+- 'samba-tool domain classicupgrade' will fail when setting ACLs on
+ the GPO folders with NT_STATUS_INVALID_ONWER in the default
+ configuration. This happens if, as is typical a 'domain admins'
+ group (-512) is mapped in the passdb backend being upgraded. This
+ is because the group mapping to a GID only prevents Samba from
+ allocating a uid for that group. The uid is needed so the 'domain
+ admins' group can own the GPO file objects.
+
+ To work around this issue, remove the 'domain admins' group before
+ upgrade, as it will be re-created automatically. You will
+ of course need to fill in the group membership again. A future release
+ will make this automatic, or find some other workaround.
+
+- This release makes the s3fs file server the default, as this is the
+ file server combination we will use for the Samba 4.0 release.
+
+- For similar reasons, sites with ACLs stored by the ntvfs file server
+ may wish to continue to use that file server implementation, as a
+ posix ACL will similarly not be set in this case.
+
+- Replication of DNS data from one AD server to another may not work.
+ The DNS data used by the internal DNS server and bind9_dlz is stored
+ in an application partition in our directory. The replication of
+ this partition is not yet reliable.
+
+- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
+ containing _. A workaround will be in a future release.
+
+- samba_upgradeprovision should not be run when upgrading to this release
+ from a recent release. No important database format changes have
+ been made since alpha16.
+
+- Installation on systems without a system iconv (and developer
+ headers at compile time) is known to cause errors when dealing with
+ non-ASCII characters.
+
+- Domain member support in the 'samba' binary is in its infancy, and
+ is not comparable to the support found in winbindd. As such, do not
+ use the 'samba' binary (provided for the AD server) on a member
+ server.
+
+- There is no NetBIOS browsing support (network neighbourhood)
+ available for the AD domain controller. (Support in nmbd and smbd
+ for classic domains and member/standalone servers is unchanged).
+
+- Clock Synchronisation is critical. Many 'wrong password' errors are
+ actually due to Kerberos objecting to a clock skew between client
+ and server. (The NTP work in the previous alphas are partly to assist
+ with this problem).
+
+- The DRS replication code may fail. Please contact the team if you
+ experience issues with DRS replication, as we have fixed many issues
+ here in response to feedback from our production users.
+
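Review bot: The status code in the first item is spelled NT_STATUS_INVALID_ONWER, but the NTSTATUS name is NT_STATUS_INVALID_OWNER. Administrators will search these notes for the exact string from their logs, so it should be corrected. The same item needs a comma after "typical" in "as is typical a 'domain admins' group". The item beginning "For similar reasons, sites with ACLs stored by the ntvfs file server" has no antecedent. The s3fs item before it gives no reason about ACLs not being set, so "similar reasons" and "similarly not be set in this case" refer to nothing in these lines. Either state the reason in that item or restore the item it was meant to follow. Smaller points: "The NTP work in the previous alphas are" should read "is", and the samba_upgradeprovision item would be clearer if "a recent release" were tied explicitly to the alpha16 baseline named in its last sentence.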