From e6e94ca9299017c8c799d3143960a8f4e65c10c2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 16 Aug 2007 20:52:05 +0000 Subject: First of a string of edits over the next weeks. (This used to be commit 5e600d41d07bc0cc4a0baaccad7493d244a940e2) --- docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml | 109 ++++++++++++++++++++++++------ 1 file changed, 88 insertions(+), 21 deletions(-) (limited to 'docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml') diff --git a/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml b/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml index 76aa54a9b1..6c2af32a75 100644 --- a/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml +++ b/docs/Samba3-HOWTO/TOSHARG-ChangeNotes.xml @@ -6,12 +6,35 @@ &author.jerry; -Important Samba-3.0.23 Change Notes +Important and Critical Change Notes for the Samba 3.x Series + +Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical +or very important information here. Comprehensive change notes and guidance information can be found in the +section Updating and Upgrading Samba. + + + + +Important Samba-3.2.x Change Notes + +!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!! + + + + + + +Important Samba-3.0.x Change Notes + +These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25 +update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are +documented in this documention - See Upgrading from Samba-2.x to Samba-3.0.25. + -Samba is a fluid and ever changing project. Sometimes it is difficult to figure out which part, -or parts, of the HOWTO documentation should be updated tio reflect the impact of new or modified -features. At other times it becomes clear that the documentation is in need of being restructured. +Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to +reflect the impact of new or modified features. At other times it becomes clear that the documentation is in +need of being restructured. @@ -28,7 +51,7 @@ This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes mu in the WHATSNEW.txt file that is included with the Samba source code release tarball. - + User and Group Changes @@ -55,7 +78,7 @@ when migrating a Windows domain to a Samba domain by executing: netgetlocalsid Unmapped users are now assigned a SID in the S-1-22-1 domain and unmapped groups are assigned a SID in the S-1-22-2 domain. Previously they were -assign a RID within the SAM on the Samba server. For a domain controller this would have been under the +assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the authority of the domain SID where as on a member server or standalone server, this would have been under the authority of the local SAM (see the man page for net getlocalsid). @@ -86,7 +109,7 @@ An example helps to illustrate the change: Assume that a group named developers exists with a UNIX GID of 782. In this case this user does not exist in Samba's group mapping table. It would be perfectly normal for this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as -S-1-5-21-647511796-4126122067-3123570092-2565. +S-1-5-21-647511796-4126122067-3123570092-2565. @@ -94,13 +117,12 @@ this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID NTFS access group permissions -With the release of Samba-3.0.23, the group SID would be reported as S-1-22-2-782. -Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow -access based on the group permissions if the user was not a member of the -S-1-5-21-647511796-4126122067-3123570092-2565 group. -Because this group SID is S-1-22-2-782 and not reported in a user's token, -Windows would fail the authorization check even though both SIDs in some respect refer to the -same UNIX group. +With the release of Samba-3.0.23, the group SID would be reported as S-1-22-2-782. Any +security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based +on the group permissions if the user was not a member of the +S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this group SID is +S-1-22-2-782 and not reported in a user's token, Windows would fail the authorization check +even though both SIDs in some respect refer to the same UNIX group. @@ -111,10 +133,54 @@ entry for the group developers to point at the S-1-5-21-647511796-4126122067-3123570092-2565 SID. With the release of Samba-3.0.23 this workaround is no longer needed. + - + +Essential Group Mappings + +Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows +domain groups Domain Admins, Domain Users, Domain Guests. Commencing with Samba 3.0.23 +these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to +correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto +the Windows client. + - + +Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not +require these group mappings. + + + +The following mappings are required: + + + + Essential Domain Group Mappings + + + Domain GroupRIDExample UNIX Group + + + Domain Admins512root + Domain Users513users + Domain Guests514nobody + + +
+ + +When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these domadmins, domusers, +domguests respectively. + + + +For further information regarding group mappings see Group Mapping: MS Windows +and UNIX. + + + + + Passdb Changes @@ -128,9 +194,9 @@ removed in the Samba-3.0.23 release. More information regarding external suppor passdb module can be found on the pdbsql web site. - + - + Group Mapping Changes in Samba-3.0.23 @@ -153,9 +219,9 @@ Windows group SID to UNIX GID mappings. This change has no effect on winbindd's for domain groups. - + - + LDAP Changes in Samba-3.0.23 @@ -167,11 +233,12 @@ for domain groups. There has been a minor update the Samba LDAP schema file. A substring matching rule has been added to the sambaSID attribute definition. For OpenLDAP servers, this will require the addition of index sambaSID sub to the -slapd.conf configuration file. It will be necessary to execute the +slapd.conf configuration file. It will be necessary to execute the slapindex command after making this change. There has been no change to the actual data storage schema. + -- cgit