git.ipfire.org Git - thirdparty/samba.git/commitdiff
Update.
author John Terpstra <jht@samba.org>
Tue, 28 Jun 2005 19:00:57 +0000 (19:00 +0000)
committer Gerald W. Carter <jerry@samba.org>
Wed, 23 Apr 2008 13:46:56 +0000 (08:46 -0500)
docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml

index 65b91dfa87aa94a46f11deac15aa833962a432ee..d1e601ff50bbda485e61027149434b7985dece19 100644 (file)
@@ -11,6 +11,9 @@
 <title>Upgrading from Samba-2.x to Samba-3.0.20</title>
 
 <para>
+<indexterm><primary>Samba differences</primary></indexterm>
+<indexterm><primary>changed parameters</primary></indexterm>
+<indexterm><primary>simple guide</primary></indexterm>
 This chapter deals exclusively with the differences between Samba-3.0.20 and Samba-2.2.8a.
 It points out where configuration parameters have changed, and provides a simple guide for 
 the move from 2.2.x to 3.0.20.
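Review bot: The primary "simple guide" added at the top of this paragraph is not a term a reader would look up in an index; it only echoes the phrase "provides a simple guide" in the text. Suggest dropping it and keeping entries that name the subject, for example a primary of "upgrading" with a secondary of "from Samba-2.x".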
@@ -28,6 +31,8 @@ will use the <filename>smbpasswd</filename> database.
 </para>
 
 <para>
+<indexterm><primary>behavior approximately same</primary></indexterm>
+<indexterm><primary>differing protocol</primary></indexterm>
 So why say that <emphasis>behavior should be approximately the same as Samba-2.2.x</emphasis>? Because
 Samba-3.0.20 can negotiate new protocols, such as support for native Unicode, that may result in
 differing protocol code paths being taken. The new behavior under such circumstances is not
@@ -36,6 +41,10 @@ preserved across the upgrade.
 </para>
 
 <para>
+<indexterm><primary>LDAP backend</primary></indexterm>
+<indexterm><primary>database</primary></indexterm>
+<indexterm><primary>pdbedit</primary></indexterm>
+<indexterm><primary>Samba-3-compatible LDAP backend</primary></indexterm>
 If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP
 database, then make sure that <smbconfoption name="passdb backend">ldapsam_compat</smbconfoption>
 is specified in the &smb.conf; file. For the rest, behavior should remain more or less the same.
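Review bot: The pdbedit indexterm added at the top of this paragraph has no matching text in the visible lines, which discuss only the LDAP backend and ldapsam_compat, while ldapsam_compat itself, the value an administrator would search for, is not indexed. Suggest replacing the generic "database" primary with ldapsam_compat and keeping pdbedit only if the remainder of the paragraph mentions it.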
@@ -54,30 +63,37 @@ The major new features are:
 </para>
 
 <orderedlist numeration="arabic">
-       <listitem><para>
+       <listitem><para> 
+<indexterm><primary>ADS</primary></indexterm>
+<indexterm><primary>LDAP/Kerberos</primary></indexterm>
        Active Directory support. This release is able to join an ADS realm
        as a member server and authenticate users using LDAP/Kerberos.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>Unicode</primary></indexterm>
+<indexterm><primary>multibyte character sets</primary></indexterm>
        Unicode support. Samba will now negotiate Unicode on the wire, and
        internally there is a much better infrastructure for multibyte
        and Unicode character sets.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>authentication system</primary></indexterm>
        New authentication system. The internal authentication system has
        been almost completely rewritten. Most of the changes are internal,
        but the new authoring system is also very configurable.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>filename mangling</primary></indexterm>
        New filename mangling system. The filename mangling system has been
        completely rewritten. An internal database now stores mangling maps
        persistently.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>net command</primary></indexterm>
        New <quote>net</quote> command. A new <quote>net</quote> command has been added. It is
        somewhat similar to the <quote>net</quote> command in Windows. Eventually, we
        plan to replace a bunch of other utilities (such as smbpasswd)
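Review bot: The first change in this hunk replaces "<listitem><para>" with the same line plus a trailing space, a whitespace-only edit that adds noise to the diff; drop it and insert the ADS indexterms under the unchanged line. While touching this list, the context line "but the new authoring system is also very configurable" looks like it should read "authentication system", matching the indexterm added just above it.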
@@ -85,34 +101,48 @@ The major new features are:
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>status32 codes</primary></indexterm>
        Samba now negotiates NT-style status32 codes on the wire. This
        considerably improves error handling.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>printer attributes publishing</primary></indexterm>
        Better Windows 200x/XP printing support, including publishing
        printer attributes in Active Directory.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>RPC modules</primary></indexterm>
+<indexterm><primary>passdb backends</primary></indexterm>
+<indexterm><primary>character sets</primary></indexterm>
        New loadable RPC modules for passdb backends and character sets.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>dual-daemon winbindd</primary></indexterm>
        New default dual-daemon winbindd support for better performance.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>migrating</primary></indexterm>
+<indexterm><primary>maintaining ids</primary></indexterm>
+<indexterm><primary>SID</primary></indexterm>
        Support for migrating from a Windows NT 4.0 domain to a Samba
        domain and maintaining user, group, and domain SIDs.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>trust relationships</primary></indexterm>
+<indexterm><primary>domain controllers</primary></indexterm>
        Support for establishing trust relationships with Windows NT 4.0
        domain controllers.
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>Winbind architecture</primary></indexterm>
+<indexterm><primary>LDAP directory</primary></indexterm>
+<indexterm><primary>ID mapping</primary></indexterm>
        Initial support for a distributed Winbind architecture using
        an LDAP directory for storing SID to UID/GID mappings.
        </para></listitem>
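Review bot: The primary "maintaining ids" on the NT 4.0 migration item is vague and lower-case next to the "SID" entry added right after it, and the text itself says "maintaining user, group, and domain SIDs". Suggest folding the two into one structured entry, a primary of SID with a secondary of "maintaining", in the primary/secondary form this patch already uses for net getlocalsid.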
@@ -122,6 +152,8 @@ The major new features are:
        </para></listitem>
 
        <listitem><para>
+<indexterm><primary>SMB signing</primary></indexterm>
+<indexterm><primary>security settings</primary></indexterm>
        Full support for client and server SMB signing to ensure
        compatibility with default Windows 2003 security settings.
        </para></listitem>
@@ -145,6 +177,7 @@ complete descriptions of new or modified parameters.
 <sect2>
 <title>Removed Parameters</title>
 
+<indexterm><primary>deleted parameters</primary></indexterm>
 <para>In alphabetical order, these are the parameters eliminated for Samba 3.0.20.</para>
 
 <itemizedlist>
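Review bot: The indexterm added here sits between <title> and <para>, outside any paragraph, whereas the other hunks place index entries as the first children of <para>; its primary, "deleted parameters", also matches neither the section title "Removed Parameters" nor the sentence's "eliminated". Suggest moving it inside the <para> and using "removed parameters" so the index agrees with the heading.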
@@ -179,6 +212,8 @@ complete descriptions of new or modified parameters.
 
 <para>Remote Management</para>
 
+<indexterm><primary>new parameters</primary></indexterm>
+
 <itemizedlist>
        <listitem><para>abort shutdown script </para></listitem>
        <listitem><para>shutdown script </para></listitem>
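Review bot: The "new parameters" indexterm is inserted after <para>Remote Management</para>, so the index entry resolves to this first subgroup's list rather than to the start of the list of new parameters. If it is meant to cover the whole list, place it next to the section title or introductory paragraph; the extra blank "+" line after it can be dropped as well.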
@@ -397,14 +432,19 @@ complete descriptions of new or modified parameters.
 
        <orderedlist>
                <listitem><para>
+<indexterm><primary>Windows domain</primary></indexterm>
+<indexterm><primary>getpwnam() call</primary></indexterm>
+<indexterm><primary>NT_STATUS_LOGON_FAILURE</primary></indexterm>
                When operating as a member of a Windows domain, Samba-2.2 would
                map any users authenticated by the remote DC to the <quote>guest account</quote>
                if a UID could not be obtained via the getpwnam() call. Samba-3
-               rejects the connection as <?latex \linebreak ?>NT_STATUS_LOGON_FAILURE. There is no
+               rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
                current workaround to re-establish the Samba-2.2 behavior.
                </para></listitem>
 
                <listitem><para>
+<indexterm><primary>add user script</primary></indexterm>
+<indexterm><primary>add machine script</primary></indexterm>
                When adding machines to a Samba-2.2 controlled domain, the
                <quote>add user script</quote> was used to create the UNIX identity of the
                machine trust account. Samba-3 introduces a new <quote>add machine
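Review bot: Besides the index entries, this hunk removes the "<?latex \linebreak ?>" processing instruction in front of NT_STATUS_LOGON_FAILURE, a layout change the commit message ("Update.") does not mention. Please confirm the PDF build still breaks this line acceptably without it, or split the removal into its own commit. Since the item describes the end of the Samba-2.2 fallback to the "guest account", an indexterm for "guest account" would be more useful here than "getpwnam() call", which could be shortened to getpwnam().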
@@ -426,6 +466,7 @@ complete descriptions of new or modified parameters.
 
        <orderedlist>
                <listitem><para>
+<indexterm><primary>encrypted passwords</primary></indexterm>
                Encrypted passwords have been enabled by default in order to
                interoperate better with out-of-the-box Windows client
                installations. This does mean that either (a) a Samba account
@@ -434,25 +475,27 @@ complete descriptions of new or modified parameters.
                </para></listitem>
 
                <listitem><para>
+<indexterm><primary>ADS</primary></indexterm>
+<indexterm><primary>Kerberos</primary></indexterm>
+<indexterm><primary>LDAP</primary></indexterm>
                Inclusion of new <smbconfoption name="security">ads</smbconfoption> option for integration
                with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
                </para></listitem>
        </orderedlist>
 
        <para>
-       Samba-3 also includes the possibility of setting up chains
-       of authentication methods 
-       (<smbconfoption name="auth methods"/>) and account
-       storage backends 
-       (<smbconfoption name="passdb backend"/>). 
-       Please refer to the &smb.conf;
-       man page and Chapter 10, <link linkend="passdb">Account Information Databases</link>, for details. While both parameters assume sane default
-       values, it is likely that you will need to understand what the
-       values actually mean in order to ensure Samba operates correctly.
+<indexterm><primary>account storage backends</primary></indexterm>
+       Samba-3 also includes the possibility of setting up chains of authentication methods (<smbconfoption
+       name="auth methods"/>) and account storage backends (<smbconfoption name="passdb backend"/>).  Please refer to
+       the &smb.conf; man page and <link linkend="passdb">Account Information Databases</link>, for
+       details. While both parameters assume sane default values, it is likely that you will need to understand what
+       the values actually mean in order to ensure Samba operates correctly.
        </para>
 
        <para>
 <indexterm><primary>pdbedit</primary></indexterm>
+<indexterm><primary>smbpasswd</primary></indexterm>
+<indexterm><primary>net tool</primary></indexterm>
        Certain functions of the <command>smbpasswd</command> tool have been split between the
        new <command>smbpasswd</command> utility, the <command>net</command> tool, and the new <command>pdbedit</command>
        utility. See the respective man pages for details.
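Review bot: The rewrapped paragraph drops "Chapter 10," in front of the Account Information Databases link but keeps the comma after </link>, so the sentence now reads "man page and Account Information Databases, for details"; remove that comma. Reflowing the whole paragraph in the same change as the wording edit also hides the real difference, so consider keeping the original line breaks and changing only the affected line.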
@@ -471,6 +514,10 @@ complete descriptions of new or modified parameters.
                <title>New Schema</title>
 
                <para>
+<indexterm><primary>object class</primary></indexterm>
+<indexterm><primary>sambaSamAccount</primary></indexterm>
+<indexterm><primary>LDIF</primary></indexterm>
+<indexterm><primary>attributes</primary></indexterm>
                A new object class (sambaSamAccount) has been introduced to replace
                the old sambaAccount. This change aids in the renaming of attributes
                to prevent clashes with attributes from other vendors. There is a
@@ -480,6 +527,7 @@ complete descriptions of new or modified parameters.
 
                <para>
                Example:
+<indexterm><primary>ldapsearch</primary></indexterm>
                </para>
                <para><screen>
                &prompt;ldapsearch .... -LLL -b "ou=people,dc=..." &gt; old.ldif
@@ -487,27 +535,34 @@ complete descriptions of new or modified parameters.
                </screen></para>
 
                <para>
+<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
                The &lt;DOM SID&gt; can be obtained by running 
 <screen>
 &prompt;<userinput>net getlocalsid &lt;DOMAINNAME&gt;</userinput>
 </screen>
+<indexterm><primary>PDC</primary></indexterm>
                on the Samba PDC as root.
                </para>
 
                <para>
                Under Samba-2.x the domain SID can be obtained by executing:
+<indexterm><primary>smbpasswd</primary></indexterm>
 <screen>
 &prompt;<userinput>smbpasswd -S &lt;DOMAINNAME&gt;</userinput>
 </screen>
                </para>
 
                <para>
-               The old sambaAccount schema may still be used by specifying the
+<indexterm><primary>old sambaAccount</primary></indexterm>
+<indexterm><primary>ldapsam_compat</primary></indexterm>
+<indexterm><primary>object class declaration</primary></indexterm>
+<indexterm><primary>samba.schema</primary></indexterm>
+               The old <literal>sambaAccount</literal> schema may still be used by specifying the
                <parameter>ldapsam_compat</parameter> passdb backend. However, the sambaAccount and
                associated attributes have been moved to the historical section of
                the schema file and must be uncommented before use if needed.
-               The Samba-2.2 object class declaration for a sambaAccount has not changed
-               in the Samba-3 samba.schema file.
+               The Samba-2.2 object class declaration for a <literal>sambaAccount</literal> has not changed
+               in the Samba-3 <filename>samba.schema</filename> file.
                </para>
 
                <para>
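Review bot: Two of the three sambaAccount mentions in the last paragraph gain <literal>, but "However, the sambaAccount and associated attributes" is left bare, so the markup is inconsistent within one paragraph; wrap that occurrence too. The PDC and smbpasswd indexterms are also placed mid-sentence (between </screen> and "on the Samba PDC as root", and between the sentence and its <screen>), unlike the start-of-paragraph placement used in the rest of the patch.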
@@ -516,7 +571,13 @@ complete descriptions of new or modified parameters.
 
                <itemizedlist>
                        <listitem><para>
-                       sambaDomain &smbmdash; domain information used to allocate RIDs
+<indexterm><primary>sambaDomain</primary></indexterm>
+<indexterm><primary>domain information</primary></indexterm>
+<indexterm><primary>RID</primary></indexterm>
+<indexterm><primary>ldap suffix</primary></indexterm>
+<indexterm><primary>ldapsam</primary></indexterm>
+<indexterm><primary>idmap</primary></indexterm>
+                       <literal>sambaDomain</literal> &smbmdash; domain information used to allocate RIDs
                        for users and groups as necessary. The attributes are added
                        in <quote>ldap suffix</quote> directory entry automatically if
                        an idmap UID/GID range has been set and the <quote>ldapsam</quote>
@@ -524,6 +585,9 @@ complete descriptions of new or modified parameters.
                        </para></listitem>
 
                        <listitem><para>
+<indexterm><primary>sambaGroupMapping</primary></indexterm>
+<indexterm><primary>ldap group suffix</primary></indexterm>
+<indexterm><primary>net groupmap</primary></indexterm>
                        sambaGroupMapping &smbmdash; an object representing the
                        relationship between a posixGroup and a Windows
                        group/SID. These entries are stored in the <quote>ldap
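Review bot: sambaGroupMapping on the context line stays plain text, while the sibling items sambaDomain, sambaUNIXIdPool and sambaIdmapEntry are wrapped in <literal> by the neighbouring hunks; wrap it here as well so the four object classes render alike. The "net groupmap" primary could also use the primary/secondary form used for net getlocalsid earlier in the patch.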
@@ -531,13 +595,19 @@ complete descriptions of new or modified parameters.
                        </para></listitem>
 
                        <listitem><para>
-                       sambaUNIXIdPool &smbmdash; created in the <quote>ldap idmap suffix</quote> entry
+<indexterm><primary>sambaUNIXIdPool</primary></indexterm>
+<indexterm><primary>ldap idmap suffix</primary></indexterm>
+<indexterm><primary>idmap UID</primary></indexterm>
+<indexterm><primary>idmap GID</primary></indexterm>
+                       <literal>sambaUNIXIdPool</literal> &smbmdash; created in the <quote>ldap idmap suffix</quote> entry
                        automatically and contains the next available <quote>idmap UID</quote> and
                        <quote>idmap GID</quote>.
                        </para></listitem>
 
                        <listitem><para>
-                       sambaIdmapEntry &smbmdash; object storing a mapping between a
+<indexterm><primary>sambaIdmapEntry</primary></indexterm>
+<indexterm><primary>idmap_ldap module</primary></indexterm>
+                       <literal>sambaIdmapEntry</literal> &smbmdash; object storing a mapping between a
                        SID and a UNIX UID/GID. These objects are created by the
                        idmap_ldap module as needed.
                        </para></listitem>
@@ -549,7 +619,14 @@ complete descriptions of new or modified parameters.
                <title>New Suffix for Searching</title>
 
                <para>
-               The following new smb.conf parameters have been added to aid in directing
+<indexterm><primary>LDAP queries</primary></indexterm>
+<indexterm><primary>passdb backend</primary></indexterm>
+<indexterm><primary>ldap suffix</primary></indexterm>
+<indexterm><primary>ldap user suffix</primary></indexterm>
+<indexterm><primary>ldap machine suffix</primary></indexterm>
+<indexterm><primary>ldap group suffix</primary></indexterm>
+<indexterm><primary>ldap idmap suffix</primary></indexterm>
+               The following new &smb.conf; parameters have been added to aid in directing
                certain LDAP queries when <parameter>passdb backend = ldapsam://...</parameter> has been
                specified.
                </para>
@@ -563,9 +640,11 @@ complete descriptions of new or modified parameters.
                </itemizedlist>
 
                <para>
+<indexterm><primary>ldap suffix</primary></indexterm>
+<indexterm><primary>subsuffix parameters</primary></indexterm>
                If an <parameter>ldap suffix</parameter> is defined, it will be appended to all of the
                remaining subsuffix parameters. In this case, the order of the suffix
-               listings in smb.conf is important. Always place the <parameter>ldap suffix</parameter> first
+               listings in &smb.conf; is important. Always place the <parameter>ldap suffix</parameter> first
                in the list.
                </para>
 
@@ -595,6 +674,7 @@ complete descriptions of new or modified parameters.
                </smbconfblock>
 
                <para>
+<indexterm><primary>NFS</primary></indexterm>
                This configuration allows Winbind installations on multiple servers to
                share a UID/GID number space, thus avoiding the interoperability problems
                with NFS that were present in Samba-2.2.