1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
|
This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.
One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.
An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.
Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).
Introduction of LDB
===================
Samba now stores most of its persistent data in a LDAP-like database
called LDB (see ldb(7) for more info).
Built-in KDC
============
Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.
Built-in LDAP Server
====================
Like the situation with the KDC, Samba4 ships with it's own LDAP
server, included to provide simple, built-in LDAP services in an AD
(rather than distinctly standards) matching manner. The database is
LDB, and it shares that in common with the rest of Samba.
Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in
Samba 4.
The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'domain controller', 'member server' or 'standalone'. Note that
member server support does not work yet.
The following parameters have been removed:
- passdb backend: accounts are now stored in a LDB-based SAM database,
see 'sam database' below.
- update encrypted
- public
- guest ok
- client schannel
- server schannel
- allow trusted domains
- hosts equiv
- map to guest
- smb passwd file
- algorithmic rid base
- root directory
- root dir
- root
- guest account
- enable privileges
- pam password change
- passwd program
- passwd chat debug
- passwd chat timeout
- check password script
- username map
- username level
- unix password sync
- restrict anonymous
- username
- user
- users
- invalid users
- valid users
- admin users
- read list
- write list
- printer admin
- force user
- force group
- group
- write ok
- writeable
- writable
- acl check permissions
- acl group control
- acl map full control
- create mask
- create mode
- force create mode
- security mask
- force security mode
- directory mask
- directory mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- inherit acls
- inherit owner
- guest only
- only guest
- only user
- allow hosts
- deny hosts
- preload modules
- use kerberos keytab
- syslog
- syslog only
- max log size
- debug timestamp
- timestamp logs
- debug hires timestamp
- debug pid
- debug uid
- allocation roundup size
- aio read size
- aio write size
- aio write behind
- large readwrite
- protocol
- read bmpx
- reset on zero vc
- acl compatibility
- defer sharing violations
- ea support
- nt acl support
- nt pipe support
- profile acls
- map acl inherit
- afs share
- max ttl
- client use spnego
- enable asu support
- svcctl list
- block size
- change notify timeout
- deadtime
- getwd cache
- keepalive
- kernel change notify
- lpq cache time
- max smbd processes
- max disk size
- max open files
- min print space
- strict allocate
- sync always
- use mmap
- use sendfile
- hostname lookups
- write cache size
- name cache timeout
- max reported print jobs
- load printers
- printcap cache time
- printcap name
- printcap
- printing
- cups options
- cups server
- iprint server
- print command
- disable spoolss
- enable spoolss
- lpq command
- lprm command
- lppause command
- lpresume command
- queuepause command
- queueresume command
- enumports command
- addprinter command
- deleteprinter command
- show add printer wizard
- os2 driver map
- use client driver
- default devmode
- force printername
- mangling method
- mangle prefix
- default case
- case sensitive
- casesignames
- preserve case
- short preserve case
- mangling char
- hide dot files
- hide special files
- hide unreadable
- hide unwriteable files
- delete veto files
- veto files
- hide files
- veto oplock files
- map readonly
- mangled names
- mangled map
- max stat cache size
- stat cache
- store dos attributes
- machine password timeout
- add user script
- rename user script
- delete user script
- add group script
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- add machine script
- shutdown script
- abort shutdown script
- username map script
- logon script
- logon path
- logon drive
- logon home
- domain logons
- os level
- lm announce
- lm interval
- domain master
- browse list
- enhanced browsing
- wins proxy
- wins hook
- wins partners
- blocking locks
- fake oplocks
- kernel oplocks
- locking
- lock spin count
- lock spin time
- oplocks
- level2 oplocks
- oplock break wait time
- oplock contention limit
- posix locking
- share modes
- ldap server
- ldap port
- ldap admin dn
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap passwd sync
- ldap password sync
- ldap replication sleep
- ldap suffix
- ldap ssl
- ldap timeout
- ldap page size
- ldap user suffix
- add share command
- change share command
- delete share command
- eventlog list
- utmp directory
- wtmp directory
- utmp
- default service
- default
- message command
- dfree cache time
- dfree command
- get quota command
- set quota command
- remote announce
- remote browse sync
- homedir map
- afs username map
- afs token lifetime
- log nt token command
- time offset
- NIS homedir
- preexec
- exec
- preexec close
- postexec
- root preexec
- root preexec close
- root postexec
- set directory
- wide links
- follow symlinks
- dont descend
- magic script
- magic output
- delete readonly
- dos filemode
- dos filetimes
- dos filetime resolution
- fake directory create times
- panic action
- vfs objects
- vfs object
- msdfs root
- msdfs proxy
- host msdfs
- enable rid algorithm
- passdb expand explicit
- idmap backend
- idmap uid
- winbind uid
- idmap gid
- winbind gid
- template homedir
- template shell
- winbind separator
- winbind cache time
- winbind enum users
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
- winbind nss info
The following parameters have been added:
+ rpc big endian (G)
Make Samba fake it is running on a bigendian machine when using DCE/RPC.
Useful for debugging.
Default: no
+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.
Default: no
+ js include (G)
Path to JavaScript library.
Default: Set at compile-time
+ setup directory
Path to data used by provisioning script.
Default: Set at compile-time
+ ncalrpc dir
Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
Default: Set at compile-time
+ ntvfs handler
Backend to the NT VFS to use (more than one can be specified). Available
backends include:
- posix:
Maps POSIX FS semantics to NT semantics
- simple:
Very simple backend (original testing backend).
- unixuid:
Sets up user credentials based on POSIX gid/uid.
- cifs:
Proxies a remote CIFS FS. Mainly useful for testing.
- nbench:
Filter module that saves data useful to the nbench benchmark suite.
- ipc:
Allows using SMB for inter process communication. Only used for
the IPC$ share.
- print:
Allows printing over SMB. This is LANMAN-style printing (?), not
the be confused with the spoolss DCE/RPC interface used by later
versions of Windows.
Default: unixuid default
+ ntptr providor
FIXME
+ dcerpc endpoint servers
What DCE/RPC servers to start.
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup
+ server services
Services Samba should provide.
Default: smb rpc nbt wrepl ldap cldap web kdc
+ sam database
Location of the SAM (account database) database. This should be a
LDB URL.
Default: set at compile-time
+ spoolss database
Spoolss (printer) DCE/RPC server database. This should be a LDB URL.
Default: set at compile-time
+ wins config database
WINS configuration database location. This should be a LDB URL.
Default: set at compile-time
+ wins database
WINS database location. This should be a LDB URL.
Default: set at compile-time
+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotation rather than
looking up the principal itself (cifs/hostname).
Default: false
+ nbt port
TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.
Default: 137
+ dgram port
UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.
Default: 138
+ cldap port
UDP/IP port used by the CLDAP protocol.
Default: 389
+ krb5 port
IP port used by the kerberos KDC.
Default: 88
+ kpasswd port
IP port used by the kerberos password change protocol.
Default: 464
+ web port
TCP/IP port SWAT should listen on.
Default: 901
+ tls enabled
Enable TLS support for SWAT
Default: true
+ tls keyfile
Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.
Default: none
+ tls certfile
Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.
Default: none
+ tls cafile
Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.
Default: none
+ tls crlfile
Path to TLS certificate revocation lists file.
Default: none
+ swat directory
SWAT data directory.
Default: set at compile-time
+ large readwrite
Indicate the CIFS server is able to do large reads/writes.
Default: true
+ unicode
Enable/disable unicode support in the protocol.
Default: true
|