From 7cccdeceb65d635c10dfdf40253696424f1b1af2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 11 Aug 2003 01:41:56 +0000 Subject: Update upgrading docs (This used to be commit cd81eaaf2d2bc407a4f9d037fedaa7eb82abcc65) --- docs/docbook/projdoc/upgrading-to-3.0.xml | 578 ++++++++++++++++++++++++++++-- 1 file changed, 543 insertions(+), 35 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/upgrading-to-3.0.xml b/docs/docbook/projdoc/upgrading-to-3.0.xml index b4c0732a65..2ac675742e 100644 --- a/docs/docbook/projdoc/upgrading-to-3.0.xml +++ b/docs/docbook/projdoc/upgrading-to-3.0.xml 
@@ -1,63 +1,571 @@ &author.jelmer; - 25 October 2002 + &author.jht; + &author.jerry; + June 30, 2003 Upgrading from Samba-2.x to Samba-3.0.0 + -Charsets +New Features in Samba-3 -You might experience problems with special characters -when communicating with old DOS clients. Codepage -support has changed in samba 3.0. Read the chapter -Unicode support for details. + +Major new features: - + + + Active Directory support. This release is able to join a ADS realm + as a member server and authenticate users using LDAP/kerberos. + - -Obsolete configuration options + + Unicode support. Samba will now negotiate UNICODE on the wire and + internally there is now a much better infrastructure for multi-byte + and UNICODE character sets. + + + + New authentication system. The internal authentication system has + been almost completely rewritten. Most of the changes are internal, + but the new auth system is also very configurable. + + + + New filename mangling system. The filename mangling system has been + completely rewritten. An internal database now stores mangling maps + persistently. This needs lots of testing. + + + + New "net" command. A new "net" command has been added. It is + somewhat similar to the "net" command in windows. Eventually we + plan to replace a bunch of other utilities (such as smbpasswd) + with subcommands in "net", at the moment only a few things are + implemented. + + + + Samba now negotiates NT-style status32 codes on the wire. This + improves error handling a lot. 
+ + + + Better Windows 2000/XP/2003 printing support including publishing + printer attributes in active directory + + + + New loadable RPC modules + + + + New dual-daemon winbindd support (-B) for better performance + + + + Support for migrating from a Windows NT 4.0 domain to a Samba + domain and maintaining user, group and domain SIDs + + + + Support for establishing trust relationships with Windows NT 4.0 + domain controllers + + + Initial support for a distributed Winbind architecture using + an LDAP directory for storing SID to uid/gid mappings + + + + Major updates to the Samba documentation tree. + + -In 3.0, the following configuration options have been removed. +Plus lots of other improvements! - -printer driver (replaced by new driver procedures) -printer driver file (replaced by new driver procedures) -printer driver location (replaced by new driver procedures) -use rhosts -postscript -client code page (replaced by dos charset) -vfs path -vfs options - -Password Backend +Configuration Parameter Changes -Effective with the release of samba-3 it is now imperative that the password backend -be correctly defined in smb.conf. +This section contains a brief listing of changes to smb.conf options +in the 3.0.0 release. Please refer to the smb.conf(5) man page for +complete descriptions of new or modified parameters. - -Those migrating from samba-2.x with plaintext password support need the following: -passdb backend = guest. - + +Removed Parameters - -Those migrating from samba-2.x with encrypted password support should add to smb.conf -passdb backend = smbpasswd, guest. - +(order alphabetically): - -LDAP using Samba-2.x systems can continue to operate with the following entry -passdb backend = ldapsam_compat, guest. 
- + + admin log + alternate permissions + character set + client codepage + code page directory + coding system + domain admin group + domain guest group + force unknown acl user + nt smb support + post script + printer driver + printer driver file + printer driver location + status + total print jobs + use rhosts + valid chars + vfs options + + + + + +New Parameters + +(new parameters have been grouped by function): + +Remote management + + + abort shutdown script + shutdown script + + +User and Group Account Management + + + add group script + add machine script + add user to group script + algorithmic rid base + delete group script + delete user from group script + passdb backend + set primary group script + + +Authentication + + + auth methods + ads server + realm + + +Protocol Options + + + client lanman auth + client NTLMv2 auth + client schannel + client signing + client use spnego + disable netbios + ntlm auth + paranoid server security + server schannel + smb ports + use spnego + + +File Service + + + get quota command + hide special files + hide unwriteable files + hostname lookups + kernel change notify + mangle prefix + msdfs proxy + set quota command + use sendfile + vfs objects + + +Printing + + + max reported print jobs + + + +UNICODE and Character Sets + + + display charset + dos charset + unicode + unix charset + + +SID to uid/gid Mappings + + + idmap backend + idmap gid + idmap only + idmap uid + + +LDAP + + + ldap delete dn + ldap group suffix + ldap idmap suffix + ldap machine suffix + ldap passwd sync + ldap trust ids + ldap user suffix + + +General Configuration + + + preload modules + privatedir + + + + + +Modified Parameters (changes in behavior): + + + encrypt passwords (enabled by default) + mangling method (set to 'hash2' by default) + passwd chat + passwd program + restrict anonymous (integer value) + security (new 'ads' value) + strict locking (enabled by default) + winbind cache time (increased to 5 minutes) + winbind uid (deprecated 
in favor of 'idmap uid') + winbind gid (deprecated in favor of 'idmap gid') + + + + + + + +New Functionality + + + Databases + + + This section contains brief descriptions of any new databases + introduced in Samba 3.0. Please remember to backup your existing + ${lock directory}/*tdb before upgrading to Samba 3.0. Samba will + upgrade databases as they are opened (if necessary), but downgrading + from 3.0 to 2.2 is an unsupported path. + + + + TDB File Descriptions + + + + + + + Name + Description + Backup? + + + + + account_policy + User policy settings + yes + + + gencache + Generic caching db + no + + + group_mapping + Mapping table from Windows groups/SID to unix groups + yes + + + idmap + new ID map table from SIDS to UNIX uids/gids + yes + + + namecache + Name resolution cache entries + no + + + netlogon_unigrp + Cache of universal group membership obtained when operating + as a member of a Windows domain + no + + + printing/*.tdb + Cached output from 'lpq command' created on a per print + service basis + no + + + + registry + Read-only samba registry skeleton that provides support for + exporting various db tables via the winreg RPCs + no + + + +
+ +
+ + + Changes in Behavior + + + The following issues are known changes in behavior between Samba 2.2 and + Samba 3.0 that may affect certain installations of Samba. + + + + + When operating as a member of a Windows domain, Samba 2.2 would + map any users authenticated by the remote DC to the 'guest account' + if a uid could not be obtained via the getpwnam() call. Samba 3.0 + rejects the connection as NT_STATUS_LOGON_FAILURE. There is no + current work around to re-establish the 2.2 behavior. + + + + When adding machines to a Samba 2.2 controlled domain, the + 'add user script' was used to create the UNIX identity of the + machine trust account. Samba 3.0 introduces a new 'add machine + script' that must be specified for this purpose. Samba 3.0 will + not fall back to using the 'add user script' in the absence of + an 'add machine script' + + + + + + + Charsets + + + You might experience problems with special characters when communicating with old DOS + clients. Codepage support has changed in samba 3.0. Read the chapter + Unicode support for details. + + + + + + Passdb Backends and Authentication + + + There have been a few new changes that Samba administrators should be + aware of when moving to Samba 3.0. + + + + + Encrypted passwords have been enabled by default in order to + inter-operate better with out-of-the-box Windows client + installations. This does mean that either (a) a samba account + must be created for each user, or (b) 'encrypt passwords = no' + must be explicitly defined in smb.conf. + + + + Inclusion of new security = ads option for integration + with an Active Directory domain using the native Windows + Kerberos 5 and LDAP protocols. + + + + + Samba 3.0 also includes the possibility of setting up chains + of authentication methods + (auth methods) and account + storage backends + (passdb backend). + Please refer to the &smb.conf; + man page and for details. 
While both parameters assume sane default + values, it is likely that you will need to understand what the + values actually mean in order to ensure Samba operates correctly. + + + + Certain functions of the smbpasswd(8) tool have been split between the + new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) + utility. See the respective man pages for details. + + + + + + Charsets + + + You might experience problems with special characters when communicating with old DOS + clients. Codepage support has changed in samba 3.0. Read the chapter + Unicode support for details. + + + + + + LDAP + + + This section outlines the new features affecting Samba / LDAP integration. + + + + New Schema + + + A new object class (sambaSamAccount) has been introduced to replace + the old sambaAccount. This change aids us in the renaming of attributes + to prevent clashes with attributes from other vendors. There is a + conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF + file to the new schema. + + + + Example: + + + $ ldapsearch .... -b "ou=people,dc=..." > old.ldif + $ convertSambaAccount <DOM SID> old.ldif new.ldif + + + + The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME> + on the Samba PDC as root. + + + + The old sambaAccount schema may still be used by specifying the + "ldapsam_compat" passdb backend. However, the sambaAccount and + associated attributes have been moved to the historical section of + the schema file and must be uncommented before use if needed. + The 2.2 object class declaration for a sambaAccount has not changed + in the 3.0 samba.schema file. + + + + Other new object classes and their uses include: + + + + + sambaDomain - domain information used to allocate rids + for users and groups as necessary. The attributes are added + in 'ldap suffix' directory entry automatically if + an idmap uid/gid range has been set and the 'ldapsam' + passdb backend has been selected. 
+ + + + sambaGroupMapping - an object representing the + relationship between a posixGroup and a Windows + group/SID. These entries are stored in the 'ldap + group suffix' and managed by the 'net groupmap' command. + + + + sambaUnixIdPool - created in the 'ldap idmap suffix' entry + automatically and contains the next available 'idmap uid' and + 'idmap gid' + + + + sambaIdmapEntry - object storing a mapping between a + SID and a UNIX uid/gid. These objects are created by the + idmap_ldap module as needed. + + + + + + + New Suffix for Searching + + + The following new smb.conf parameters have been added to aid in directing + certain LDAP queries when 'passdb backend = ldapsam://...' has been + specified. + + + + ldap suffix - used to search for user and computer accounts + ldap user suffix - used to store user accounts + ldap machine suffix - used to store machine trust accounts + ldap group suffix - location of posixGroup/sambaGroupMapping entries + ldap idmap suffix - location of sambaIdmapEntry objects + + + + If an 'ldap suffix' is defined, it will be appended to all of the + remaining sub-suffix parameters. In this case, the order of the suffix + listings in smb.conf is important. Always place the 'ldap suffix' first + in the list. + + + + Due to a limitation in Samba's smb.conf parsing, you should not surround + the DN's with quotation marks. + + + + + + IdMap LDAP support + + + Samba 3.0 supports an ldap backend for the idmap subsystem. The + following options would inform Samba that the idmap table should be + stored on the directory server onterose in the "ou=idmap,dc=plainjoe, + dc=org" partition. + + + + [global] + ... + idmap backend = ldap:ldap://onterose/ + ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org + idmap uid = 40000-50000 + idmap gid = 40000-50000 + + + + This configuration allows winbind installations on multiple servers to + share a uid/gid number space, thus avoiding the interoperability problems + with NFS that were present in Samba 2.2. 
+ + + + +
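Review bot: the "Passdb Backends and Authentication" paragraph has a dangling cross-reference, "Please refer to the &smb.conf; man page and for details.", where the entity or link after "and" is missing; either restore the intended reference or drop the "and". In the same region the "Charsets" section appears twice (once before "Passdb Backends and Authentication" and again after it), so one copy should be removed. The rewrite also deletes the old concrete migration settings ("passdb backend = guest" for plaintext, "passdb backend = smbpasswd, guest" for encrypted, "passdb backend = ldapsam_compat, guest" for LDAP) without replacing them; since the new text states that "encrypt passwords" is now on by default and that a missing uid now yields NT_STATUS_LOGON_FAILURE rather than a guest mapping, a short per-path "passdb backend" table would keep upgraders from locking out existing users. Smaller fixes in the LDAP part: "to modify and LDIF file" should read "an LDIF file", the "'net getlocalsid <DOMAINNAME>" command is missing its closing quote, "DN's" should be "DNs", and the "add machine script" sentence lacks a terminating period.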