer) -67) Fix security issues with %m (abartlet) -68) Support for service joins from win2k AND use SPNEGO (jmcd) -69) pdbedit -i and -e fix, add -b (idra) -70) textdocs converted to sgml (jelmer, jerry) -71) Merge netbios namecache code from APPLIANCE_HEAD (tpot) -72) Fix segs in new NTLMSSP code (abartlet) -73) Always make guest rid 501 (abartlet) - - +the problem then you will probably be ignored. +A new bugzilla installation has been established to help support the +Samba 3.0 community of users. This server, located at +https://bugzilla.samba.org/, has replaced the older jitterbug server +previously located at http://bugs.samba.org/.