Chapter 33. Upgrading from Samba-2.x to Samba-3.0.20

Jelmer R. Vernooij

The Samba Team

John H. Terpstra

Samba Team

Gerald (Jerry) Carter

Samba Team

June 30, 2003

Table of Contents

Quick Migration Guide
New Features in Samba-3
Configuration Parameter Changes
Removed Parameters
New Parameters
Modified Parameters (Changes in Behavior):
New Functionality
Databases
Changes in Behavior
Passdb Backends and Authentication
LDAP

This chapter deals exclusively with the differences between Samba-3.0.20 and Samba-2.2.8a. It points out where configuration parameters have changed, and provides a simple guide for the move from 2.2.x to 3.0.20.

Quick Migration Guide

Samba-3.0.20 default behavior should be approximately the same as Samba-2.2.x. The default behavior when the new parameter passdb backend is not defined in the smb.conf file provides the same default behavior as Samba-2.2.x with encrypt passwords = Yes, and will use the smbpasswd database.

So why say that behavior should be approximately the same as Samba-2.2.x? Because Samba-3.0.20 can negotiate new protocols, such as support for native Unicode, that may result in differing protocol code paths being taken. The new behavior under such circumstances is not exactly the same as the old one. The good news is that the domain and machine SIDs will be preserved across the upgrade.

If the Samba-2.2.x system was using an LDAP backend, and there is no time to update the LDAP database, then make sure that passdb backend = ldapsam_compat is specified in the smb.conf file. For the rest, behavior should remain more or less the same. At a later date, when there is time to implement a new Samba-3 compatible LDAP backend, it is possible to migrate the old LDAP database to the new one through use of the pdbedit. See The pdbedit Command.

New Features in Samba-3

The major new features are:

  1. Active Directory support. This release is able to join an ADS realm as a member server and authenticate users using LDAP/Kerberos.

  2. Unicode support. Samba will now negotiate Unicode on the wire and internally there is a much better infrastructure for multi-byte and Unicode character sets.

  3. New authentication system. The internal authentication system has been almost completely rewritten. Most of the changes are internal, but the new authoring system is also very configurable.

  4. New filename mangling system. The filename mangling system has been completely rewritten. An internal database now stores mangling maps persistently.

  5. New “net” command. A new “net” command has been added. It is somewhat similar to the “net” command in Windows. Eventually, we plan to replace a bunch of other utilities (such as smbpasswd) with subcommands in “net”.

  6. Samba now negotiates NT-style status32 codes on the wire. This considerably improves error handling.

  7. Better Windows 200x/XP printing support including publishing printer attributes in Active Directory.

  8. New loadable RPC modules for passdb backends and character sets.

  9. New default dual-daemon winbindd support for better performance.

  10. Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs.

  11. Support for establishing trust relationships with Windows NT 4.0 Domain Controllers.

  12. Initial support for a distributed Winbind architecture using an LDAP directory for storing SID to UID/GID mappings.

  13. Major updates to the Samba documentation tree.

  14. Full support for client and server SMB signing to ensure compatibility with default Windows 2003 security settings.

Plus lots of other improvements!

Configuration Parameter Changes

This section contains a brief listing of changes to smb.conf options in the 3.0.20 release. Please refer to the smb.conf(5) man page for complete descriptions of new or modified parameters.

Removed Parameters

(Ordered Alphabetically):

  • admin log

  • alternate permissions

  • character set

  • client codepage

  • code page directory

  • coding system

  • domain admin group

  • domain guest group

  • force unknown acl user

  • nt smb support

  • post script

  • printer driver

  • printer driver file

  • printer driver location

  • status

  • strip dot

  • total print jobs

  • use rhosts

  • valid chars

  • vfs options

New Parameters

(New parameters have been grouped by function):

Remote Management

  • abort shutdown script

  • shutdown script

User and Group Account Management:

  • add group script

  • add machine script

  • add user to group script

  • algorithmic rid base

  • delete group script

  • delete user from group script

  • passdb backend

  • set primary group script

Authentication:

  • auth methods

  • realm

Protocol Options:

  • client lanman auth

  • client NTLMv2 auth

  • client schannel

  • client signing

  • client use spnego

  • disable netbios

  • ntlm auth

  • paranoid server security

  • server schannel

  • server signing

  • smb ports

  • use spnego

File Service:

  • get quota command

  • hide special files

  • hide unwriteable files

  • hostname lookups

  • kernel change notify

  • mangle prefix

  • map acl inherit

  • msdfs proxy

  • set quota command

  • use sendfile

  • vfs objects

Printing:

  • max reported print jobs

Unicode and Character Sets:

  • display charset

  • dos charset

  • unicode

  • UNIX charset

SID to UID/GID Mappings:

  • idmap backend

  • idmap gid

  • idmap uid

  • winbind enable local accounts

  • winbind trusted domains only

  • template primary group

  • enable rid algorithm

LDAP:

  • ldap delete dn

  • ldap group suffix

  • ldap idmap suffix

  • ldap machine suffix

  • ldap passwd sync

  • ldap user suffix

General Configuration:

  • preload modules

  • privatedir

Modified Parameters (Changes in Behavior):

  • encrypt passwords (enabled by default)

  • mangling method (set to hash2 by default)

  • passwd chat

  • passwd program

  • password server

  • restrict anonymous (integer value)

  • security (new ads value)

  • strict locking (enabled by default)

  • winbind cache time (increased to 5 minutes)

  • winbind uid (deprecated in favor of idmap uid)

  • winbind gid (deprecated in favor of idmap gid)

New Functionality

Databases

This section contains brief descriptions of any new databases introduced in Samba-3. Please remember to backup your existing ${lock directory}/*tdb before upgrading to Samba-3. Samba will upgrade databases as they are opened (if necessary), but downgrading from 3.0 to 2.2 is an unsupported path.

The new tdb files are described in the next table.

Table 33.1. TDB File Descriptions

NameDescriptionBackup?
account_policyUser policy settingsyes
gencacheGeneric caching dbno
group_mapping

Mapping table from Windows groups/SID to UNIX groups

yes
idmap

new ID map table from SIDS to UNIX UIDs/GIDs

yes
namecacheName resolution cache entriesno
netlogon_unigrp

Cache of universal group membership obtained when operating as a member of a Windows domain

no
printing/*.tdb

Cached output from `lpq command' created on a per print service basis

no
registry

Read-only Samba registry skeleton that provides support for exporting various db tables via the winreg RPCs

no

Changes in Behavior

The following issues are known changes in behavior between Samba-2.2 and Samba-3 that may affect certain installations of Samba.

  1. When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC to the “guest account” if a uid could not be obtained via the getpwnam() call. Samba-3 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no current work around to re-establish the Samba-2.2 behavior.

  2. When adding machines to a Samba-2.2 controlled domain, the “add user script” was used to create the UNIX identity of the Machine Trust Account. Samba-3 introduces a new “add machine script” that must be specified for this purpose. Samba-3 will not fall back to using the “add user script” in the absence of an “add machine script”.

Passdb Backends and Authentication

There have been a few new changes that Samba administrators should be aware of when moving to Samba-3.

  1. Encrypted passwords have been enabled by default in order to interoperate better with out-of-the-box Windows client installations. This does mean that either (a) a Samba account must be created for each user, or (b) “encrypt passwords = no” must be explicitly defined in smb.conf.

  2. Inclusion of new security = ads option for integration with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.

Samba-3 also includes the possibility of setting up chains of authentication methods (auth methods) and account storage backends (passdb backend). Please refer to the smb.conf man page and Account Information Databases, for details. While both parameters assume sane default values, it is likely that you will need to understand what the values actually mean in order to ensure Samba operates correctly.

Certain functions of the smbpasswd tool have been split between the new smbpasswd utility, the net tool and the new pdbedit utility. See the respective man pages for details.

LDAP

This section outlines the new features effecting Samba/LDAP integration.

New Schema

A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change aids us in the renaming of attributes to prevent clashes with attributes from other vendors. There is a conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF file to the new schema.

Example:

		$ ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif
		$ convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif
		

The <DOM SID> can be obtained by running

$ net getlocalsid <DOMAINNAME>

on the Samba PDC as root.

Under Samba-2.x the Domain SID can be obtained by executing:

$ smbpasswd -S <DOMAINNAME>

The old sambaAccount schema may still be used by specifying the ldapsam_compat passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The Samba-2.2 object class declaration for a sambaAccount has not changed in the Samba-3 samba.schema file.

Other new object classes and their uses include:

  • sambaDomain domain information used to allocate RIDs for users and groups as necessary. The attributes are added in “ldap suffix” directory entry automatically if an idmap UID/GID range has been set and the “ldapsam” passdb backend has been selected.

  • sambaGroupMapping an object representing the relationship between a posixGroup and a Windows group/SID. These entries are stored in the “ldap group suffix” and managed by the “net groupmap” command.

  • sambaUNIXIdPool created in the “ldap idmap suffix” entry automatically and contains the next available “idmap UID” and “idmap GID”.

  • sambaIdmapEntry object storing a mapping between a SID and a UNIX UID/GID. These objects are created by the idmap_ldap module as needed.

New Suffix for Searching

The following new smb.conf parameters have been added to aid in directing certain LDAP queries when passdb backend = ldapsam://... has been specified.

  • ldap suffix used to search for user and computer accounts.

  • ldap user suffix used to store user accounts.

  • ldap machine suffix used to store Machine Trust Accounts.

  • ldap group suffix location of posixGroup/sambaGroupMapping entries.

  • ldap idmap suffix location of sambaIdmapEntry objects.

If an ldap suffix is defined, it will be appended to all of the remaining sub-suffix parameters. In this case, the order of the suffix listings in smb.conf is important. Always place the ldap suffix first in the list.

Due to a limitation in Samba's smb.conf parsing, you should not surround the DNs with quotation marks.

IdMap LDAP Support

Samba-3 supports an ldap backend for the idmap subsystem. The following options inform Samba that the idmap table should be stored on the directory server onterose in the "ou=idmap,dc=quenya,dc=org" partition.

[global]
...
idmap backend = ldap:ldap://onterose/
ldap idmap suffix = ou=idmap,dc=quenya,dc=org
idmap uid = 40000-50000
idmap gid = 40000-50000

This configuration allows Winbind installations on multiple servers to share a UID/GID number space, thus avoiding the interoperability problems with NFS that were present in Samba-2.2.