source: branches/samba-3.3.x/docs-xml/Samba3-HOWTO/TOSHARG-ChangeNotes.xml

Last change on this file was 342, checked in by Herwig Bauernfeind, 16 years ago

Update 3.3 to 3.3.9
File size: 10.7 KB
RevLine 
[342]1<?xml version="1.0" encoding="iso-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3<chapter id="ChangeNotes">
4<chapterinfo>
5 &author.jht;
6 &author.jerry;
7</chapterinfo>
8
9<title>Important and Critical Change Notes for the Samba 3.x Series</title>
10<para>
11Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical
12or very important information here. Comprehensive change notes and guidance information can be found in the
13section <link linkend="upgrading-to-3.0">Updating and Upgrading Samba</link>.
14</para>
15
16<sect1>
17
18<title>Important Samba-3.2.x Change Notes</title>
19<para>
20!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!
21</para>
22
23</sect1>
24
25<sect1>
26
27<title>Important Samba-3.0.x Change Notes</title>
28<para>
29These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25
30update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are
31documented in this documention - See <link linkend="oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</link>.
32</para>
33
34<para>
35Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to
36reflect the impact of new or modified features. At other times it becomes clear that the documentation is in
37need of being restructured.
38</para>
39
40<para>
41In recent times a group of Samba users has joined the thrust to create a new <ulink
42url="http://wiki.samba.org/">Samba Wiki</ulink> that is slated to become the all-singing and all-dancing
43new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and
44thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to
45continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until
46such time as the body of this HOWTO is restructured or modified.
47</para>
48
49<para>
50This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided
51in the <filename>WHATSNEW.txt</filename> file that is included with the Samba source code release tarball.
52</para>
53
54<sect2>
55<title>User and Group Changes</title>
56
57<para>
58The change documented here affects unmapped user and group accounts only.
59</para>
60
61<para>
62<indexterm><primary>user</primary></indexterm>
63<indexterm><primary>group</primary></indexterm>
64<indexterm><primary>Relative Identifiers</primary><see>RID</see></indexterm>
65<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
66<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>vampire</tertiary></indexterm>
67The user and group internal management routines have been rewritten to prevent overlaps of
68assigned Relative Identifiers (RIDs). In the past the has been a potential problem when
69either manually mapping Unix groups with the <command>net groupmap</command> command or
70when migrating a Windows domain to a Samba domain by executing:
71<command>net rpc vampire</command>.
72</para>
73
74<para>
75<indexterm><primary>SID</primary></indexterm>
76<indexterm><primary>SAM</primary></indexterm>
77<indexterm><primary>RID</primary></indexterm>
78<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
79Unmapped users are now assigned a SID in the <literal>S-1-22-1</literal> domain and unmapped
80groups are assigned a SID in the <literal>S-1-22-2</literal> domain. Previously they were
81assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the
82authority of the domain SID where as on a member server or standalone server, this would have
83been under the authority of the local SAM (see the man page for <command>net getlocalsid</command>).
84</para>
85
86<para>
87<indexterm><primary>unmapped users</primary></indexterm>
88<indexterm><primary>unmapped groups</primary></indexterm>
89<indexterm><primary>SID</primary></indexterm>
90<indexterm><primary>NTFS</primary></indexterm>
91<indexterm><primary>GID</primary></indexterm>
92The result is that any unmapped users or groups on an upgraded Samba domain controller may
93be assigned a new SID. Because the SID rather than a name is stored in Windows security
94descriptors, this can cause a user to no longer have access to a resource for example if a
95file was copied from a Samba file server to a local Windows client NTFS partition. Any files
96stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX
97GID and not the SID for authorization checks.
98</para>
99
100<para>
101An example helps to illustrate the change:
102</para>
103
104<para>
105<indexterm><primary>group mapping</primary></indexterm>
106<indexterm><primary>GID</primary></indexterm>
107<indexterm><primary>ACL</primary></indexterm>
108<indexterm><primary>SID</primary></indexterm>
109Assume that a group named <emphasis>developers</emphasis> exists with a UNIX GID of 782. In this
110case this group does not exist in Samba's group mapping table. It would be perfectly normal for
111this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as
112<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal>.
113</para>
114
115<para>
116<indexterm><primary>SID</primary></indexterm>
117<indexterm><primary>NTFS</primary></indexterm>
118<indexterm><primary>access</primary></indexterm>
119<indexterm><primary>group permissions</primary></indexterm>
120With the release of Samba-3.0.23, the group SID would be reported as <literal>S-1-22-2-782</literal>. Any
121security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based
122on the group permissions if the user was not a member of the
123<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal> group. Because this group SID is
124<literal>S-1-22-2-782</literal> and not reported in a user's token, Windows would fail the authorization check
125even though both SIDs in some respect refer to the same UNIX group.
126</para>
127
128<para>
129<indexterm><primary>group mapping</primary></indexterm>
130<indexterm><primary>SID</primary></indexterm>
131The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping
132entry for the group <emphasis>developers</emphasis> to point at the
133<literal>S-1-5-21-647511796-4126122067-3123570092-2565</literal> SID. With the release of Samba-3.0.23 this
134workaround is no longer needed.
135</para>
136</sect2>
137
138<sect2>
139<title>Essential Group Mappings</title>
140<para>
141Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows
142domain groups <literal>Domain Admins, Domain Users, Domain Guests</literal>. Commencing with Samba 3.0.23
143these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to
144correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto
145the Windows client.
146</para>
147
148<note><para>
149Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not
150require these group mappings.
151</para></note>
152
153<para>
154The following mappings are required:
155</para>
156
157<table frame="all" id="TOSH-domgroups">
158 <title>Essential Domain Group Mappings</title>
159 <tgroup align="center" cols="3">
160 <thead>
161 <row><entry>Domain Group</entry><entry>RID</entry><entry>Example UNIX Group</entry></row>
162 </thead>
163 <tbody>
164 <row><entry>Domain Admins</entry><entry>512</entry><entry>root</entry></row>
165 <row><entry>Domain Users</entry><entry>513</entry><entry>users</entry></row>
166 <row><entry>Domain Guests</entry><entry>514</entry><entry>nobody</entry></row>
167 </tbody>
168 </tgroup>
169</table>
170
171<para>
172When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these <literal>domadmins, domusers,
173domguests</literal> respectively.
174</para>
175
176<para>
177For further information regarding group mappings see <link linkend="groupmapping">Group Mapping: MS Windows
178and UNIX</link>.
179</para>
180
181</sect2>
182
183<sect2>
184<title>Passdb Changes</title>
185
186<para>
187<indexterm><primary>backends</primary></indexterm>
188<indexterm><primary>GID</primary></indexterm>
189<indexterm><primary>SQL</primary></indexterm>
190<indexterm><primary>XML</primary></indexterm>
191The <smbconfoption name="passdb backend"/> parameter no longer accepts multiple passdb backends in a
192chained configuration. Also be aware that the SQL and XML based passdb modules have been
193removed in the Samba-3.0.23 release. More information regarding external support for a SQL
194passdb module can be found on the <ulink url="http://pdbsql.sourceforge.net/">pdbsql</ulink> web site.
195</para>
196
197</sect2>
198
199<sect2>
200<title>Group Mapping Changes in Samba-3.0.23</title>
201
202<para>
203<indexterm><primary>default mapping</primary></indexterm>
204<indexterm><primary>Domain Admins</primary></indexterm>
205<indexterm><primary>smbpasswd</primary></indexterm>
206<indexterm><primary>tdbsam</primary></indexterm>
207<indexterm><primary>passdb backend</primary></indexterm>
208<indexterm><primary>group mappings</primary></indexterm>
209<indexterm><primary>GID</primary></indexterm>
210<indexterm><primary>SID</primary></indexterm>
211<indexterm><primary>IDMAP</primary></indexterm>
212<indexterm><primary>winbindd</primary></indexterm>
213<indexterm><primary>domain groups</primary></indexterm>
214The default mapping entries for groups such as <literal>Domain Admins</literal> are no longer
215created when using an <literal>smbpasswd</literal> file or a <literal>tdbsam</literal> passdb
216backend. This means that it is necessary to explicitly execute the <command>net groupmap add</command>
217to create group mappings, rather than use the <command>net groupmap modify</command> method to create the
218Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality
219for domain groups.
220</para>
221
222</sect2>
223
224<sect2>
225<title>LDAP Changes in Samba-3.0.23</title>
226
227<para>
228<indexterm><primary>LDAP schema</primary></indexterm>
229<indexterm><primary>sambaSID</primary></indexterm>
230<indexterm><primary>OpenLDAP</primary></indexterm>
231<indexterm><primary>slapindex</primary></indexterm>
232<indexterm><primary>slapd.conf</primary></indexterm>
233There has been a minor update the Samba LDAP schema file. A substring matching rule has been
234added to the <literal>sambaSID</literal> attribute definition. For OpenLDAP servers, this
235will require the addition of <literal>index sambaSID sub</literal> to the
236<filename>slapd.conf</filename> configuration file. It will be necessary to execute the
237<command>slapindex</command> command after making this change. There has been no change to the
238actual data storage schema.
239</para>
240
241</sect2>
242</sect1>
243
244</chapter>
Note: See TracBrowser for help on using the repository browser.