1.7. What's in Samba 3.0?
Samba 3.0 includes many features designed at better integration with Active Directory domains. Additionally, Samba's implementation of a Windows NT domain controller has become richer, although it is still missing a few features. Samba developers have also continued to improve functionality introduced in earlier releases, such as printing support for Windows 2000/XP clients, filesystem ACLs, and Winbind.
1.7.1. Windows NT Domain Controller Support
Samba 3.0 includes support for several newer security additions to the CIFS protocol, such as packet integrity checks known as SMB signing, secure channel communication, and the NTLMv2 authentication algorithm. Thus, it is possible to have a Samba server support domain logons for a network of Windows clients, including the most recent releases from Microsoft. This setup can result in a very stable, high-performance, and more secure network; it also provides the benefit of not having to purchase per-seat Windows Client Acccess Licenses (CALs) from Microsoft. The current release also supports migration of user and group information from a Windows NT 4.0 domain to a Samba domain, so that you are able to continue to upgrade your network without the costs of purchasing Windows 2000 Server or newer in order to use Active Directory.
1.7.2. Active Directory Domain Member Servers
In addition to the NT4 domain mode security provided by Samba 2.x, 3.0 introduces a new ADS domain mode security that allows a Samba host to join an Active Directory domain and authenticate individual connection requests from clients using Kerberos tickets. The winbindd daemon also supports obtaining user and group information via more effecient LDAP searches instead of Remote Procedure Calls (RPC).
1.7.3. Local Nested Groups
Windows has always supported the concept of adding groups as members of other groups. Current Samba releases also support this capability, by using Winbind to define a group that is local to the server and can contain Windows domain groups. Upon receiving a request for the list of users in the local group, Winbind expands the membership of any nested domain groups that it contains. This feature can be useful, such as when you want to set the group ownership of a file that must be accessible by multiple domain groups. You define on the Samba host a local group that contains all of the appropriate domain groups. Of course, it is possible to perform an equivalent function if the filesystem supports access control lists. However, local groups have the advantage of requiring you to deal with only one group instead of many. More on Winbind's support for local groups is in Chapter 10.
1.7.4. Unicode and Internationalization
Unicode is the pervasive means of representing non-English character sets on Windows NT-based computers. The older DOS codepage methods used by Windows 9x and Samba prior to 3.0 could support extended character sets, but not in multiple combinations. You could support English and Spanish clients, but not English, Spanish, and French. The UCS2 encoding represents each character using 16 bits, providing more than enough combinations to handle more languages that any of us have to manage on our network. Building Samba to include Unicode support is covered in Chapter 2.
1.7.5. User and Group Account Storage Plug-in Modules
Libraries knows as passdb modules allow an administrator to choose the persistent storage backend for user and group information. Prior versions of Samba supported this feature in a limited fashion and required the storage interfacefor example, a flat text file (smbpasswd) or an LDAP directory serviceto be defined at compile time. Samba 3.0 supports multiple passdb backends, which can be defined in its configuration file at runtime. This approach allows for easy migration from one storage format to another and to have one Samba package that supports the needs of multiple installations. Users and groups and how they are stored are discussed in Chapter 5.
1.7.6. Stackable Virtual File System (VFS) Modules
Samba's VFS layer allows programmers to write a plug-in that handles all of the disk I/O operations for a particular share. Good examples of current VFS modules are the network recycle bin, virus scanners, and filesystem snapshot tools. Samba 2.2 only allowed one plugin to be used on given file share at any given time. Samba 3.0 allows multiple VFS modules to be chained together in series so that, for example, you could log when a user deleted a file and move it to a trash can rather than actually removing it. Chapter 6 will explore Samba's VFS.
1.7.7. User Privileges
Recent releases of Samba introduced the ability to grant certain rights, such as the ability to join Windows clients to a Samba domain, to a nonroot user. Prior versions of Samba required the use of a user account with a uid of 0 (that is, the superuser). Being able to delegate such security-sensitive operations goes a long way when managing Samba domains with multiple administrators. Privileges are discussed in the context of users and groups in Chapter 5.
1.7.8. Windows Automatic Driver Downloads
Samba 2.2 began support for the Windows Point and Print model. Samba 3.0 extends this support, with the latest releases able to back up and restore print queues and drivers in bulk as well as migrate printers from a Windows server to a Samba host using Microsoft's Print Migrator application. Samba's printing support and the details of Point and Print are explained in Chapter 7.
1.7.9. But Wait, There's More
And of course, Samba developers have include numerous bug fixes, performance improvements, and added support for newer CIFS protocol operations. There's really no reason to be running an older version of Samba.