This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Introduction of LDB
===================
Samba now stores most of its persistent data in a LDAP-like database
called LDB (see ldb(7) for more info).

Removed SWAT
============
Unlike previous versions, Samba4 does not provide a web interface at this time.

Built-in KDC
============
Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Built-in LDAP Server
====================
Like the situation with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in an
AD-matching (rather than strictly standards-matching) manner. The database is
LDB, and it shares that in common with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in
Samba 4.

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'domain controller', 'member server' or 'standalone'. Note that
member server support does not work yet.

The following parameters have been removed:
- passdb backend: accounts are now stored in a LDB-based SAM database,
  see 'sam database' below.
- update encrypted
- public
- guest ok
- client schannel
- server schannel
- allow trusted domains
- hosts equiv
- map to guest
- smb passwd file
- algorithmic rid base
- root directory
- root dir
- root
- guest account
- enable privileges
- pam password change
- passwd program
- passwd chat debug
- passwd chat timeout
- check password script
- username map
- username level
- unix password sync
- restrict anonymous
- username
- user
- users
- invalid users
- valid users
- admin users
- read list
- write list
- printer admin
- force user
- force group
- group
- write ok
- writeable
- writable
- acl check permissions
- acl group control
- acl map full control
- create mask
- create mode
- force create mode
- security mask
- force security mode
- directory mask
- directory mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- inherit acls
- inherit owner
- guest only
- only guest
- only user
- allow hosts
- deny hosts
- preload modules
- use kerberos keytab
- syslog
- syslog only
- max log size
- debug timestamp
- timestamp logs
- debug hires timestamp
- debug pid
- debug uid
- allocation roundup size
- aio read size
- aio write size
- aio write behind
- large readwrite
- protocol
- read bmpx
- reset on zero vc
- acl compatibility
- defer sharing violations
- ea support
- nt acl support
- nt pipe support
- profile acls
- map acl inherit
- afs share
- max ttl
- client use spnego
- enable asu support
- svcctl list
- block size
- change notify timeout
- deadtime
- getwd cache
- keepalive
- kernel change notify
- lpq cache time
- max smbd processes
- max disk size
- max open files
- min print space
- strict allocate
- sync always
- use mmap
- use sendfile
- hostname lookups
- write cache size
- name cache timeout
- max reported print jobs
- load printers
- printcap cache time
- printcap name
- printcap
- printing
- cups options
- cups server
- iprint server
- print command
- disable spoolss
- enable spoolss
- lpq command
- lprm command
- lppause command
- lpresume command
- queuepause command
- queueresume command
- enumports command
- addprinter command
- deleteprinter command
- show add printer wizard
- os2 driver map
- use client driver
- default devmode
- force printername
- mangling method
- mangle prefix
- default case
- case sensitive
- casesignames
- preserve case
- short preserve case
- mangling char
- hide dot files
- hide special files
- hide unreadable
- hide unwriteable files
- delete veto files
- veto files
- hide files
- veto oplock files
- map readonly
- mangled names
- mangled map
- max stat cache size
- stat cache
- store dos attributes
- machine password timeout
- add user script
- rename user script
- delete user script
- add group script
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- add machine script
- shutdown script
- abort shutdown script
- username map script
- logon script
- logon path
- logon drive
- logon home
- domain logons
- os level
- lm announce
- lm interval
- domain master
- browse list
- enhanced browsing
- wins proxy
- wins hook
- wins partners
- blocking locks
- fake oplocks
- kernel oplocks
- locking
- lock spin count
- lock spin time
- level2 oplocks
- oplock break wait time
- oplock contention limit
- posix locking
- share modes
- ldap server
- ldap port
- ldap admin dn
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap passwd sync
- ldap password sync
- ldap replication sleep
- ldap suffix
- ldap ssl
- ldap timeout
- ldap page size
- ldap user suffix
- add share command
- change share command
- delete share command
- eventlog list
- utmp directory
- wtmp directory
- utmp
- default service
- default
- message command
- dfree cache time
- dfree command
- get quota command
- set quota command
- remote announce
- remote browse sync
- homedir map
- afs username map
- afs token lifetime
- log nt token command
- time offset
- NIS homedir
- preexec
- exec
- preexec close
- postexec
- root preexec
- root preexec close
- root postexec
- set directory
- wide links
- follow symlinks
- dont descend
- magic script
- magic output
- delete readonly
- dos filemode
- dos filetimes
- dos filetime resolution
- fake directory create times
- panic action
- vfs objects
- vfs object
- msdfs root
- msdfs proxy
- host msdfs
- enable rid algorithm
- passdb expand explicit
- idmap backend
- idmap uid
- winbind uid
- idmap gid
- winbind gid
- template homedir
- template shell
- winbind separator
- winbind cache time
- winbind enum users
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
- winbind nss info

The following parameters have been added:
+ rpc big endian (G)
  Make Samba fake it is running on a big-endian machine when using DCE/RPC.
  Useful for debugging.

  Default: no

+ case insensitive filesystem (S)
  Set to true if this share is located on a case-insensitive filesystem.
  This disables looking for a filename by trying all possible combinations of
  uppercase/lowercase characters and thus speeds up operations when a
  file cannot be found.

  Default: no

+ setup directory
  Path to data used by provisioning script.

  Default: Set at compile-time

+ ncalrpc dir
  Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

  Default: Set at compile-time

+ ntvfs handler
  Backend to the NT VFS to use (more than one can be specified). Available
  backends include:

  - posix:
    Maps POSIX FS semantics to NT semantics

  - simple:
    Very simple backend (original testing backend).

  - unixuid:
    Sets up user credentials based on POSIX gid/uid.

  - cifs:
    Proxies a remote CIFS FS. Mainly useful for testing.

  - nbench:
    Filter module that saves data useful to the nbench benchmark suite.

  - ipc:
    Allows using SMB for inter process communication. Only used for
    the IPC$ share.

  - print:
    Allows printing over SMB. This is LANMAN-style printing (?), not
    to be confused with the spoolss DCE/RPC interface used by later
    versions of Windows.

  Default: unixuid default

+ ntptr providor
  FIXME

+ dcerpc endpoint servers
  What DCE/RPC servers to start.

  Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

+ server services
  Services Samba should provide.

  Default: smb rpc nbt wrepl ldap cldap web kdc

+ sam database
  Location of the SAM (account database) database. This should be a
  LDB URL.

  Default: set at compile-time

+ spoolss database
  Spoolss (printer) DCE/RPC server database. This should be a LDB URL.

  Default: set at compile-time

+ wins config database
  WINS configuration database location. This should be a LDB URL.

  Default: set at compile-time

+ wins database
  WINS database location. This should be a LDB URL.

  Default: set at compile-time

+ client use spnego principal
  Tells the client to use the Kerberos service principal specified by the
  server during the security protocol negotiation rather than
  looking up the principal itself (cifs/hostname).

  Default: false

+ nbt port
  TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.

  Default: 137

+ dgram port
  UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

  Default: 138

+ cldap port
  UDP/IP port used by the CLDAP protocol.

  Default: 389

+ krb5 port
  IP port used by the kerberos KDC.

  Default: 88

+ kpasswd port
  IP port used by the kerberos password change protocol.

  Default: 464

+ web port
  TCP/IP port SWAT should listen on.

  Default: 901

+ tls enabled
  Enable TLS support for SWAT

  Default: true

+ tls keyfile
  Path to TLS key file (PEM format) to be used by SWAT. If no
  path is specified, Samba will create a key.

  Default: none

+ tls certfile
  Path to TLS certificate file (PEM format) to be used by SWAT. If no
  path is specified, Samba will create a certificate.

  Default: none

+ tls cafile
  Path to CA authority file Samba will use to sign TLS keys it generates. If
  no path is specified, Samba will create a self-signed CA certificate.

  Default: none

+ tls crlfile
  Path to TLS certificate revocation lists file.

  Default: none

+ swat directory
  SWAT data directory.

  Default: set at compile-time

+ large readwrite
  Indicate the CIFS server is able to do large reads/writes.

  Default: true

+ unicode
  Enable/disable unicode support in the protocol.

  Default: true
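A practical way to use the lists above is to audit an existing Samba 3 smb.conf before an upgrade: the 'security' split and the merge of 'domain master' / 'domain logons' into 'server role' are the settings most likely to silently change behaviour, and a removed share-level option such as 'valid users' or 'writeable' would simply stop being enforced. The script below is an added example, not part of Samba or of this file; its REMOVED set is a hand-picked subset of the removed-parameter list above (extend it from that list), the advice strings are its own wording, and the sample smb.conf is constructed for the demonstration.

```python
"""Audit a Samba 3 smb.conf for settings that Samba 4 removed or reorganised.

Added example, not Samba project code. REMOVED is a subset of the removed
parameters listed in the NEWS file above; extend it from that list.
"""
import configparser
import re

# Hand-picked subset of the parameters the NEWS file lists as removed.
REMOVED = {
    "passdb backend", "smb passwd file", "guest ok", "public", "map to guest",
    "valid users", "invalid users", "admin users", "write list", "read list",
    "force user", "force group", "writeable", "writable", "write ok",
    "create mask", "directory mask", "wide links", "follow symlinks",
    "vfs objects", "ldap suffix", "ldap admin dn", "idmap backend",
    "winbind separator", "syslog", "max log size", "hosts equiv",
}
# These two were merged into the new 'server role' parameter.
MERGED_INTO_SERVER_ROLE = {"domain master", "domain logons"}
# 'security' keeps only these two values; every other value moved to 'server role'.
SECURITY_KEPT = {"user", "share"}


def _normalise(name: str) -> str:
    """Samba parameter names are case-insensitive and tolerate extra spaces."""
    return re.sub(r"\s+", " ", name.strip().lower())


def audit_smbconf(text: str) -> list[tuple[str, str, str]]:
    """Return (section, parameter, advice) for each setting that will not
    carry over unchanged to Samba 4. An empty list means nothing to migrate."""
    parser = configparser.ConfigParser(
        strict=False,            # smb.conf tolerates repeated keys (last one wins)
        interpolation=None,      # keep Samba's %v / %S macros literal
        delimiters=("=",),       # smb.conf uses '=' only, never ':'
    )
    parser.optionxform = _normalise
    # smb.conf files are indented freely; strip each line so configparser
    # never mistakes an indented parameter for a multi-line continuation.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))

    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if key == "security" and value.lower() not in SECURITY_KEPT:
                findings.append((section, key,
                    f"value '{value}' is gone; pick a 'server role' of "
                    "domain controller, member server or standalone"))
            elif key in MERGED_INTO_SERVER_ROLE:
                findings.append((section, key, "merged into 'server role'"))
            elif key == "passdb backend":
                findings.append((section, key,
                    "removed; accounts now live in the LDB SAM ('sam database')"))
            elif key in REMOVED:
                findings.append((section, key, "removed in Samba 4"))
    return findings


# Constructed sample of a typical Samba 3 configuration (not a real site's file).
SAMPLE_SMBCONF = """\
[global]
   workgroup = EXAMPLE
   server string = Samba %v
   security = domain
   domain logons = yes
   passdb backend = tdbsam
   smb passwd file = /etc/samba/smbpasswd
   max log size = 50

[homes]
   browseable = no
   writeable = yes
   valid users = %S
"""

if __name__ == "__main__":
    for section, key, advice in audit_smbconf(SAMPLE_SMBCONF):
        print(f"[{section}] {key}: {advice}")
```

Run against the constructed sample it reports seven settings: the 'security = domain' value and 'domain logons' in [global], which now have to be expressed through 'server role', plus 'passdb backend', 'smb passwd file', 'max log size', and the share-level 'writeable' and 'valid users', which Samba 4 no longer reads at all. Feed it a real file with `audit_smbconf(open("/etc/samba/smb.conf").read())`; the important review item is any share whose access restrictions came only from removed parameters.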