mirror of
https://github.com/samba-team/samba.git
synced 2024-12-29 11:21:54 +03:00
f1c81fdecd
(This used to be commit 6976f283fc
)
513 lines
11 KiB
Plaintext
513 lines
11 KiB
Plaintext
This file aims to document the major changes since the latest released version
|
|
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
|
|
and uses a different internal format for most data. Since this
|
|
file is an initial draft, please update missing items.
|
|
|
|
One of the main goals of Samba 4 was Active Directory Domain Controller
|
|
support. This means Samba now implements several protocols that are required
|
|
by AD such as Kerberos and DNS.
|
|
|
|
An (experimental) upgrade script that performs a one-way upgrade
|
|
from Samba 3 is available in source/setup/upgrade.
|
|
|
|
Removal of nmbd and introduction of process models
|
|
==================================================
|
|
smbd now implements several network protocols other than just CIFS and
|
|
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
|
|
various 'process models' that specify how concurrent connections are
|
|
handled (when to fork, use threads, etc).
|
|
|
|
Introduction of LDB
|
|
===================
|
|
Samba now stores most of its persistent data in a LDAP-like database
|
|
called LDB (see ldb(7) for more info).
|
|
|
|
Much improved SWAT
|
|
==================
|
|
SWAT has had some rather large improvements and is now more than just a
|
|
direct editor for smb.conf. Its layout has been improved. SWAT can now also
|
|
be used for editing run-time data - maintaining user information, provisioning,
|
|
etc. TLS is supported out of the box.
|
|
|
|
Built-in KDC
|
|
============
|
|
Samba4 ships with an integrated KDC (Kerberos Key Distribution
|
|
Center). Backed directly onto our main internal database, and
|
|
integrated with custom code to handle the PAC, Samba4's KDC is an
|
|
integral part of our support for AD logon protocols.
|
|
|
|
Built-in LDAP Server
|
|
====================
|
|
Like the situation with the KDC, Samba4 ships with it's own LDAP
|
|
server, included to provide simple, built-in LDAP services in an AD
|
|
(rather than distinctly standards) matching manner. The database is
|
|
LDB, and it shares that in common with the rest of Samba.
|
|
|
|
Changed configuration options
|
|
=============================
|
|
Several configuration options have been removed in Samba4 while others have
|
|
been introduced. This section contains a summary of changes to smb.conf and
|
|
where these settings moved. Configuration options that have disappeared may be
|
|
re-added later when the functionality that uses them gets reimplemented in
|
|
Samba 4.
|
|
|
|
The 'security' parameter has been split up. It is now only used to choose
|
|
between the 'user' and 'share' security levels (the latter is not supported
|
|
in Samba 4 yet). The other values of this option and the 'domain master' and
|
|
'domain logons' parameters have been merged into a 'server role' parameter
|
|
that can be either 'domain controller', 'member server' or 'standalone'. Note that
|
|
member server support does not work yet.
|
|
|
|
The following parameters have been removed:
|
|
- passdb backend: accounts are now stored in a LDB-based SAM database,
|
|
see 'sam database' below.
|
|
- update encrypted
|
|
- public
|
|
- guest ok
|
|
- client schannel
|
|
- server schannel
|
|
- allow trusted domains
|
|
- hosts equiv
|
|
- map to guest
|
|
- smb passwd file
|
|
- algorithmic rid base
|
|
- root directory
|
|
- root dir
|
|
- root
|
|
- guest account
|
|
- enable privileges
|
|
- pam password change
|
|
- passwd program
|
|
- passwd chat debug
|
|
- passwd chat timeout
|
|
- check password script
|
|
- username map
|
|
- username level
|
|
- unix password sync
|
|
- restrict anonymous
|
|
- username
|
|
- user
|
|
- users
|
|
- invalid users
|
|
- valid users
|
|
- admin users
|
|
- read list
|
|
- write list
|
|
- printer admin
|
|
- force user
|
|
- force group
|
|
- group
|
|
- write ok
|
|
- writeable
|
|
- writable
|
|
- acl check permissions
|
|
- acl group control
|
|
- acl map full control
|
|
- create mask
|
|
- create mode
|
|
- force create mode
|
|
- security mask
|
|
- force security mode
|
|
- directory mask
|
|
- directory mode
|
|
- force directory mode
|
|
- directory security mask
|
|
- force directory security mode
|
|
- force unknown acl user
|
|
- inherit permissions
|
|
- inherit acls
|
|
- inherit owner
|
|
- guest only
|
|
- only guest
|
|
- only user
|
|
- allow hosts
|
|
- deny hosts
|
|
- preload modules
|
|
- use kerberos keytab
|
|
- syslog
|
|
- syslog only
|
|
- max log size
|
|
- debug timestamp
|
|
- timestamp logs
|
|
- debug hires timestamp
|
|
- debug pid
|
|
- debug uid
|
|
- allocation roundup size
|
|
- aio read size
|
|
- aio write size
|
|
- aio write behind
|
|
- large readwrite
|
|
- protocol
|
|
- read bmpx
|
|
- reset on zero vc
|
|
- acl compatibility
|
|
- defer sharing violations
|
|
- ea support
|
|
- nt acl support
|
|
- nt pipe support
|
|
- profile acls
|
|
- map acl inherit
|
|
- afs share
|
|
- max ttl
|
|
- client use spnego
|
|
- enable asu support
|
|
- svcctl list
|
|
- block size
|
|
- change notify timeout
|
|
- deadtime
|
|
- getwd cache
|
|
- keepalive
|
|
- kernel change notify
|
|
- lpq cache time
|
|
- max smbd processes
|
|
- max disk size
|
|
- max open files
|
|
- min print space
|
|
- strict allocate
|
|
- sync always
|
|
- use mmap
|
|
- use sendfile
|
|
- hostname lookups
|
|
- write cache size
|
|
- name cache timeout
|
|
- max reported print jobs
|
|
- load printers
|
|
- printcap cache time
|
|
- printcap name
|
|
- printcap
|
|
- printing
|
|
- cups options
|
|
- cups server
|
|
- iprint server
|
|
- print command
|
|
- disable spoolss
|
|
- enable spoolss
|
|
- lpq command
|
|
- lprm command
|
|
- lppause command
|
|
- lpresume command
|
|
- queuepause command
|
|
- queueresume command
|
|
- enumports command
|
|
- addprinter command
|
|
- deleteprinter command
|
|
- show add printer wizard
|
|
- os2 driver map
|
|
- use client driver
|
|
- default devmode
|
|
- force printername
|
|
- mangling method
|
|
- mangle prefix
|
|
- default case
|
|
- case sensitive
|
|
- casesignames
|
|
- preserve case
|
|
- short preserve case
|
|
- mangling char
|
|
- hide dot files
|
|
- hide special files
|
|
- hide unreadable
|
|
- hide unwriteable files
|
|
- delete veto files
|
|
- veto files
|
|
- hide files
|
|
- veto oplock files
|
|
- map readonly
|
|
- mangled names
|
|
- mangled map
|
|
- max stat cache size
|
|
- stat cache
|
|
- store dos attributes
|
|
- machine password timeout
|
|
- add user script
|
|
- rename user script
|
|
- delete user script
|
|
- add group script
|
|
- delete group script
|
|
- add user to group script
|
|
- delete user from group script
|
|
- set primary group script
|
|
- add machine script
|
|
- shutdown script
|
|
- abort shutdown script
|
|
- username map script
|
|
- logon script
|
|
- logon path
|
|
- logon drive
|
|
- logon home
|
|
- domain logons
|
|
- os level
|
|
- lm announce
|
|
- lm interval
|
|
- domain master
|
|
- browse list
|
|
- enhanced browsing
|
|
- wins proxy
|
|
- wins hook
|
|
- wins partners
|
|
- blocking locks
|
|
- fake oplocks
|
|
- kernel oplocks
|
|
- locking
|
|
- lock spin count
|
|
- lock spin time
|
|
- oplocks
|
|
- level2 oplocks
|
|
- oplock break wait time
|
|
- oplock contention limit
|
|
- posix locking
|
|
- share modes
|
|
- ldap server
|
|
- ldap port
|
|
- ldap admin dn
|
|
- ldap delete dn
|
|
- ldap group suffix
|
|
- ldap idmap suffix
|
|
- ldap machine suffix
|
|
- ldap passwd sync
|
|
- ldap password sync
|
|
- ldap replication sleep
|
|
- ldap suffix
|
|
- ldap ssl
|
|
- ldap timeout
|
|
- ldap page size
|
|
- ldap user suffix
|
|
- add share command
|
|
- change share command
|
|
- delete share command
|
|
- eventlog list
|
|
- utmp directory
|
|
- wtmp directory
|
|
- utmp
|
|
- default service
|
|
- default
|
|
- message command
|
|
- dfree cache time
|
|
- dfree command
|
|
- get quota command
|
|
- set quota command
|
|
- remote announce
|
|
- remote browse sync
|
|
- homedir map
|
|
- afs username map
|
|
- afs token lifetime
|
|
- log nt token command
|
|
- time offset
|
|
- NIS homedir
|
|
- preexec
|
|
- exec
|
|
- preexec close
|
|
- postexec
|
|
- root preexec
|
|
- root preexec close
|
|
- root postexec
|
|
- set directory
|
|
- wide links
|
|
- follow symlinks
|
|
- dont descend
|
|
- magic script
|
|
- magic output
|
|
- delete readonly
|
|
- dos filemode
|
|
- dos filetimes
|
|
- dos filetime resolution
|
|
- fake directory create times
|
|
- panic action
|
|
- vfs objects
|
|
- vfs object
|
|
- msdfs root
|
|
- msdfs proxy
|
|
- host msdfs
|
|
- enable rid algorithm
|
|
- passdb expand explicit
|
|
- idmap backend
|
|
- idmap uid
|
|
- winbind uid
|
|
- idmap gid
|
|
- winbind gid
|
|
- template homedir
|
|
- template shell
|
|
- winbind separator
|
|
- winbind cache time
|
|
- winbind enum users
|
|
- winbind enum groups
|
|
- winbind use default domain
|
|
- winbind trusted domains only
|
|
- winbind nested groups
|
|
- winbind max idle children
|
|
- winbind nss info
|
|
|
|
The following parameters have been added:
|
|
+ rpc big endian (G)
|
|
Make Samba fake it is running on a bigendian machine when using DCE/RPC.
|
|
Useful for debugging.
|
|
|
|
Default: no
|
|
|
|
+ case insensitive filesystem (S)
|
|
Set to true if this share is located on a case-insensitive filesystem.
|
|
This disables looking for a filename by trying all possible combinations of
|
|
uppercase/lowercase characters and thus speeds up operations when a
|
|
file cannot be found.
|
|
|
|
Default: no
|
|
|
|
+ js include (G)
|
|
Path to JavaScript library.
|
|
|
|
Default: Set at compile-time
|
|
|
|
+ setup directory
|
|
Path to data used by provisioning script.
|
|
|
|
Default: Set at compile-time
|
|
|
|
+ ncalrpc dir
|
|
Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
|
|
|
|
Default: Set at compile-time
|
|
|
|
+ ntvfs handler
|
|
Backend to the NT VFS to use (more than one can be specified). Available
|
|
backends include:
|
|
|
|
- posix:
|
|
Maps POSIX FS semantics to NT semantics
|
|
|
|
- simple:
|
|
Very simple backend (original testing backend).
|
|
|
|
- unixuid:
|
|
Sets up user credentials based on POSIX gid/uid.
|
|
|
|
- cifs:
|
|
Proxies a remote CIFS FS. Mainly useful for testing.
|
|
|
|
- nbench:
|
|
Filter module that saves data useful to the nbench benchmark suite.
|
|
|
|
- ipc:
|
|
Allows using SMB for inter process communication. Only used for
|
|
the IPC$ share.
|
|
|
|
- print:
|
|
Allows printing over SMB. This is LANMAN-style printing (?), not
|
|
the be confused with the spoolss DCE/RPC interface used by later
|
|
versions of Windows.
|
|
|
|
Default: unixuid default
|
|
|
|
+ ntptr providor
|
|
FIXME
|
|
|
|
+ dcerpc endpoint servers
|
|
What DCE/RPC servers to start.
|
|
|
|
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup
|
|
|
|
+ server services
|
|
Services Samba should provide.
|
|
|
|
Default: smb rpc nbt wrepl ldap cldap web kdc
|
|
|
|
+ sam database
|
|
Location of the SAM (account database) database. This should be a
|
|
LDB URL.
|
|
|
|
Default: set at compile-time
|
|
|
|
+ spoolss database
|
|
Spoolss (printer) DCE/RPC server database. This should be a LDB URL.
|
|
|
|
Default: set at compile-time
|
|
|
|
+ wins config database
|
|
WINS configuration database location. This should be a LDB URL.
|
|
|
|
Default: set at compile-time
|
|
|
|
+ wins database
|
|
WINS database location. This should be a LDB URL.
|
|
|
|
Default: set at compile-time
|
|
|
|
+ client use spnego principal
|
|
Tells the client to use the Kerberos service principal specified by the
|
|
server during the security protocol negotation rather than
|
|
looking up the principal itself (cifs/hostname).
|
|
|
|
Default: false
|
|
|
|
+ nbt port
|
|
TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.
|
|
|
|
Default: 137
|
|
|
|
+ dgram port
|
|
UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.
|
|
|
|
Default: 138
|
|
|
|
+ cldap port
|
|
UDP/IP port used by the CLDAP protocol.
|
|
|
|
Default: 389
|
|
|
|
+ krb5 port
|
|
IP port used by the kerberos KDC.
|
|
|
|
Default: 88
|
|
|
|
+ kpasswd port
|
|
IP port used by the kerberos password change protocol.
|
|
|
|
Default: 464
|
|
|
|
+ web port
|
|
TCP/IP port SWAT should listen on.
|
|
|
|
Default: 901
|
|
|
|
+ tls enabled
|
|
Enable TLS support for SWAT
|
|
|
|
Default: true
|
|
|
|
+ tls keyfile
|
|
Path to TLS key file (PEM format) to be used by SWAT. If no
|
|
path is specified, Samba will create a key.
|
|
|
|
Default: none
|
|
|
|
+ tls certfile
|
|
Path to TLS certificate file (PEM format) to be used by SWAT. If no
|
|
path is specified, Samba will create a certificate.
|
|
|
|
Default: none
|
|
|
|
+ tls cafile
|
|
Path to CA authority file Samba will use to sign TLS keys it generates. If
|
|
no path is specified, Samba will create a self-signed CA certificate.
|
|
|
|
Default: none
|
|
|
|
+ tls crlfile
|
|
Path to TLS certificate revocation lists file.
|
|
|
|
Default: none
|
|
|
|
+ swat directory
|
|
SWAT data directory.
|
|
|
|
Default: set at compile-time
|
|
|
|
+ large readwrite
|
|
Indicate the CIFS server is able to do large reads/writes.
|
|
|
|
Default: true
|
|
|
|
+ unicode
|
|
Enable/disable unicode support in the protocol.
|
|
|
|
Default: true
|