This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

Unlike previous versions, Samba4 does not provide a web interface at this time.

Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

As with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in a manner
that matches AD (rather than strictly following the standards). The
database is LDB, which it shares with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'domain controller', 'member server' or 'standalone'. Note that
member server support does not work yet.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
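
An added example (not part of Samba or of this file): a Python check that reports settings in a Samba 3 smb.conf which this file lists as removed or as merged into 'server role', so that permission, password-policy and authentication settings that are gone can be reviewed before upgrading. The REMOVED list is a selection from the list above, and the SAMPLE configuration and the function names are constructed for illustration.

```python
import re

# Selection of parameters this file lists as removed (extend as needed).
REMOVED = ["passdb backend", "check password script", "force security mode",
           "force directory mode", "inherit permissions", "username map script",
           "use kerberos keytab", "winbind use default domain"]
# Parameters this file says were merged into 'server role'.
MERGED = ["domain master", "domain logons"]
# Constructed Samba 3 configuration used as sample input.
SAMPLE = """\
[global]
   security = ADS
   Domain Logons = yes
   passdb backend = tdbsam
[projects]
   path = /srv/projects
   force security mode = 0770
   ; inherit permissions = yes
"""

def norm(name):
    # smb.conf parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()
REMOVED_N = {norm(p): p for p in REMOVED}
MERGED_N = {norm(p): p for p in MERGED}

def audit(text):
    """Return (line, section, parameter, finding) tuples for smb.conf text."""
    findings, section, pending = [], "global", ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        if line.endswith("\\"):  # entry continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key, value = norm(key), value.strip().lower()
        if sep and key in REMOVED_N:
            findings.append((no, section, REMOVED_N[key], "removed"))
        elif sep and key in MERGED_N:
            findings.append((no, section, MERGED_N[key], "now 'server role'"))
        elif sep and key == "security" and value not in ("user", "share"):
            findings.append((no, section, "security", "now 'server role'"))
    return findings
```

Calling audit(SAMPLE) reports the 'security = ADS', 'Domain Logons', 'passdb backend' and 'force security mode' lines with their section names; the commented-out 'inherit permissions' line is skipped.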

The following parameters have been added:

  Make Samba pretend it is running on a big-endian machine when using DCE/RPC.
  Useful for debugging.

+ case insensitive filesystem (S)
  Set to true if this share is located on a case-insensitive filesystem.
  This disables looking for a filename by trying all possible combinations of
  uppercase/lowercase characters and thus speeds up operations when a
  file cannot be found.

  Path to JavaScript library.

  Default: Set at compile-time

  Path to data used by provisioning script.

  Default: Set at compile-time

  Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

  Default: Set at compile-time

  Backend to the NT VFS to use (more than one can be specified). Available

  Maps POSIX FS semantics to NT semantics

  Very simple backend (original testing backend).

  Sets up user credentials based on POSIX gid/uid.

  Proxies a remote CIFS FS. Mainly useful for testing.

  Filter module that saves data useful to the nbench benchmark suite.

  Allows using SMB for inter process communication. Only used for

  Allows printing over SMB. This is LANMAN-style printing (?), not
  to be confused with the spoolss DCE/RPC interface used by later

  Default: unixuid default

+ dcerpc endpoint servers
  What DCE/RPC servers to start.

  Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

  Services Samba should provide.

  Default: smb rpc nbt wrepl ldap cldap web kdc

  Location of the SAM (account database) database. This should be a

  Default: set at compile-time

  Spoolss (printer) DCE/RPC server database. This should be an LDB URL.

  Default: set at compile-time

+ wins config database
  WINS configuration database location. This should be an LDB URL.

  Default: set at compile-time

  WINS database location. This should be an LDB URL.

  Default: set at compile-time

+ client use spnego principal
  Tells the client to use the Kerberos service principal specified by the
  server during the security protocol negotiation rather than
  looking up the principal itself (cifs/hostname).

  TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

  UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

  UDP/IP port used by the CLDAP protocol.

  IP port used by the Kerberos KDC.

  IP port used by the Kerberos password change protocol.

  TCP/IP port SWAT should listen on.

  Enable TLS support for SWAT.

  Path to TLS key file (PEM format) to be used by SWAT. If no
  path is specified, Samba will create a key.

  Path to TLS certificate file (PEM format) to be used by SWAT. If no
  path is specified, Samba will create a certificate.

  Path to CA authority file Samba will use to sign TLS keys it generates. If
  no path is specified, Samba will create a self-signed CA certificate.

  Path to TLS certificate revocation lists file.

  Default: set at compile-time

  Indicate the CIFS server is able to do large reads/writes.

  Enable/disable unicode support in the protocol.