1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter�10.�Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id2578591">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id2578603">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id2578662">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2578974">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579095">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579156">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2579276">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></div><p>
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter�10.�Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter�9.�Important and Critical Change Notes for the Samba 3.x Series</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id2584662">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id2584674">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id2584733">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2585045">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2585166">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2585226">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id2585347">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></div><p>
2
2
Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical
3
3
or very important information here. Comprehensive change notes and guidance information can be found in the
4
4
section <a class="link" href="upgrading-to-3.0.html" title="Chapter�35.�Updating and Upgrading Samba">Updating and Upgrading Samba</a>.
5
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578591"></a>Important Samba-3.2.x Change Notes</h2></div></div></div><p>
5
</p><div class="sect1" title="Important Samba-3.2.x Change Notes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2584662"></a>Important Samba-3.2.x Change Notes</h2></div></div></div><p>
6
6
!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!
7
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578603"></a>Important Samba-3.0.x Change Notes</h2></div></div></div><p>
7
</p></div><div class="sect1" title="Important Samba-3.0.x Change Notes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2584674"></a>Important Samba-3.0.x Change Notes</h2></div></div></div><p>
8
8
These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25
9
9
update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are
10
10
documented in this documention - See <a class="link" href="upgrading-to-3.0.html#oldupdatenotes" title="Upgrading from Samba-2.x to Samba-3.0.25">Upgrading from Samba-2.x to Samba-3.0.25</a>.
22
22
This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided
23
23
in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball.
24
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578662"></a>User and Group Changes</h3></div></div></div><p>
24
</p><div class="sect2" title="User and Group Changes"><div class="titlepage"><div><div><h3 class="title"><a name="id2584733"></a>User and Group Changes</h3></div></div></div><p>
25
25
The change documented here affects unmapped user and group accounts only.
27
<a class="indexterm" name="id2578675"></a>
28
<a class="indexterm" name="id2578682"></a>
29
<a class="indexterm" name="id2578688"></a>
30
<a class="indexterm" name="id2578698"></a>
31
<a class="indexterm" name="id2578706"></a>
27
<a class="indexterm" name="id2584746"></a>
28
<a class="indexterm" name="id2584752"></a>
29
<a class="indexterm" name="id2584759"></a>
30
<a class="indexterm" name="id2584768"></a>
31
<a class="indexterm" name="id2584777"></a>
32
32
The user and group internal management routines have been rewritten to prevent overlaps of
33
33
assigned Relative Identifiers (RIDs). In the past the has been a potential problem when
34
34
either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or
35
35
when migrating a Windows domain to a Samba domain by executing:
36
36
<code class="literal">net rpc vampire</code>.
38
<a class="indexterm" name="id2578738"></a>
39
<a class="indexterm" name="id2578744"></a>
40
<a class="indexterm" name="id2578751"></a>
41
<a class="indexterm" name="id2578757"></a>
38
<a class="indexterm" name="id2584809"></a>
39
<a class="indexterm" name="id2584815"></a>
40
<a class="indexterm" name="id2584822"></a>
41
<a class="indexterm" name="id2584828"></a>
42
42
Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped
43
43
groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain. Previously they were
44
44
assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the
45
45
authority of the domain SID where as on a member server or standalone server, this would have
46
46
been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>).
48
<a class="indexterm" name="id2578794"></a>
49
<a class="indexterm" name="id2578801"></a>
50
<a class="indexterm" name="id2578808"></a>
51
<a class="indexterm" name="id2578815"></a>
52
<a class="indexterm" name="id2578822"></a>
48
<a class="indexterm" name="id2584865"></a>
49
<a class="indexterm" name="id2584872"></a>
50
<a class="indexterm" name="id2584879"></a>
51
<a class="indexterm" name="id2584886"></a>
52
<a class="indexterm" name="id2584892"></a>
53
53
The result is that any unmapped users or groups on an upgraded Samba domain controller may
54
54
be assigned a new SID. Because the SID rather than a name is stored in Windows security
55
55
descriptors, this can cause a user to no longer have access to a resource for example if a
60
60
An example helps to illustrate the change:
62
<a class="indexterm" name="id2578844"></a>
63
<a class="indexterm" name="id2578851"></a>
64
<a class="indexterm" name="id2578857"></a>
65
<a class="indexterm" name="id2578864"></a>
62
<a class="indexterm" name="id2584915"></a>
63
<a class="indexterm" name="id2584922"></a>
64
<a class="indexterm" name="id2584928"></a>
65
<a class="indexterm" name="id2584935"></a>
66
66
Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this
67
67
case this group does not exist in Samba's group mapping table. It would be perfectly normal for
68
68
this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as
69
69
<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>.
71
<a class="indexterm" name="id2578888"></a>
72
<a class="indexterm" name="id2578895"></a>
73
<a class="indexterm" name="id2578901"></a>
74
<a class="indexterm" name="id2578908"></a>
71
<a class="indexterm" name="id2584959"></a>
72
<a class="indexterm" name="id2584965"></a>
73
<a class="indexterm" name="id2584972"></a>
74
<a class="indexterm" name="id2584979"></a>
75
75
With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>. Any
76
76
security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based
77
77
on the group permissions if the user was not a member of the
79
79
<code class="literal">S-1-22-2-782</code> and not reported in a user's token, Windows would fail the authorization check
80
80
even though both SIDs in some respect refer to the same UNIX group.
82
<a class="indexterm" name="id2578944"></a>
83
<a class="indexterm" name="id2578951"></a>
82
<a class="indexterm" name="id2585015"></a>
83
<a class="indexterm" name="id2585022"></a>
84
84
The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping
85
85
entry for the group <span class="emphasis"><em>developers</em></span> to point at the
86
86
<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this
87
87
workaround is no longer needed.
88
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2578974"></a>Essential Group Mappings</h3></div></div></div><p>
88
</p></div><div class="sect2" title="Essential Group Mappings"><div class="titlepage"><div><div><h3 class="title"><a name="id2585045"></a>Essential Group Mappings</h3></div></div></div><p>
89
89
Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows
90
90
domain groups <code class="literal">Domain Admins, Domain Users, Domain Guests</code>. Commencing with Samba 3.0.23
91
91
these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to
92
92
correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto
93
93
the Windows client.
94
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
94
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
95
95
Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not
96
96
require these group mappings.
103
103
For further information regarding group mappings see <a class="link" href="groupmapping.html" title="Chapter�12.�Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows
105
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579095"></a>Passdb Changes</h3></div></div></div><p>
106
<a class="indexterm" name="id2579103"></a>
107
<a class="indexterm" name="id2579110"></a>
108
<a class="indexterm" name="id2579116"></a>
109
<a class="indexterm" name="id2579123"></a>
105
</p></div><div class="sect2" title="Passdb Changes"><div class="titlepage"><div><div><h3 class="title"><a name="id2585166"></a>Passdb Changes</h3></div></div></div><p>
106
<a class="indexterm" name="id2585174"></a>
107
<a class="indexterm" name="id2585180"></a>
108
<a class="indexterm" name="id2585187"></a>
109
<a class="indexterm" name="id2585194"></a>
110
110
The <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a> parameter no longer accepts multiple passdb backends in a
111
111
chained configuration. Also be aware that the SQL and XML based passdb modules have been
112
112
removed in the Samba-3.0.23 release. More information regarding external support for a SQL
113
113
passdb module can be found on the <a class="ulink" href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site.
114
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579156"></a>Group Mapping Changes in Samba-3.0.23</h3></div></div></div><p>
115
<a class="indexterm" name="id2579163"></a>
116
<a class="indexterm" name="id2579170"></a>
117
<a class="indexterm" name="id2579177"></a>
118
<a class="indexterm" name="id2579184"></a>
119
<a class="indexterm" name="id2579191"></a>
120
<a class="indexterm" name="id2579198"></a>
121
<a class="indexterm" name="id2579204"></a>
122
<a class="indexterm" name="id2579211"></a>
123
<a class="indexterm" name="id2579218"></a>
124
<a class="indexterm" name="id2579224"></a>
125
<a class="indexterm" name="id2579231"></a>
114
</p></div><div class="sect2" title="Group Mapping Changes in Samba-3.0.23"><div class="titlepage"><div><div><h3 class="title"><a name="id2585226"></a>Group Mapping Changes in Samba-3.0.23</h3></div></div></div><p>
115
<a class="indexterm" name="id2585234"></a>
116
<a class="indexterm" name="id2585241"></a>
117
<a class="indexterm" name="id2585248"></a>
118
<a class="indexterm" name="id2585255"></a>
119
<a class="indexterm" name="id2585261"></a>
120
<a class="indexterm" name="id2585268"></a>
121
<a class="indexterm" name="id2585275"></a>
122
<a class="indexterm" name="id2585282"></a>
123
<a class="indexterm" name="id2585288"></a>
124
<a class="indexterm" name="id2585295"></a>
125
<a class="indexterm" name="id2585302"></a>
126
126
The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer
127
127
created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb
128
128
backend. This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code>
129
129
to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the
130
130
Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality
131
131
for domain groups.
132
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579276"></a>LDAP Changes in Samba-3.0.23</h3></div></div></div><p>
133
<a class="indexterm" name="id2579284"></a>
134
<a class="indexterm" name="id2579291"></a>
135
<a class="indexterm" name="id2579298"></a>
136
<a class="indexterm" name="id2579305"></a>
137
<a class="indexterm" name="id2579312"></a>
132
</p></div><div class="sect2" title="LDAP Changes in Samba-3.0.23"><div class="titlepage"><div><div><h3 class="title"><a name="id2585347"></a>LDAP Changes in Samba-3.0.23</h3></div></div></div><p>
133
<a class="indexterm" name="id2585355"></a>
134
<a class="indexterm" name="id2585362"></a>
135
<a class="indexterm" name="id2585369"></a>
136
<a class="indexterm" name="id2585376"></a>
137
<a class="indexterm" name="id2585382"></a>
138
138
There has been a minor update the Samba LDAP schema file. A substring matching rule has been
139
139
added to the <code class="literal">sambaSID</code> attribute definition. For OpenLDAP servers, this
140
140
will require the addition of <code class="literal">index sambaSID sub</code> to the
added
removed
docs/htmldocs/Samba3-HOWTO/ChangeNotes.html
