-Please be aware that Samba is now distributed under the version 3
-of the new GNU General Public License. You may refer to the COPYING
-file that accompanies these release notes for further licensing details.
-
-Major enhancements in Samba 3.2.0 include:
-
- File Serving:
- o Use of IDL generated parsing layer for several DCE/RPC
- interfaces.
- o Removal of the 1024 byte limit on pathnames and 256 byte limit on
- filename components to honor the MAX_PATH setting from the host OS.
- o Introduction of a registry based configuration system.
- o Improved CIFS Unix Extensions support.
- o Experimental support for file serving clusters.
- o Support for IPv6 in the server, and client tools and libraries.
- o Support for storing alternate data streams in xattrs.
- o Encrypted SMB transport in client tools and libraries, and server.
- o Support for Vista clients authenticating via Kerberos.
-
- Winbind and Active Directory Integration:
- o Full support for Windows 2003 cross-forest, transitive trusts
- and one-way domain trusts.
- o Support for userPrincipalName logons via pam_winbind and NSS
- lookups.
- o Expansion of nested domain groups via NSS calls.
- o Support for Active Directory LDAP Signing policy.
- o New LGPL Winbind client library (libwbclient.so).
-
- Joining:
- o New NetApi library for domain join related queries (libnetapi.so)
- and example GTK+ Domain join gui.
- o New client and server support for remotely joining and unjoining
- Domains.
- o Support for joining into Windows 2008 domains.
-
- Users & Groups:
- o New ldb backend for local group mapping tables
- o Raised level of security defaults for authentication operations.
-
-
- Documentation:
- o Inclusion of an HTML version of the 3rd edition of "Using Samba"
- from O'Reilly Publishing.
-
-
-Now Licensed under the GNU GPLv3
-================================
-
-The Samba Team has adopted the Version 3 of the GNU General Public
-License for the 3.2 and later releases. The GPLv3 is the updated
-version of the GPLv2 license under which Samba is currently
-distributed. It has been updated to improve compatibility with other
-licenses and to make it easier to adopt internationally, and is an
-improved version of the license to better suit the needs of Free
-Software in the 21st Century.
-
-The original announcement is available on-line at
-
- http://news.samba.org/announcements/samba_gplv3/
-
-
-New Security Defaults for Authentication
-========================================
-
-Support for LanMan passwords is now disabled in both client and server
-applications. Additionally, clear text authentication requests are
-disabled by default in client utilities such as smbclient and all
-libsmbclient based applications. This will affect connection both
-to and from hosts running DOS, Windows 9x/ME, and OS/2. Please refer
-to the "Changes" section for details on the exact parameters that were
-updated.
-
-
-Registry Configuration Backend
-==============================
-
-Samba is now able to use a registry based configuration backed to
-supplement smb.conf setting. This feature may be enabled by setting
-"config backend = registry" and "registry shares = yes" in the [global]
-section of smb.conf and may be managed using the "net conf" command.
-
-More information may be obtained from the smb.conf(5) and net(8) man
-pages.
-
-
-Removed Features
-================
-
-Both the Python bindings and the libmsrpc shared library have been
-removed from the tree due to lack of an official maintainer.
-
-As smbfs is no longer supported in current kernel versions, smbmount has
-been removed in this Samba version. Please use cifs (mount.cifs) instead.
-See examples/scripts/mount/mount.smbfs as an example for a wrapper which
-calls mount.cifs instead of smbmount/mount.smbfs.
-
-
-Modified API for libsmbclient
-==============================================================================
-
-Maintaining ABI compatibility for libsmbclient has become increasingly
-difficult to accomplish, while also keeping the code organization such that it
-is easily readable. Towards the goal of maintaining ABI compatibility and
-also keeping the code easy to maintain and enhance, the API has been enhanced.
-In particular, the fields in the SMBCCTX context structure are no longer
-intended to be read/write by the user, and are marked as deprecated. An
-application that previously accessed the members of the SMBCCTX context
-structure will now encounter warnings if recompiled. This is intentional, to
-encourage implementation of the small changes required for the new interface.
-The number of changes is expected to be quite small for the vast majority of
-applications, and no changes need be made for many applications. The changes
-required for KDE (konqueror) to conform to the new interface, for example, are
-only four lines in only one file.
-
-Instead of the application manually changing or reading values in the context
-structure, there are now setter and getter functions for each configurable
-member in that structure. Similarly, the smbc_option_get() and
-smbc_option_set() functions are deprecated in favor of the setter/getter
-interface. The setters and getters are all documented in libsmbclient.h
-under these comment blocks:
-
- Getters and setters for CONFIGURATION
- Getters and setters for OPTIONS
- Getters and setters for FUNCTIONS
- Callable functions for files
- Callable functions for directories
- Callable functions applicable to both files and directories
-
-Example changes that may be required to eliminate "deprecated" warnings:
-
- /* Set the debug level */
- context->debug = 99;
-changes to:
- smbc_setDebug(context, 99);
-
- /* Specify the authentication callback function */
- context->callbacks.auth_fn = auth_smbc_get_data;
-changes to:
- smbc_setFunctionAuthData(context, auth_smbc_get_data);
-
- /* Specify the new-style authentication callback with context parameter */
- smbc_option_set("auth_function", auth_smbc_get_data_with_ctx);
-changes to:
- smbc_setFunctionAuthDataWithContext(context, auth_smbc_get_data_with_ctx);
-
- /* Set kerberos flags */
- context->flags = (SMB_CTX_FLAG_USE_KERBEROS |
- SMB_CTX_FLAG_FALLBACK_AFTER_KERBEROS);
-changes to:
- smbc_setOptionUseKerberos(context, 1);
- smbc_setOptionFallbackAfterKerberos(context, 1);
-
-
+Samba 4.0 will be the next version of the Samba suite and incorporates
+all the technology found in both the Samba4 series and the
+stable 3.x series. The primary additional features over Samba 3.6 are
+support for the Active Directory logon protocols used by Windows 2000
+and above.
+
+This release contains the best of all of Samba's
+technology parts, both a file server (that you can reasonably expect
+to upgrade existing Samba 3.x releases to) and the AD domain
+controller work previously known as 'samba4'.
+
+If you are upgrading, or looking to develop, test or deploy Samba 4.0
+releases candidates, you should backup all configuration and data.
+
+
+UPGRADING
+=========
+
+Users upgrading from Samba 3.x domain controllers and wanting to use
+Samba 4.0 as an AD DC should use the 'samba-tool domain
+classicupgrade' command. See the wiki for more details:
+https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO.
+
+Users upgrading from Samba 4.0 alpha and beta releases since alpha15
+should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
+Samba. Users upgrading from earlier alpha releases should contact the
+team for advice.
+
+Users upgrading an AD DC from any previous release should run
+'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
+with those matching the GPOs in LDAP and the defaults from an initial
+provision. This will set an underlying POSIX ACL if required (eg not
+using the NTVFS file server).
+
+If you used the BIND9_FLATFILE or BIND9_DLZ features,
+you'll have to add '-dns' to the 'server services' option,
+as the internal dns server (SAMBA_INTERNAL) is the default now.
+
+
+NEW FEATURES
+============
+
+Samba 4.0 supports the server-side of the Active Directory logon
+environment used by Windows 2000 and later, so we can do full domain
+join and domain logon operations with these clients.
+
+Our Domain Controller (DC) implementation includes our own built-in
+LDAP server and Kerberos Key Distribution Center (KDC) as well as the
+Samba3-like logon services provided over CIFS. We correctly generate
+the infamous Kerberos PAC, and include it with the Kerberos tickets we
+issue.
+
+Samba 4.0.0rc2 ships with two distinct file servers. We now use the
+file server from the Samba 3.x series 'smbd' for all file serving by
+default.
+
+Samba 4.0 also ships with the 'NTVFS' file server. This file server
+is what was used in all previous releases of Samba 4.0, and is
+tuned to match the requirements of an AD domain controller. We
+continue to support this, not only to provide continuity to
+installations that have deployed it as part of an AD DC, but also as a
+running example of the NT-FSA architecture we expect to move smbd to in
+the longer term.
+
+For pure file server work, the binaries users would expect from that
+series (nmbd, winbindd, smbpasswd) continue to be available. When
+running an AD DC, you only need to run 'samba' (not
+nmbd/smbd/winbind), as the required services are co-coordinated by this
+master binary.
+
+As DNS is an integral part of Active Directory, we also provide two DNS
+solutions, a simple internal DNS server for 'out of the box' configurations
+and a more elaborate BIND plugin using the BIND DLZ mechanism in versions
+9.8 and 9.9. During the provision, you can select which backend to use.
+With the internal backend, your DNS server is good to go.
+If you chose the BIND_DLZ backend, a configuration file will be generated
+for bind to make it use this plugin, as well as a file explaining how to
+set up bind.
+
+To provide accurate timestamps to Windows clients, we integrate with
+the NTP project to provide secured NTP replies. To use you need to
+start ntpd and configure it with the 'restrict ... ms-sntp' and
+ntpsigndsocket options.
+
+Finally, a new scripting interface has been added to Samba 4, allowing
+Python programs to interface to Samba's internals, and many tools and
+internal workings of the DC code is now implemented in python.