-rw-r--r-- | WHATSNEW.txt | 156 | ||||
-rw-r--r-- | docs/README.idmap-and-winbind-changes | 73 |
2 files changed, 146 insertions, 83 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5c74c95411..c264e6a3c7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,8 +1,8 @@ - WHATS NEW IN Samba 3.0.0 beta2 - July 1 2003 + WHATS NEW IN Samba 3.0.0 beta4 + July 16 2003 ============================== -This is the second beta release of Samba 3.0.0. This is a +This is the third beta release of Samba 3.0.0. This is a non-production release intended for testing purposes. Use at your own risk. @@ -51,7 +51,7 @@ Major new features: 8) New loadable RPC modules. -9) New dual-daemon winbindd support (-B) for better performance. +9) New dual-daemon winbindd support for better performance. 10) Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs. 
@@ -78,12 +78,73 @@ tasks (the current book is up to approximately 400 pages) and to refer to the various man pages for information on individual options. ###################################################################### -Changes since 3.0beta1 +Changes since 3.0beta2 ###################### Please refer to the CVS log for the SAMBA_3_0 branch for complete details +1) Added fix for Japanese case names in statcache code; + these can change size on upper casing. +2) Correct issues with iconv detection in configure script + (support needed to find iconv libraries on FreeBSD). +3) Fix bug that caused a WINS server to be marked as dead + incorrectly (bug #190). +4) Removing additional deadlocks conditions that prevented + winbindd from running on a Samba PDC (used for trust + relationships). +5) Add support for searching for Active Directory for + published printers (net ads printer search). +6) Separate UNIX username from DOMAIN\username in pipe + credentials. +7) Auth modules now support returning NT_STATUS_NOT_IMPLEMENTED + for cases that they cannot handle. +8) Flush winbindd connection cache when the machine trust account + password is changed while a connection is open (bug #200). +9) Add support for 'OSVersion' server printer data string + (corrects problem with uploading printer drivers from + WinXP clients). +10) Numerous memory leak fixes. +11) LDAP fixes ("passdb backend = ldapsam" & "idmap backend = ldap"): + - Store domain SID in LDAP directory. + - store idmap information in existing entries (use sambaSID=... + if adding a new entry). +12) Fix incorrect usage of primary group SID when looking up user + groups (bug #109). +13) Remove idmap_XX_to_XX calls from smbd. Move back to the the + winbind_XXX and local_XXX calls used in 2.2. +14) All uid/gid allocation must involve winbindd now + (we no attempt to map unknown SIDs to a UNIX identify). +15) Add 'winbind trusted domains only' parameter to force a domain + member. 
The server to use matching users names from /etc/passwd + for its domain (needed for domain member of a Samba domain). +16) Rename 'idmap only' to 'enable rid algorithm' for better clarity + (defaults to "yes"). +17) Add support for multi-byte statcache code (bug #185) +18) Fix open mode race condition. +19) Implement winbindd local account management functions. Refer to + the "Winbind Changes" section for details. +20) Move RID allocation functions into idmap backend. +21) Fix parsing error that prevented publishing printers from a + Samba server in an AD domain. +22) Revive NTLMSSP support for named pipes. +23) More SCHANNEL fixes. +24) Correct SMB signing with NTLMSSP. +25) Fix coherency bug in print handle/printer object caching code + that could cause XP clients to infinitely loop while updating + their local printer cache. +26) Make winbindd use its dual-daemon mode by default (use -Y to + start as a single process). +27) Add support to nmbd and winbindd for 'smbcontrol <pid> + reload-config'. +28) Correct problem with smbtar when dealing with files > 8Gb + (bug #102). + + + +Changes since 3.0beta1 +###################### + 1) Rework our smb signing code again, this factors out some of the common MAC calculation code, and now supports multiple outstanding packets (bug #40). @@ -308,8 +369,11 @@ New Parameters (new parameters have been grouped by function): ----------------------- * idmap backend * idmap gid - * idmap only * idmap uid + * winbind enable local accounts + * winbind trusted domains only + * template primary group + * enable rid algorithm LDAP ---- 
@@ -355,8 +419,8 @@ account_policy User policy settings yes gencache Generic caching db no group_mapping Mapping table from Windows yes groups/SID to unix groups -idmap new ID map table from SIDS yes - to UNIX uids/gids. +winbindd_idmap ID map table from SIDS to UNIX yes + uids/gids. namecache Name resolution cache entries no netsamlogon_cache Cache of NET_USER_INFO_3 structure no returned as part of a successful @@ -463,8 +527,9 @@ Other new object classes and their uses include: * sambaDomain - domain information used to allocate rids for users and groups as necessary. The attributes are added - in 'ldap suffix' directory entry automatically apon first - connection to the directory. + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. * sambaGroupMapping - an object representing the relationship between a posixGroup and a Windows 
@@ -575,7 +640,78 @@ Now connect to the WINDOWS DC (e.g. CRYSTAL) as a Samba user: $ smbclient //crystal/netlogon -U root -W WINDOWS Password: +###################################################################### +Changes in Winbind +################## + +Beginning with Samba3.0.0beta3, winbindd has been given new account +manage functionality equivalent to the 'add user script' family of +smb.conf parameters. The idmap design has also been changed to +centralize control of foreign SID lookups and matching to UNIX +uids and gids. + + +Brief Description of Changes +---------------------------- + +1) The sid_to_uid() family of functions (smbd/uid.c) have been + reverted to the 2.2.x design. This means that when resolving a + SID to a UID or similar mapping: + + a) First consult winbindd + b) perform a local lookup only if winbindd fails to + return a successful answer + + There are some variations to this, but these two rules generally + apply. + +2) All idmap lookups have been moved into winbindd. This means that + a server must run winbindd (and support NSS) in order to achieve + any mappings of SID to dynamically allocated UNIX ids. This was + a conscious design choice. + +3) New functions have been added to winbindd to emulate the 'add user + script' family of smbd functions without requiring that external + scripts be defined. This functionality is controlled by the 'winbind + enable local accounts' smb.conf parameter (enabled by default). + + However, this account management functionality is only supported + in a local tdb (winbindd_idmap.tdb). If these new UNIX accounts + must be shared among multiple Samba servers (such as a PDC and BDCs), + it will be necessary to define your own 'add user script', et. al. + programs that place the accounts/groups in some form of directory + such as NIS or LDAP. This requirement was deemed beyond the scope + of winbind's account management functions. 
Solutions for + distributing UNIX system information have been deployed and tested + for many years. We saw no need to reinvent the wheel. + +4) A member of a Samba controlled domain running winbindd is now able + to map domain users directly onto existing UNIX accounts while still + automatically creating accounts for trusted users and groups. This + behavior is controlled by the 'winbind trusted domains only' smb.conf + parameter (disabled by default to provide 2.2.x winbind behavior). + +5) Group mapping support is wrapped in the local_XX_to_XX() functions + in smbd/uid.c. The reason that group mappings are not included + in winbindd is because the purpose of Samba's group map is to + match any Windows SID with an existing UNIX group. These UNIX + groups can be created by winbindd (see next section), but the + SID<->gid mapping is retreived by smbd, not winbindd. + + +Examples +-------- + +* security = server running winbindd to allocate accounts on demand + +* Samba PDC running winbindd to handle the automatic creation of UNIX + identities for machine trust accounts + +* Automtically creating UNIX user and groups when migrating a Windows NT + 4.0 PDC to a Samba PDC. Winbindd must be running when executing + 'net rpc vampire' for this to work. + ###################################################################### Known Issues ############ diff --git a/docs/README.idmap-and-winbind-changes b/docs/README.idmap-and-winbind-changes deleted file mode 100644 index a892343c6e..0000000000 --- a/docs/README.idmap-and-winbind-changes +++ /dev/null 
@@ -1,73 +0,0 @@ -## Date : 2003-07-09 -## Author: Gerald (Jerry) Carter <jerry@samba.org> -## Title: README.idmap-and-winbind-changes - -Introduction ------------- - -Beginning with Samba3.0.0beta3, winbindd has been given new account -manage functionality equivalent to the 'add user script' family of -smb.conf parameters. The idmap design has also been changed to centralize -control of foreign SID lookups and matching to UNIX uids and gids. - - -Brief Description of Changes ----------------------------- - -1) The sid_to_uid() family of functions (smbd/uid.c) have been reverted - to the 2.2.x design. This means that when resolving a SID to a UID - or similar mapping: - - a) First consult winbindd - b) perform a local lookup only if winbindd fails to - return a successful answer - - There are some variations to this, but these two rules generally - apply. - -2) All idmap lookups have been moved into winbindd. This means that - a server must run winbindd (and support NSS) in order to achieve - any mappings of SID to dynamically allocated UNIX ids. This was - a conscious design choice. - -3) New functions have been added to winbindd to emulate the 'add user script' - family of smbd functions without requiring that external scripts - be defined. This functionality is controlled by the 'winbind enable local - accounts' smb.conf parameter (enabled by default). - - However, this account management functionality is only supported in - a local tdb (winbindd_idmap.tdb). If these new UNIX accounts must be - shared among multiple Samba servers (such as a PDC and BDCs), it - will be necessary to define your own 'add user script', et. al. - programs that place the accounts/groups in some form of directory - such as NIS or LDAP. This requirement was deemed beyond the scope - of winbind's account management functions. Solutions for distributing - UNIX system information have been deployed and tested for many years. - We saw no need to reinvent the wheel. 
- -4) A member of a Samba controlled domain running winbindd is now able to - map domain users directly onto existing UNIX accounts while still - automatically creating accounts for trusted users and groups. This - behavior is controlled by the 'winbind trusted domains only' smb.conf - parameter (disabled by default to provide 2.2.x winbind behavior). - -5) Group mapping support is wrapped in the local_XX_to_XX() functions - in smbd/uid.c. The reason that group mappings are not included - in winbindd is because the purpose of Samba's group map is to - match any Windows SID with an existing UNIX group. These UNIX - groups can be created by winbindd (see next section), but the - SID<->gid mapping is retreived by smbd, not winbindd. - - -Examples --------- - -* security = server running winbindd to allocate accounts on demand - -* Samba PDC running winbindd to handle the automatic creation of UNIX - identities for machine trust accounts - -* Automtically creating UNIX user and groups when migrating a Windows NT - 4.0 PDC to a Samba PDC. Winbindd must be running when executing - 'net rpc vampire' for this to work. - |
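Review bot: the release numbering in WHATSNEW.txt is inconsistent after the header hunk (@@ -1,8 +1,8 @@). The title now reads "Samba 3.0.0 beta4" but the sentence under it says "This is the third beta release", the new changelog section is headed "Changes since 3.0beta2", and the Winbind text says "Beginning with Samba3.0.0beta3". Either align these on one number or add a line explaining why the fourth-numbered beta is the third release, so a reader can tell which release introduced the idmap and winbindd changes.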
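Review bot: item 14 in the "Changes since 3.0beta2" list (@@ -78,12 +78,73 @@) is garbled at exactly the point where it announces a behaviour change: "(we no attempt to map unknown SIDs to a UNIX identify)". This is the line that tells administrators uid/gid allocation now requires winbindd, so it should read unambiguously, for example "we no longer attempt to map unknown SIDs to a UNIX identity". In the same hunk, item 13 has "the the", item 5 has "searching for Active Directory for published printers", and item 4 has "deadlocks conditions".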
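Review bot: 'template primary group' is added to the New Parameters list (@@ -308,8 +369,11 @@) without being described anywhere else in the patch. The other three additions are covered: 'winbind trusted domains only' by item 15, 'enable rid algorithm' by item 16, and 'winbind enable local accounts' by point 3 of "Changes in Winbind", each with its default. Add a changelog item or a sentence in the Winbind section saying what 'template primary group' controls and what it defaults to.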
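Review bot: the reworded sambaDomain entry (@@ -463,8 +527,9 @@) states under which settings the attributes are written into the 'ldap suffix' entry but no longer says when. The old text said this happened on first connection to the directory. Since this is an automatic write to the directory, the text should keep both the trigger and the condition; if the write still happens on first connection, say so alongside the new "if an idmap uid/gid range has been set and the 'ldapsam' passdb backend has been selected" clause.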
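Review bot: point 3 of the new "Changes in Winbind" section (@@ -575,7 +640,78 @@) says 'winbind enable local accounts' is enabled by default and, in the next paragraph, that the accounts it creates exist only in the local winbindd_idmap.tdb and are not shared between a PDC and BDCs. The text tells multi-server sites to define their own 'add user script' programs but does not say whether they must also turn the parameter off, or which mechanism wins when both are set. Please state that explicitly, since the default silently creates server-local UNIX accounts. Smaller points in the same hunk: "account manage functionality" should be "account management functionality", "retreived" and "Automtically" are misspelled, "et. al." should be "et al.", and point 5's "(see next section)" refers to the Examples list, which does not describe group creation.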