Release Announcements
=====================
-This is the first preview release of Samba 4.9. This is *not*
+This is the first preview release of Samba 4.12. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.9 will be the next version of the Samba suite.
+Samba 4.12 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
+Python 3.5 Required
+-------------------
-net ads setspn
----------------
+Samba's minimum runtime requirement for python was raised to Python
+3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
+3.5 both to access new features and because this is the oldest version
+we test with in our CI infrastructure.
-There is a new 'net ads setspn' sub command for managing Windows SPN(s)
-on the AD. This command aims to give the basic functionaility that is
-provided on windows by 'setspn.exe' e.g. ability to add, delete and list
-Windows SPN(s) stored in a Windows AD Computer object.
+(Build time support for the file server with Python 2.6 has not
+changed)
-The format of the command is:
+Removing in-tree cryptography: GnuTLS 3.4.7 required
+----------------------------------------------------
-net ads setspn list [machine]
-net ads setspn [add | delete ] SPN [machine]
+Samba is making efforts to remove in-tree cryptographic functionality,
+and to instead rely on externally maintained libraries. To this end,
+Samba has chosen GnuTLS as our standard cryptographic provider.
-'machine' is the name of the computer account on the AD that is to be managed.
-If 'machine' is not specified the name of the 'client' running the command
-is used instead.
+Samba now requires GnuTLS 3.4.7 to be installed (including development
+headers at build time) for all configurations, not just the Samba AD
+DC.
-The format of a Windows SPN is
- 'serviceclass/host:port/servicename' (servicename and port are optional)
+Thanks to this work Samba no longer ships an in-tree DES
+implementation and on GnuTLS 3.6.5 or later Samba will include no
+in-tree cryptography other than the MD4 hash and that
+implemented in our copy of Heimdal.
-serviceclass/host is generally sufficient to specify a host based service.
+Using GnuTLS for SMB3 encryption you will notice huge performance and copy
+speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
+show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
-net ads keytab changes
-----------------------
-net ads keytab add no longer attempts to convert the passed serviceclass
-(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
-computer object. By default just the keytab file is modified.
+NOTE WELL: The use of GnuTLS means that Samba will honour the
+system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
+standard) and so will not operate in many still common situations if
+this system-wide parameter is in effect, as many of our protocols rely
+on outdated cryptography.
-A new keytab subcommand 'add_update_ads' has been added to preserve the
-legacy behaviour. However the new 'net ads setspn add' subcommand should
-really be used instead.
+A future Samba version will mitigate this to some extent where good
+cryptography effectively wraps bad cryptography, but for now that above
+applies.
-net ads keytab create no longer tries to generate SPN(s) from existing
-entries in a keytab file. If it is required to add Windows SPN(s) then
-'net ads setspn add' should be used instead.
-Local authorization plugin for MIT Kerberos
--------------------------------------------
+"net ads kerberos pac save" and "net eventlog export"
+-----------------------------------------------------
-This plugin controls the relationship between Kerberos principals and AD
-accounts through winbind. The module receives the Kerberos principal and the
-local account name as inputs and can then check if they match. This can resolve
-issues with canonicalized names returned by Kerberos within AD. If the user
-tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
-Kerberos would return ALICE as the username. Kerberos would not be able to map
-'alice' to 'ALICE' in this case and auth would fail. With this plugin account
-names can be correctly mapped. This only applies to GSSAPI authentication,
-not for the geting the initial ticket granting ticket.
+The "net ads kerberos pac save" and "net eventlog export" tools will
+no longer silently overwrite an existing file during data export. If
+the filename given exits, an error will be shown.
+
+VFS
+===
+
+SMB_VFS_NTIMES
+--------------
+
+Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
+to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
+
+VFS modules can check whether any of the time values inside a struct
+smb_file_time is to be ignored by calling is_omit_timespec() on the value.
REMOVED FEATURES
================
+The smb.conf parameter "write cache size" has been removed.
+Since the in-memory write caching code was written, our write path has
+changed significantly. In particular we have gained very flexible
+support for async I/O, with the new linux io_uring interface in
+development. The old write cache concept which cached data in main
+memory followed by a blocking pwrite no longer gives any improvement
+on modern systems, and may make performance worse on memory-contrained
+systems, so this functionality should not be enabled in core smbd
+code.
-smb.conf changes
-================
+In addition, it complicated the write code, which is a performance
+critical code path.
-As the most popular Samba install platforms (Linux and FreeBSD) both
-support extended attributes by default, the parameters "map readonly",
-"store dos attributes" and "ea support" have had their defaults changed
-to allow better Windows fileserver compatibility in a default install.
+If required for specialist purposes, it can be recreated as a VFS
+module.
- Parameter Name Description Default
- -------------- ----------- -------
- map readonly Default changed no
- store dos attributes Default changed yes
- ea support Default changed yes
+BIND9_FLATFILE deprecated
+-------------------------
-VFS interface changes
-=====================
+The BIND9_FLATFILE DNS backend is deprecated in this release and will
+be removed in the future. This was only practically useful on a single
+domain controller or under expert care and supervision.
+
+This release removes the "rndc command" smb.conf parameter, which
+supported this configuration by writing out a list of DCs permitted to
+make changes to the DNS Zone and nudging the 'named' server if a new
+DC was added to the domain. Administrators using BIND9_FLATFILE will
+need to maintain this manually from now on.
-The VFS ABI interface version has changed to 39. Function changes
-are:
-SMB_VFS_FSYNC: Removed: Only async versions are used.
-SMB_VFS_READ: Removed: Only PREAD or async versions are used.
-SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
-SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
-SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+Retiring DES encryption types in Kerberos.
+------------------------------------------
+With this release, support for DES encryption types has been removed from
+Samba, and setting DES_ONLY flag for an account will cause Kerberos
+authentication to fail for that account (see RFC-6649).
+
+Samba-DC: DES keys no longer saved in DB.
+-----------------------------------------
+When a new password is set for an account, Samba DC will store random keys
+in DB instead of DES keys derived from the password. If the account is being
+migrated to Windbows or to an older version of Samba in order to use DES keys,
+the password must be reset to make it work.
+
+Heimdal-DC: removal of weak-crypto.
+-----------------------------------
+Following removal of DES encryption types from Samba, the embedded Heimdal
+build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
+
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
-Any external VFS modules will need to be updated to match these
-changes in order to work with 4.9.x.
+ nfs4:acedup Changed default merge
+ rndc command Removed
+ write cache size Removed
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff