<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter&nbsp;9.&nbsp;Important and Critical Change Notes for the Samba 3.x Series</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part&nbsp;III.&nbsp;Advanced Configuration"><link rel="prev" href="optional.html" title="Part&nbsp;III.&nbsp;Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter&nbsp;10.&nbsp;Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;9.&nbsp;Important and Critical Change Notes for the Samba 3.x Series</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;III.&nbsp;Advanced Configuration</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter&nbsp;9.&nbsp;Important and Critical Change Notes for the Samba 3.x Series</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div 
class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id2578591">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id2578602">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id2578661">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2578973">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579095">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579155">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579275">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></div><p>
Please read this chapter carefully before updating or upgrading Samba.  You should expect to find only critical
or very important information here. Comprehensive change notes and guidance information can be found in the
section <a class="link" href="upgrading-to-3.0.html" title="Chapter&nbsp;35.&nbsp;Updating and Upgrading Samba">Updating and Upgrading Samba</a>.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578591"></a>Important Samba-3.2.x Change Notes</h2></div></div></div><p>
!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578602"></a>Important Samba-3.0.x Change Notes</h2></div></div></div><p>
The following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25
update).  Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are
documented in this documentation; see <a class="link" href="upgrading-to-3.0.html#oldupdatenotes" title="Upgrading from Samba-2.x to Samba-3.0.25">Upgrading from Samba-2.x to Samba-3.0.25</a>.
</p><p>
Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to
reflect the impact of new or modified features. At other times it becomes clear that the documentation is in
need of being restructured.
</p><p>
In recent times a group of Samba users has joined the thrust to create a new <a class="ulink" href="http://wiki.samba.org/" target="_top">Samba Wiki</a> that is slated to become the all-singing and all-dancing
new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and
thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to
continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until
such time as the body of this HOWTO is restructured or modified.
</p><p>
This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided
in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578661"></a>User and Group Changes</h3></div></div></div><p>
The change documented here affects unmapped user and group accounts only.
</p><p>
<a class="indexterm" name="id2578674"></a>
<a class="indexterm" name="id2578681"></a>
<a class="indexterm" name="id2578688"></a>
<a class="indexterm" name="id2578697"></a>
<a class="indexterm" name="id2578706"></a>
The user and group internal management routines have been rewritten to prevent overlaps of
assigned Relative Identifiers (RIDs).  In the past this has been a potential problem when
either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or
when migrating a Windows domain to a Samba domain by executing:
<code class="literal">net rpc vampire</code>.
</p><p>
<a class="indexterm" name="id2578737"></a>
<a class="indexterm" name="id2578744"></a>
<a class="indexterm" name="id2578750"></a>
<a class="indexterm" name="id2578757"></a>
Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped
groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain.  Previously they were
assigned a RID within the SAM on the Samba server.  For a domain controller this would have been under the
authority of the domain SID, whereas on a member server or standalone server this would have
been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>).
</p><p>
<a class="indexterm" name="id2578794"></a>
<a class="indexterm" name="id2578800"></a>
<a class="indexterm" name="id2578807"></a>
<a class="indexterm" name="id2578814"></a>
<a class="indexterm" name="id2578821"></a>
The result is that any unmapped users or groups on an upgraded Samba domain controller may
be assigned a new SID.  Because the SID rather than a name is stored in Windows security
descriptors, this can cause a user to no longer have access to a resource, for example, if a
file was copied from a Samba file server to a local Windows client NTFS partition.  Any files
stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX
GID and not the SID for authorization checks.
</p><p>
An example helps to illustrate the change:
</p><p>
<a class="indexterm" name="id2578843"></a>
<a class="indexterm" name="id2578850"></a>
<a class="indexterm" name="id2578857"></a>
<a class="indexterm" name="id2578863"></a>
Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this
case this group does not exist in Samba's group mapping table. It would be perfectly normal for
this group to appear in an ACL editor.  Prior to Samba-3.0.23, the group SID might appear as
<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>.
</p><p>
<a class="indexterm" name="id2578887"></a>
<a class="indexterm" name="id2578894"></a>
<a class="indexterm" name="id2578901"></a>
<a class="indexterm" name="id2578907"></a>
With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>.  Any
security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based
on the group permissions if the user was not a member of the
<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> group.  Because this group SID is
<code class="literal">S-1-22-2-782</code> and not reported in a user's token, Windows would fail the authorization check
even though both SIDs in some respect refer to the same UNIX group.
</p><p>
<a class="indexterm" name="id2578944"></a>
<a class="indexterm" name="id2578950"></a>
The workaround for versions of Samba prior to 3.0.23 is to create a manual domain group mapping
entry for the group <span class="emphasis"><em>developers</em></span> to point at the
<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this
workaround is no longer needed.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578973"></a>Essential Group Mappings</h3></div></div></div><p>
Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows
domain groups <code class="literal">Domain Admins, Domain Users, Domain Guests</code>. Commencing with Samba 3.0.23
these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to
correctly authenticate and recognize valid domain users. When this happens users will not be able to log onto
the Windows client.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Group mappings are essential only if the Samba server is running as a PDC/BDC. Stand-alone servers do not
require these group mappings.
</p></div><p>
The following mappings are required:
</p><div class="table"><a name="TOSH-domgroups"></a><p class="title"><b>Table&nbsp;9.1.&nbsp;Essential Domain Group Mappings</b></p><div class="table-contents"><table summary="Essential Domain Group Mappings" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Domain Group</th><th align="center">RID</th><th align="center">Example UNIX Group</th></tr></thead><tbody><tr><td align="center">Domain Admins</td><td align="center">512</td><td align="center">root</td></tr><tr><td align="center">Domain Users</td><td align="center">513</td><td align="center">users</td></tr><tr><td align="center">Domain Guests</td><td align="center">514</td><td align="center">nobody</td></tr></tbody></table></div></div><br class="table-break"><p>
When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these <code class="literal">domadmins, domusers,
domguests</code> respectively.
</p><p>
For further information regarding group mappings see <a class="link" href="groupmapping.html" title="Chapter&nbsp;12.&nbsp;Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows
and UNIX</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579095"></a>Passdb Changes</h3></div></div></div><p>
<a class="indexterm" name="id2579102"></a>
<a class="indexterm" name="id2579109"></a>
<a class="indexterm" name="id2579115"></a>
<a class="indexterm" name="id2579122"></a>
The <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a> parameter no longer accepts multiple passdb backends in a
chained configuration.  Also be aware that the SQL and XML based passdb modules have been
removed in the Samba-3.0.23 release.  More information regarding external support for a SQL
passdb module can be found on the <a class="ulink" href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579155"></a>Group Mapping Changes in Samba-3.0.23</h3></div></div></div><p>
<a class="indexterm" name="id2579162"></a>
<a class="indexterm" name="id2579169"></a>
<a class="indexterm" name="id2579176"></a>
<a class="indexterm" name="id2579183"></a>
<a class="indexterm" name="id2579190"></a>
<a class="indexterm" name="id2579197"></a>
<a class="indexterm" name="id2579204"></a>
<a class="indexterm" name="id2579210"></a>
<a class="indexterm" name="id2579217"></a>
<a class="indexterm" name="id2579224"></a>
<a class="indexterm" name="id2579230"></a>
The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer
created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb
backend.  This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code>
command to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the
Windows group SID to UNIX GID mappings.  This change has no effect on winbindd's IDMAP functionality
for domain groups.
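</p><p>
A post-upgrade check for the essential mappings described in the two sections above, as an added example that is not part of the Samba HOWTO: the function reads <code class="literal">net groupmap list</code> output and prints the <code class="literal">net groupmap add</code> command for each essential domain group (RIDs 512 to 514) that has no mapping under the given domain SID. The function name, the sample listing and the stale SID in it are constructed assumptions; the domain SID prefix is taken from this chapter's example SID and the UNIX group names from Table 9.1.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO). Reads `net groupmap list`
# output on stdin and prints a `net groupmap add` command for every
# essential domain group that is not mapped under the domain SID in $1.
# The function name and the sample data below are hypothetical.
missing_essential_mappings() {
    awk -v dom="$1" '
    BEGIN {
        # RID to Windows group and example UNIX group (Table 9.1)
        nt[512] = "Domain Admins"; ux[512] = "root"
        nt[513] = "Domain Users";  ux[513] = "users"
        nt[514] = "Domain Guests"; ux[514] = "nobody"
    }
    {
        # A listing line looks like: NT group (SID) -> unixgroup
        # Only a SID made of the expected domain SID plus the RID counts.
        for (rid = 512; rid <= 514; rid++)
            if (index($0, "(" dom "-" rid ")") > 0)
                mapped[rid] = 1
    }
    END {
        for (rid = 512; rid <= 514; rid++)
            if (!(rid in mapped))
                printf "net groupmap add ntgroup=\"%s\" unixgroup=%s rid=%d type=domain\n", nt[rid], ux[rid], rid
    }'
}

# Constructed sample listing: Domain Admins is mapped, Domain Users is
# mapped only under a different (stale) domain SID, Domain Guests is absent.
DOMAIN_SID="S-1-5-21-647511796-4126122067-3123570092"
SAMPLE="Domain Admins ($DOMAIN_SID-512) -> root
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
developers ($DOMAIN_SID-2565) -> developers"

printf '%s\n' "$SAMPLE" | missing_essential_mappings "$DOMAIN_SID"
```

On a PDC or BDC, pipe the real <code class="literal">net groupmap list</code> output into the function with the domain SID reported by <code class="literal">net getlocalsid</code>, and review the printed commands before running them.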
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579275"></a>LDAP Changes in Samba-3.0.23</h3></div></div></div><p>
<a class="indexterm" name="id2579284"></a>
<a class="indexterm" name="id2579290"></a>
<a class="indexterm" name="id2579297"></a>
<a class="indexterm" name="id2579304"></a>
<a class="indexterm" name="id2579311"></a>
There has been a minor update to the Samba LDAP schema file. A substring matching rule has been
added to the <code class="literal">sambaSID</code> attribute definition.  For OpenLDAP servers, this
will require the addition of <code class="literal">index sambaSID sub</code> to the
<code class="filename">slapd.conf</code> configuration file.  It will be necessary to execute the
<code class="literal">slapindex</code> command after making this change. There has been no change to the
actual data storage schema.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part&nbsp;III.&nbsp;Advanced Configuration&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;10.&nbsp;Network Browsing</td></tr></table></div></body></html>