--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Upgrading from Samba-2.x to Samba-3.0.20</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 35. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Upgrading from Samba-2.x to Samba-3.0.20</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 34. Upgrading from Samba-2.x to Samba-3.0.20</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">June 30, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id2642851">Quick Migration Guide</a></span></dt><dt><span class="sect1"><a href="upgrading-to-3.0.html#id2642988">New Features in Samba-3</a></span></dt><dt><span class="sect1"><a href="upgrading-to-3.0.html#id2643274">Configuration Parameter Changes</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2643293">Removed Parameters</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2643445">New Parameters</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2643958">Modified Parameters (Changes in Behavior)</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id2644048">New Functionality</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2644074">TDB Data Files</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2644426">Changes in Behavior</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2644522">Passdb Backends and Authentication</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id2644695">LDAP</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2642826"></a>
+<a class="indexterm" name="id2642833"></a>
+<a class="indexterm" name="id2642840"></a>
+This chapter deals exclusively with the differences between Samba-3.0.20 and Samba-2.2.8a.
+It points out where configuration parameters have changed, and provides a simple guide for
+the move from 2.2.x to 3.0.20.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2642851"></a>Quick Migration Guide</h2></div></div></div><p>
+Samba-3.0.20 default behavior should be approximately the same as Samba-2.2.x.
+The default behavior when the new parameter <a class="indexterm" name="id2642862"></a>passdb backend
+is not defined in the <code class="filename">smb.conf</code> file provides the same default behavior as Samba-2.2.x
+with <a class="indexterm" name="id2642876"></a>encrypt passwords = Yes and
+will use the <code class="filename">smbpasswd</code> database.
+</p><p>
+<a class="indexterm" name="id2642893"></a>
+<a class="indexterm" name="id2642900"></a>
+So why say that <span class="emphasis"><em>behavior should be approximately the same as Samba-2.2.x</em></span>? Because
+Samba-3.0.20 can negotiate new protocols, such as support for native Unicode, that may result in
+differing protocol code paths being taken. The new behavior under such circumstances is not
+exactly the same as the old one. The good news is that the domain and machine SIDs will be
+preserved across the upgrade.
+</p><p>
+<a class="indexterm" name="id2642920"></a>
+<a class="indexterm" name="id2642927"></a>
+<a class="indexterm" name="id2642934"></a>
+<a class="indexterm" name="id2642941"></a>
+If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP
+database, then make sure that <a class="indexterm" name="id2642950"></a>passdb backend = ldapsam_compat
+is specified in the <code class="filename">smb.conf</code> file. For the rest, behavior should remain more or less the same.
+At a later date, when there is time to implement a new Samba-3-compatible LDAP backend, it is possible
+to migrate the old LDAP database to the new one through use of the <span><strong class="command">pdbedit</strong></span>.
+See <a href="passdb.html#pdbeditthing" title="The pdbedit Tool">The <span class="emphasis"><em>pdbedit</em></span> Command</a>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2642988"></a>New Features in Samba-3</h2></div></div></div><p>
+The major new features are:
+</p><div class="orderedlist"><ol type="1"><li><p>
+<a class="indexterm" name="id2643010"></a>
+<a class="indexterm" name="id2643016"></a>
+ Active Directory support. This release is able to join an ADS realm
+ as a member server and authenticate users using LDAP/Kerberos.
+ </p></li><li><p>
+<a class="indexterm" name="id2643030"></a>
+<a class="indexterm" name="id2643036"></a>
+ Unicode support. Samba will now negotiate Unicode on the wire, and
+ internally there is a much better infrastructure for multibyte
+ and Unicode character sets.
+ </p></li><li><p>
+<a class="indexterm" name="id2643050"></a>
+ New authentication system. The internal authentication system has
+ been almost completely rewritten. Most of the changes are internal,
+ but the new authoring system is also very configurable.
+ </p></li><li><p>
+<a class="indexterm" name="id2643065"></a>
+ New filename mangling system. The filename mangling system has been
+ completely rewritten. An internal database now stores mangling maps
+ persistently.
+ </p></li><li><p>
+<a class="indexterm" name="id2643079"></a>
+ New “<span class="quote">net</span>” command. A new “<span class="quote">net</span>” command has been added. It is
+ somewhat similar to the “<span class="quote">net</span>” command in Windows. Eventually, we
+ plan to replace a bunch of other utilities (such as smbpasswd)
+ with subcommands in “<span class="quote">net</span>”.
+ </p></li><li><p>
+<a class="indexterm" name="id2643107"></a>
+ Samba now negotiates NT-style status32 codes on the wire. This
+ considerably improves error handling.
+ </p></li><li><p>
+<a class="indexterm" name="id2643120"></a>
+ Better Windows 200x/XP printing support, including publishing
+ printer attributes in Active Directory.
+ </p></li><li><p>
+<a class="indexterm" name="id2643133"></a>
+<a class="indexterm" name="id2643140"></a>
+<a class="indexterm" name="id2643147"></a>
+ New loadable RPC modules for passdb backends and character sets.
+ </p></li><li><p>
+<a class="indexterm" name="id2643159"></a>
+ New default dual-daemon winbindd support for better performance.
+ </p></li><li><p>
+<a class="indexterm" name="id2643172"></a>
+<a class="indexterm" name="id2643179"></a>
+<a class="indexterm" name="id2643186"></a>
+ Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group, and domain SIDs.
+ </p></li><li><p>
+<a class="indexterm" name="id2643199"></a>
+<a class="indexterm" name="id2643206"></a>
+ Support for establishing trust relationships with Windows NT 4.0
+ domain controllers.
+ </p></li><li><p>
+<a class="indexterm" name="id2643218"></a>
+<a class="indexterm" name="id2643226"></a>
+<a class="indexterm" name="id2643232"></a>
+ Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to UID/GID mappings.
+ </p></li><li><p>
+ Major updates to the Samba documentation tree.
+ </p></li><li><p>
+<a class="indexterm" name="id2643251"></a>
+<a class="indexterm" name="id2643258"></a>
+ Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+ </p></li></ol></div><p>
+Plus lots of other improvements!
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2643274"></a>Configuration Parameter Changes</h2></div></div></div><p>
+This section contains a brief listing of changes to <code class="filename">smb.conf</code> options since the Samba-2.2.x series up to an
+including Samba-3.0.21. Please refer to the smb.conf(5) man page for complete descriptions of new or modified
+parameters.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2643293"></a>Removed Parameters</h3></div></div></div><a class="indexterm" name="id2643298"></a><p>
+In alphabetical order, these are the parameters eliminated from Samba-2.2.x through 3.0.21.
+</p><div class="itemizedlist"><ul type="disc"><li><p>admin log</p></li><li><p>alternate permissions</p></li><li><p>character set</p></li><li><p>client codepage</p></li><li><p>code page directory</p></li><li><p>coding system</p></li><li><p>domain admin group</p></li><li><p>domain guest group</p></li><li><p>enable svcctl</p></li><li><p>force unknown acl user</p></li><li><p>ldap filter</p></li><li><p>min password length</p></li><li><p>nt smb support</p></li><li><p>post script</p></li><li><p>printer admin</p></li><li><p>printer driver</p></li><li><p>printer driver file</p></li><li><p>printer driver location</p></li><li><p>read size</p></li><li><p>source environment</p></li><li><p>status </p></li><li><p>strip dot </p></li><li><p>total print jobs</p></li><li><p>unicode</p></li><li><p>use rhosts</p></li><li><p>valid chars</p></li><li><p>vfs options</p></li><li><p>winbind enable local accounts</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2643445"></a>New Parameters</h3></div></div></div><p>New parameters in the Samba 3.0.0 series prior to release of Samba 3.0.20 are grouped by function):</p><p>Remote Management</p><a class="indexterm" name="id2643459"></a><div class="itemizedlist"><ul type="disc"><li><p>abort shutdown script</p></li><li><p>shutdown script</p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul type="disc"><li><p>add group script</p></li><li><p>add machine script</p></li><li><p>add user to group script</p></li><li><p>algorithmic rid base</p></li><li><p>delete group script</p></li><li><p>delete user from group script</p></li><li><p>passdb backend</p></li><li><p>rename user script</p></li><li><p>set primary group script</p></li><li><p>username map script</p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul type="disc"><li><p>auth methods</p></li><li><p>ldap password sync</p></li><li><p>passdb expand explicit</p></li><li><p>realm</p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul type="disc"><li><p>afs token lifetime</p></li><li><p>client lanman auth</p></li><li><p>client NTLMv2 auth</p></li><li><p>client schannel</p></li><li><p>client signing</p></li><li><p>client use spnego</p></li><li><p>defer sharing violations</p></li><li><p>disable netbios</p></li><li><p>enable privileges</p></li><li><p>use kerberos keytab</p></li><li><p>log nt token command</p></li><li><p>ntlm auth</p></li><li><p>paranoid server security </p></li><li><p>sendfile</p></li><li><p>server schannel</p></li><li><p>server signing</p></li><li><p>smb ports</p></li><li><p>svcctl list</p></li><li><p>use spnego</p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul type="disc"><li><p>allocation roundup size</p></li><li><p>acl check permissions</p></li><li><p>acl group control</p></li><li><p>acl map full control</p></li><li><p>aio read size</p></li><li><p>aio write size</p></li><li><p>dfree cache time</p></li><li><p>dfree command</p></li><li><p>ea support</p></li><li><p>enable asu support</p></li><li><p>force unknown acl user</p></li><li><p>get quota command</p></li><li><p>hide special files</p></li><li><p>hide unwriteable files</p></li><li><p>inherit owner</p></li><li><p>hostname lookups</p></li><li><p>kernel change notify</p></li><li><p>mangle prefix</p></li><li><p>map acl inherit</p></li><li><p>map read only</p></li><li><p>max stat cache size</p></li><li><p>msdfs proxy</p></li><li><p>set quota command</p></li><li><p>store dos attributes</p></li><li><p>use sendfile</p></li><li><p>vfs objects</p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul type="disc"><li><p>cups options</p></li><li><p>cups server</p></li><li><p>force printername</p></li><li><p>iprint server</p></li><li><p>max reported print jobs</p></li><li><p>printcap cache time</p></li></ul></div><p>Unicode and Character Sets</p><div class="itemizedlist"><ul type="disc"><li><p>display charset</p></li><li><p>dos charset</p></li><li><p>UNIX charset</p></li></ul></div><p>SID to UID/GID Mappings</p><div class="itemizedlist"><ul type="disc"><li><p>idmap backend</p></li><li><p>idmap gid</p></li><li><p>idmap uid</p></li><li><p>username map script</p></li><li><p>winbind nested groups</p></li><li><p>winbind nss info</p></li><li><p>winbind trusted domains only</p></li><li><p>template primary group</p></li><li><p>enable rid algorithm</p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul type="disc"><li><p>ldap delete dn</p></li><li><p>ldap group suffix</p></li><li><p>ldap idmap suffix</p></li><li><p>ldap machine suffix</p></li><li><p>ldap passwd sync</p></li><li><p>ldap replication sleep</p></li><li><p>ldap timeout</p></li><li><p>ldap user suffix</p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul type="disc"><li><p>eventlog list</p></li><li><p>preload modules</p></li><li><p>reset on zero vc</p></li><li><p>privatedir</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2643958"></a>Modified Parameters (Changes in Behavior)</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>dos filetimes (enabled by default)</p></li><li><p>encrypt passwords (enabled by default) </p></li><li><p>mangling method (set to hash2 by default) </p></li><li><p>map to guest</p></li><li><p>only user (deprecated)</p></li><li><p>passwd chat </p></li><li><p>passwd program </p></li><li><p>password server </p></li><li><p>restrict anonymous (integer value) </p></li><li><p>security (new ads value) </p></li><li><p>strict locking (enabled by default) </p></li><li><p>winbind cache time (increased to 5 minutes) </p></li><li><p>winbind uid (deprecated in favor of idmap uid)</p></li><li><p>winbind gid (deprecated in favor of idmap gid)</p></li><li><p>winbindd nss info</p></li><li><p>write cache (deprecated)</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2644048"></a>New Functionality</h2></div></div></div><p>
+<a class="indexterm" name="id2644055"></a>
+ The major changes in behavior since that Samba-2.2.x series are documented in this section.
+ Please refer to the <code class="filename">WHATSNEW.txt</code> file that ships with every release of
+ Samba to obtain detailed information regarding the changes that have been made during the
+ life of the current Samba release.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2644074"></a>TDB Data Files</h3></div></div></div><a class="indexterm" name="id2644080"></a><p>
+ Refer to <a href="install.html" title="Chapter 1. How to Install and Test SAMBA">Installation, Chapter 1</a>, <a href="install.html#tdbdocs" title="TDB Database File Information">Chapter 1</a>
+ for information pertaining to the Samba-3 data files, their location and the information that must be
+ preserved across server migrations, updates and upgrades.
+ </p><p>
+<a class="indexterm" name="id2644110"></a>
+ Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. If necessary, Samba will
+ upgrade databases as they are opened. Downgrading from Samba-3 to 2.2, or reversion to an earlier version
+ of Samba-3 from a later release, is an unsupported path.
+ </p><p>
+<a class="indexterm" name="id2644125"></a>
+ The old Samba-2.2.x tdb files are described in <a href="upgrading-to-3.0.html#oldtdbfiledesc" title="Table 34.1. Samba-2.2.x TDB File Descriptions">the next table</a>.
+ </p><div class="table"><a name="oldtdbfiledesc"></a><p class="title"><b>Table 34.1. Samba-2.2.x TDB File Descriptions</b></p><table summary="Samba-2.2.x TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">brlock</td><td align="justify">Byte-range file locking information.</td><td align="left">no</td></tr><tr><td align="left">connections</td><td align="justify"><p>Client connection information</p></td><td align="left">no</td></tr><tr><td align="left">locking</td><td align="justify">Temporary file locking data.</td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer driver information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer forms information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td><td align="left">yes</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for
+ exporting various database tables via the winreg RPCs.</p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information.</p></td><td align="left">no</td></tr><tr><td align="left">share_info</td><td align="justify">Share ACL settings.</td><td align="left">yes</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Packets received for which no process was listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of identity information received from an NT4 or an ADS domain.</p></td><td align="left">yes</td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>New ID map table from SIDS to UNIX UIDs/GIDs.</p></td><td align="left">yes</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2644426"></a>Changes in Behavior</h3></div></div></div><p>
+ The following issues are known changes in behavior between Samba-2.2 and
+ Samba-3 that may affect certain installations of Samba.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+<a class="indexterm" name="id2644447"></a>
+<a class="indexterm" name="id2644454"></a>
+<a class="indexterm" name="id2644461"></a>
+ When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC
+ to the “<span class="quote">guest account</span>” if a UID could not be obtained via the getpwnam() call. Samba-3 rejects
+ the connection with the error message “<span class="quote">NT_STATUS_LOGON_FAILURE.</span>” There is no current workaround
+ to re-establish the Samba-2.2 behavior.
+ </p></li><li><p>
+<a class="indexterm" name="id2644485"></a>
+<a class="indexterm" name="id2644492"></a>
+ When adding machines to a Samba-2.2 controlled domain, the
+ “<span class="quote">add user script</span>” was used to create the UNIX identity of the
+ machine trust account. Samba-3 introduces a new “<span class="quote">add machine
+ script</span>” that must be specified for this purpose. Samba-3 will
+ not fall back to using the “<span class="quote">add user script</span>” in the absence of
+ an “<span class="quote">add machine script</span>”.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2644522"></a>Passdb Backends and Authentication</h3></div></div></div><p>
+ There have been a few new changes that Samba administrators should be
+ aware of when moving to Samba-3.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+<a class="indexterm" name="id2644543"></a>
+ Encrypted passwords have been enabled by default in order to
+ interoperate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a Samba account
+ must be created for each user, or (b) “<span class="quote">encrypt passwords = no</span>”
+ must be explicitly defined in <code class="filename">smb.conf</code>.
+ </p></li><li><p>
+<a class="indexterm" name="id2644568"></a>
+<a class="indexterm" name="id2644575"></a>
+<a class="indexterm" name="id2644582"></a>
+ Inclusion of new <a class="indexterm" name="id2644589"></a>security = ads option for integration
+ with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
+ </p></li></ol></div><p>
+<a class="indexterm" name="id2644602"></a>
+ Samba-3 also includes the possibility of setting up chains of authentication methods (<a class="indexterm" name="id2644611"></a>auth methods) and account storage backends (<a class="indexterm" name="id2644619"></a>passdb backend). Please refer to
+ the <code class="filename">smb.conf</code> man page and <a href="passdb.html" title="Chapter 10. Account Information Databases">Account Information Databases</a>, for
+ details. While both parameters assume sane default values, it is likely that you will need to understand what
+ the values actually mean in order to ensure Samba operates correctly.
+ </p><p>
+<a class="indexterm" name="id2644647"></a>
+<a class="indexterm" name="id2644653"></a>
+<a class="indexterm" name="id2644660"></a>
+ Certain functions of the <span><strong class="command">smbpasswd</strong></span> tool have been split between the
+ new <span><strong class="command">smbpasswd</strong></span> utility, the <span><strong class="command">net</strong></span> tool, and the new <span><strong class="command">pdbedit</strong></span>
+ utility. See the respective man pages for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2644695"></a>LDAP</h3></div></div></div><p>
+ This section outlines the new features effecting Samba/LDAP integration.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2644705"></a>New Schema</h4></div></div></div><p>
+<a class="indexterm" name="id2644713"></a>
+<a class="indexterm" name="id2644720"></a>
+<a class="indexterm" name="id2644727"></a>
+<a class="indexterm" name="id2644734"></a>
+ A new object class (sambaSamAccount) has been introduced to replace
+ the old sambaAccount. This change aids in the renaming of attributes
+ to prevent clashes with attributes from other vendors. There is a
+ conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
+ file to the new schema.
+ </p><p>
+ Example:
+<a class="indexterm" name="id2644749"></a>
+ </p><pre class="screen">
+ <code class="prompt">$ </code>ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif
+ <code class="prompt">$ </code>convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif
+ </pre><p>
+<a class="indexterm" name="id2644782"></a>
+ The <DOM SID> can be obtained by running
+</p><pre class="screen">
+<code class="prompt">$ </code><strong class="userinput"><code>net getlocalsid <DOMAINNAME></code></strong>
+</pre><p>
+<a class="indexterm" name="id2644808"></a>
+ on the Samba PDC as root.
+ </p><p>
+ Under Samba-2.x the domain SID can be obtained by executing:
+<a class="indexterm" name="id2644820"></a>
+</p><pre class="screen">
+<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd -S <DOMAINNAME></code></strong>
+</pre><p>
+ </p><p>
+<a class="indexterm" name="id2644846"></a>
+<a class="indexterm" name="id2644853"></a>
+<a class="indexterm" name="id2644860"></a>
+<a class="indexterm" name="id2644867"></a>
+ The old <code class="literal">sambaAccount</code> schema may still be used by specifying the
+ <em class="parameter"><code>ldapsam_compat</code></em> passdb backend. However, the sambaAccount and
+ associated attributes have been moved to the historical section of
+ the schema file and must be uncommented before use if needed.
+ The Samba-2.2 object class declaration for a <code class="literal">sambaAccount</code> has not changed
+ in the Samba-3 <code class="filename">samba.schema</code> file.
+ </p><p>
+ Other new object classes and their uses include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+<a class="indexterm" name="id2644914"></a>
+<a class="indexterm" name="id2644921"></a>
+<a class="indexterm" name="id2644928"></a>
+<a class="indexterm" name="id2644934"></a>
+<a class="indexterm" name="id2644941"></a>
+<a class="indexterm" name="id2644948"></a>
+ <code class="literal">sambaDomain</code> domain information used to allocate RIDs
+ for users and groups as necessary. The attributes are added
+ in “<span class="quote">ldap suffix</span>” directory entry automatically if
+ an idmap UID/GID range has been set and the “<span class="quote">ldapsam</span>”
+ passdb backend has been selected.
+ </p></li><li><p>
+<a class="indexterm" name="id2644979"></a>
+<a class="indexterm" name="id2644986"></a>
+<a class="indexterm" name="id2644992"></a>
+ sambaGroupMapping an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the “<span class="quote">ldap
+ group suffix</span>” and managed by the “<span class="quote">net groupmap</span>” command.
+ </p></li><li><p>
+<a class="indexterm" name="id2645017"></a>
+<a class="indexterm" name="id2645024"></a>
+<a class="indexterm" name="id2645031"></a>
+<a class="indexterm" name="id2645038"></a>
+ <code class="literal">sambaUNIXIdPool</code> created in the “<span class="quote">ldap idmap suffix</span>” entry
+ automatically and contains the next available “<span class="quote">idmap UID</span>” and
+ “<span class="quote">idmap GID</span>”.
+ </p></li><li><p>
+<a class="indexterm" name="id2645070"></a>
+<a class="indexterm" name="id2645077"></a>
+ <code class="literal">sambaIdmapEntry</code> object storing a mapping between a
+ SID and a UNIX UID/GID. These objects are created by the
+ idmap_ldap module as needed.
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2645098"></a>New Suffix for Searching</h4></div></div></div><p>
+<a class="indexterm" name="id2645106"></a>
+<a class="indexterm" name="id2645112"></a>
+<a class="indexterm" name="id2645119"></a>
+<a class="indexterm" name="id2645126"></a>
+<a class="indexterm" name="id2645133"></a>
+<a class="indexterm" name="id2645140"></a>
+<a class="indexterm" name="id2645147"></a>
+ The following new <code class="filename">smb.conf</code> parameters have been added to aid in directing
+ certain LDAP queries when <em class="parameter"><code>passdb backend = ldapsam://...</code></em> has been
+ specified.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>ldap suffix used to search for user and computer accounts.</p></li><li><p>ldap user suffix used to store user accounts.</p></li><li><p>ldap machine suffix used to store machine trust accounts.</p></li><li><p>ldap group suffix location of posixGroup/sambaGroupMapping entries.</p></li><li><p>ldap idmap suffix location of sambaIdmapEntry objects.</p></li></ul></div><p>
+<a class="indexterm" name="id2645216"></a>
+<a class="indexterm" name="id2645222"></a>
+ If an <em class="parameter"><code>ldap suffix</code></em> is defined, it will be appended to all of the
+ remaining subsuffix parameters. In this case, the order of the suffix
+ listings in <code class="filename">smb.conf</code> is important. Always place the <em class="parameter"><code>ldap suffix</code></em> first
+ in the list.
+ </p><p>
+ Due to a limitation in Samba's <code class="filename">smb.conf</code> parsing, you should not surround
+ the domain names with quotation marks.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2645264"></a>IdMap LDAP Support</h4></div></div></div><p>
+<a class="indexterm" name="id2645271"></a>
+ Samba-3 supports an LDAP backend for the idmap subsystem. The
+ following options inform Samba that the idmap table should be
+ stored on the directory server <span class="emphasis"><em>onterose</em></span> in the ou=idmap,dc=quenya,dc=org partition.
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>...</td></tr><tr><td><a class="indexterm" name="id2645304"></a><em class="parameter"><code>idmap backend = ldap:ldap://onterose/</code></em></td></tr><tr><td><a class="indexterm" name="id2645317"></a><em class="parameter"><code>ldap idmap suffix = ou=idmap,dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2645331"></a><em class="parameter"><code>idmap uid = 40000-50000</code></em></td></tr><tr><td><a class="indexterm" name="id2645344"></a><em class="parameter"><code>idmap gid = 40000-50000</code></em></td></tr></table><p>
+<a class="indexterm" name="id2645358"></a>
+ This configuration allows Winbind installations on multiple servers to
+ share a UID/GID number space, thus avoiding the interoperability problems
+ with NFS that were present in Samba-2.2.
+ </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>
projects / samba / blobdiff