From d069dacb6e17866dd5d3862e1837a9cae008644f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 15 Aug 2003 18:26:34 +0000 Subject: Regenerate docs (This used to be commit dc33e94161e4fc1ca6bf66a321c708c89bb276e3) --- docs/htmldocs/upgrading-to-3.0.html | 176 ++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 docs/htmldocs/upgrading-to-3.0.html (limited to 'docs/htmldocs/upgrading-to-3.0.html') diff --git a/docs/htmldocs/upgrading-to-3.0.html b/docs/htmldocs/upgrading-to-3.0.html new file mode 100644 index 0000000000..e7c1c61234 --- /dev/null +++ b/docs/htmldocs/upgrading-to-3.0.html @@ -0,0 +1,176 @@ +Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0

Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0

Jelmer R. Vernooij

The Samba Team

John H. Terpstra

Samba Team

Gerald (Jerry) Carter

Samba Team

June 30, 2003

New Features in Samba-3

+Major new features: +

  1. + Active Directory support. This release is able to join a ADS realm + as a member server and authenticate users using LDAP/kerberos. +

  2. + Unicode support. Samba will now negotiate UNICODE on the wire and + internally there is now a much better infrastructure for multi-byte + and UNICODE character sets. +

  3. + New authentication system. The internal authentication system has + been almost completely rewritten. Most of the changes are internal, + but the new auth system is also very configurable. +

  4. + New filename mangling system. The filename mangling system has been + completely rewritten. An internal database now stores mangling maps + persistently. This needs lots of testing. +

  5. + New "net" command. A new "net" command has been added. It is + somewhat similar to the "net" command in windows. Eventually we + plan to replace a bunch of other utilities (such as smbpasswd) + with subcommands in "net", at the moment only a few things are + implemented. +

  6. + Samba now negotiates NT-style status32 codes on the wire. This + improves error handling a lot. +

  7. + Better Windows 2000/XP/2003 printing support including publishing + printer attributes in active directory +

  8. + New loadable RPC modules +

  9. + New dual-daemon winbindd support (-B) for better performance +

  10. + Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group and domain SIDs +

  11. + Support for establishing trust relationships with Windows NT 4.0 + domain controllers +

  12. + Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to uid/gid mappings +

  13. + Major updates to the Samba documentation tree. +

+Plus lots of other improvements! +

Configuration Parameter Changes

+This section contains a brief listing of changes to smb.conf options +in the 3.0.0 release. Please refer to the smb.conf(5) man page for +complete descriptions of new or modified parameters. +

Removed Parameters

(order alphabetically):

  • admin log

  • alternate permissions

  • character set

  • client codepage

  • code page directory

  • coding system

  • domain admin group

  • domain guest group

  • force unknown acl user

  • nt smb support

  • post script

  • printer driver

  • printer driver file

  • printer driver location

  • status

  • total print jobs

  • use rhosts

  • valid chars

  • vfs options

New Parameters

(new parameters have been grouped by function):

Remote management

  • abort shutdown script

  • shutdown script

User and Group Account Management

  • add group script

  • add machine script

  • add user to group script

  • algorithmic rid base

  • delete group script

  • delete user from group script

  • passdb backend

  • set primary group script

Authentication

  • auth methods

  • ads server

  • realm

Protocol Options

  • client lanman auth

  • client NTLMv2 auth

  • client schannel

  • client signing

  • client use spnego

  • disable netbios

  • ntlm auth

  • paranoid server security

  • server schannel

  • smb ports

  • use spnego

File Service

  • get quota command

  • hide special files

  • hide unwriteable files

  • hostname lookups

  • kernel change notify

  • mangle prefix

  • msdfs proxy

  • set quota command

  • use sendfile

  • vfs objects

Printing

  • max reported print jobs

UNICODE and Character Sets

  • display charset

  • dos charset

  • unicode

  • unix charset

SID to uid/gid Mappings

  • idmap backend

  • idmap gid

  • idmap only

  • idmap uid

LDAP

  • ldap delete dn

  • ldap group suffix

  • ldap idmap suffix

  • ldap machine suffix

  • ldap passwd sync

  • ldap trust ids

  • ldap user suffix

General Configuration

  • preload modules

  • privatedir

Modified Parameters (changes in behavior):

  • encrypt passwords (enabled by default)

  • mangling method (set to 'hash2' by default)

  • passwd chat

  • passwd program

  • restrict anonymous (integer value)

  • security (new 'ads' value)

  • strict locking (enabled by default)

  • winbind cache time (increased to 5 minutes)

  • winbind uid (deprecated in favor of 'idmap uid')

  • winbind gid (deprecated in favor of 'idmap gid')

New Functionality

Databases

+ This section contains brief descriptions of any new databases + introduced in Samba 3.0. Please remember to backup your existing + ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will + upgrade databases as they are opened (if necessary), but downgrading + from 3.0 to 2.2 is an unsupported path. +

Table 30.1. TDB File Descriptions

NameDescriptionBackup?
account_policyUser policy settingsyes
gencacheGeneric caching dbno
group_mapping

Mapping table from Windows groups/SID to unix groups

yes
idmap

new ID map table from SIDS to UNIX uids/gids

yes
namecacheName resolution cache entriesno
netlogon_unigrp

Cache of universal group membership obtained when operating + as a member of a Windows domain

no
printing/*.tdb

Cached output from 'lpq command' created on a per print + service basis

no
registry

Read-only samba registry skeleton that provides support for + exporting various db tables via the winreg RPCs

no

Changes in Behavior

+ The following issues are known changes in behavior between Samba 2.2 and + Samba 3.0 that may affect certain installations of Samba. +

  1. + When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. +

  2. + When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' +

Charsets

+ You might experience problems with special characters when communicating with old DOS + clients. Codepage support has changed in samba 3.0. Read the chapter + Unicode support for details. +

Passdb Backends and Authentication

+ There have been a few new changes that Samba administrators should be + aware of when moving to Samba 3.0. +

  1. + Encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. +

  2. + Inclusion of new security = ads option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. +

+ Samba 3.0 also includes the possibility of setting up chains + of authentication methods + (auth methods) and account + storage backends + (passdb backend). + Please refer to the smb.conf + man page and the chapter about account information databases for details. While both parameters assume sane default + values, it is likely that you will need to understand what the + values actually mean in order to ensure Samba operates correctly. +

+ Certain functions of the smbpasswd(8) tool have been split between the + new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) + utility. See the respective man pages for details. +

Charsets

+ You might experience problems with special characters when communicating with old DOS + clients. Codepage support has changed in samba 3.0. Read the chapter + Unicode support for details. +

LDAP

+ This section outlines the new features affecting Samba / LDAP integration. +

New Schema

+ A new object class (sambaSamAccount) has been introduced to replace + the old sambaAccount. This change aids us in the renaming of attributes + to prevent clashes with attributes from other vendors. There is a + conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF + file to the new schema. +

+ Example: +

+		$ ldapsearch .... -b "ou=people,dc=..." > old.ldif
+		$ convertSambaAccount <DOM SID> old.ldif new.ldif
+		

+ The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME> + on the Samba PDC as root. +

+ The old sambaAccount schema may still be used by specifying the + "ldapsam_compat" passdb backend. However, the sambaAccount and + associated attributes have been moved to the historical section of + the schema file and must be uncommented before use if needed. + The 2.2 object class declaration for a sambaAccount has not changed + in the 3.0 samba.schema file. +

+ Other new object classes and their uses include: +

  • + sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. +

  • + sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. +

  • + sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' +

  • + sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. +

New Suffix for Searching

+ The following new smb.conf parameters have been added to aid in directing + certain LDAP queries when 'passdb backend = ldapsam://...' has been + specified. +

  • ldap suffix - used to search for user and computer accounts

  • ldap user suffix - used to store user accounts

  • ldap machine suffix - used to store machine trust accounts

  • ldap group suffix - location of posixGroup/sambaGroupMapping entries

  • ldap idmap suffix - location of sambaIdmapEntry objects

+ If an 'ldap suffix' is defined, it will be appended to all of the + remaining sub-suffix parameters. In this case, the order of the suffix + listings in smb.conf is important. Always place the 'ldap suffix' first + in the list. +

+ Due to a limitation in Samba's smb.conf parsing, you should not surround + the DN's with quotation marks. +

IdMap LDAP support

+ Samba 3.0 supports an ldap backend for the idmap subsystem. The + following options would inform Samba that the idmap table should be + stored on the directory server onterose in the "ou=idmap,dc=plainjoe, + dc=org" partition. +

[global]
...
idmap backend = ldap:ldap://onterose/
ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org
idmap uid = 40000-50000
idmap gid = 40000-50000

+ This configuration allows winbind installations on multiple servers to + share a uid/gid number space, thus avoiding the interoperability problems + with NFS that were present in Samba 2.2. +
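Review bot: the generated page carries the "Charsets" section twice, once right after "Changes in Behavior" and again after "Passdb Backends and Authentication", with identical text ("You might experience problems with special characters when communicating with old DOS clients. Codepage support has changed in samba 3.0."); since this HTML is regenerated output, the duplication is almost certainly in the DocBook source and should be removed there before the next regeneration, otherwise the second copy will keep coming back. Two smaller fixes for the same source while it is open: "to modify and LDIF file" in the New Schema paragraph should read "an LDIF file", and the command quoted as 'net getlocalsid <DOMAINNAME> is missing its closing quote, so the sentence reads as though the quotation continues into "on the Samba PDC as root".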
