diff options
Diffstat (limited to 'docs/htmldocs/Samba3-HOWTO/ChangeNotes.html')
| -rw-r--r-- | docs/htmldocs/Samba3-HOWTO/ChangeNotes.html | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html b/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html new file mode 100644 index 0000000000..8795f582d2 --- /dev/null +++ b/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html @@ -0,0 +1,118 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Important Samba-3.0.23 Change Notes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Important Samba-3.0.23 Change Notes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter 9. Important Samba-3.0.23 Change Notes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id343765">User and Group Changes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344054">Passdb Changes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344106">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id344223">LDAP Changes in Samba-3.0.23</a></span></dt></dl></div><p> +Samba is a fluid and ever changing project. Sometimes it is difficult to figure out which part, +or parts, of the HOWTO documentation should be updated tio reflect the impact of new or modified +features. At other times it becomes clear that the documentation is in need of being restructured. +</p><p> +In recent times a group of Samba users has joined the thrust to create a new <a href="http://wiki.samba.org/" target="_top">Samba Wiki</a> that is slated to become the all-singing and all-dancing +new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and +thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to +continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until +such time as the body of this HOWTO is restructured or modified. +</p><p> +This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided +in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343765"></a>User and Group Changes</h2></div></div></div><p> +The change documented here affects unmapped user and group accounts only. +</p><p> +<a class="indexterm" name="id343777"></a> +<a class="indexterm" name="id343784"></a> +<a class="indexterm" name="id343790"></a> +<a class="indexterm" name="id343799"></a> +<a class="indexterm" name="id343808"></a> +The user and group internal management routines have been rewritten to prevent overlaps of +assigned Relative Identifiers (RIDs). In the past the has been a potential problem when +either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or +when migrating a Windows domain to a Samba domain by executing: +<code class="literal">net rpc vampire</code>. +</p><p> +<a class="indexterm" name="id343837"></a> +<a class="indexterm" name="id343843"></a> +<a class="indexterm" name="id343850"></a> +<a class="indexterm" name="id343856"></a> +Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped +groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain. Previously they were +assign a RID within the SAM on the Samba server. For a domain controller this would have been under the +authority of the domain SID where as on a member server or standalone server, this would have +been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>). +</p><p> +<a class="indexterm" name="id343889"></a> +<a class="indexterm" name="id343896"></a> +<a class="indexterm" name="id343903"></a> +<a class="indexterm" name="id343909"></a> +<a class="indexterm" name="id343916"></a> +The result is that any unmapped users or groups on an upgraded Samba domain controller may +be assigned a new SID. Because the SID rather than a name is stored in Windows security +descriptors, this can cause a user to no longer have access to a resource for example if a +file was copied from a Samba file server to a local Windows client NTFS partition. Any files +stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX +GID and not the SID for authorization checks. +</p><p> +An example helps to illustrate the change: +</p><p> +<a class="indexterm" name="id343934"></a> +<a class="indexterm" name="id343941"></a> +<a class="indexterm" name="id343947"></a> +<a class="indexterm" name="id343954"></a> +Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this +case this user does not exist in Samba's group mapping table. It would be perfectly normal for +this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>. +</p><p> +<a class="indexterm" name="id343976"></a> +<a class="indexterm" name="id343982"></a> +<a class="indexterm" name="id343989"></a> +<a class="indexterm" name="id343996"></a> +With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>. +Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow +access based on the group permissions if the user was not a member of the +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> group. +Because this group SID is <code class="literal">S-1-22-2-782</code> and not reported in a user's token, +Windows would fail the authorization check even though both SIDs in some respect refer to the +same UNIX group. +</p><p> +<a class="indexterm" name="id344027"></a> +<a class="indexterm" name="id344034"></a> +The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping +entry for the group <span class="emphasis"><em>developers</em></span> to point at the +<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this +workaround is no longer needed. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344054"></a>Passdb Changes</h2></div></div></div><p> +<a class="indexterm" name="id344062"></a> +<a class="indexterm" name="id344069"></a> +<a class="indexterm" name="id344075"></a> +<a class="indexterm" name="id344082"></a> +The <a class="indexterm" name="id344089"></a>passdb backend parameter no long accepts multiple passdb backends in a +chained configuration. Also be aware that the SQL and XML based passdb modules have been +removed in the Samba-3.0.23 release. More information regarding external support for a SQL +passdb module can be found on the <a href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344106"></a>Group Mapping Changes in Samba-3.0.23</h2></div></div></div><p> +<a class="indexterm" name="id344114"></a> +<a class="indexterm" name="id344121"></a> +<a class="indexterm" name="id344128"></a> +<a class="indexterm" name="id344135"></a> +<a class="indexterm" name="id344142"></a> +<a class="indexterm" name="id344148"></a> +<a class="indexterm" name="id344155"></a> +<a class="indexterm" name="id344162"></a> +<a class="indexterm" name="id344168"></a> +<a class="indexterm" name="id344175"></a> +<a class="indexterm" name="id344182"></a> +The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer +created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb +backend. This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code> +to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the +Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality +for domain groups. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344223"></a>LDAP Changes in Samba-3.0.23</h2></div></div></div><p> +<a class="indexterm" name="id344231"></a> +<a class="indexterm" name="id344238"></a> +<a class="indexterm" name="id344245"></a> +<a class="indexterm" name="id344252"></a> +<a class="indexterm" name="id344258"></a> +There has been a minor update the Samba LDAP schema file. A substring matching rule has been +added to the <code class="literal">sambaSID</code> attribute definition. For OpenLDAP servers, this +will require the addition of <code class="literal">index sambaSID sub</code> to the +<code class="filename">slapd.conf</code> configuration file. It will be necessary to execute the +<code class="literal">slapindex</code> command after making this change. There has been no change to the +actual data storage schema. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Network Browsing</td></tr></table></div></body></html> |