WHAT'S NEW IN Samba 3.0.0 beta2
===============================

This is the second beta release of Samba 3.0.0. This is a
non-production release intended for testing purposes. Use

The purpose of this beta release is to get wider testing of the major
new pieces of code in the current Samba 3.0 development tree. We have
officially ceased development on the 2.2.x release of Samba and are
concentrating on Samba 3.0. To reduce the time before the final
Samba 3.0 release we need as many people as possible to start testing
these beta releases, and to provide high quality feedback on what

Samba 3.0 is feature complete. However, there is still some final
work to be done on certain pieces of functionality. Please refer to
the section on "Known Issues" for more details.
1) Active Directory support. This release is able to join an ADS realm
as a member server and authenticate users using LDAP/Kerberos.

2) Unicode support. Samba will now negotiate UNICODE on the wire and
internally there is now a much better infrastructure for multi-byte
and UNICODE character sets.

3) New authentication system. The internal authentication system has
been almost completely rewritten. Most of the changes are internal,
but the new auth system is also very configurable.

4) New filename mangling system. The filename mangling system has been
completely rewritten. An internal database now stores mangling maps
persistently. This needs lots of testing.

5) New "net" command. A new "net" command has been added. It is
somewhat similar to the "net" command in Windows. Eventually we
plan to replace a bunch of other utilities (such as smbpasswd)
with subcommands in "net"; at the moment only a few things are

6) Samba now negotiates NT-style status32 codes on the wire. This
improves error handling a lot.

7) Better Windows 2000/XP/2003 printing support, including publishing
printer attributes in Active Directory.

8) New loadable RPC modules.

9) New dual-daemon winbindd support (-B) for better performance.

10) Support for migrating from a Windows NT 4.0 domain to a Samba
domain while maintaining user, group and domain SIDs.

11) Support for establishing trust relationships with Windows NT 4.0

12) Initial support for a distributed Winbind architecture using
an LDAP directory for storing SID to uid/gid mappings.

13) Major updates to the Samba documentation tree.

Plus lots of other improvements!
Additional Documentation
------------------------

Please refer to the Samba documentation tree (included in the docs/
subdirectory) for extensive explanations of installing, configuring
and maintaining Samba 3.0 servers and clients. It is advised to
begin with the Samba-HOWTO-Collection for overviews and specific
tasks (the current book is up to approximately 400 pages) and to
refer to the various man pages for information on individual options.
######################################################################
Changes since 3.0beta1
######################

Please refer to the CVS log for the SAMBA_3_0 branch for complete

1) Rework our SMB signing code again; this factors out some of
the common MAC calculation code, and now supports multiple
outstanding packets (bug #40)
2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
3) Correct timestamp problem on 64-bit machines (bug #140)
4) Add extra debugging statements to winbindd for tracking down
5) Fix bug when aliased 'winbind uid/gid' parameters are used
('winbind uid/gid' are now replaced with 'idmap uid/gid')
6) Added an auth flag that indicates if we should be allowed
to fall back to NTLMSSP for SASL if krb5 fails
7) Fixed the bug that forced us not to use the winbindd cache when
we have a primary ADS domain and a secondary (trusted) NT4 domain.
8) Use lp_realm() to find the default realm for 'net ads password'
9) Removed editreg from the standard build until it is portable.
10) Fix domain membership for servers not running winbindd
11) Correct race condition in determining the high water mark
in the idmap backend (bug #181)
12) Set the user's primary unix group from usrmgr.exe (partial
13) Show comments when doing 'net group -l' (bug #3)
14) Add trivial extension to 'net' to dump the current local idmap
and restore mappings as well
15) Modify 'net rpc vampire' to add new and existing users to
both the idmap and the SAM. This code needs further testing.
16) Fix crash bug in ADS searches
17) Build libnss_wins.so as part of the nsswitch target (bug #160)
18) Make 'net rpc vampire' return an error if the sam sync RPC
19) Fail to join an NT 4 domain as a BDC if a workstation account
using our name exists
20) Fix various memory leaks in server and client code
21) Remove the short option to --set-auth-user for wbinfo (-A) to
prevent confusion with the -a option (bug #158)
22) Added new 'map acl inherit' parameter
23) Removed unused 'privileges' code from the group mapping database
24) Don't segfault on an empty passdb backend list (bug #136)
25) Fixed ACL sorting algorithm for Windows 2000 clients
26) Replace universal group cache with netsamlogon_cache
from the APPLIANCE_HEAD branch
27) Fix autoconf detection issues surrounding --with-ads=yes
but no Krb5 header files installed (bug #152)
28) Add LDAP lookup for the domain sequence number in case we are
joined using NT4 protocols to a native mode AD domain
29) Fix backend method selection for trusted NT 4 (or 2k
30) Fixed bug that caused us to enumerate domain local groups
from native mode AD domains other than our own
31) Correct group enumeration for viewing in the Windows
security tab (bug #110)
32) Consolidate the DC location code
33) Moved 'ads server' functionality into 'password server' for
backwards compatibility
34) Fix winbindd_idmap tdb upgrades from a 2.2 installation
(if you installed beta1, be sure to
'mv idmap.tdb winbindd_idmap.tdb')
35) Fix pdb_ldap segfaults, and wrong default values for
36) Enable negative connection cache for winbindd's ADS backend
37) Enable address caching for Active Directory DCs so we don't
have to hit DNS so much
38) Fix bug in idmap code that caused mapping to randomly be
39) Add tdb locking code to prevent race condition when adding a
40) Fix 'map to guest = bad user' when acting as a PDC supporting
41) Prevent deadlock issues when running winbindd on a Samba PDC
to handle allocating uids & gids for trusted users and groups
42) Added LOCALE patch from Steve Langasek (bug #122)
43) Add the 'guest' passdb backend automatically to the end of
the 'passdb backend' list if 'guest account' has a valid
44) Remove samstrict_dc auth method. Rework 'samstrict' to only
handle our local names (or domain name if we are a PDC).
Move existing permissive 'sam' method to 'sam_ignoredomain'
and make 'samstrict' the new default 'sam' auth method.
45) Match Windows NT4/2k behavior when authenticating a user with
an unknown domain (default to our domain if we are a DC or
domain member; default to our local name if we are a
46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
'DOMAIN\user' lookup fails. This matches 2.2 behavior.
47) Fix the trustdom_cache code to update the list of trusted
domains when operating as a domain member and not using
48) Remove 'nisplussam' passdb backend since it has suffered for
too long without a maintainer
######################################################################
Upgrading from Samba 2.2
########################

This section is provided to help administrators understand the details
involved with upgrading a Samba 2.2 server to Samba 3.0.

Many of the options to the GNU autoconf script have been modified
in the 3.0 release. The most noticeable are:

* removal of --with-tdbsam (is now included by default; see the section
on passdb backends and authentication for more details)

* --with-ldapsam is now only used to provide backward-compatible
parameters for LDAP-enabled Samba 2.2 servers. Refer to the passdb
backend and authentication section for more details

* inclusion of non-standard passdb modules may be enabled using
--with-expsam. This includes an XML backend and a MySQL backend.

* removal of --with-msdfs (is now enabled by default)

* removal of --with-ssl (no longer supported)

* --with-utmp now defaults to 'yes' on supported systems

* --with-sendfile-support is now enabled by default on supported
This section contains a brief listing of changes to smb.conf options
in the 3.0.0 release. Please refer to the smb.conf(5) man page for
complete descriptions of new or modified parameters.

Removed Parameters (ordered alphabetically):

* alternate permissions
* code page directory
* force unknown acl user
* printer driver file
* printer driver location

New Parameters (new parameters have been grouped by function):

* abort shutdown script

User and Group Account Management
---------------------------------

* add user to group script
* algorithmic rid base
* delete group script
* delete user from group script
* set primary group script

* paranoid server security

* hide unwriteable files
* kernel change notify

* max reported print jobs

UNICODE and Character Sets
--------------------------

SID to uid/gid Mappings
-----------------------

* ldap machine suffix

General Configuration
---------------------

Modified Parameters (changes in behavior):

* encrypt passwords (enabled by default)
* mangling method (set to 'hash2' by default)
* restrict anonymous (integer value)
* security (new 'ads' value)
* strict locking (enabled by default)
* winbind cache time (increased to 5 minutes)
* winbind uid (deprecated in favor of 'idmap uid')
* winbind gid (deprecated in favor of 'idmap gid')
This section contains brief descriptions of any new databases
introduced in Samba 3.0. Please remember to back up your existing
${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
upgrade databases as they are opened (if necessary), but downgrading
from 3.0 to 2.2 is an unsupported path.

Name               Description                               Backup?
----               -----------                               -------
account_policy     User policy settings                      yes
gencache           Generic caching db                        no
group_mapping      Mapping table from Windows                yes
                   groups/SID to unix groups
idmap              New ID map table from SIDs                yes
namecache          Name resolution cache entries             no
netsamlogon_cache  Cache of NET_USER_INFO_3 structure        no
                   returned as part of a successful
                   net_sam_logon request
printing/*.tdb     Cached output from 'lpq command'          no
                   created on a per print
registry           Read-only samba registry skeleton         no
                   that provides support for exporting
                   various db tables via the winreg RPCs
The following issues are known changes in behavior between Samba 2.2 and
Samba 3.0 that may affect certain installations of Samba.

1) When operating as a member of a Windows domain, Samba 2.2 would
map any users authenticated by the remote DC to the 'guest account'
if a uid could not be obtained via the getpwnam() call. Samba 3.0
rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
current workaround to re-establish the 2.2 behavior.

2) When adding machines to a Samba 2.2 controlled domain, the
'add user script' was used to create the UNIX identity of the
machine trust account. Samba 3.0 introduces a new 'add machine
script' that must be specified for this purpose. Samba 3.0 will
not fall back to using the 'add user script' in the absence of
an 'add machine script'.
######################################################################
Passdb Backends and Authentication
##################################

There have been a few new changes that Samba administrators should be
aware of when moving to Samba 3.0.

1) Encrypted passwords have been enabled by default in order to
interoperate better with out-of-the-box Windows client
installations. This does mean that either (a) a Samba account
must be created for each user, or (b) 'encrypt passwords = no'
must be explicitly defined in smb.conf.

2) Inclusion of the new 'security = ads' option for integration
with an Active Directory domain using the native Windows
Kerberos 5 and LDAP protocols.

Samba 3.0 also includes the possibility of setting up chains
of authentication methods (auth methods) and account storage
backends (passdb backend). Please refer to the smb.conf(5)
man page for details. While both parameters assume sane default
values, it is likely that you will need to understand what the
values actually mean in order to ensure Samba operates correctly.

The recommended passdb backends at this time are

* smbpasswd - 2.2 compatible flat file format
* tdbsam - attribute-rich database intended as an smbpasswd
replacement for stand-alone servers
* ldapsam - attribute-rich account storage and retrieval
backend utilizing an LDAP directory.
* ldapsam_compat - a 2.2 backward-compatible LDAP account

Certain functions of the smbpasswd(8) tool have been split between the
new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
utility. See the respective man pages for details.
######################################################################

This section outlines the new features affecting Samba / LDAP

A new object class (sambaSamAccount) has been introduced to replace
the old sambaAccount. This change aids us in the renaming of attributes
to prevent clashes with attributes from other vendors. There is a
conversion script (examples/LDAP/convertSambaAccount) to convert an LDIF
file to the new schema.

$ ldapsearch .... -b "ou=people,dc=..." > old.ldif
$ convertSambaAccount <DOM SID> old.ldif new.ldif

The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
on the Samba PDC as root.

The old sambaAccount schema may still be used by specifying the
"ldapsam_compat" passdb backend. However, the sambaAccount and
associated attributes have been moved to the historical section of
the schema file and must be uncommented before use if needed.
The 2.2 object class declaration for a sambaAccount has not changed
in the 3.0 samba.schema file.

Other new object classes and their uses include:

* sambaDomain - domain information used to allocate RIDs
for users and groups as necessary. The attributes are added
to the 'ldap suffix' directory entry automatically if
an idmap uid/gid range has been set and the 'ldapsam'
passdb backend has been selected.

* sambaGroupMapping - an object representing the
relationship between a posixGroup and a Windows
group/SID. These entries are stored in the 'ldap
group suffix' and managed by the 'net groupmap' command.

* sambaUnixIdPool - created in the 'ldap idmap suffix' entry
automatically and contains the next available 'idmap uid' and

* sambaIdmapEntry - object storing a mapping between a
SID and a UNIX uid/gid. These objects are created by the
idmap_ldap module as needed.
New Suffix for Searching
------------------------

The following new smb.conf parameters have been added to aid in directing
certain LDAP queries when 'passdb backend = ldapsam://...' has been

* ldap suffix - used to search for user and computer accounts
* ldap user suffix - used to store user accounts
* ldap machine suffix - used to store machine trust accounts
* ldap group suffix - location of posixGroup/sambaGroupMapping entries
* ldap idmap suffix - location of sambaIdmapEntry objects

If an 'ldap suffix' is defined, it will be appended to all of the
remaining sub-suffix parameters. In this case, the order of the suffix
listings in smb.conf is important. Always place the 'ldap suffix' first

Due to a limitation in Samba's smb.conf parsing, you should not surround
the DNs with quotation marks.

Samba 3.0 supports an LDAP backend for the idmap subsystem. The
following options would inform Samba that the idmap table should be
stored on the directory server onterose in the "ou=idmap,dc=plainjoe,

idmap backend = ldap:ldap://onterose/
ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
idmap uid = 40000-50000
idmap gid = 40000-50000

This configuration allows winbind installations on multiple servers to
share a uid/gid number space, thus avoiding the interoperability problems
with NFS that were present in Samba 2.2.
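As an added example (not code from the Samba release notes or the Samba project), the following Python script models the two suffix rules stated above, namely that 'ldap suffix' is appended to the sub-suffix parameters that follow it in smb.conf and that quoted DNs are not stripped, and it also checks that the 'idmap uid'/'idmap gid' ranges used for the shared LDAP idmap table are well formed so they can be compared across the winbind hosts that share it. The smb.conf fragment and the host name onterose are constructed sample values, and the parser is a simplified approximation of Samba's loadparm, not Samba's own code.

```python
"""Resolve effective LDAP suffixes and idmap ranges from an smb.conf fragment."""
import re

# Constructed sample fragment using the parameters described in the text above.
SAMPLE_SMB_CONF = """
[global]
    passdb backend = ldapsam:ldap://onterose/
    ldap suffix = dc=plainjoe,dc=org
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    ldap group suffix = ou=groups
    idmap backend = ldap:ldap://onterose/
    ldap idmap suffix = ou=idmap
    idmap uid = 40000-50000
    idmap gid = 40000-50000
"""

SUB_SUFFIXES = ("ldap user suffix", "ldap machine suffix",
                "ldap group suffix", "ldap idmap suffix")


def parse_global(text):
    """Return (key, value) pairs from the [global] section, in file order."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return pairs


def resolve_ldap_suffixes(text):
    """Model the rule that 'ldap suffix' is appended to the sub-suffixes
    that appear after it; sub-suffixes listed before it stay unqualified.
    Returns (effective_dns, warnings)."""
    effective, warnings, base = {}, [], None
    for key, value in parse_global(text):
        if value and (value[0] in "\"'" or value[-1] in "\"'"):
            warnings.append(f"{key}: DN is quoted; Samba does not strip quotes")
        if key == "ldap suffix":
            base = value
            effective[key] = value
        elif key in SUB_SUFFIXES:
            if base is None:
                warnings.append(f"{key} appears before 'ldap suffix'; left as-is")
                effective[key] = value
            else:
                effective[key] = f"{value},{base}"
    return effective, warnings


def parse_idmap_range(value):
    """Parse an 'idmap uid'/'idmap gid' value of the form LOW-HIGH."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_idmap(text):
    """Return (backend, uid range, gid range); hosts sharing one LDAP idmap
    table must agree on all three, so compare this tuple across hosts."""
    conf = dict(parse_global(text))
    return (conf.get("idmap backend", ""),
            parse_idmap_range(conf.get("idmap uid", "")),
            parse_idmap_range(conf.get("idmap gid", "")))
```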
######################################################################
Trust Relationships and a Samba Domain
######################################

Samba 3.0.0beta2 is able to utilize winbindd as the means of
allocating uids and gids to trusted users and groups. More
information regarding Samba's support for establishing trust
relationships can be found in the Samba-HOWTO-Collection included
in the docs/ directory of this release.

First create your Samba PDC and ensure that everything is
working correctly before moving on to the trusts.

To establish Samba as the trusting domain (named SAMBA) from a Windows NT
4.0 domain named WINDOWS:

1) create the trust account for SAMBA in "User Manager for Domains"
2) connect the trust from the Samba domain using
'net rpc trustdom establish GLASS'

To create a trust relationship with SAMBA as the trusted domain:

1) create the initial trust account for GLASS using
'smbpasswd -a -i GLASS'. You may need to create a UNIX
account for GLASS$ prior to this step (depending on your
local configuration).
2) connect the trust from a WINDOWS DC using "User Manager

Now join winbindd on the Samba PDC to the SAMBA domain using
the normal steps for adding a Samba server to an NT4 domain
(note that smbd & nmbd must be running at this point):

root# net rpc join -U root
Password: <enter root password from smbpasswd file here>

Start winbindd and test the join with 'wbinfo -t'.

Now test the trust relationship by connecting to the SAMBA DC
(e.g. POGO) as a user from the WINDOWS domain:

$ smbclient //pogo/netlogon -U Administrator -W WINDOWS

Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:

$ smbclient //crystal/netlogon -U root -W WINDOWS
######################################################################

* The smbldap perl scripts for managing user entries in an LDAP
directory have not been updated to function with the Samba 3.0
schema changes. This work (or an equivalent solution) is planned
to be completed prior to the stable 3.0.0 release.

Please refer to https://bugzilla.samba.org/ for a current list of bugs
filed against the Samba 3.0 codebase.

######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.

A new bugzilla installation has been established to help support the
Samba 3.0 community of users. This server, located at
https://bugzilla.samba.org/, will replace the existing jitterbug server,
and the old http://bugs.samba.org now points to the new bugzilla server.