4 This is the first preview release of Samba 4.7. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.7 will be the next version of the Samba suite.
18 smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
19 banner when connecting to the first server. With SMB2 and Kerberos
20 there's no way to print this information reliable. Now we avoid it at all
21 consistently. In interactive session the following banner is now presented
22 to the user: 'Try "help" do get a list of possible commands.'.
24 The default for "client max protocol" has changed to "SMB3_11",
25 which means that smbclient (and related commands) will work against
26 servers without SMB1 support.
28 It's possible to use the '-m/--max-protocol' option to overwrite
29 the "client max protocol" option temporary.
31 Note that the '-e/--encrypt' option also works with most SMB3 servers
32 (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
33 are not required for encryption.
35 The change to SMB3_11 as default also means smbclient no longer
36 negotiates SMB1 unix extensions by default, when talking to a Samba server with
37 "unix extensions = yes". As a result some commands are not available, e.g.
38 posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
39 getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
41 Note the default ("CORE") for "client min protocol" hasn't changed,
42 so it's still possible to connect to SMB1-only servers by default.
48 Whole DB read locks: Improved LDAP and replication consistency
49 --------------------------------------------------------------
51 Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
52 erronously did not take whole-DB read locks to protect search
53 and DRS replication operations.
55 While each object returned remained subject to a record-level lock (so
56 would remain consistent to itself), under a race condition with a
57 rename or delete, it and any links (like the member attribute) to it
58 would not be returned.
60 The symptoms of this issue include:
62 Replication failures with this error showing in the client side logs:
63 error during DRS repl ADD: No objectClass found in replPropertyMetaData for
64 Failed to commit objects:
65 WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
67 A crash of the server, in particular the rpc_server process with
68 INTERNAL ERROR: Signal 11
70 LDAP read inconsistency
71 A DN subject to a search at the same time as it is being renamed
72 may not appear under either the old or new name, but will re-appear
73 for a subsequent search.
75 See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
76 and updated advise on database recovery for affected installations.
79 Samba AD with MIT Kerberos
80 --------------------------
82 After four years of development, Samba finally supports compiling and
83 running Samba AD with MIT Kerberos. You can enable it with:
85 ./configure --with-system-mitkrb5
87 Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
88 The krb5-devel and krb5-server packages are required.
89 The feature set is not on par with with the Heimdal build but the most important
90 things, like forest and external trusts, are working. Samba uses the KDC binary
91 provided by MIT Kerberos.
93 Missing features, compared to Heimdal, are:
95 * S4U2SELF/S4U2PROXY support
96 * RODC support (not fully working with Heimdal either)
98 The Samba AD process will take care of starting the MIT KDC and it will load a
99 KDB (Kerberos Database) driver to access the Samba AD database. When
100 provisioning an AD DC using 'samba-tool' it will take care of creating a correct
101 kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
102 kdc.conf by default. It is possible to use a different location during
103 provision. You should consult the 'samba-tool' help and smb.conf manpage for
106 Dynamic RPC port range
107 ----------------------
109 The dynamic port range for RPC services has been changed from the old default
110 value 1024-1300 to 49152-65535. This port range is not only used by a
111 Samba AD DC but also applies to all other server roles including NT4-style
112 domain controllers. The new value has been defined by Microsoft in Windows
113 Server 2008 and newer versions. To make it easier for Administrators to control
114 those port ranges we use the same default and make it configurable with the
115 option: 'rpc server dynamic port range'.
117 The 'rpc server port' option sets the first available port from the new
118 'rpc server dynamic port range' option. The option 'rpc server port' only
119 applies to Samba provisioned as an AD DC.
121 Authentication and Authorization audit support
122 ----------------------------------------------
124 Detailed authentication and authorization audit information is now
125 logged to Samba's debug logs under the "auth_audit" debug class,
126 including in particular the client IP address triggering the audit
127 line. Additionally, if Samba is compiled against the jansson JSON
128 library, a JSON representation is logged under the "auth_json_audit"
131 Audit support is comprehensive for all authentication and
132 authorisation of user accounts in the Samba Active Directory Domain
133 Controller, as well as the implicit authentication in password
134 changes. In the file server and classic/NT4 domain controller, NTLM
135 authentication, SMB and RPC authorization is covered, however password
136 changes are not at this stage, and this support is not currently
137 backed by a testsuite.
139 Query record for open file or directory
140 ---------------------------------------
142 The record attached to an open file or directory in Samba can be
143 queried through the 'net tdb locking' command. In clustered Samba this
144 can be useful to determine the file or directory triggering
145 corresponding "hot" record warnings in ctdb.
147 Removal of lpcfg_register_defaults_hook()
148 -----------------------------------------
150 The undocumented and unsupported function lpcfg_register_defaults_hook()
151 that was used by external projects to call into Samba and modify
152 smb.conf default parameter settings has been removed. If your project
153 was using this call please raise the issue on
154 samba-technical@lists.samba.org in order to design a supported
155 way of obtaining the same functionality.
157 Change of loadable module interface
158 -----------------------------------
160 The _init function of all loadable modules in Samba has changed
163 NTSTATUS _init(void);
167 NTSTATUS _init(TALLOC_CTX *);
169 This allows a program loading a module to pass in a long-lived
170 talloc context (which must be guaranteed to be alive for the
171 lifetime of the module). This allows modules to avoid use of
172 the talloc_autofree_context() (which is inherently thread-unsafe)
173 and still be valgrind-clean on exit. Modules that don't need to
174 free long-lived data on exist should use the NULL talloc context.
179 The "strict sync" global parameter has been changed from
180 a default of "no" to "yes". This means smbd will by default
181 obey client requests to synchronize unwritten data in operating
182 system buffers safely onto disk. This is a safer default setting
183 for modern SMB1/2/3 clients.
188 Parameter Name Description Default
189 -------------- ----------- -------
190 allow unsafe cluster upgrade New parameter no
191 auth event notification New parameter no
192 auth methods Deprecated
193 client max protocol Effective SMB3_11
195 map untrusted to domain New value/ auto
198 mit kdc command New parameter
199 profile acls Deprecated
200 rpc server dynamic port range New parameter 49152-65535
201 strict sync Default changed yes
207 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
210 #######################################
211 Reporting bugs & Development Discussion
212 #######################################
214 Please discuss this release on the samba-technical mailing list or by
215 joining the #samba-technical IRC channel on irc.freenode.net.
217 If you do report problems then please try to send high quality
218 feedback. If you don't provide vital information to help us track down
219 the problem then you will probably be ignored. All bug reports should
220 be filed under the Samba 4.1 and newer product in the project's Bugzilla
221 database (https://bugzilla.samba.org/).
224 ======================================================================
225 == Our Code, Our Bugs, Our Responsibility.
227 ======================================================================