Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

upgrading-to-3.0.html

Visit:

Last change on this file was 739, checked in by Silvan Scherrer, 13 years ago
Samba Server 3.5: update branche to 3.5.19
File size: 42.0 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Updating and Upgrading Samba</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Updating and Upgrading Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 35. Updating and Upgrading Samba"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 35. Updating and Upgrading Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">August 16, 2007</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id436625">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id436645">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id436692">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id436830">New Features in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id436838">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id437079">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438230">New Functionality</a></span></dt></dl></dd></dl></div><p>
2	This chapter provides a detailed record of changes made during the 3.x series releases. At this time this
3	series consists of the 3.0.x series that is under the GNU GPL version 2 license, and the Samba 3.2.x series
4	that is being released under the terms of the GNU GPL version 3 license.
5	</p><div class="sect1" title="Key Update Requirements"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id436625"></a>Key Update Requirements</h2></div></div></div><p>
6	Samba is a fluid product in which there may be significant changes between releases. Some of these changes are
7	brought about as a result of changes in the protocols that are used by Microsoft Windows network clients as a
8	result of security or functionality updates through official Microsoft patches and updates. Samba must track
9	such changes, particularly where they affect the internal operation of Samba itself.
10	</p><p>
11	Please refer to any notes below that make explicit mention of the version of Samba you are using. In general,
12	all changes that apply to a new release will apply to follow-on releases also. For example, changes to Samba
13	3.0.23 affect all releases up to an including 3.0.25 and later. Samba 3.2.x was originaly cut from Samba
14	3.0.25 before 3.2.0-specific changes were applied. Unless a 3.0.x series feature is specifically revoked, the
15	behavior of the 3.2.x series can be expected to follow the earlier pattern.
16	</p><div class="sect2" title="Upgrading from Samba-3.0.x to Samba-3.2.0"><div class="titlepage"><div><div><h3 class="title"><a name="id436645"></a>Upgrading from Samba-3.0.x to Samba-3.2.0</h3></div></div></div><p>
17	</p></div><div class="sect2" title="Upgrading from Samba-2.x to Samba-3.0.25"><div class="titlepage"><div><div><h3 class="title"><a name="oldupdatenotes"></a>Upgrading from Samba-2.x to Samba-3.0.25</h3></div></div></div><p>
18	<a class="indexterm" name="id436667"></a>
19	<a class="indexterm" name="id436674"></a>
20	<a class="indexterm" name="id436681"></a>
21	This chapter deals exclusively with the differences between Samba-3.0.25 and Samba-2.2.8a.
22	It points out where configuration parameters have changed, and provides a simple guide for
23	the move from 2.2.x to 3.0.25.
24	</p></div><div class="sect2" title="Quick Migration Guide"><div class="titlepage"><div><div><h3 class="title"><a name="id436692"></a>Quick Migration Guide</h3></div></div></div><p>
25	Samba-3.0.25 default behavior should be approximately the same as Samba-2.2.x.
26	The default behavior when the new parameter <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>
27	is not defined in the <code class="filename">smb.conf</code> file provides the same default behavior as Samba-2.2.x
28	with <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = Yes</a> and
29	will use the <code class="filename">smbpasswd</code> database.
30	</p><p>
31	<a class="indexterm" name="id436738"></a>
32	<a class="indexterm" name="id436745"></a>
33	So why say that <span class="emphasis"><em>behavior should be approximately the same as Samba-2.2.x</em></span>? Because
34	Samba-3.0.25 can negotiate new protocols, such as support for native Unicode, that may result in
35	differing protocol code paths being taken. The new behavior under such circumstances is not
36	exactly the same as the old one. The good news is that the domain and machine SIDs will be
37	preserved across the upgrade.
38	</p><p>
39	<a class="indexterm" name="id436762"></a>
40	<a class="indexterm" name="id436769"></a>
41	<a class="indexterm" name="id436775"></a>
42	<a class="indexterm" name="id436782"></a>
43	If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP
44	database, then make sure that <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend = ldapsam_compat</a>
45	is specified in the <code class="filename">smb.conf</code> file. For the rest, behavior should remain more or less the same.
46	At a later date, when there is time to implement a new Samba-3-compatible LDAP backend, it is possible
47	to migrate the old LDAP database to the new one through use of the <code class="literal">pdbedit</code>.
48	See <a class="link" href="passdb.html#pdbeditthing" title="The pdbedit Tool">The <span class="emphasis"><em>pdbedit</em></span> Command</a>.
49	</p></div></div><div class="sect1" title="New Features in Samba-3.x Series"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id436830"></a>New Features in Samba-3.x Series</h2></div></div></div><p>
50	</p><div class="sect2" title="New Features in Samba-3.2.x Series"><div class="titlepage"><div><div><h3 class="title"><a name="id436838"></a>New Features in Samba-3.2.x Series</h3></div></div></div><p>Samba is now distributed under the version 3
51	of the new GNU General Public License.
52	</p><p>
53	The major new features are:
54	</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
55	<a class="indexterm" name="id436863"></a>
56	<a class="indexterm" name="id436870"></a>
57	Removal of the 1024 byte limit on pathnames and 256 byte limit on
58	filename components to honor the MAX_PATH setting from the host OS.
59	</p></li><li class="listitem"><p>
60	<a class="indexterm" name="id436882"></a>
61	<a class="indexterm" name="id436889"></a>
62	Introduction of a registry based configuration system.
63	</p></li><li class="listitem"><p>
64	<a class="indexterm" name="id436901"></a>
65	Experimental support for file serving clusters.
66	</p></li><li class="listitem"><p>
67	<a class="indexterm" name="id436912"></a>
68	Support for IPv6 in the server, and client tools and libraries.
69	</p></li><li class="listitem"><p>
70	<a class="indexterm" name="id436924"></a>
71	Support for storing alternate data streams in xattrs.
72	</p></li><li class="listitem"><p>
73	<a class="indexterm" name="id436936"></a>
74	Encrypted SMB transport in client tools and libraries, and server.
75	</p></li><li class="listitem"><p>
76	<a class="indexterm" name="id436948"></a>
77	Support for Vista clients authenticating via Kerberos.
78	</p></li><li class="listitem"><p>
79	<a class="indexterm" name="id436959"></a>
80	<a class="indexterm" name="id436966"></a>
81	Full support for Windows 2003 cross-forest, transitive trusts
82	and one-way domain trusts.
83	</p></li><li class="listitem"><p>
84	<a class="indexterm" name="id436978"></a>
85	Support for userPrincipalName logons via pam_winbind and NSS lookups.
86	</p></li><li class="listitem"><p>
87	<a class="indexterm" name="id436990"></a>
88	<a class="indexterm" name="id436997"></a>
89	<a class="indexterm" name="id437004"></a>
90	Support for Active Directory LDAP Signing policy.
91	</p></li><li class="listitem"><p>
92	<a class="indexterm" name="id437015"></a>
93	<a class="indexterm" name="id437022"></a>
94	New LGPL Winbind client library (libwbclient.so).
95	</p></li><li class="listitem"><p>
96	<a class="indexterm" name="id437033"></a>
97	<a class="indexterm" name="id437040"></a>
98	Support for establishing interdomain trust relationships with Windows 2008.
99	</p></li><li class="listitem"><p>
100	<a class="indexterm" name="id437052"></a>
101	New client and server support for remotely joining and unjoining Domains.
102	</p></li><li class="listitem"><p>
103	<a class="indexterm" name="id437064"></a>
104	Support for joining into Windows 2008 domains.
105	</p></li></ol></div><p>
106	Plus lots of other improvements!
107	</p></div><div class="sect2" title="New Features in Samba-3.0.x"><div class="titlepage"><div><div><h3 class="title"><a name="id437079"></a>New Features in Samba-3.0.x</h3></div></div></div><p>
108	The major new features are:
109	</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
110	<a class="indexterm" name="id437100"></a>
111	<a class="indexterm" name="id437107"></a>
112	Active Directory support. This release is able to join an ADS realm
113	as a member server and authenticate users using LDAP/Kerberos.
114	</p></li><li class="listitem"><p>
115	<a class="indexterm" name="id437119"></a>
116	<a class="indexterm" name="id437126"></a>
117	Unicode support. Samba will now negotiate Unicode on the wire, and
118	internally there is a much better infrastructure for multibyte
119	and Unicode character sets.
120	</p></li><li class="listitem"><p>
121	<a class="indexterm" name="id437138"></a>
122	New authentication system. The internal authentication system has
123	been almost completely rewritten. Most of the changes are internal,
124	but the new authoring system is also very configurable.
125	</p></li><li class="listitem"><p>
126	<a class="indexterm" name="id437151"></a>
127	New filename mangling system. The filename mangling system has been
128	completely rewritten. An internal database now stores mangling maps
129	persistently.
130	</p></li><li class="listitem"><p>
131	<a class="indexterm" name="id437164"></a>
132	New <span class="quote">“<span class="quote">net</span>”</span> command. A new <span class="quote">“<span class="quote">net</span>”</span> command has been added. It is
133	somewhat similar to the <span class="quote">“<span class="quote">net</span>”</span> command in Windows. Eventually, we
134	plan to replace a bunch of other utilities (such as smbpasswd)
135	with subcommands in <span class="quote">“<span class="quote">net</span>”</span>.
136	</p></li><li class="listitem"><p>
137	<a class="indexterm" name="id437190"></a>
138	Samba now negotiates NT-style status32 codes on the wire. This
139	considerably improves error handling.
140	</p></li><li class="listitem"><p>
141	<a class="indexterm" name="id437202"></a>
142	Better Windows 200x/XP printing support, including publishing
143	printer attributes in Active Directory.
144	</p></li><li class="listitem"><p>
145	<a class="indexterm" name="id437214"></a>
146	<a class="indexterm" name="id437221"></a>
147	<a class="indexterm" name="id437228"></a>
148	New loadable RPC modules for passdb backends and character sets.
149	</p></li><li class="listitem"><p>
150	<a class="indexterm" name="id437240"></a>
151	New default dual-daemon winbindd support for better performance.
152	</p></li><li class="listitem"><p>
153	<a class="indexterm" name="id437251"></a>
154	<a class="indexterm" name="id437258"></a>
155	<a class="indexterm" name="id437265"></a>
156	Support for migrating from a Windows NT 4.0 domain to a Samba
157	domain and maintaining user, group, and domain SIDs.
158	</p></li><li class="listitem"><p>
159	<a class="indexterm" name="id437277"></a>
160	<a class="indexterm" name="id437284"></a>
161	Support for establishing trust relationships with Windows NT 4.0
162	domain controllers.
163	</p></li><li class="listitem"><p>
164	<a class="indexterm" name="id437296"></a>
165	<a class="indexterm" name="id437302"></a>
166	<a class="indexterm" name="id437309"></a>
167	Initial support for a distributed Winbind architecture using
168	an LDAP directory for storing SID to UID/GID mappings.
169	</p></li><li class="listitem"><p>
170	Major updates to the Samba documentation tree.
171	</p></li><li class="listitem"><p>
172	<a class="indexterm" name="id437326"></a>
173	<a class="indexterm" name="id437333"></a>
174	Full support for client and server SMB signing to ensure
175	compatibility with default Windows 2003 security settings.
176	</p></li></ol></div><p>
177	Plus lots of other improvements!
178	</p><div class="sect3" title="Configuration Parameter Changes"><div class="titlepage"><div><div><h4 class="title"><a name="id437347"></a>Configuration Parameter Changes</h4></div></div></div><p>
179	This section contains a brief listing of changes to <code class="filename">smb.conf</code> options since the Samba-2.2.x series up to and
180	including Samba-3.0.25.
181	</p><p>
182	Please refer to the smb.conf(5) man page for complete descriptions of new or modified
183	parameters.
184	</p><p>
185	Whenever a Samba update or upgrade is performed it is highly recommended to read the file called
186	<span class="emphasis"><em>WHATSNEW.txt</em></span> that is part of the Samba distribution tarball. This file may also
187	be obtain on-line from the Samba <a class="ulink" href="http://www.samba.org/samba/" target="_top">web site</a>, in
188	the right column, under Current Stable Release, by clicking on <span class="emphasis"><em>Release Notes</em></span>.
189	</p></div><div class="sect3" title="Removed Parameters"><div class="titlepage"><div><div><h4 class="title"><a name="id437387"></a>Removed Parameters</h4></div></div></div><a class="indexterm" name="id437392"></a><p>
190	In alphabetical order, these are the parameters eliminated from Samba-2.2.x through 3.0.25.
191	</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>admin log</p></li><li class="listitem"><p>alternate permissions</p></li><li class="listitem"><p>character set</p></li><li class="listitem"><p>client codepage</p></li><li class="listitem"><p>code page directory</p></li><li class="listitem"><p>coding system</p></li><li class="listitem"><p>domain admin group</p></li><li class="listitem"><p>domain guest group</p></li><li class="listitem"><p>enable rid algorithm</p></li><li class="listitem"><p>enable svcctl</p></li><li class="listitem"><p>force unknown acl user</p></li><li class="listitem"><p>hosts equiv</p></li><li class="listitem"><p>ldap filter</p></li><li class="listitem"><p>min password length</p></li><li class="listitem"><p>nt smb support</p></li><li class="listitem"><p>post script</p></li><li class="listitem"><p>printer admin</p></li><li class="listitem"><p>printer driver</p></li><li class="listitem"><p>printer driver file</p></li><li class="listitem"><p>printer driver location</p></li><li class="listitem"><p>read size</p></li><li class="listitem"><p>source environment</p></li><li class="listitem"><p>status </p></li><li class="listitem"><p>strip dot </p></li><li class="listitem"><p>total print jobs</p></li><li class="listitem"><p>unicode</p></li><li class="listitem"><p>use rhosts</p></li><li class="listitem"><p>valid chars</p></li><li class="listitem"><p>vfs options</p></li><li class="listitem"><p>winbind enable local accounts</p></li><li class="listitem"><p>winbind max idle children</p></li><li class="listitem"><p>wins partners</p></li></ul></div></div><div class="sect3" title="New Parameters"><div class="titlepage"><div><div><h4 class="title"><a name="id437553"></a>New Parameters</h4></div></div></div><p>The following new parameters have been released up to and including Samba 3.0.25 (grouped by function:)</p><p>Remote Management</p><a class="indexterm" name="id437566"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>abort shutdown script</p></li><li class="listitem"><p>shutdown script</p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>add group script</p></li><li class="listitem"><p>add machine script</p></li><li class="listitem"><p>add user to group script</p></li><li class="listitem"><p>algorithmic rid base</p></li><li class="listitem"><p>delete group script</p></li><li class="listitem"><p>delete user from group script</p></li><li class="listitem"><p>passdb backend</p></li><li class="listitem"><p>rename user script</p></li><li class="listitem"><p>set primary group script</p></li><li class="listitem"><p>username map script</p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>auth methods</p></li><li class="listitem"><p>ldap password sync</p></li><li class="listitem"><p>passdb expand explicit</p></li><li class="listitem"><p>realm</p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>add port command</p></li><li class="listitem"><p>afs token lifetime</p></li><li class="listitem"><p>client lanman auth</p></li><li class="listitem"><p>client NTLMv2 auth</p></li><li class="listitem"><p>client schannel</p></li><li class="listitem"><p>client signing</p></li><li class="listitem"><p>client use spnego</p></li><li class="listitem"><p>defer sharing violations</p></li><li class="listitem"><p>disable netbios</p></li><li class="listitem"><p>dmapi support</p></li><li class="listitem"><p>enable privileges</p></li><li class="listitem"><p>use kerberos keytab</p></li><li class="listitem"><p>log nt token command</p></li><li class="listitem"><p>ntlm auth</p></li><li class="listitem"><p>paranoid server security </p></li><li class="listitem"><p>sendfile</p></li><li class="listitem"><p>server schannel</p></li><li class="listitem"><p>server signing</p></li><li class="listitem"><p>smb ports</p></li><li class="listitem"><p>svcctl list</p></li><li class="listitem"><p>use spnego</p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>allocation roundup size</p></li><li class="listitem"><p>acl check permissions</p></li><li class="listitem"><p>acl group control</p></li><li class="listitem"><p>acl map full control</p></li><li class="listitem"><p>aio read size</p></li><li class="listitem"><p>aio write size</p></li><li class="listitem"><p>dfree cache time</p></li><li class="listitem"><p>dfree command</p></li><li class="listitem"><p>ea support</p></li><li class="listitem"><p>enable asu support</p></li><li class="listitem"><p>fam change notify</p></li><li class="listitem"><p>force unknown acl user</p></li><li class="listitem"><p>get quota command</p></li><li class="listitem"><p>hide special files</p></li><li class="listitem"><p>hide unwriteable files</p></li><li class="listitem"><p>inherit owner</p></li><li class="listitem"><p>hostname lookups</p></li><li class="listitem"><p>kernel change notify</p></li><li class="listitem"><p>mangle prefix</p></li><li class="listitem"><p>map acl inherit</p></li><li class="listitem"><p>map read only</p></li><li class="listitem"><p>max stat cache size</p></li><li class="listitem"><p>msdfs proxy</p></li><li class="listitem"><p>open files database hash size</p></li><li class="listitem"><p>set quota command</p></li><li class="listitem"><p>store dos attributes</p></li><li class="listitem"><p>use sendfile</p></li><li class="listitem"><p>usershare allow guests</p></li><li class="listitem"><p>usershare max shares</p></li><li class="listitem"><p>usershare owner only</p></li><li class="listitem"><p>usershare path</p></li><li class="listitem"><p>usershare prefix allow list</p></li><li class="listitem"><p>usershare prefix deny list</p></li><li class="listitem"><p>usershare template share</p></li><li class="listitem"><p>vfs objects</p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>cups options</p></li><li class="listitem"><p>cups server</p></li><li class="listitem"><p>force printername</p></li><li class="listitem"><p>iprint server</p></li><li class="listitem"><p>max reported print jobs</p></li><li class="listitem"><p>printcap cache time</p></li></ul></div><p>Unicode and Character Sets</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>display charset</p></li><li class="listitem"><p>dos charset</p></li><li class="listitem"><p>UNIX charset</p></li></ul></div><p>SID to UID/GID Mappings</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>idmap backend</p></li><li class="listitem"><p>idmap gid</p></li><li class="listitem"><p>idmap uid</p></li><li class="listitem"><p>username map script</p></li><li class="listitem"><p>winbind nss info</p></li><li class="listitem"><p>winbind offline logon</p></li><li class="listitem"><p>winbind refresh tickets</p></li><li class="listitem"><p>winbind trusted domains only</p></li><li class="listitem"><p>template primary group</p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ldap delete dn</p></li><li class="listitem"><p>ldap group suffix</p></li><li class="listitem"><p>ldap idmap suffix</p></li><li class="listitem"><p>ldap machine suffix</p></li><li class="listitem"><p>ldap passwd sync</p></li><li class="listitem"><p>ldap replication sleep</p></li><li class="listitem"><p>ldap timeout</p></li><li class="listitem"><p>ldap user suffix</p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>eventlog list</p></li><li class="listitem"><p>preload modules</p></li><li class="listitem"><p>reset on zero vc</p></li><li class="listitem"><p>privatedir</p></li></ul></div></div><div class="sect3" title="Modified Parameters (Changes in Behavior)"><div class="titlepage"><div><div><h4 class="title"><a name="id438101"></a>Modified Parameters (Changes in Behavior)</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>acl group control (new default is No, deprecated parameter)</p></li><li class="listitem"><p>change notify timeout (scope changed)</p></li><li class="listitem"><p>dos filemode (disabled by default)</p></li><li class="listitem"><p>dos filetimes (enabled by default)</p></li><li class="listitem"><p>enable asu support (disabled by default)</p></li><li class="listitem"><p>enable privileges (enabled by default)</p></li><li class="listitem"><p>encrypt passwords (enabled by default) </p></li><li class="listitem"><p>host msdfs (enabled by default)</p></li><li class="listitem"><p>mangling method (set to hash2 by default) </p></li><li class="listitem"><p>map to guest</p></li><li class="listitem"><p>only user (deprecated)</p></li><li class="listitem"><p>passwd chat</p></li><li class="listitem"><p>passwd program</p></li><li class="listitem"><p>password server</p></li><li class="listitem"><p>restrict anonymous (integer value)</p></li><li class="listitem"><p>security (new ads value)</p></li><li class="listitem"><p>strict locking (auto by default)</p></li><li class="listitem"><p>winbind cache time (increased to 5 minutes)</p></li><li class="listitem"><p>winbind enum groups (disabled by default)</p></li><li class="listitem"><p>winbind enum users (disabled by default)</p></li><li class="listitem"><p>winbind nested groups (enabled by default)</p></li><li class="listitem"><p>winbind uid (deprecated in favor of idmap uid)</p></li><li class="listitem"><p>winbind gid (deprecated in favor of idmap gid)</p></li><li class="listitem"><p>winbindd nss info</p></li><li class="listitem"><p>write cache (deprecated)</p></li></ul></div></div></div><div class="sect2" title="New Functionality"><div class="titlepage"><div><div><h3 class="title"><a name="id438230"></a>New Functionality</h3></div></div></div><p>
192	<a class="indexterm" name="id438238"></a>
193	The major changes in behavior since that Samba-2.2.x series are documented in this section.
194	Please refer to the <code class="filename">WHATSNEW.txt</code> file that ships with every release of
195	Samba to obtain detailed information regarding the changes that have been made during the
196	life of the current Samba release.
197	</p><div class="sect3" title="TDB Data Files"><div class="titlepage"><div><div><h4 class="title"><a name="id438254"></a>TDB Data Files</h4></div></div></div><a class="indexterm" name="id438259"></a><p>
198	Refer to <a class="link" href="install.html" title="Chapter 1. How to Install and Test SAMBA">Installation, Chapter 1</a>, <a class="link" href="install.html#tdbdocs" title="TDB Database File Information">Chapter 1</a>
199	for information pertaining to the Samba-3 data files, their location and the information that must be
200	preserved across server migrations, updates and upgrades.
201	</p><p>
202	<a class="indexterm" name="id438288"></a>
203	Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. If necessary,
204	Samba will upgrade databases as they are opened. Downgrading from Samba-3 to 2.2, or reversion to an earlier
205	version of Samba-3 from a later release, is an unsupported path.
206	</p><p>
207	<a class="indexterm" name="id438300"></a>
208	The old Samba-2.2.x tdb files are described in <a class="link" href="upgrading-to-3.0.html#oldtdbfiledesc" title="Table 35.1. Samba-2.2.x TDB File Descriptions">the next table</a>.
209	</p><div class="table"><a name="oldtdbfiledesc"></a><p class="title"><b>Table 35.1. Samba-2.2.x TDB File Descriptions</b></p><div class="table-contents"><table summary="Samba-2.2.x TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">brlock</td><td align="justify">Byte-range file locking information.</td><td align="left">no</td></tr><tr><td align="left">connections</td><td align="justify"><p>Client connection information</p></td><td align="left">no</td></tr><tr><td align="left">locking</td><td align="justify">Temporary file locking data.</td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer driver information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer forms information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td><td align="left">yes</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for
210	exporting various database tables via the winreg RPCs.</p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information.</p></td><td align="left">no</td></tr><tr><td align="left">share_info</td><td align="justify">Share ACL settings.</td><td align="left">yes</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Packets received for which no process was listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of identity information received from an NT4 or an ADS domain.</p></td><td align="left">yes</td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>New ID map table from SIDS to UNIX UIDs/GIDs.</p></td><td align="left">yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" title="Changes in Behavior"><div class="titlepage"><div><div><h4 class="title"><a name="id438591"></a>Changes in Behavior</h4></div></div></div><p>
211	The following issues are known changes in behavior between Samba-2.2 and
212	Samba-3 that may affect certain installations of Samba.
213	</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
214	<a class="indexterm" name="id438611"></a>
215	<a class="indexterm" name="id438618"></a>
216	<a class="indexterm" name="id438624"></a>
217	When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC
218	to the <span class="quote">“<span class="quote">guest account</span>”</span> if a UID could not be obtained via the getpwnam() call. Samba-3 rejects
219	the connection with the error message <span class="quote">“<span class="quote">NT_STATUS_LOGON_FAILURE.</span>”</span> There is no current workaround
220	to re-establish the Samba-2.2 behavior.
221	</p></li><li class="listitem"><p>
222	<a class="indexterm" name="id438646"></a>
223	<a class="indexterm" name="id438652"></a>
224	When adding machines to a Samba-2.2 controlled domain, the
225	<span class="quote">“<span class="quote">add user script</span>”</span> was used to create the UNIX identity of the
226	machine trust account. Samba-3 introduces a new <span class="quote">“<span class="quote">add machine
227	script</span>”</span> that must be specified for this purpose. Samba-3 will
228	not fall back to using the <span class="quote">“<span class="quote">add user script</span>”</span> in the absence of
229	an <span class="quote">“<span class="quote">add machine script</span>”</span>.
230	</p></li></ol></div></div><div class="sect3" title="Passdb Backends and Authentication"><div class="titlepage"><div><div><h4 class="title"><a name="id438679"></a>Passdb Backends and Authentication</h4></div></div></div><p>
231	There have been a few new changes that Samba administrators should be
232	aware of when moving to Samba-3.
233	</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
234	<a class="indexterm" name="id438699"></a>
235	Encrypted passwords have been enabled by default in order to
236	interoperate better with out-of-the-box Windows client
237	installations. This does mean that either (a) a Samba account
238	must be created for each user, or (b) <span class="quote">“<span class="quote">encrypt passwords = no</span>”</span>
239	must be explicitly defined in <code class="filename">smb.conf</code>.
240	</p></li><li class="listitem"><p>
241	<a class="indexterm" name="id438722"></a>
242	<a class="indexterm" name="id438729"></a>
243	<a class="indexterm" name="id438736"></a>
244	Inclusion of new <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = ads</a> option for integration
245	with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
246	</p></li></ol></div><p>
247	<a class="indexterm" name="id438759"></a>
248	Samba-3 also includes the possibility of setting up chains of authentication methods (<a class="link" href="smb.conf.5.html#AUTHMETHODS" target="_top">auth methods</a>) and account storage backends (<a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>). Please refer to
249	the <code class="filename">smb.conf</code> man page and <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>, for
250	details. While both parameters assume sane default values, it is likely that you will need to understand what
251	the values actually mean in order to ensure Samba operates correctly.
252	</p><p>
253	<a class="indexterm" name="id438806"></a>
254	<a class="indexterm" name="id438813"></a>
255	<a class="indexterm" name="id438820"></a>
256	Certain functions of the <code class="literal">smbpasswd</code> tool have been split between the
257	new <code class="literal">smbpasswd</code> utility, the <code class="literal">net</code> tool, and the new <code class="literal">pdbedit</code>
258	utility. See the respective man pages for details.
259	</p></div><div class="sect3" title="LDAP"><div class="titlepage"><div><div><h4 class="title"><a name="id438853"></a>LDAP</h4></div></div></div><p>
260	This section outlines the new features effecting Samba/LDAP integration.
261	</p><div class="sect4" title="New Schema"><div class="titlepage"><div><div><h5 class="title"><a name="id438862"></a>New Schema</h5></div></div></div><p>
262	<a class="indexterm" name="id438870"></a>
263	<a class="indexterm" name="id438876"></a>
264	<a class="indexterm" name="id438883"></a>
265	<a class="indexterm" name="id438890"></a>
266	A new object class (sambaSamAccount) has been introduced to replace
267	the old sambaAccount. This change aids in the renaming of attributes
268	to prevent clashes with attributes from other vendors. There is a
269	conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
270	file to the new schema.
271	</p><p>
272	Example:
273	<a class="indexterm" name="id438903"></a>
274	</p><pre class="screen">
275	<code class="prompt">$ </code>ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif
276	<code class="prompt">$ </code>convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif
277	</pre><p>
278	<a class="indexterm" name="id438933"></a>
279	The <DOM SID> can be obtained by running
280	</p><pre class="screen">
281	<code class="prompt">$ </code><strong class="userinput"><code>net getlocalsid <DOMAINNAME></code></strong>
282	</pre><p>
283	<a class="indexterm" name="id438959"></a>
284	on the Samba PDC as root.
285	</p><p>
286	Under Samba-2.x the domain SID can be obtained by executing:
287	<a class="indexterm" name="id438970"></a>
288	</p><pre class="screen">
289	<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd -S <DOMAINNAME></code></strong>
290	</pre><p>
291	</p><p>
292	<a class="indexterm" name="id438995"></a>
293	<a class="indexterm" name="id439002"></a>
294	<a class="indexterm" name="id439009"></a>
295	<a class="indexterm" name="id439016"></a>
296	The old <code class="literal">sambaAccount</code> schema may still be used by specifying the
297	<em class="parameter"><code>ldapsam_compat</code></em> passdb backend. However, the sambaAccount and
298	associated attributes have been moved to the historical section of
299	the schema file and must be uncommented before use if needed.
300	The Samba-2.2 object class declaration for a <code class="literal">sambaAccount</code> has not changed
301	in the Samba-3 <code class="filename">samba.schema</code> file.
302	</p><p>
303	Other new object classes and their uses include:
304	</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
305	<a class="indexterm" name="id439059"></a>
306	<a class="indexterm" name="id439066"></a>
307	<a class="indexterm" name="id439073"></a>
308	<a class="indexterm" name="id439079"></a>
309	<a class="indexterm" name="id439086"></a>
310	<a class="indexterm" name="id439093"></a>
311	<code class="literal">sambaDomain</code> domain information used to allocate RIDs
312	for users and groups as necessary. The attributes are added
313	in <span class="quote">“<span class="quote">ldap suffix</span>”</span> directory entry automatically if
314	an idmap UID/GID range has been set and the <span class="quote">“<span class="quote">ldapsam</span>”</span>
315	passdb backend has been selected.
316	</p></li><li class="listitem"><p>
317	<a class="indexterm" name="id439122"></a>
318	<a class="indexterm" name="id439128"></a>
319	<a class="indexterm" name="id439135"></a>
320	sambaGroupMapping an object representing the
321	relationship between a posixGroup and a Windows
322	group/SID. These entries are stored in the <span class="quote">“<span class="quote">ldap
323	group suffix</span>”</span> and managed by the <span class="quote">“<span class="quote">net groupmap</span>”</span> command.
324	</p></li><li class="listitem"><p>
325	<a class="indexterm" name="id439158"></a>
326	<a class="indexterm" name="id439164"></a>
327	<a class="indexterm" name="id439171"></a>
328	<a class="indexterm" name="id439178"></a>
329	<code class="literal">sambaUNIXIdPool</code> created in the <span class="quote">“<span class="quote">ldap idmap suffix</span>”</span> entry
330	automatically and contains the next available <span class="quote">“<span class="quote">idmap UID</span>”</span> and
331	<span class="quote">“<span class="quote">idmap GID</span>”</span>.
332	</p></li><li class="listitem"><p>
333	<a class="indexterm" name="id439210"></a>
334	<a class="indexterm" name="id439216"></a>
335	<code class="literal">sambaIdmapEntry</code> object storing a mapping between a
336	SID and a UNIX UID/GID. These objects are created by the
337	idmap_ldap module as needed.
338	</p></li></ul></div></div><div class="sect4" title="New Suffix for Searching"><div class="titlepage"><div><div><h5 class="title"><a name="id439236"></a>New Suffix for Searching</h5></div></div></div><p>
339	<a class="indexterm" name="id439244"></a>
340	<a class="indexterm" name="id439250"></a>
341	<a class="indexterm" name="id439256"></a>
342	<a class="indexterm" name="id439263"></a>
343	<a class="indexterm" name="id439270"></a>
344	<a class="indexterm" name="id439277"></a>
345	<a class="indexterm" name="id439284"></a>
346	The following new <code class="filename">smb.conf</code> parameters have been added to aid in directing
347	certain LDAP queries when <em class="parameter"><code>passdb backend = ldapsam://...</code></em> has been
348	specified.
349	</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ldap suffix used to search for user and computer accounts.</p></li><li class="listitem"><p>ldap user suffix used to store user accounts.</p></li><li class="listitem"><p>ldap machine suffix used to store machine trust accounts.</p></li><li class="listitem"><p>ldap group suffix location of posixGroup/sambaGroupMapping entries.</p></li><li class="listitem"><p>ldap idmap suffix location of sambaIdmapEntry objects.</p></li></ul></div><p>
350	<a class="indexterm" name="id439348"></a>
351	<a class="indexterm" name="id439354"></a>
352	If an <em class="parameter"><code>ldap suffix</code></em> is defined, it will be appended to all of the
353	remaining subsuffix parameters. In this case, the order of the suffix
354	listings in <code class="filename">smb.conf</code> is important. Always place the <em class="parameter"><code>ldap suffix</code></em> first
355	in the list.
356	</p><p>
357	Due to a limitation in Samba's <code class="filename">smb.conf</code> parsing, you should not surround
358	the domain names with quotation marks.
359	</p></div><div class="sect4" title="IdMap LDAP Support"><div class="titlepage"><div><div><h5 class="title"><a name="id439392"></a>IdMap LDAP Support</h5></div></div></div><p>
360	<a class="indexterm" name="id439400"></a>
361	Samba-3 supports an LDAP backend for the idmap subsystem. The
362	following options inform Samba that the idmap table should be
363	stored on the directory server <span class="emphasis"><em>onterose</em></span> in the ou=Idmap,dc=quenya,dc=org partition.
364	</p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>...</td></tr><tr><td><a class="indexterm" name="id439431"></a><em class="parameter"><code>idmap backend = ldap:ldap://onterose/</code></em></td></tr><tr><td><a class="indexterm" name="id439443"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id439454"></a><em class="parameter"><code>idmap uid = 40000-50000</code></em></td></tr><tr><td><a class="indexterm" name="id439466"></a><em class="parameter"><code>idmap gid = 40000-50000</code></em></td></tr></table><p>
365	<a class="indexterm" name="id439480"></a>
366	This configuration allows Winbind installations on multiple servers to
367	share a UID/GID number space, thus avoiding the interoperability problems
368	with NFS that were present in Samba-2.2.
369	</p></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/samba-3.5.x/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html

Download in other formats: