Context Navigation

source: trunk-3.0/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html@ 101

Visit:

Last change on this file since 101 was 44, checked in by Paul Smedley, 18 years ago
Update source to 3.0.25b
File size: 11.0 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Important Samba-3.0.23 Change Notes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Important Samba-3.0.23 Change Notes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter 9. Important Samba-3.0.23 Change Notes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id343765">User and Group Changes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344054">Passdb Changes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344106">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344223">LDAP Changes in Samba-3.0.23</a></span></dt></dl></div><p>
2	Samba is a fluid and ever changing project. Sometimes it is difficult to figure out which part,
3	or parts, of the HOWTO documentation should be updated tio reflect the impact of new or modified
4	features. At other times it becomes clear that the documentation is in need of being restructured.
5	</p><p>
6	In recent times a group of Samba users has joined the thrust to create a new <a href="http://wiki.samba.org/" target="_top">Samba Wiki</a> that is slated to become the all-singing and all-dancing
7	new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and
8	thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to
9	continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until
10	such time as the body of this HOWTO is restructured or modified.
11	</p><p>
12	This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided
13	in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball.
14	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343765"></a>User and Group Changes</h2></div></div></div><p>
15	The change documented here affects unmapped user and group accounts only.
16	</p><p>
17	<a class="indexterm" name="id343777"></a>
18	<a class="indexterm" name="id343784"></a>
19	<a class="indexterm" name="id343790"></a>
20	<a class="indexterm" name="id343799"></a>
21	<a class="indexterm" name="id343808"></a>
22	The user and group internal management routines have been rewritten to prevent overlaps of
23	assigned Relative Identifiers (RIDs). In the past the has been a potential problem when
24	either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or
25	when migrating a Windows domain to a Samba domain by executing:
26	<code class="literal">net rpc vampire</code>.
27	</p><p>
28	<a class="indexterm" name="id343837"></a>
29	<a class="indexterm" name="id343843"></a>
30	<a class="indexterm" name="id343850"></a>
31	<a class="indexterm" name="id343856"></a>
32	Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped
33	groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain. Previously they were
34	assign a RID within the SAM on the Samba server. For a domain controller this would have been under the
35	authority of the domain SID where as on a member server or standalone server, this would have
36	been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>).
37	</p><p>
38	<a class="indexterm" name="id343889"></a>
39	<a class="indexterm" name="id343896"></a>
40	<a class="indexterm" name="id343903"></a>
41	<a class="indexterm" name="id343909"></a>
42	<a class="indexterm" name="id343916"></a>
43	The result is that any unmapped users or groups on an upgraded Samba domain controller may
44	be assigned a new SID. Because the SID rather than a name is stored in Windows security
45	descriptors, this can cause a user to no longer have access to a resource for example if a
46	file was copied from a Samba file server to a local Windows client NTFS partition. Any files
47	stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX
48	GID and not the SID for authorization checks.
49	</p><p>
50	An example helps to illustrate the change:
51	</p><p>
52	<a class="indexterm" name="id343934"></a>
53	<a class="indexterm" name="id343941"></a>
54	<a class="indexterm" name="id343947"></a>
55	<a class="indexterm" name="id343954"></a>
56	Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this
57	case this user does not exist in Samba's group mapping table. It would be perfectly normal for
58	this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as
59	<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>.
60	</p><p>
61	<a class="indexterm" name="id343976"></a>
62	<a class="indexterm" name="id343982"></a>
63	<a class="indexterm" name="id343989"></a>
64	<a class="indexterm" name="id343996"></a>
65	With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>.
66	Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow
67	access based on the group permissions if the user was not a member of the
68	<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> group.
69	Because this group SID is <code class="literal">S-1-22-2-782</code> and not reported in a user's token,
70	Windows would fail the authorization check even though both SIDs in some respect refer to the
71	same UNIX group.
72	</p><p>
73	<a class="indexterm" name="id344027"></a>
74	<a class="indexterm" name="id344034"></a>
75	The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping
76	entry for the group <span class="emphasis"><em>developers</em></span> to point at the
77	<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this
78	workaround is no longer needed.
79	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344054"></a>Passdb Changes</h2></div></div></div><p>
80	<a class="indexterm" name="id344062"></a>
81	<a class="indexterm" name="id344069"></a>
82	<a class="indexterm" name="id344075"></a>
83	<a class="indexterm" name="id344082"></a>
84	The <a class="indexterm" name="id344089"></a>passdb backend parameter no long accepts multiple passdb backends in a
85	chained configuration. Also be aware that the SQL and XML based passdb modules have been
86	removed in the Samba-3.0.23 release. More information regarding external support for a SQL
87	passdb module can be found on the <a href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site.
88	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344106"></a>Group Mapping Changes in Samba-3.0.23</h2></div></div></div><p>
89	<a class="indexterm" name="id344114"></a>
90	<a class="indexterm" name="id344121"></a>
91	<a class="indexterm" name="id344128"></a>
92	<a class="indexterm" name="id344135"></a>
93	<a class="indexterm" name="id344142"></a>
94	<a class="indexterm" name="id344148"></a>
95	<a class="indexterm" name="id344155"></a>
96	<a class="indexterm" name="id344162"></a>
97	<a class="indexterm" name="id344168"></a>
98	<a class="indexterm" name="id344175"></a>
99	<a class="indexterm" name="id344182"></a>
100	The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer
101	created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb
102	backend. This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code>
103	to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the
104	Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality
105	for domain groups.
106	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344223"></a>LDAP Changes in Samba-3.0.23</h2></div></div></div><p>
107	<a class="indexterm" name="id344231"></a>
108	<a class="indexterm" name="id344238"></a>
109	<a class="indexterm" name="id344245"></a>
110	<a class="indexterm" name="id344252"></a>
111	<a class="indexterm" name="id344258"></a>
112	There has been a minor update the Samba LDAP schema file. A substring matching rule has been
113	added to the <code class="literal">sambaSID</code> attribute definition. For OpenLDAP servers, this
114	will require the addition of <code class="literal">index sambaSID sub</code> to the
115	<code class="filename">slapd.conf</code> configuration file. It will be necessary to execute the
116	<code class="literal">slapindex</code> command after making this change. There has been no change to the
117	actual data storage schema.
118	</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Network Browsing</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: