This file aims to document the major changes since the latest released version
of Samba, 3.0. Samba 4.0 contains rewrites of several subsystems
and uses a different internal format for most data. Since this
file is an initial draft, please update missing items.

One of the main goals of Samba 4 was Active Directory Domain Controller
support. This means Samba now implements several protocols that are required
by AD such as Kerberos and DNS.

An (experimental) upgrade script that performs a one-way upgrade
from Samba 3 is available in source/setup/upgrade.

Removal of nmbd and introduction of process models
==================================================
smbd now implements several network protocols other than just CIFS and
DCE/RPC. nmbd's functionality has been merged into smbd. smbd supports
various 'process models' that specify how concurrent connections are
handled (when to fork, use threads, etc).

Samba now stores most of its persistent data in an LDAP-like database
called LDB (see ldb(7) for more info).

Samba4 ships with an integrated KDC (Kerberos Key Distribution
Center). Backed directly onto our main internal database, and
integrated with custom code to handle the PAC, Samba4's KDC is an
integral part of our support for AD logon protocols.

Like the situation with the KDC, Samba4 ships with its own LDAP
server, included to provide simple, built-in LDAP services in an
AD-matching (rather than distinctly standards-matching) manner. The database is
LDB, which it shares with the rest of Samba.

Changed configuration options
=============================
Several configuration options have been removed in Samba4 while others have
been introduced. This section contains a summary of changes to smb.conf and
where these settings moved. Configuration options that have disappeared may be
re-added later when the functionality that uses them gets reimplemented in

The 'security' parameter has been split up. It is now only used to choose
between the 'user' and 'share' security levels (the latter is not supported
in Samba 4 yet). The other values of this option and the 'domain master' and
'domain logons' parameters have been merged into a 'server role' parameter
that can be either 'domain controller', 'member server' or 'standalone'. Note that
member server support does not work yet.

The following parameters have been removed:
- passdb backend: accounts are now stored in an LDB-based SAM database,
  see 'sam database' below.
- allow trusted domains
- algorithmic rid base
- check password script
- acl check permissions
- acl map full control
- force security mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- use kerberos keytab
- debug hires timestamp
- allocation roundup size
- defer sharing violations
- change notify timeout
- kernel change notify
- max reported print jobs
- printcap cache time
- queueresume command
- deleteprinter command
- show add printer wizard
- short preserve case
- hide unwriteable files
- max stat cache size
- store dos attributes
- machine password timeout
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- abort shutdown script
- username map script
- oplock break wait time
- oplock contention limit
- ldap machine suffix
- ldap replication sleep
- change share command
- delete share command
- log nt token command
- dos filetime resolution
- fake directory create times
- enable rid algorithm
- passdb expand explicit
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
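
As an added example (not part of Samba or its upgrade script), the following
Python sketch audits a Samba 3 smb.conf for settings affected by the changes
above. REMOVED is only a subset of the list on this page, and the mapping from
'security' / 'domain logons' to a 'server role' value is an assumption, since
the page does not spell it out; SAMPLE is constructed input.

```python
import re

# Subset of the parameters this page lists as removed (not the complete list).
REMOVED = {"passdb backend", "allow trusted domains", "check password script",
           "use kerberos keytab", "force security mode", "inherit permissions",
           "username map script", "winbind use default domain"}
TRUE_VALUES = {"yes", "true", "1"}  # smb.conf boolean spellings for "on"

def parse(text):
    """Yield (section, name, value); names are lowercased, whitespace collapsed."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section and "=" in line:
            name, value = line.split("=", 1)
            yield section, " ".join(name.lower().split()), value.strip()

def audit(text):
    """Return (suggested 'server role', sorted findings) for a Samba 3 config."""
    entries = list(parse(text))
    g = {n: v.lower() for s, n, v in entries if s == "global"}
    findings = [f"[{s}] removed: {n}" for s, n, _ in entries if n in REMOVED]
    findings += [f"[global] merged into 'server role': {n}"
                 for n in ("domain master", "domain logons") if n in g]
    security = g.get("security", "user")
    # Assumed mapping (not on the page): logons -> DC, domain/ads -> member.
    if g.get("domain logons") in TRUE_VALUES:
        role = "domain controller"
    elif security in ("domain", "ads"):
        role = "member server"
        findings.append("caveat: member server support does not work yet")
    else:
        role = "standalone"
    if security == "share":
        findings.append("caveat: 'share' security level is not supported yet")
    return role, sorted(findings)

# Constructed sample input, not taken from a real deployment.
SAMPLE = """[global]
   security = user
   Domain Logons = Yes
   passdb backend = tdbsam
[homes]
   inherit  permissions = yes"""
```

Calling audit(SAMPLE) returns the suggested role together with one finding per
removed or merged parameter, each prefixed with the section it was found in.
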

The following parameters have been added:

Make Samba pretend it is running on a big-endian machine when using DCE/RPC.
Useful for debugging.

+ case insensitive filesystem (S)
Set to true if this share is located on a case-insensitive filesystem.
This disables looking for a filename by trying all possible combinations of
uppercase/lowercase characters and thus speeds up operations when a
file cannot be found.

Path to JavaScript library.
Default: Set at compile-time

Path to data used by provisioning script.
Default: Set at compile-time

Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.
Default: Set at compile-time

Backend to the NT VFS to use (more than one can be specified). Available
Maps POSIX FS semantics to NT semantics
Very simple backend (original testing backend).
Sets up user credentials based on POSIX gid/uid.
Proxies a remote CIFS FS. Mainly useful for testing.
Filter module that saves data useful to the nbench benchmark suite.
Allows using SMB for inter process communication. Only used for
Allows printing over SMB. This is LANMAN-style printing (?), not
to be confused with the spoolss DCE/RPC interface used by later
Default: unixuid default

+ dcerpc endpoint servers
What DCE/RPC servers to start.
Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

Services Samba should provide.
Default: smb rpc nbt wrepl ldap cldap web kdc

Location of the SAM (account database) database. This should be an
Default: set at compile-time

Spoolss (printer) DCE/RPC server database. This should be an LDB URL.
Default: set at compile-time

+ wins config database
WINS configuration database location. This should be an LDB URL.
Default: set at compile-time

WINS database location. This should be an LDB URL.
Default: set at compile-time

+ client use spnego principal
Tells the client to use the Kerberos service principal specified by the
server during the security protocol negotiation rather than
looking up the principal itself (cifs/hostname).

TCP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

UDP/IP port used by the CLDAP protocol.

IP port used by the Kerberos KDC.

IP port used by the Kerberos password change protocol.

TCP/IP port SWAT should listen on.

Enable TLS support for SWAT

Path to TLS key file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a key.

Path to TLS certificate file (PEM format) to be used by SWAT. If no
path is specified, Samba will create a certificate.

Path to CA authority file Samba will use to sign TLS keys it generates. If
no path is specified, Samba will create a self-signed CA certificate.

Path to TLS certificate revocation lists file.

Default: set at compile-time

Indicate the CIFS server is able to do large reads/writes.

Enable/disable unicode support in the protocol.