1 WHATS NEW IN Samba 3.0.0 beta2
3 ==============================
5 This is the second beta release of Samba 3.0.0. This is a
6 non-production release intended for testing purposes. Use
9 The purpose of this beta release is to get wider testing of the major
10 new pieces of code in the current Samba 3.0 development tree. We have
11 officially ceased development on the 2.2.x release of Samba and are
12 concentrating on Samba 3.0. To reduce the time before the final
13 Samba 3.0 release we need as many people as possible to start testing
14 these beta releases, and to provide high quality feedback on what
17 Samba 3.0 is feature complete. However there is still some final
18 work to be done on certain pieces of functionality. Please refer to
19 the section on "Known Issues" for more details.
25 1) Active Directory support. Samba 3.0 is now able to
26 to join a ADS realm as a member server and authenticate
27 users using LDAP/Kerberos.
29 2) Unicode support. Samba will now negotiate UNICODE on the wire and
30 internally there is now a much better infrastructure for multi-byte
31 and UNICODE character sets.
33 3) New authentication system. The internal authentication system has
34 been almost completely rewritten. Most of the changes are internal,
35 but the new auth system is also very configurable.
37 4) New filename mangling system. The filename mangling system has been
38 completely rewritten. An internal database now stores mangling maps
39 persistently. This needs lots of testing.
41 5) A new "net" command has been added. It is somewhat similar to
42 the "net" command in windows. Eventually we plan to replace
43 numerous other utilities (such as smbpasswd) with subcommands
46 6) Samba now negotiates NT-style status32 codes on the wire. This
47 improves error handling a lot.
49 7) Better Windows 2000/XP/2003 printing support including publishing
50 printer attributes in active directory.
52 8) New loadable RPC modules.
54 9) New dual-daemon winbindd support (-B) for better performance.
56 10) Support for migrating from a Windows NT 4.0 domain to a Samba
57 domain and maintaining user, group and domain SIDs.
59 11) Support for establishing trust relationships with Windows NT 4.0
62 12) Initial support for a distributed Winbind architecture using
63 an LDAP directory for storing SID to uid/gid mappings.
65 13) Major updates to the Samba documentation tree.
67 Plus lots of other improvements!
70 Additional Documentation
71 ------------------------
73 Please refer to Samba documentation tree (including in the docs/
74 subdirectory) for extensive explanations of installing, configuring
75 and maintaining Samba 3.0 servers and clients. It is advised to
76 begin with the Samba-HOWTO-Collection for overviews and specific
77 tasks (the current book is up to approximately 400 pages) and to
78 refer to the various man pages for information on individual options.
80 ######################################################################
81 Changes since 3.0beta1
82 ######################
84 Please refer to the CVS log for the SAMBA_3_0 branch for complete
87 1) Rework our smb signing code again, this factors out some of
88 the common MAC calculation code, and now supports multiple
89 outstanding packets (bug #40).
90 2) Enforce 'client plaintext auth', 'client lanman auth' and 'client
92 3) Correct timestamp problem on 64-bit machines (bug #140).
93 4) Add extra debugging statements to winbindd for tracking down
95 5) Fix bug when aliased 'winbind uid/gid' parameters are used.
96 ('winbind uid/gid' are now replaced with 'idmap uid/gid').
97 6) Added an auth flag that indicates if we should be allowed
98 to fall back to NTLMSSP for SASL if krb5 fails.
99 7) Fixed the bug that forced us not to use the winbindd cache when
100 we have a primary ADS domain and a secondary (trusted) NT4
102 8) Use lp_realm() to find the default realm for 'net ads password'.
103 9) Removed editreg from standard build until it is portable..
104 10) Fix domain membership for servers not running winbindd.
105 11) Correct race condition in determining the high water mark
106 in the idmap backend (bug #181).
107 12) Set the user's primary unix group from usrmgr.exe (partial
109 13) Show comments when doing 'net group -l' (bug #3).
110 14) Add trivial extension to 'net' to dump current local idmap
111 and restore mappings as well.
112 15) Modify 'net rpc vampire' to add new and existing users to
113 both the idmap and the SAM. This code needs further testing.
114 16) Fix crash bug in ADS searches.
115 17) Build libnss_wins.so as part of nsswitch target (bug #160).
116 18) Make net rpc vampire return an error if the sam sync RPC
118 19) Fail to join an NT 4 domain as a BDC if a workstation account
119 using our name exists.
120 20) Fix various memory leaks in server and client code
121 21) Remove the short option to --set-auth-user for wbinfo (-A) to
122 prevent confusion with the -a option (bug #158).
123 22) Added new 'map acl inherit' parameter.
124 23) Removed unused 'privileges' code from group mapping database.
125 24) Don't segfault on empty passdb backend list (bug #136).
126 25) Fixed acl sorting algorithm for Windows 2000 clients.
127 26) Replace universal group cache with netsamlogon_cache
128 from APPLIANCE_HEAD branch.
129 27) Fix autoconf detection issues surrounding --with-ads=yes
130 but no Krb5 header files installed (bug #152).
131 28) Add LDAP lookup for domain sequence number in case we are
132 joined using NT4 protocols to a native mode AD domain.
133 29) Fix backend method selection for trusted NT 4 (or 2k
135 30) Fixed bug that caused us to enumerate domain local groups
136 from native mode AD domains other than our own.
137 31) Correct group enumeration for viewing in the Windows
138 security tab (bug #110).
139 32) Consolidate the DC location code.
140 33) Moved 'ads server' functionality into 'password server' for
141 backwards compatibility.
142 34) Fix winbindd_idmap tdb upgrades from a 2.2 installation.
143 ( if you installed beta1, be sure to
144 'mv idmap.tdb winbindd_idmap.tdb' ).
145 35) Fix pdb_ldap segfaults, and wrong default values for
147 36) Enable negative connection cache for winbindd's ADS backend
149 37) Enable address caching for active directory DC's so we don't
150 have to hit DNS so much.
151 38) Fix bug in idmap code that caused mapping to randomly be
153 39) Add tdb locking code to prevent race condition when adding a
154 new mapping to idmap.
155 40) Fix 'map to guest = bad user' when acting as a PDC supporting
157 41) Prevent deadlock issues when running winbindd on a Samba PDC
158 to handle allocating uids & gids for trusted users and groups
159 42) added LOCALE patch from Steve Langasek (bug #122).
160 43) Add the 'guest' passdb backend automatically to the end of
161 the 'passdb backend' list if 'guest account' has a valid
163 44) Remove samstrict_dc auth method. Rework 'samstrict' to only
164 handle our local names (or domain name if we are a PDC).
165 Move existing permissive 'sam' method to 'sam_ignoredomain'
166 and make 'samstrict' the new default 'sam' auth method.
167 45) Match Windows NT4/2k behavior when authenticating a user with
168 and unknown domain (default to our domain if we are a DC or
169 domain member; default to our local name if we are a
171 46) Fix Get_Pwnam() to always fall back to lookup 'user' if the
172 'DOMAIN\user' lookup fails. This matches 2.2. behavior.
173 47) Fix the trustdom_cache code to update the list of trusted
174 domains when operating as a domain member and not using
176 48) Remove 'nisplussam' passdb backend since it has suffered for
177 too long without a maintainer.
182 ######################################################################
183 Upgrading from Samba 2.2
184 ########################
186 This section is provided to help administrators understand the details
187 involved with upgrading a Samba 2.2 server to Samba 3.0.
193 Many of the options to the GNU autoconf script have been modified
194 in the 3.0 release. The most noticeable are:
196 * removal of --with-tdbsam (is now included by default; see section
197 on passdb backends and authentication for more details)
199 * --with-ldapsam is now on used to provided backward compatible
200 parameters for LDAP enabled Samba 2.2 servers. Refer to the passdb
201 backend and authentication section for more details
203 * inclusion of non-standard passdb modules may be enabled using
204 --with-expsam. This includes an XML backend and a mysql backend.
206 * removal of --with-msdfs (is now enabled by default)
208 * removal of --with-ssl (no longer supported)
210 * --with-utmp now defaults to 'yes' on supported systems
212 * --with-sendfile-support is now enabled by default on supported
219 This section contains a brief listing of changes to smb.conf options
220 in the 3.0.0 release. Please refer to the smb.conf(5) man page for
221 complete descriptions of new or modified parameters.
223 Removed Parameters (order alphabetically):
226 * alternate permissions
229 * code page directory
233 * force unknown acl user
237 * printer driver file
238 * printer driver location
245 New Parameters (new parameters have been grouped by function):
249 * abort shutdown script
252 User and Group Account Management
253 ---------------------------------
256 * add user to group script
257 * algorithmic rid base
258 * delete group script
259 * delete user from group script
261 * set primary group script
277 * paranoid server security
286 * hide unwriteable files
288 * kernel change notify
298 * max reported print jobs
300 UNICODE and Character Sets
301 --------------------------
307 SID to uid/gid Mappings
308 -----------------------
319 * ldap machine suffix
324 General Configuration
325 ---------------------
329 Modified Parameters (changes in behavior):
331 * encrypt passwords (enabled by default)
332 * mangling method (set to 'hash2' by default)
335 * restrict anonymous (integer value)
336 * security (new 'ads' value)
337 * strict locking (enabled by default)
338 * winbind cache time (increased to 5 minutes)
339 * winbind uid (deprecated in favor of 'idmap uid')
340 * winbind gid (deprecated in favor of 'idmap gid')
346 This section contains brief descriptions of any new databases
347 introduced in Samba 3.0. Please remember to backup your existing
348 ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
349 upgrade databases as they are opened (if necessary), but downgrading
350 from 3.0 to 2.2 is an unsupported path.
352 Name Description Backup?
353 ---- ----------- -------
354 account_policy User policy settings yes
355 gencache Generic caching db no
356 group_mapping Mapping table from Windows yes
357 groups/SID to unix groups
358 idmap new ID map table from SIDS yes
360 namecache Name resolution cache entries no
361 netsamlogon_cache Cache of NET_USER_INFO_3 structure no
362 returned as part of a successful
363 net_sam_logon request
364 printing/*.tdb Cached output from 'lpq no
365 command' created on a per print
367 registry Read-only samba registry skeleton no
368 that provides support for exporting
369 various db tables via the winreg RPCs
375 The following issues are known changes in behavior between Samba 2.2 and
376 Samba 3.0 that may affect certain installations of Samba.
378 1) When operating as a member of a Windows domain, Samba 2.2 would
379 map any users authenticated by the remote DC to the 'guest account'
380 if a uid could not be obtained via the getpwnam() call. Samba 3.0
381 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
382 current work around to re-establish the 2.2 behavior.
384 2) When adding machines to a Samba 2.2 controlled domain, the
385 'add user script' was used to create the UNIX identity of the
386 machine trust account. Samba 3.0 introduces a new 'add machine
387 script' that must be specified for this purpose. Samba 3.0 will
388 not fall back to using the 'add user script' in the absence of
389 an 'add machine script'
392 ######################################################################
393 Passdb Backends and Authentication
394 ##################################
396 There have been a few new changes that Samba administrators should be
397 aware of when moving to Samba 3.0.
399 1) encrypted passwords have been enabled by default in order to
400 inter-operate better with out-of-the-box Windows client
401 installations. This does mean that either (a) a samba account
402 must be created for each user, or (b) 'encrypt passwords = no'
403 must be explicitly defined in smb.conf.
405 2) Inclusion of new 'security = ads' option for integration
406 with an Active Directory domain using the native Windows
407 Kerberos 5 and LDAP protocols.
409 Samba 3.0 also includes the possibility of setting up chains
410 of authentication methods (auth methods) and account storage
411 backends (passdb backend). Please refer to the smb.conf(5)
412 man page for details. While both parameters assume sane default
413 values, it is likely that you will need to understand what the
414 values actually mean in order to ensure Samba operates correctly.
416 The recommended passdb backends at this time are
418 * smbpasswd - 2.2 compatible flat file format
419 * tdbsam - attribute rich database intended as an smbpasswd
420 replacement for stand alone servers
421 * ldapsam - attribute rich account storage and retrieval
422 backend utilizing an LDAP directory.
423 * ldapsam_compat - a 2.2 backward compatible LDAP account
426 Certain functions of the smbpasswd(8) tool have been split between the
427 new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
428 utility. See the respective man pages for details.
431 ######################################################################
435 This section outlines the new features affecting Samba / LDAP
441 A new object class (sambaSamAccount) has been introduced to replace
442 the old sambaAccount. This change aids us in the renaming of attributes
443 to prevent clashes with attributes from other vendors. There is a
444 conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
445 file to the new schema.
449 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
450 $ convertSambaAccount <DOM SID> old.ldif new.ldif
452 The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>'
453 on the Samba PDC as root.
455 The old sambaAccount schema may still be used by specifying the
456 "ldapsam_compat" passdb backend. However, the sambaAccount and
457 associated attributes have been moved to the historical section of
458 the schema file and must be uncommented before use if needed.
459 The 2.2 object class declaration for a sambaAccount has not changed
460 in the 3.0 samba.schema file.
462 Other new object classes and their uses include:
464 * sambaDomain - domain information used to allocate rids
465 for users and groups as necessary. The attributes are added
466 in 'ldap suffix' directory entry automatically apon first
467 connection to the directory.
469 * sambaGroupMapping - an object representing the
470 relationship between a posixGroup and a Windows
471 group/SID. These entries are stored in the 'ldap
472 group suffix' and managed by the 'net groupmap' command.
474 * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
475 automatically and contains the next available 'idmap uid' and
478 * sambaIdmapEntry - object storing a mapping between a
479 SID and a UNIX uid/gid. These objects are created by the
480 idmap_ldap module as needed.
482 * sambaSidEntry - object representing a SID alone, as a Structural
483 class on which to build the sambaIdmapEntry.
486 New Suffix for Searching
487 ------------------------
489 The following new smb.conf parameters have been added to aid in directing
490 certain LDAP queries when 'passdb backend = ldapsam://...' has been
493 * ldap suffix - used to search for user and computer accounts
494 * ldap user suffix - used to store user accounts
495 * ldap machine suffix - used to store machine trust accounts
496 * ldap group suffix - location of posixGroup/sambaGroupMapping entries
497 * ldap idmap suffix - location of sambaIdmapEntry objects
499 If an 'ldap suffix' is defined, it will be appended to all of the
500 remaining sub-suffix parameters. In this case, the order of the suffix
501 listings in smb.conf is important. Always place the 'ldap suffix' first
504 Due to a limitation in Samba's smb.conf parsing, you should not surround
505 the DN's with quotation marks.
511 Samba 3.0 supports an ldap backend for the idmap subsystem. The
512 following options would inform Samba that the idmap table should be
513 stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
518 idmap backend = ldap:ldap://onterose/
519 ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
520 idmap uid = 40000-50000
521 idmap gid = 40000-50000
523 This configuration allows winbind installations on multiple servers to
524 share a uid/gid number space, thus avoiding the interoperability problems
525 with NFS that were present in Samba 2.2.
529 ######################################################################
530 Trust Relationships and a Samba Domain
531 ######################################
533 Samba 3.0.0beta2 is able to utilize winbindd as the means of
534 allocating uids and gids to trusted users and groups. More
535 information regarding Samba's support for establishing trust
536 relationships can be found in the Samba-HOWTO-Collection included
537 in the docs/ directory of this release.
539 First create your Samba PDC and ensure that everything is
540 working correctly before moving on the trusts.
542 To establish Samba as the trusting domain (named SAMBA) from a Windows NT
543 4.0 domain named WINDOWS:
545 1) create the trust account for SAMBA in "User Manager for Domains"
546 2) connect the trust from the Samba domain using
547 'net rpc trustdom establish GLASS'
549 To create a trustlationship with SAMBA as the trusted domain:
551 1) create the initial trust account for GLASS using
552 'smbpasswd -a -i GLASS'. You may need to create a UNIX
553 account for GLASS$ prior to this step (depending on your
554 local configuration).
555 2) connect the trust from a WINDOWS DC using "User Manager
558 Now join winbindd on the Samba PDC to the SAMBA domain using
559 the normal steps for adding a Samba server to an NT4 domain:
560 (note that smbd & nmbd must be running at this point)
562 root# net rpc join -U root
563 Password: <enter root password from smbpasswd file here>
565 Start winbindd and test the join with 'wbinfo -t'.
567 Now test the trust relationship by connecting to the SAMBA DC
568 (e.g. POGO) as a user from the WINDOWS domain:
570 $ smbclient //pogo/netlogon -U Administrator -W WINDOWS
573 Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user:
575 $ smbclient //crystal/netlogon -U root -W WINDOWS
579 ######################################################################
583 * The smbldap perl scripts for managing user entries in an LDAP
584 directory have not be updated to function with the Samba 3.0
585 schema changes. This (or an equivalent solution) work is planned
586 to be completed prior to the stable 3.0.0 release.
588 Please refer to https://bugzilla.samba.org/ for a current list of bugs
589 filed against the Samba 3.0 codebase.
592 ######################################################################
593 Reporting bugs & Development Discussion
594 #######################################
596 Please discuss this release on the samba-technical mailing list or by
597 joining the #samba-technical IRC channel on irc.freenode.net.
599 If you do report problems then please try to send high quality
600 feedback. If you don't provide vital information to help us track down
601 the problem then you will probably be ignored.
603 A new bugzilla installation has been established to help support the
604 Samba 3.0 community of users. This server, located at
605 https://bugzilla.samba.org/, will replace the existing jitterbug server
606 and the old http://bugs.samba.org now points to the new bugzilla server.