This chapter deals exclusively with the differences between Samba-3.0.23 and Samba-2.2.8a.
It points out where configuration parameters have changed, and provides a simple guide for
the move from 2.2.x to 3.0.23.
Quick Migration Guide
Samba-3.0.23 default behavior should be approximately the same as Samba-2.2.x.
The default behavior when the new parameter passdb backend
is not defined in the smb.conf file provides the same default behavior as Samba-2.2.x
with encrypt passwords = Yes and
will use the smbpasswd database.
So why say that behavior should be approximately the same as Samba-2.2.x? Because
Samba-3.0.23 can negotiate new protocols, such as support for native Unicode, that may result in
differing protocol code paths being taken. The new behavior under such circumstances is not
exactly the same as the old one. The good news is that the domain and machine SIDs will be
preserved across the upgrade.
If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP
database, then make sure that passdb backend = ldapsam_compat
is specified in the smb.conf file. For the rest, behavior should remain more or less the same.
At a later date, when there is time to implement a new Samba-3-compatible LDAP backend, it is possible
to migrate the old LDAP database to the new one through use of the pdbedit.
See The pdbedit Command.
New Features in Samba-3
The major new features are:
Active Directory support. This release is able to join an ADS realm
as a member server and authenticate users using LDAP/Kerberos.
Unicode support. Samba will now negotiate Unicode on the wire, and
internally there is a much better infrastructure for multibyte
and Unicode character sets.
New authentication system. The internal authentication system has
been almost completely rewritten. Most of the changes are internal,
but the new authoring system is also very configurable.
New filename mangling system. The filename mangling system has been
completely rewritten. An internal database now stores mangling maps
persistently.
New “net” command. A new “net” command has been added. It is
somewhat similar to the “net” command in Windows. Eventually, we
plan to replace a bunch of other utilities (such as smbpasswd)
with subcommands in “net”.
Samba now negotiates NT-style status32 codes on the wire. This
considerably improves error handling.
Better Windows 200x/XP printing support, including publishing
printer attributes in Active Directory.
New loadable RPC modules for passdb backends and character sets.
New default dual-daemon winbindd support for better performance.
Support for migrating from a Windows NT 4.0 domain to a Samba
domain and maintaining user, group, and domain SIDs.
Support for establishing trust relationships with Windows NT 4.0
domain controllers.
Initial support for a distributed Winbind architecture using
an LDAP directory for storing SID to UID/GID mappings.
Major updates to the Samba documentation tree.
Full support for client and server SMB signing to ensure
compatibility with default Windows 2003 security settings.
Plus lots of other improvements!
Configuration Parameter Changes
This section contains a brief listing of changes to smb.conf options since the Samba-2.2.x series up to and
including Samba-3.0.23.
Please refer to the smb.conf(5) man page for complete descriptions of new or modified
parameters.
Whenever a Samba update or upgrade is performed it is highly recommended to read the file called
WHATSNEW.txt that is part of the Samba distribution tarball. This file may also
be obtain on-line from the Samba web site, in
the right column, under Current Stable Release, by clicking on Release Notes.
Removed Parameters
In alphabetical order, these are the parameters eliminated from Samba-2.2.x through 3.0.23.
admin log
alternate permissions
character set
client codepage
code page directory
coding system
domain admin group
domain guest group
enable rid algorithm
enable svcctl
force unknown acl user
hosts equiv
ldap filter
min password length
nt smb support
post script
printer admin
printer driver
printer driver file
printer driver location
read size
source environment
status
strip dot
total print jobs
unicode
use rhosts
valid chars
vfs options
winbind enable local accounts
winbind max idle children
wins partners
New Parameters
The following new parameters have been released up to and including Samba 3.0.23 (grouped by function:)
Remote Management
abort shutdown script
shutdown script
User and Group Account Management
add group script
add machine script
add user to group script
algorithmic rid base
delete group script
delete user from group script
passdb backend
rename user script
set primary group script
username map script
Authentication
auth methods
ldap password sync
passdb expand explicit
realm
Protocol Options
add port command
afs token lifetime
client lanman auth
client NTLMv2 auth
client schannel
client signing
client use spnego
defer sharing violations
disable netbios
dmapi support
enable privileges
use kerberos keytab
log nt token command
ntlm auth
paranoid server security
sendfile
server schannel
server signing
smb ports
svcctl list
use spnego
File Service
allocation roundup size
acl check permissions
acl group control
acl map full control
aio read size
aio write size
dfree cache time
dfree command
ea support
enable asu support
fam change notify
force unknown acl user
get quota command
hide special files
hide unwriteable files
inherit owner
hostname lookups
kernel change notify
mangle prefix
map acl inherit
map read only
max stat cache size
msdfs proxy
open files database hash size
set quota command
store dos attributes
use sendfile
usershare allow guests
usershare max shares
usershare owner only
usershare path
usershare prefix allow list
usershare prefix deny list
usershare template share
vfs objects
Printing
cups options
cups server
force printername
iprint server
max reported print jobs
printcap cache time
Unicode and Character Sets
display charset
dos charset
UNIX charset
SID to UID/GID Mappings
idmap backend
idmap gid
idmap uid
username map script
winbind nss info
winbind offline logon
winbind refresh tickets
winbind trusted domains only
template primary group
LDAP
ldap delete dn
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap passwd sync
ldap replication sleep
ldap timeout
ldap user suffix
General Configuration
eventlog list
preload modules
reset on zero vc
privatedir
Modified Parameters (Changes in Behavior)
acl group control (new default is No, deprecated parameter)
change notify timeout (scope changed)
dos filemode (disabled by default)
dos filetimes (enabled by default)
enable asu support (disabled by default)
enable privileges (enabled by default)
encrypt passwords (enabled by default)
host msdfs (enabled by default)
mangling method (set to hash2 by default)
map to guest
only user (deprecated)
passwd chat
passwd program
password server
restrict anonymous (integer value)
security (new ads value)
strict locking (auto by default)
winbind cache time (increased to 5 minutes)
winbind enum groups (disabled by default)
winbind enum users (disabled by default)
winbind nested groups (enabled by default)
winbind uid (deprecated in favor of idmap uid)
winbind gid (deprecated in favor of idmap gid)
winbindd nss info
write cache (deprecated)
New Functionality
The major changes in behavior since that Samba-2.2.x series are documented in this section.
Please refer to the WHATSNEW.txt file that ships with every release of
Samba to obtain detailed information regarding the changes that have been made during the
life of the current Samba release.
TDB Data Files
Refer to Installation, Chapter 1, Chapter 1
for information pertaining to the Samba-3 data files, their location and the information that must be
preserved across server migrations, updates and upgrades.
Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. If necessary, Samba will
upgrade databases as they are opened. Downgrading from Samba-3 to 2.2, or reversion to an earlier version
of Samba-3 from a later release, is an unsupported path.
The old Samba-2.2.x tdb files are described in the next table.
Table 35.1. Samba-2.2.x TDB File Descriptions
Name
Description
Backup?
account_policy
User policy settings
yes
brlock
Byte-range file locking information.
no
connections
Client connection information
no
locking
Temporary file locking data.
no
messages
Temporary storage of messages being processed by smbd.
no
ntdrivers
Stores per-printer driver information.
yes
ntforms
Stores per-printer forms information.
yes
ntprinters
Stores the per-printer devmode configuration settings.
yes
printing/*.tdb
Cached output from lpq command created on a per-print-service basis.
no
registry
Read-only Samba registry skeleton that provides support for
exporting various database tables via the winreg RPCs.
no
sessionid
Temporary cache for miscellaneous session information.
no
share_info
Share ACL settings.
yes
unexpected
Packets received for which no process was listening.
no
winbindd_cache
Cache of identity information received from an NT4 or an ADS domain.
yes
winbindd_idmap
New ID map table from SIDS to UNIX UIDs/GIDs.
yes
Changes in Behavior
The following issues are known changes in behavior between Samba-2.2 and
Samba-3 that may affect certain installations of Samba.
When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC
to the “guest account” if a UID could not be obtained via the getpwnam() call. Samba-3 rejects
the connection with the error message “NT_STATUS_LOGON_FAILURE.” There is no current workaround
to re-establish the Samba-2.2 behavior.
When adding machines to a Samba-2.2 controlled domain, the
“add user script” was used to create the UNIX identity of the
machine trust account. Samba-3 introduces a new “add machine
script” that must be specified for this purpose. Samba-3 will
not fall back to using the “add user script” in the absence of
an “add machine script”.
Passdb Backends and Authentication
There have been a few new changes that Samba administrators should be
aware of when moving to Samba-3.
Encrypted passwords have been enabled by default in order to
interoperate better with out-of-the-box Windows client
installations. This does mean that either (a) a Samba account
must be created for each user, or (b) “encrypt passwords = no”
must be explicitly defined in smb.conf.
Inclusion of new security = ads option for integration
with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
Samba-3 also includes the possibility of setting up chains of authentication methods (auth methods) and account storage backends (passdb backend). Please refer to
the smb.conf man page and Account Information Databases, for
details. While both parameters assume sane default values, it is likely that you will need to understand what
the values actually mean in order to ensure Samba operates correctly.
Certain functions of the smbpasswd tool have been split between the
new smbpasswd utility, the net tool, and the new pdbedit
utility. See the respective man pages for details.
LDAP
This section outlines the new features effecting Samba/LDAP integration.
New Schema
A new object class (sambaSamAccount) has been introduced to replace
the old sambaAccount. This change aids in the renaming of attributes
to prevent clashes with attributes from other vendors. There is a
conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
file to the new schema.
Under Samba-2.x the domain SID can be obtained by executing:
$ smbpasswd -S <DOMAINNAME>
The old sambaAccount schema may still be used by specifying the
ldapsam_compat passdb backend. However, the sambaAccount and
associated attributes have been moved to the historical section of
the schema file and must be uncommented before use if needed.
The Samba-2.2 object class declaration for a sambaAccount has not changed
in the Samba-3 samba.schema file.
Other new object classes and their uses include:
sambaDomain domain information used to allocate RIDs
for users and groups as necessary. The attributes are added
in “ldap suffix” directory entry automatically if
an idmap UID/GID range has been set and the “ldapsam”
passdb backend has been selected.
sambaGroupMapping an object representing the
relationship between a posixGroup and a Windows
group/SID. These entries are stored in the “ldap
group suffix” and managed by the “net groupmap” command.
sambaUNIXIdPool created in the “ldap idmap suffix” entry
automatically and contains the next available “idmap UID” and
“idmap GID”.
sambaIdmapEntry object storing a mapping between a
SID and a UNIX UID/GID. These objects are created by the
idmap_ldap module as needed.
New Suffix for Searching
The following new smb.conf parameters have been added to aid in directing
certain LDAP queries when passdb backend = ldapsam://... has been
specified.
ldap suffix used to search for user and computer accounts.
ldap user suffix used to store user accounts.
ldap machine suffix used to store machine trust accounts.
ldap group suffix location of posixGroup/sambaGroupMapping entries.
ldap idmap suffix location of sambaIdmapEntry objects.
If an ldap suffix is defined, it will be appended to all of the
remaining subsuffix parameters. In this case, the order of the suffix
listings in smb.conf is important. Always place the ldap suffix first
in the list.
Due to a limitation in Samba's smb.conf parsing, you should not surround
the domain names with quotation marks.
IdMap LDAP Support
Samba-3 supports an LDAP backend for the idmap subsystem. The
following options inform Samba that the idmap table should be
stored on the directory server onterose in the ou=Idmap,dc=quenya,dc=org partition.
[global]
...
idmap backend = ldap:ldap://onterose/
ldap idmap suffix = ou=Idmap
idmap uid = 40000-50000
idmap gid = 40000-50000
This configuration allows Winbind installations on multiple servers to
share a UID/GID number space, thus avoiding the interoperability problems
with NFS that were present in Samba-2.2.