summaryrefslogtreecommitdiff
path: root/docs/htmldocs/upgrading-to-3.0.html
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-09-09 02:58:53 +0000
committerGerald Carter <jerry@samba.org>2003-09-09 02:58:53 +0000
commit99bde6889d3d8b7a9e950c86c30e82662e1dacdd (patch)
treebb7d34722e3b2b98ae7e36c11f4e7e4d4538b6fb /docs/htmldocs/upgrading-to-3.0.html
parenta50367ee119d0acf1bcaaf93f8c6fcc8fa68c999 (diff)
downloadsamba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.gz
samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.bz2
samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.zip
syncing files from 3.0 into HEAD again
(This used to be commit bca0bba209255d0effbae6a3d3b6d298f0952c3a)
Diffstat (limited to 'docs/htmldocs/upgrading-to-3.0.html')
-rw-r--r--docs/htmldocs/upgrading-to-3.0.html195
1 files changed, 176 insertions, 19 deletions
diff --git a/docs/htmldocs/upgrading-to-3.0.html b/docs/htmldocs/upgrading-to-3.0.html
index ac559fa129..e7c1c61234 100644
--- a/docs/htmldocs/upgrading-to-3.0.html
+++ b/docs/htmldocs/upgrading-to-3.0.html
@@ -1,19 +1,176 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001684"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters
-when communicating with old DOS clients. Codepage
-support has changed in samba 3.0. Read the chapter
-<a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
-</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001709"></a>Obsolete configuration options</h2></div></div><div></div></div><p>
-In 3.0, the following configuration options have been removed.
-</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003319"></a>Password Backend</h2></div></div><div></div></div><p>
-Effective with the release of samba-3 it is now imperative that the password backend
-be correctly defined in smb.conf.
-</p><p>
-Those migrating from samba-2.x with plaintext password support need the following:
-<span class="emphasis"><em>passdb backend = guest</em></span>.
-</p><p>
-Those migrating from samba-2.x with encrypted password support should add to smb.conf
-<span class="emphasis"><em>passdb backend = smbpasswd, guest</em></span>.
-</p><p>
-LDAP using Samba-2.x systems can continue to operate with the following entry
-<span class="emphasis"><em>passdb backend = ldapsam_compat, guest</em></span>.
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">June 30, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id2954094">New Features in Samba-3</a></dt><dt><a href="upgrading-to-3.0.html#id2954229">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2954244">Removed Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2954370">New Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2954767">Modified Parameters (changes in behavior):</a></dt></dl></dd><dt><a href="upgrading-to-3.0.html#id2954842">New Functionality</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2954849">Databases</a></dt><dt><a href="upgrading-to-3.0.html#id2955083">Changes in Behavior</a></dt><dt><a href="upgrading-to-3.0.html#id2955133">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id2955156">Passdb Backends and Authentication</a></dt><dt><a href="upgrading-to-3.0.html#id2955274">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id2955299">LDAP</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954094"></a>New Features in Samba-3</h2></div></div><div></div></div><p>
+Major new features:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Active Directory support. This release is able to join a ADS realm
+ as a member server and authenticate users using LDAP/kerberos.
+ </p></li><li><p>
+ Unicode support. Samba will now negotiate UNICODE on the wire and
+ internally there is now a much better infrastructure for multi-byte
+ and UNICODE character sets.
+ </p></li><li><p>
+ New authentication system. The internal authentication system has
+ been almost completely rewritten. Most of the changes are internal,
+ but the new auth system is also very configurable.
+ </p></li><li><p>
+ New filename mangling system. The filename mangling system has been
+ completely rewritten. An internal database now stores mangling maps
+ persistently. This needs lots of testing.
+ </p></li><li><p>
+ New &quot;net&quot; command. A new &quot;net&quot; command has been added. It is
+ somewhat similar to the &quot;net&quot; command in windows. Eventually we
+ plan to replace a bunch of other utilities (such as smbpasswd)
+ with subcommands in &quot;net&quot;, at the moment only a few things are
+ implemented.
+ </p></li><li><p>
+ Samba now negotiates NT-style status32 codes on the wire. This
+ improves error handling a lot.
+ </p></li><li><p>
+ Better Windows 2000/XP/2003 printing support including publishing
+ printer attributes in active directory
+ </p></li><li><p>
+ New loadable RPC modules
+ </p></li><li><p>
+ New dual-daemon winbindd support (-B) for better performance
+ </p></li><li><p>
+ Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs
+ </p></li><li><p>
+ Support for establishing trust relationships with Windows NT 4.0
+ domain controllers
+ </p></li><li><p>
+ Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to uid/gid mappings
+ </p></li><li><p>
+ Major updates to the Samba documentation tree.
+ </p></li></ol></div><p>
+Plus lots of other improvements!
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954229"></a>Configuration Parameter Changes</h2></div></div><div></div></div><p>
+This section contains a brief listing of changes to smb.conf options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954244"></a>Removed Parameters</h3></div></div><div></div></div><p>(order alphabetically):</p><div class="itemizedlist"><ul type="disc"><li><p>admin log </p></li><li><p>alternate permissions </p></li><li><p>character set </p></li><li><p>client codepage </p></li><li><p>code page directory </p></li><li><p>coding system </p></li><li><p>domain admin group </p></li><li><p>domain guest group </p></li><li><p>force unknown acl user </p></li><li><p>nt smb support </p></li><li><p>post script </p></li><li><p>printer driver </p></li><li><p>printer driver file </p></li><li><p>printer driver location </p></li><li><p>status </p></li><li><p>total print jobs </p></li><li><p>use rhosts </p></li><li><p>valid chars </p></li><li><p>vfs options </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954370"></a>New Parameters</h3></div></div><div></div></div><p>(new parameters have been grouped by function):</p><p>Remote management</p><div class="itemizedlist"><ul type="disc"><li><p>abort shutdown script </p></li><li><p>shutdown script </p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul type="disc"><li><p>add group script </p></li><li><p>add machine script </p></li><li><p>add user to group script </p></li><li><p>algorithmic rid base </p></li><li><p>delete group script </p></li><li><p>delete user from group script </p></li><li><p>passdb backend </p></li><li><p>set primary group script </p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul type="disc"><li><p>auth methods </p></li><li><p>ads server </p></li><li><p>realm </p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul type="disc"><li><p>client lanman auth </p></li><li><p>client NTLMv2 auth </p></li><li><p>client schannel </p></li><li><p>client signing </p></li><li><p>client use spnego </p></li><li><p>disable netbios </p></li><li><p>ntlm auth </p></li><li><p>paranoid server security </p></li><li><p>server schannel </p></li><li><p>smb ports </p></li><li><p>use spnego </p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul type="disc"><li><p>get quota command </p></li><li><p>hide special files </p></li><li><p>hide unwriteable files </p></li><li><p>hostname lookups </p></li><li><p>kernel change notify </p></li><li><p>mangle prefix </p></li><li><p>msdfs proxy </p></li><li><p>set quota command </p></li><li><p>use sendfile </p></li><li><p>vfs objects </p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul type="disc"><li><p>max reported print jobs </p></li></ul></div><p>UNICODE and Character Sets</p><div class="itemizedlist"><ul type="disc"><li><p>display charset </p></li><li><p>dos charset </p></li><li><p>unicode </p></li><li><p>unix charset </p></li></ul></div><p>SID to uid/gid Mappings</p><div class="itemizedlist"><ul type="disc"><li><p>idmap backend </p></li><li><p>idmap gid </p></li><li><p>idmap only </p></li><li><p>idmap uid </p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul type="disc"><li><p>ldap delete dn </p></li><li><p>ldap group suffix </p></li><li><p>ldap idmap suffix </p></li><li><p>ldap machine suffix </p></li><li><p>ldap passwd sync </p></li><li><p>ldap trust ids </p></li><li><p>ldap user suffix </p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul type="disc"><li><p>preload modules </p></li><li><p>privatedir </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954767"></a>Modified Parameters (changes in behavior):</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>encrypt passwords (enabled by default) </p></li><li><p>mangling method (set to 'hash2' by default) </p></li><li><p>passwd chat </p></li><li><p>passwd program </p></li><li><p>restrict anonymous (integer value) </p></li><li><p>security (new 'ads' value) </p></li><li><p>strict locking (enabled by default) </p></li><li><p>winbind cache time (increased to 5 minutes) </p></li><li><p>winbind uid (deprecated in favor of 'idmap uid') </p></li><li><p>winbind gid (deprecated in favor of 'idmap gid') </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954842"></a>New Functionality</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954849"></a>Databases</h3></div></div><div></div></div><p>
+ This section contains brief descriptions of any new databases
+ introduced in Samba 3.0. Please remember to backup your existing
+ ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
+ upgrade databases as they are opened (if necessary), but downgrading
+ from 3.0 to 2.2 is an unsupported path.
+ </p><div class="table"><a name="id2954868"></a><p class="title"><b>Table 30.1. TDB File Descriptions</b></p><table summary="TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">gencache</td><td align="justify">Generic caching db</td><td align="left">no</td></tr><tr><td align="left">group_mapping</td><td align="justify"><p>Mapping table from Windows groups/SID to unix groups</p></td><td align="left">yes</td></tr><tr><td align="left">idmap</td><td align="justify"><p>new ID map table from SIDS to UNIX uids/gids</p></td><td align="left">yes</td></tr><tr><td align="left">namecache</td><td align="justify">Name resolution cache entries</td><td align="left">no</td></tr><tr><td align="left">netlogon_unigrp</td><td align="justify"><p>Cache of universal group membership obtained when operating
+ as a member of a Windows domain</p></td><td align="left">no</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from 'lpq command' created on a per print
+ service basis</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only samba registry skeleton that provides support for
+ exporting various db tables via the winreg RPCs</p></td><td align="left">no</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955083"></a>Changes in Behavior</h3></div></div><div></div></div><p>
+ The following issues are known changes in behavior between Samba 2.2 and
+ Samba 3.0 that may affect certain installations of Samba.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+ </p></li><li><p>
+ When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955133"></a>Charsets</h3></div></div><div></div></div><p>
+ You might experience problems with special characters when communicating with old DOS
+ clients. Codepage support has changed in samba 3.0. Read the chapter
+ <a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955156"></a>Passdb Backends and Authentication</h3></div></div><div></div></div><p>
+ There have been a few new changes that Samba administrators should be
+ aware of when moving to Samba 3.0.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+ </p></li><li><p>
+ Inclusion of new <a class="indexterm" name="id2955194"></a><i class="parameter"><tt>security</tt></i> = ads option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+ </p></li></ol></div><p>
+ Samba 3.0 also includes the possibility of setting up chains
+ of authentication methods
+ (<a class="indexterm" name="id2955217"></a><i class="parameter"><tt>auth methods</tt></i>) and account
+ storage backends
+ (<a class="indexterm" name="id2955232"></a><i class="parameter"><tt>passdb backend</tt></i>).
+ Please refer to the <tt class="filename">smb.conf</tt>
+ man page and <a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter about account information databases</a> for details. While both parameters assume sane default
+ values, it is likely that you will need to understand what the
+ values actually mean in order to ensure Samba operates correctly.
+ </p><p>
+ Certain functions of the smbpasswd(8) tool have been split between the
+ new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+ utility. See the respective man pages for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955274"></a>Charsets</h3></div></div><div></div></div><p>
+ You might experience problems with special characters when communicating with old DOS
+ clients. Codepage support has changed in samba 3.0. Read the chapter
+ <a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955299"></a>LDAP</h3></div></div><div></div></div><p>
+ This section outlines the new features affecting Samba / LDAP integration.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955311"></a>New Schema</h4></div></div><div></div></div><p>
+ A new object class (sambaSamAccount) has been introduced to replace
+ the old sambaAccount. This change aids us in the renaming of attributes
+ to prevent clashes with attributes from other vendors. There is a
+ conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF
+ file to the new schema.
+ </p><p>
+ Example:
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt>ldapsearch .... -b &quot;ou=people,dc=...&quot; &gt; old.ldif
+ <tt class="prompt">$ </tt>convertSambaAccount &lt;DOM SID&gt; old.ldif new.ldif
+ </pre><p>
+ The &lt;DOM SID&gt; can be obtained by running 'net getlocalsid &lt;DOMAINNAME&gt;
+ on the Samba PDC as root.
+ </p><p>
+ The old sambaAccount schema may still be used by specifying the
+ &quot;ldapsam_compat&quot; passdb backend. However, the sambaAccount and
+ associated attributes have been moved to the historical section of
+ the schema file and must be uncommented before use if needed.
+ The 2.2 object class declaration for a sambaAccount has not changed
+ in the 3.0 samba.schema file.
+ </p><p>
+ Other new object classes and their uses include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+ </p></li><li><p>
+ sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+ </p></li><li><p>
+ sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+ </p></li><li><p>
+ sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955433"></a>New Suffix for Searching</h4></div></div><div></div></div><p>
+ The following new smb.conf parameters have been added to aid in directing
+ certain LDAP queries when 'passdb backend = ldapsam://...' has been
+ specified.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>ldap suffix - used to search for user and computer accounts</p></li><li><p>ldap user suffix - used to store user accounts</p></li><li><p>ldap machine suffix - used to store machine trust accounts</p></li><li><p>ldap group suffix - location of posixGroup/sambaGroupMapping entries</p></li><li><p>ldap idmap suffix - location of sambaIdmapEntry objects</p></li></ul></div><p>
+ If an 'ldap suffix' is defined, it will be appended to all of the
+ remaining sub-suffix parameters. In this case, the order of the suffix
+ listings in smb.conf is important. Always place the 'ldap suffix' first
+ in the list.
+ </p><p>
+ Due to a limitation in Samba's smb.conf parsing, you should not surround
+ the DN's with quotation marks.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955500"></a>IdMap LDAP support</h4></div></div><div></div></div><p>
+ Samba 3.0 supports an ldap backend for the idmap subsystem. The
+ following options would inform Samba that the idmap table should be
+ stored on the directory server onterose in the &quot;ou=idmap,dc=plainjoe,
+ dc=org&quot; partition.
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>idmap backend = ldap:ldap://onterose/</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap uid = 40000-50000</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap gid = 40000-50000</tt></i></td></tr></table><p>
+ This configuration allows winbind installations on multiple servers to
+ share a uid/gid number space, thus avoiding the interoperability problems
+ with NFS that were present in Samba 2.2.
+ </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>