This file aims to document the major changes since the latest released version 
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems 
and uses a different internal format for most data. Since this 
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller 
support. This means Samba now implements several protocols that are required 
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade 
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and 
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports 
various 'process models' that specify how concurrent connections are 
handled (when to fork, use threads, etc). 

Introduction of LDB
===================
Samba now stores most of its persistent data in a LDAP-like database 
called LDB (see ldb(7) for more info). 

Removed SWAT
==================
Unlike previous versions, Samba4 does not provide a web interface at this time.

Built-in KDC
============
Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center).  Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Built-in LDAP Server
====================
Like the situation with the KDC, Samba4 ships with it's own LDAP
server, included to provide simple, built-in LDAP services in an AD
(rather than distinctly standards) matching manner.  The database is
LDB, and it shares that in common with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have 
been introduced. This section contains a summary of changes to smb.conf and 
where these settings moved. Configuration options that have disappeared may be 
re-added later when the functionality that uses them gets reimplemented in 
Samba 4.

The 'security' parameter has been split up. It is now only used to choose 
between the 'user' and 'share' security levels (the latter is not supported 
in Samba 4 yet). The other values of this option and the 'domain master' and 
'domain logons' parameters have been merged into a 'server role' parameter 
that can be either 'domain controller', 'member server' or 'standalone'. Note that 
member server support does not work yet.

The following parameters have been removed:
- passdb backend: accounts are now stored in a LDB-based SAM database, 
	see 'sam database' below.
- update encrypted
- public
- guest ok
- client schannel
- server schannel
- allow trusted domains
- hosts equiv
- map to guest
- smb passwd file
- algorithmic rid base
- root directory
- root dir
- root
- guest account
- enable privileges
- pam password change
- passwd program
- passwd chat debug
- passwd chat timeout
- check password script
- username map
- username level
- unix password sync
- restrict anonymous
- username
- user
- users
- invalid users
- valid users
- admin users
- read list
- write list
- printer admin
- force user
- force group
- group
- write ok
- writeable
- writable
- acl check permissions
- acl group control
- acl map full control
- create mask
- create mode
- force create mode
- security mask
- force security mode
- directory mask
- directory mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- inherit acls
- inherit owner
- guest only
- only guest
- only user
- allow hosts
- deny hosts
- preload modules
- use kerberos keytab
- syslog
- syslog only
- max log size
- debug timestamp
- timestamp logs
- debug hires timestamp
- debug pid
- debug uid
- allocation roundup size
- aio read size
- aio write size
- aio write behind
- large readwrite
- protocol
- read bmpx
- reset on zero vc
- acl compatibility
- defer sharing violations
- ea support
- nt acl support
- nt pipe support
- profile acls
- map acl inherit
- afs share
- max ttl
- client use spnego
- enable asu support
- svcctl list
- block size
- change notify timeout
- deadtime
- getwd cache
- keepalive
- kernel change notify
- lpq cache time
- max smbd processes
- max disk size
- max open files
- min print space
- strict allocate
- sync always
- use mmap
- use sendfile
- hostname lookups
- write cache size
- name cache timeout
- max reported print jobs
- load printers
- printcap cache time
- printcap name
- printcap
- printing
- cups options
- cups server
- iprint server
- print command
- disable spoolss
- enable spoolss
- lpq command
- lprm command
- lppause command
- lpresume command
- queuepause command
- queueresume command
- enumports command
- addprinter command
- deleteprinter command
- show add printer wizard
- os2 driver map
- use client driver
- default devmode
- force printername
- mangling method
- mangle prefix
- default case
- case sensitive
- casesignames
- preserve case
- short preserve case
- mangling char
- hide dot files
- hide special files
- hide unreadable
- hide unwriteable files
- delete veto files
- veto files
- hide files
- veto oplock files
- map readonly
- mangled names
- mangled map
- max stat cache size
- stat cache
- store dos attributes
- machine password timeout
- add user script
- rename user script
- delete user script
- add group script
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- add machine script
- shutdown script
- abort shutdown script
- username map script
- logon script
- logon path
- logon drive
- logon home
- domain logons
- os level
- lm announce
- lm interval
- domain master
- browse list
- enhanced browsing
- wins proxy
- wins hook
- wins partners
- blocking locks
- fake oplocks
- kernel oplocks
- locking
- lock spin count
- lock spin time
- level2 oplocks
- oplock break wait time
- oplock contention limit
- posix locking
- share modes
- ldap server
- ldap port
- ldap admin dn
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap passwd sync
- ldap password sync
- ldap replication sleep
- ldap suffix
- ldap ssl
- ldap timeout
- ldap page size
- ldap user suffix
- add share command
- change share command
- delete share command
- eventlog list
- utmp directory
- wtmp directory
- utmp
- default service
- default
- message command
- dfree cache time
- dfree command
- get quota command
- set quota command
- remote announce
- remote browse sync
- homedir map
- afs username map
- afs token lifetime
- log nt token command
- time offset
- NIS homedir
- preexec
- exec
- preexec close
- postexec
- root preexec
- root preexec close
- root postexec
- set directory
- wide links
- follow symlinks
- dont descend
- magic script
- magic output
- delete readonly
- dos filemode
- dos filetimes
- dos filetime resolution
- fake directory create times
- panic action
- vfs objects
- vfs object
- msdfs root
- msdfs proxy
- host msdfs
- enable rid algorithm
- passdb expand explicit
- idmap backend
- idmap uid
- winbind uid
- idmap gid
- winbind gid
- template homedir
- template shell
- winbind separator
- winbind cache time
- winbind enum users
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
- winbind nss info
 
The following parameters have been added:
+ rpc big endian (G)
	Make Samba fake it is running on a bigendian machine when using DCE/RPC. 
	Useful for debugging.

	Default: no

+ case insensitive filesystem (S)
	Set to true if this share is located on a case-insensitive filesystem.
	This disables looking for a filename by trying all possible combinations of 
	uppercase/lowercase characters and thus speeds up operations when a 
	file cannot be found. 

	Default: no
	
+ setup directory
	Path to data used by provisioning script.

	Default: Set at compile-time
	
+ ncalrpc dir
	Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

	Default: Set at compile-time
	
+ ntvfs handler
	Backend to the NT VFS to use (more than one can be specified). Available
	backends include: 
	
	- posix:
		Maps POSIX FS semantics to NT semantics

	- simple:
		Very simple backend (original testing backend).

	- unixuid:
		Sets up user credentials based on POSIX gid/uid.

	- cifs:
		Proxies a remote CIFS FS. Mainly useful for testing.

	- nbench:
		Filter module that saves data useful to the nbench benchmark suite.

	- ipc:
		Allows using SMB for inter process communication. Only used for 
		the IPC$ share.

	- print:
		Allows printing over SMB. This is LANMAN-style printing (?), not 
		the be confused with the spoolss DCE/RPC interface used by later 
		versions of Windows.
	
	Default: unixuid default

+ ntptr providor
	FIXME

+ dcerpc endpoint servers
	What DCE/RPC servers to start.

	Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

+ server services
	Services Samba should provide.

	Default: smb rpc nbt wrepl ldap cldap web kdc

+ sam database
	Location of the SAM (account database) database. This should be a 
	LDB URL.

	Default: set at compile-time

+ spoolss database
	Spoolss (printer) DCE/RPC server database. This should be a LDB URL.

	Default: set at compile-time

+ wins config database
	WINS configuration database location. This should be a LDB URL.

	Default: set at compile-time
	
+ wins database
	WINS database location. This should be a LDB URL.

	Default: set at compile-time
	
+ client use spnego principal
	Tells the client to use the Kerberos service principal specified by the 
	server during the security protocol negotation rather than 
	looking up the principal itself (cifs/hostname).

	Default: false

+ nbt port
	TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.
 
	Default: 137

+ dgram port
	UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.
	
	Default: 138

+ cldap port
	UDP/IP port used by the CLDAP protocol.

	Default: 389

+ krb5 port
	IP port used by the kerberos KDC.	
	
	Default: 88
	
+ kpasswd port
	IP port used by the kerberos password change protocol.

	Default: 464
	
+ web port
	TCP/IP port SWAT should listen on.

	Default: 901

+ tls enabled
	Enable TLS support for SWAT
	
	Default: true
	
+ tls keyfile
	Path to TLS key file (PEM format) to be used by SWAT. If no 
	path is specified, Samba will create a key.

	Default: none

+ tls certfile
	Path to TLS certificate file (PEM format) to be used by SWAT. If no 
	path is specified, Samba will create a certificate.

	Default: none
	
+ tls cafile
	Path to CA authority file Samba will use to sign TLS keys it generates. If 
	no path is specified, Samba will create a self-signed CA certificate.

	Default: none

+ tls crlfile
	Path to TLS certificate revocation lists file.

	Default: none

+ swat directory
	SWAT data directory.

	Default: set at compile-time

+ large readwrite
	Indicate the CIFS server is able to do large reads/writes.

	Default: true
	
+ unicode
	Enable/disable unicode support in the protocol.

	Default: true