1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Release Notes Archive</title>
11 <h2>The Samba Team announces the first official release of Samba 3.0</h2>
15 The Samba Team is proud to announce the availability of the
16 first official, stable release of the Samba 3.0.0 code base.
18 The source code can be downloaded from :
20 <a href="http://download.samba.org/samba/ftp/">http://download.samba.org/samba/ftp/</a>
22 The uncompressed tarball and patch file have been signed
23 using GnuPG. The Samba public key is available at
25 <a href="http://download.samba.org/samba/ftp/samba-pubkey.asc">http://download.samba.org/samba/ftp/samba-pubkey.asc</a>
27 Binary packages are available at
29 <a href="http://download.samba.org/samba/ftp/Binary_Packages/">http://download.samba.org/samba/ftp/Binary_Packages/</a>
31 A simplified version of the CVS log of updates since 3.0.0rc4
32 can be found in the the download directory under the name
33 ChangeLog-3.0.0rc4-3.0.0.
35 Please file any bugs you find in this release at
37 <a href="https://bugzilla.samba.org/">https://bugzilla.samba.org/</a>
39 As always, all bugs are our responsibility.
45 #######################################################################
46 WHATS NEW IN Samba 3.0.0
48 ==============================
50 This is the first official release of Samba 3.0.0 code base. Work
51 on the SAMBA_3_0 CVS branch continues. Please refer to the section
52 on "Known Issues" for more details.
58 1) Active Directory support. Samba 3.0 is now able to
59 join a ADS realm as a member server and authenticate
60 users using LDAP/Kerberos.
62 2) Unicode support. Samba will now negotiate UNICODE on the wire
63 and internally there is now a much better infrastructure for
64 multi-byte and UNICODE character sets.
66 3) New authentication system. The internal authentication system
67 has been almost completely rewritten. Most of the changes are
68 internal, but the new auth system is also very configurable.
70 4) New default filename mangling system.
72 5) A new "net" command has been added. It is somewhat similar to
73 the "net" command in windows. Eventually we plan to replace
74 numerous other utilities (such as smbpasswd) with subcommands
77 6) Samba now negotiates NT-style status32 codes on the wire. This
78 improves error handling a lot.
80 7) Better Windows 2000/XP/2003 printing support including publishing
81 printer attributes in active directory.
83 8) New loadable module support for passdb backends and character
86 9) New default dual-daemon winbindd support for better performance.
88 10) Support for migrating from a Windows NT 4.0 domain to a Samba
89 domain and maintaining user, group and domain SIDs.
91 11) Support for establishing trust relationships with Windows NT 4.0
94 12) Initial support for a distributed Winbind architecture using
95 an LDAP directory for storing SID to uid/gid mappings.
97 13) Major updates to the Samba documentation tree.
99 14) Full support for client and server SMB signing to ensure
100 compatibility with default Windows 2003 security settings.
102 15) Improvement of ACL mapping features based on code donated by
106 Plus lots of other improvements!
109 Additional Documentation
110 ------------------------
112 Please refer to Samba documentation tree (included in the docs/
113 subdirectory) for extensive explanations of installing, configuring
114 and maintaining Samba 3.0 servers and clients. It is advised to
115 begin with the Samba-HOWTO-Collection for overviews and specific
116 tasks (the current book is up to approximately 400 pages) and to
117 refer to the various man pages for information on individual options.
119 We are very glad to be able to include the second edition of
120 "Using Samba" by Jay Ts, Robert Eckstein, and David Collier-Brown
121 (O'Reilly & Associates) in this release. The book is available
122 on-line at http://samba.org/samba/docs/ and is included with
123 the Samba Web Administration Tool (SWAT). Thanks to the authors and
124 publisher for making "Using Samba" under the GNU Free Documentation
128 ######################################################################
132 Please refer to the CVS log for the SAMBA_3_0 branch for complete
135 1) Fix bug that prevented filenames of length >100 characters
136 from being restored using smbclient's tar functionality.
137 2) Fix bug that prevented fast path code in strchr_m()
139 3) Make sure we store the desired access flag on incoming
141 4) Fix smbd crash when dealing with mangled file names.
142 5) Ensure that the group comment field is not overwritten
143 if it already exists.
144 6) Fix bug that prevented 'net rpc join' from working
145 with mixed mode AD domains (bug 442).
146 7) Fix crash in smbd when a Samba PDC is not able to
147 enumerate trusted domains (bug 450).
148 8) Fix crash bug found by the Samba4 testsuite.
149 9) Fix bug that prevented smbd from returning an ACL list
150 if one of the SIDs could not be resolved (bug 470).
151 10) Remove -P option from smbclient printing scripts since it
152 has a different meaning in Samba 3.0 (bug 473).
153 11) Sync smbldap-tools with latest version from idealx cvs tree.
154 12) Cleanup some warnings produced by the Sun C compiler.
155 13) Several fixes for SWAT relating to international character
162 1) Fix incorrect error message in testparm.c regarding 'map system'.
163 2) Protect against core dump if ioctl for print job sends invalid
165 3) Fix bug in generic hash cacluation.
166 4) Remove references to unused 'strip dot' parameter
167 5) Fix CPU burn bug in multi-byte character conversion.
168 6) Use opt_target_workgroup instead of lp_workgroup() in vampire
169 code so we can override the value in smb.conf with the -w option.
170 7) Display an error if we can't create a posix account for the
171 user when running 'net rpc vampire' (bug 323).
172 8) Fix UTF8 conversion bugs in LDAP passdb and idmap code (bug 296).
173 9) Fix smbd crash when changing the machine trust account password
175 10) Remove getpwnam() calls from init_sam_from_xxx(). This means
176 that %u & %g will no longer expand in the "login ..." set of
177 smb.conf options, but %U and %G still do. The payback is that
178 winbindd local accounts for users work with 'wbinfo -u'
179 when winbind is running on a Samba PDC.
180 11) Fix unitiailized timestamp where merging print_jobs and
182 12) Fix bug in debian packaging files affecting non-i386 platforms.
188 1) Remove Perl module dependencies in generated RedHat 8/9 RPMS.
189 2) Update mount helper to take synonyms for file_mode and
190 dir_mode (fmask and dmask).
191 3) Fix portability bug with log2pcaphex.
192 4) Use different algorithm to generate codepages source code which
193 allows to take gaps into account thus making unnecessary
194 extended [index] = value, syntax in to_ucs2 array (bug 380).
195 5) Fix comment strings to 43 bytes as per spec.
196 6) Fix pam_winbind compile bug on FreeBSD (bug 261).
197 7) Support for in-memory keytabs, which are needed to make heimdal
198 work properly. MIT does not support them, so this check will be
199 used to decide whether to use them. (partial fix for bug 372).
200 8) Disable RC4-HMAC on broken heimdal setups. (remainder of bug
202 9) Correct bug in smbclient that resulted in errors when untarring
203 long filenames (bug 308).
204 10) Improve autoconf checks for PAM header files and libs.
205 11) Added fast path to convert_string() when dealing with
206 ASCII->ASCII, UCS2-LE->ASCII, and ASCII->UCS2-LE with
208 12) Quiet debug messages when we don't find a module and it is not
209 a critical error (bug 375).
210 13) Fix UNIX passwd sync properly.
211 14) Fix more transitive trust issues in winbindd (bug 305).
212 15) Ensure that winbindd functions with 'disable netbios = yes'
213 16) Store the real short domain name in secrets.tdb as soon as we
214 know it. Also display an error message when joining an AD
215 domain and the 'workgroup' parameter has not been specified.
216 17) Return 0 DFS links instead of -1 when dfs support is not enabled.
217 18) Update LDAP schema for Netscape DS 4.x and Novell eDirectory 8.7
218 19) Ensure that name types can be specified using name#type notation
219 in the 'net' command (bug 73).
220 20) Add retry looks to ADS sequence number and domain SID lookups
222 21) use a variant of alloc_sub_basic() for string lists such as
223 'valid users', 'write list', and 'read list' (bug 397).
224 22) Fix seg fault when winbindd receives an error from the AD server
225 in response to an LDAP search (bug 282).
226 23) Update findsmb to use the new syntax for smbclient and nmblookup.
227 24) Fix bug that prevented variables from being used in explicitly
228 defined path in [homes].
229 25) Only set SIDs when they're returned by the MySQL query
231 26) Include support for NTLMv2 key exchange.
232 27) Revert default for 'client ntlmv2 auth' to off (bug 359).
233 28) Fix crash in winbindd when the trust account password gets
234 changed underneath us via 'net rpc changetrustpw' (bug 382).
235 29) Use djb-algorithm string hash - faster than the tdb one we
236 used to use. Does not change on disk format or hashing location.
237 30) Implements some kind of improved AFS support for Samba on
238 Linux with OpenAFS 1.2.10. './configure --with-fake-kaserver'
239 assumes that you have OpenAFS on your machine.
240 31) When enumerating dfs shares loop from 0 to lp_numservices() instead
241 of relying on lp_servicename(n) to return an empty string for
242 invalid service numbers (bug 403).
243 32) Fix crash bug in 'net rpc samdump' (bug 334).
244 33) Fix crash bug in WINS NSS module (bug 299).
245 34) Fix a few minor compile errors on HP-UX.
252 1) Add levels 261 and 262 to search. Found using Samba4 tester.
253 2) Correct bad error return code in session setup reply
254 3) Fix bug where smbd returned DOS error codes from SMBsearch
255 even when NT1 protocol was negotiated.
256 4) Implement SMBexit properly.
257 5) Return group lists from a Samba PDC to a Windows 9x/ME box
258 in implementing user level access control (bug 314).
259 6) Prevent SWAT from crashing when adding shares (bug 254)
260 7) Fix various documentation issues (bugs 304 & 214)
261 8) Fix wins server listing in SWAT (bug 197)
262 9) Fix problem in rpcclient that caused enumerating printer
263 drivers to report failure (bug 294).
264 10) Use kerberos 5 authentication in our client code whenever possible
265 11) Fix schannel bug that caused Active Directory DC's to downgrade our
266 machine account to an NT member.
267 12) Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call (bug 252).
268 13) Implement automatic generation of include/version.h
269 14) Include initial version of smbldap-tool scripts for the Samba
271 15) Implement numerous fixes for multi-byte character strings.
272 16) Enable 'unix extensions' parameter by default.
273 17) Make sure we set the SID type when falling back to the rid
275 18) Correct linking problems with pam_smbpass (bug 327).
276 19) Add SYSV defines for Irix and Solaris to ensure the 'printing'
277 parameter default to the correct value (bug 230)
278 20) Fix recursion bug in alloc_string_sub() (bug 289, et. al.)
279 21) Ensure that 'make install' includes the static and shared
280 versions of the libsmbclient libraries.
281 22) Add CP850 and CP437 internal character set support (bug 150).
282 23) Add support to examples/LDAP/convertSambaAccount for generating
283 LDIF modify files instead of just add (303).
284 24) Fix support for -W option in smbclient (bug 39)
285 25) Remove 'ldap trust ids' parameter since it could not be supported
286 by the current architecture.
287 26) Don't crash when no argument is given to -T in smbclient (bug 345).
288 27) Ensure smbadduser contains the same paths for the smbpasswd file
289 as the other Samba tools (bug 290).
290 28) Port of 'available = no' fix for [homes] from SAMBA_2_2 cvs tree.
291 29) Add sanity checks to DeletePrinterData[Ex]() and ensure that the
292 modified printer is written to disk.
293 30) Force winbindd to periodically update the trusted domain cache.
294 31) Remove outdated import/export script to convert an smbpasswd file
295 to and from and LDAP directory. Use the pdbedit tool instead.
296 32) Ensure that %U substitution is restored on next valid packet
300 Changes since 3.0beta3
301 ######################
303 1) Various memory leak fixes.
304 2) Provide full support for SMB signing (server and client)
305 3) Check for broken getgrouplist() in glibc.
306 4) Don't get stuck in an infinite loop listing directories
307 recursively if the server returns an empty directory name
309 5) Idle LDAP connections after 150 seconds.
310 6) Patched make uninstallmodules (bug 236).
311 7) Fix bug that caused smbd to return incomplete directory listings
312 when UNIX files contained MS wildcard characters.
313 8) Quiet default debug messages in command line tools.
314 9) Fixes to avoid panics on invalid multi-byte strings.
315 10) Fix error messages when creating a new smbpasswd file (bug 198).
316 11) Implemented better detection routines in autoconf scripts for
317 locating ads support on the host OS.
318 12) Fix bug that caused libraries in /usr/local/lib to be ignored
320 13) Ensure winbindd_ads uses the correct realm or domain name when
321 connecting to trusted DC.
322 14) Ensure a correct prototype is created for snprintf() (bug 187)
323 15) Stop files being created on read-only shares in some circumstances.
324 16) Fix wbinfo -p (bug 251)
325 17) Support schannel on any tcp/ip connection if necessary
326 18) Correct bug in user_in_list() so that it works with winbind groups
328 19) Ensure the schannel bind credentials default to the domain
329 of the destination host.
330 20) Default password expiration time in account_pol.tdb to never
331 expire. Remove any existing account_pol.tdb file to reset
332 the new default policy (bug 184).
333 21) Add buttons to SWAT to change the view of smb.conf (bug 212)
334 22) Fix incorrect checks that determine whether or not the 'add user
335 script' has been set.
336 23) More cleanup for internal character set conversions.
337 24) Fixes for multi-byte strings in stat cache code.
338 25) Ensure that the net command honors the 'workgroup' parameter
339 in smb.conf when not overridden from the command line.
340 26) Add gss-spnego support to the ntlm_auth tool.
341 27) Add vfs_default_quota VFS module.
342 28) Added server support for NT quota interfaces.
343 29) Prevent Krb5 replay attacks by adding a replay_cache.
344 30) Fix problems with winbindd and transitive trusts in AD domains.
345 31) Added -S to client tools for setting SMB signing options on the
347 32) Fix bug causing the 'passwd change program' to be called as the
348 connected user and not root.
349 33) Fixed data corruption bug in byte-range locking (e.g. affected MS Excel).
350 34) Support winbindd on FreeBSD is possible.
351 35) Look at only the first OID in the security blob sent in the session
352 setup request to determine the token type.
353 36) Only push locks onto a blocking lock queue if the posix lock failed with
354 EACCES or EAGAIN (this means another lock conflicts). Else return an
355 error and don't queue the request.
356 37) Fix command line argument processing for smbtar.
357 38) Correct issue that caused smbd to return generic unix_user.<uid>
359 39) Default to algorithmic mapping when generating a rid for a group
361 40) Expand %g and %G in logon script, profile path, etc... during
362 a domain logon (bug 208).
363 41) Make sure smbclient obeys '-s <config>'
364 42) Added win2k3 shadow copy operations to VFS interface.
365 43) Allow connections to samba domain member as SERVER\user (don't
366 always default to DOMAIN\user).
367 44) Remove checks in winbindd that caused it to attempt to use
368 non-transitive trust relationships.
369 45) Remove delays in winbindd caused by invalid DNS lookups.
370 46) Fix supplementary group memberships on systems with slightly
371 broken NSS implementations (bug 267).
372 47) Correct issue that prevented smbclient from viewing shares on
373 a win2k server when using a non-anonymous connection (bug 284).
374 48) Add --domain=DOMAIN_NAME to wbinfo for limiting operations like
375 'wbinfo -u' to a single domain. The '.' character represents
377 49) Fix group enumeration bug when using an LDAP directory for
378 storing group mappings.
379 50) Default to use NTLMv2 if available. Fallback to not use LM/NTLM
380 when the extended security capability bit is not set.
381 51) Fix crash in 'wbinfo -a' when using extended characters in the
383 52) Fix multi-byte strupper() panics (bug 205).
384 53) Add vfs_readonly VFS module.
385 54) Make sure to initialize the sambaNextUserRid and sambaNextGroupRid
386 attributes when using 'idmap backend = ldap' (bug 280).
387 55) Make sure that users shared between a Samba PDC and member
388 samba server are seen as domain users and not local users on the
390 56) Fix Query FS Info level 2.
391 57) Allow enumeration of users and groups by win9x "file server" (bug
393 58) Create symlinks during install for modules that support mutliple
395 59) More iconv detection fixes.
396 60) Fix path length error in vfs_recycle module (bug 291).
397 61) Added server support for the LSA_DS UUID on the \lsarpc pipe.
398 (server DsRoleGetPrimaryDomainInfo() is currently disabled).
399 62) Fix SMBseek and get/set position calls.
400 62) Fix SetFileInfo level 1.
401 63) Added tool to convert smbd log file to a pcap file (log2pcaphex).
405 Changes since 3.0beta2
406 ######################
408 1) Added fix for Japanese case names in statcache code;
409 these can change size on upper casing.
410 2) Correct issues with iconv detection in configure script
411 (support needed to find iconv libraries on FreeBSD).
412 3) Fix bug that caused a WINS server to be marked as dead
413 incorrectly (bug #190).
414 4) Removing additional deadlocks conditions that prevented
415 winbindd from running on a Samba PDC (used for trust
417 5) Add support for searching for Active Directory for
418 published printers (net ads printer search).
419 6) Separate UNIX username from DOMAIN\username in pipe
421 7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED
422 for cases that they cannot handle.
423 8) Flush winbindd connection cache when the machine trust account
424 password is changed while a connection is open (bug #200).
425 9) Add support for 'OSVersion' server printer data string
426 (corrects problem with uploading printer drivers from
428 10) Numerous memory leak fixes.
429 11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"):
430 - Store domain SID in LDAP directory.
431 - store idmap information in existing entries (use sambaSID=...
432 if adding a new entry).
433 12) Fix incorrect usage of primary group SID when looking up user
435 13) Remove idmap_XX_to_XX calls from smbd. Move back to the the
436 winbind_XXX and local_XXX calls used in 2.2.
437 14) All uid/gid allocation must involve winbindd now (we do not
438 attempt to map unknown SIDs to a UNIX identify).
439 15) Add 'winbind trusted domains only' parameter to force a domain
440 member. The server to use matching users names from /etc/passwd
441 for its domain (needed for domain member of a Samba domain).
442 16) Rename 'idmap only' to 'enable rid algorithm' for better clarity
444 17) Add support for multi-byte statcache code (bug #185)
445 18) Fix open mode race condition.
446 19) Implement winbindd local account management functions. Refer to
447 the "Winbind Changes" section for details.
448 20) Move RID allocation functions into idmap backend.
449 21) Fix parsing error that prevented publishing printers from a
450 Samba server in an AD domain.
451 22) Revive NTLMSSP support for named pipes.
452 23) More SCHANNEL fixes.
453 24) Correct SMB signing with NTLMSSP.
454 25) Fix coherency bug in print handle/printer object caching code
455 that could cause XP clients to infinitely loop while updating
456 their local printer cache.
457 26) Make winbindd use its dual-daemon mode by default (use -Y to
458 start as a single process).
459 27) Add support to nmbd and winbindd for 'smbcontrol <pid>
461 28) Correct problem with smbtar when dealing with files > 8Gb
466 Changes since 3.0beta1
467 ######################
469 1) Rework our smb signing code again, this factors out some of
470 the common MAC calculation code, and now supports multiple
471 outstanding packets (bug #40).
472 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
474 3) Correct timestamp problem on 64-bit machines (bug #140).
475 4) Add extra debugging statements to winbindd for tracking down
477 5) Fix bug when aliased 'winbind uid/gid' parameters are used.
478 ('winbind uid/gid' are now replaced with 'idmap uid/gid').
479 6) Added an auth flag that indicates if we should be allowed
480 to fall back to NTLMSSP for SASL if krb5 fails.
481 7) Fixed the bug that forced us not to use the winbindd cache when
482 we have a primary ADS domain and a secondary (trusted) NT4
484 8) Use lp_realm() to find the default realm for 'net ads password'.
485 9) Removed editreg from standard build until it is portable..
486 10) Fix domain membership for servers not running winbindd.
487 11) Correct race condition in determining the high water mark
488 in the idmap backend (bug #181).
489 12) Set the user's primary unix group from usrmgr.exe (partial
491 13) Show comments when doing 'net group -l' (bug #3).
492 14) Add trivial extension to 'net' to dump current local idmap
493 and restore mappings as well.
494 15) Modify 'net rpc vampire' to add new and existing users to
495 both the idmap and the SAM. This code needs further testing.
496 16) Fix crash bug in ADS searches.
497 17) Build libnss_wins.so as part of nsswitch target (bug #160).
498 18) Make net rpc vampire return an error if the sam sync RPC
500 19) Fail to join an NT 4 domain as a BDC if a workstation account
501 using our name exists.
502 20) Fix various memory leaks in server and client code
503 21) Remove the short option to --set-auth-user for wbinfo (-A) to
504 prevent confusion with the -a option (bug #158).
505 22) Added new 'map acl inherit' parameter.
506 23) Removed unused 'privileges' code from group mapping database.
507 24) Don't segfault on empty passdb backend list (bug #136).
508 25) Fixed acl sorting algorithm for Windows 2000 clients.
509 26) Replace universal group cache with netsamlogon_cache
510 from APPLIANCE_HEAD branch.
511 27) Fix autoconf detection issues surrounding --with-ads=yes
512 but no Krb5 header files installed (bug #152).
513 28) Add LDAP lookup for domain sequence number in case we are
514 joined using NT4 protocols to a native mode AD domain.
515 29) Fix backend method selection for trusted NT 4 (or 2k
517 30) Fixed bug that caused us to enumerate domain local groups
518 from native mode AD domains other than our own.
519 31) Correct group enumeration for viewing in the Windows
520 security tab (bug #110).
521 32) Consolidate the DC location code.
522 33) Moved 'ads server' functionality into 'password server' for
523 backwards compatibility.
524 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
525 ( if you installed beta1, be sure to
526 'mv idmap.tdb winbindd_idmap.tdb' ).
527 35) Fix pdb_ldap segfaults, and wrong default values for
529 36) Enable negative connection cache for winbindd's ADS backend
531 37) Enable address caching for active directory DC's so we don't
532 have to hit DNS so much.
533 38) Fix bug in idmap code that caused mapping to randomly be
535 39) Add tdb locking code to prevent race condition when adding a
536 new mapping to idmap.
537 40) Fix 'map to guest = bad user' when acting as a PDC supporting
539 41) Prevent deadlock issues when running winbindd on a Samba PDC
540 to handle allocating uids & gids for trusted users and groups
541 42) added LOCALE patch from Steve Langasek (bug #122).
542 43) Add the 'guest' passdb backend automatically to the end of
543 the 'passdb backend' list if 'guest account' has a valid
545 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
546 handle our local names (or domain name if we are a PDC).
547 Move existing permissive 'sam' method to 'sam_ignoredomain'
548 and make 'samstrict' the new default 'sam' auth method.
549 45) Match Windows NT4/2k behavior when authenticating a user with
550 and unknown domain (default to our domain if we are a DC or
551 domain member; default to our local name if we are a
553 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
554 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
555 47) Fix the trustdom_cache code to update the list of trusted
556 domains when operating as a domain member and not using
558 48) Remove 'nisplussam' passdb backend since it has suffered for
559 too long without a maintainer.
564 ######################################################################
565 Upgrading from a previous Samba 3.0 beta
566 ########################################
568 Beginning with Samba 3.0.0beta3, the RID allocation functions
569 have been moved into winbindd. Previously these were handled
570 by each passdb backend. This means that winbindd must be running
571 to automatically allocate RIDs for users and/or groups. Otherwise,
572 smbd will use the 2.2 algorithm for generating new RIDs.
574 If you are using 'passdb backend = tdbsam' with a previous Samba
575 3.0 beta release (or possibly alpha), it may be necessary to
576 move the RID_COUNTER entry from /usr/local/samba/private/passdb.tdb
577 to winbindd_idmap.tdb. To do this:
579 1) Ensure that winbindd_idmap.tdb exists (launch winbindd at least
581 2) build tdbtool by executing 'make tdbtool' in the source/tdb/
583 3) run: (note that 'tdb>' is the tool's prompt for input)
585 root# ./tdbtool /usr/local/samba/private/passdb.tdb
586 tdb> show RID_COUNTER
590 [000] 0A 52 00 00 .R.
592 tdb> move RID_COUNTER /usr/local/samba/var/locks/winbindd_idmap.tdb
596 If you are using 'passdb backend = ldapsam', it will be necessary to
597 store idmap entries in the LDAP directory as well (i.e. idmap backend
598 = ldap). Refer to the 'net idmap' command for more information on
599 migrating SID<->UNIX id mappings from one backend to another.
601 If the RID_COUNTER record does not exist, then these instructions are
602 unneccessary and the new RID_COUNTER record will be correctly generated
607 ########################
608 Upgrading from Samba 2.2
609 ########################
611 This section is provided to help administrators understand the details
612 involved with upgrading a Samba 2.2 server to Samba 3.0.
618 Many of the options to the GNU autoconf script have been modified
619 in the 3.0 release. The most noticeable are:
621 * removal of --with-tdbsam (is now included by default; see section
622 on passdb backends and authentication for more details)
624 * --with-ldapsam is now on used to provided backward compatible
625 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
626 backend and authentication section for more details
628 * inclusion of non-standard passdb modules may be enabled using
629 --with-expsam. This includes an XML backend and a mysql backend.
631 * removal of --with-msdfs (is now enabled by default)
633 * removal of --with-ssl (no longer supported)
635 * --with-utmp now defaults to 'yes' on supported systems
637 * --with-sendfile-support is now enabled by default on supported
644 This section contains a brief listing of changes to smb.conf options
645 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
646 complete descriptions of new or modified parameters.
648 Removed Parameters (order alphabetically):
651 * alternate permissions
654 * code page directory
658 * force unknown acl user
662 * printer driver file
663 * printer driver location
671 New Parameters (new parameters have been grouped by function):
675 * abort shutdown script
678 User and Group Account Management
679 ---------------------------------
682 * add user to group script
683 * algorithmic rid base
684 * delete group script
685 * delete user from group script
687 * set primary group script
703 * paranoid server security
713 * hide unwriteable files
715 * kernel change notify
725 * max reported print jobs
727 UNICODE and Character Sets
728 --------------------------
734 SID to uid/gid Mappings
735 -----------------------
739 * winbind enable local accounts
740 * winbind trusted domains only
741 * template primary group
742 * enable rid algorithm
749 * ldap machine suffix
753 General Configuration
754 ---------------------
758 Modified Parameters (changes in behavior):
760 * encrypt passwords (enabled by default)
761 * mangling method (set to 'hash2' by default)
764 * restrict anonymous (integer value)
765 * security (new 'ads' value)
766 * strict locking (enabled by default)
767 * unix extensions (enabled by default)
768 * winbind cache time (increased to 5 minutes)
769 * winbind uid (deprecated in favor of 'idmap uid')
770 * winbind gid (deprecated in favor of 'idmap gid')
776 This section contains brief descriptions of any new databases
777 introduced in Samba 3.0. Please remember to backup your existing
778 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
779 upgrade databases as they are opened (if necessary), but downgrading
780 from 3.0 to 2.2 is an unsupported path.
782 Name Description Backup?
783 ---- ----------- -------
784 account_policy User policy settings yes
785 gencache Generic caching db no
786 group_mapping Mapping table from Windows yes
787 groups/SID to unix groups
788 winbindd_idmap ID map table from SIDS to UNIX yes
790 namecache Name resolution cache entries no
791 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
792 returned as part of a successful
793 net_sam_logon request
794 printing/*.tdb Cached output from 'lpq no
795 command' created on a per print
797 registry Read-only samba registry skeleton no
798 that provides support for exporting
799 various db tables via the winreg RPCs
805 The following issues are known changes in behavior between Samba 2.2 and
806 Samba 3.0 that may affect certain installations of Samba.
808 1) When operating as a member of a Windows domain, Samba 2.2 would
809 map any users authenticated by the remote DC to the 'guest account'
810 if a uid could not be obtained via the getpwnam() call. Samba 3.0
811 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
812 current work around to re-establish the 2.2 behavior.
814 2) When adding machines to a Samba 2.2 controlled domain, the
815 'add user script' was used to create the UNIX identity of the
816 machine trust account. Samba 3.0 introduces a new 'add machine
817 script' that must be specified for this purpose. Samba 3.0 will
818 not fall back to using the 'add user script' in the absence of
819 an 'add machine script'
822 ######################################################################
823 Passdb Backends and Authentication
824 ##################################
826 There have been a few new changes that Samba administrators should be
827 aware of when moving to Samba 3.0.
829 1) encrypted passwords have been enabled by default in order to
830 inter-operate better with out-of-the-box Windows client
831 installations. This does mean that either (a) a samba account
832 must be created for each user, or (b) 'encrypt passwords = no'
833 must be explicitly defined in smb.conf.
835 2) Inclusion of new 'security = ads' option for integration
836 with an Active Directory domain using the native Windows
837 Kerberos 5 and LDAP protocols.
839 MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
840 type which is neccessary for servers on which the
841 administrator password has not been changed, or kerberos-enabled
842 SMB connections to servers that require Kerberos SMB signing.
843 Besides this one difference, either MIT or Heimdal Kerberos
844 distributions are usable by Samba 3.0.
847 Samba 3.0 also includes the possibility of setting up chains
848 of authentication methods (auth methods) and account storage
849 backends (passdb backend). Please refer to the smb.conf(5)
850 man page for details. While both parameters assume sane default
851 values, it is likely that you will need to understand what the
852 values actually mean in order to ensure Samba operates correctly.
854 The recommended passdb backends at this time are
856 * smbpasswd - 2.2 compatible flat file format
857 * tdbsam - attribute rich database intended as an smbpasswd
858 replacement for stand alone servers
859 * ldapsam - attribute rich account storage and retrieval
860 backend utilizing an LDAP directory.
861 * ldapsam_compat - a 2.2 backward compatible LDAP account
864 Certain functions of the smbpasswd(8) tool have been split between the
865 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
866 utility. See the respective man pages for details.
869 ######################################################################
873 This section outlines the new features affecting Samba / LDAP
879 A new object class (sambaSamAccount) has been introduced to replace
880 the old sambaAccount. This change aids us in the renaming of attributes
881 to prevent clashes with attributes from other vendors. There is a
882 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
883 file to the new schema.
887 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
888 $ convertSambaAccount <DOM SID> old.ldif new.ldif
890 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
891 on the Samba PDC as root.
893 The old sambaAccount schema may still be used by specifying the
894 "ldapsam_compat" passdb backend. However, the sambaAccount and
895 associated attributes have been moved to the historical section of
896 the schema file and must be uncommented before use if needed.
897 The 2.2 object class declaration for a sambaAccount has not changed
898 in the 3.0 samba.schema file.
900 Other new object classes and their uses include:
902 * sambaDomain - domain information used to allocate rids
903 for users and groups as necessary. The attributes are added
904 in 'ldap suffix' directory entry automatically if
905 an idmap uid/gid range has been set and the 'ldapsam'
906 passdb backend has been selected.
908 * sambaGroupMapping - an object representing the
909 relationship between a posixGroup and a Windows
910 group/SID. These entries are stored in the 'ldap
911 group suffix' and managed by the 'net groupmap' command.
913 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
914 automatically and contains the next available 'idmap uid' and
917 * sambaIdmapEntry - object storing a mapping between a
918 SID and a UNIX uid/gid. These objects are created by the
919 idmap_ldap module as needed.
921 * sambaSidEntry - object representing a SID alone, as a Structural
922 class on which to build the sambaIdmapEntry.
925 New Suffix for Searching
926 ------------------------
928 The following new smb.conf parameters have been added to aid in directing
929 certain LDAP queries when 'passdb backend = ldapsam://...' has been
932 * ldap suffix - used to search for user and computer accounts
933 * ldap user suffix - used to store user accounts
934 * ldap machine suffix - used to store machine trust accounts
935 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
936 * ldap idmap suffix - location of sambaIdmapEntry objects
938 If an 'ldap suffix' is defined, it will be appended to all of the
939 remaining sub-suffix parameters. In this case, the order of the suffix
940 listings in smb.conf is important. Always place the 'ldap suffix' first
943 Due to a limitation in Samba's smb.conf parsing, you should not surround
944 the DN's with quotation marks.
950 Samba 3.0 supports an ldap backend for the idmap subsystem. The
951 following options would inform Samba that the idmap table should be
952 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
957 idmap backend = ldap:ldap://onterose/
958 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
959 idmap uid = 40000-50000
960 idmap gid = 40000-50000
962 This configuration allows winbind installations on multiple servers to
963 share a uid/gid number space, thus avoiding the interoperability problems
964 with NFS that were present in Samba 2.2.
968 ######################################################################
969 Trust Relationships and a Samba Domain
970 ######################################
972 Samba 3.0.0beta2 is able to utilize winbindd as the means of
973 allocating uids and gids to trusted users and groups. More
974 information regarding Samba's support for establishing trust
975 relationships can be found in the Samba-HOWTO-Collection included
976 in the docs/ directory of this release.
978 First create your Samba PDC and ensure that everything is
979 working correctly before moving on the trusts.
981 To establish Samba as the trusting domain (named SAMBA) from a Windows NT
982 4.0 domain named WINDOWS:
984 1) create the trust account for SAMBA in "User Manager for Domains"
985 2) connect the trust from the Samba domain using
986 'net rpc trustdom establish GLASS'
988 To create a trustlationship with SAMBA as the trusted domain:
990 1) create the initial trust account for GLASS using
991 'smbpasswd -a -i GLASS'. You may need to create a UNIX
992 account for GLASS$ prior to this step (depending on your
993 local configuration).
994 2) connect the trust from a WINDOWS DC using "User Manager
997 Now join winbindd on the Samba PDC to the SAMBA domain using
998 the normal steps for adding a Samba server to an NT4 domain:
999 (note that smbd & nmbd must be running at this point)
1001 root# net rpc join -U root
1002 Password: <enter root password from smbpasswd file here>
1004 Start winbindd and test the join with 'wbinfo -t'.
1006 Now test the trust relationship by connecting to the SAMBA DC
1007 (e.g. POGO) as a user from the WINDOWS domain:
1009 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
1012 Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
1014 $ smbclient //crystal/netlogon -U root -W WINDOWS
1017 ######################################################################
1021 Beginning with Samba3.0.0beta3, winbindd has been given new account
1022 manage functionality equivalent to the 'add user script' family of
1023 smb.conf parameters. The idmap design has also been changed to
1024 centralize control of foreign SID lookups and matching to UNIX
1028 Brief Description of Changes
1029 ----------------------------
1031 1) The sid_to_uid() family of functions (smbd/uid.c) have been
1032 reverted to the 2.2.x design. This means that when resolving a
1033 SID to a UID or similar mapping:
1035 a) First consult winbindd
1036 b) perform a local lookup only if winbindd fails to
1037 return a successful answer
1039 There are some variations to this, but these two rules generally
1042 2) All idmap lookups have been moved into winbindd. This means that
1043 a server must run winbindd (and support NSS) in order to achieve
1044 any mappings of SID to dynamically allocated UNIX ids. This was
1045 a conscious design choice.
1047 3) New functions have been added to winbindd to emulate the 'add user
1048 script' family of smbd functions without requiring that external
1049 scripts be defined. This functionality is controlled by the 'winbind
1050 enable local accounts' smb.conf parameter (enabled by default).
1052 However, this account management functionality is only supported
1053 in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts
1054 must be shared among multiple Samba servers (such as a PDC and BDCs),
1055 it will be necessary to define your own 'add user script', et. al.
1056 programs that place the accounts/groups in some form of directory
1057 such as NIS or LDAP. This requirement was deemed beyond the scope
1058 of winbind's account management functions. Solutions for
1059 distributing UNIX system information have been deployed and tested
1060 for many years. We saw no need to reinvent the wheel.
1062 4) A member of a Samba controlled domain running winbindd is now able
1063 to map domain users directly onto existing UNIX accounts while still
1064 automatically creating accounts for trusted users and groups. This
1065 behavior is controlled by the 'winbind trusted domains only' smb.conf
1066 parameter (disabled by default to provide 2.2.x winbind behavior).
1068 5) Group mapping support is wrapped in the local_XX_to_XX() functions
1069 in smbd/uid.c. The reason that group mappings are not included
1070 in winbindd is because the purpose of Samba's group map is to
1071 match any Windows SID with an existing UNIX group. These UNIX
1072 groups can be created by winbindd (see next section), but the
1073 SID<->gid mapping is retreived by smbd, not winbindd.
1079 * security = server running winbindd to allocate accounts on demand
1081 * Samba PDC running winbindd to handle the automatic creation of UNIX
1082 identities for machine trust accounts
1084 * Automtically creating UNIX user and groups when migrating a Windows NT
1085 4.0 PDC to a Samba PDC. Winbindd must be running when executing
1086 'net rpc vampire' for this to work.
1089 ######################################################################
1093 * There are several bugs currently logged against the 3.0 codebase
1094 that affect the use of NT 4.0 GUI domain management tools when run
1095 against a Samba 3.0 PDC. This bugs should be released in an early
1098 Please refer to https://bugzilla.samba.org/ for a current list of bugs
1099 filed against the Samba 3.0 codebase.
1102 ######################################################################
1103 Reporting bugs & Development Discussion
1104 #######################################
1106 Please discuss this release on the samba-technical mailing list or by
1107 joining the #samba-technical IRC channel on irc.freenode.net.
1109 If you do report problems then please try to send high quality
1110 feedback. If you don't provide vital information to help us track down
1111 the problem then you will probably be ignored.
1113 A new bugzilla installation has been established to help support the
1114 Samba 3.0 community of users. This server, located at
1115 https://bugzilla.samba.org/, has replaced the older jitterbug server
1116 previously located at http://bugs.samba.org/.