-Samba 4.0 supports the server-side of the Active Directory logon
-environment used by Windows 2000 and later, so we can do full domain
-join and domain logon operations with these clients.
-
-Our Domain Controller (DC) implementation includes our own built-in
-LDAP server and Kerberos Key Distribution Center (KDC) as well as the
-Samba3-like logon services provided over CIFS. We correctly generate
-the infamous Kerberos PAC, and include it with the Kerberos tickets we
-issue.
-
-Samba 4.0 beta ships with two distinct file servers. We now use the
-file server from the Samba 3.x series 'smbd' for all file serving by
-default.
-
-Samba 4.0 also ships with the 'NTVFS' file server. This file server
-is what was used in all previous alpha releases of Samba 4.0, and is
-tuned to match the requirements of an AD domain controller. We
-continue to support this, not only to provide continuity to
-installations that have deployed it as part of an AD DC, but also as a
-running example of the NT-FSA architecture we expect to move smbd to in
-the longer term.
-
-For pure file server work, the binaries users would expect from that
-series (nmbd, winbindd, smbpasswd) continue to be available. When
-running an AD DC, you only need to run 'samba' (not
-nmbd/smbd/winbind), as the required services are co-coordinated by this
-master binary.
-
-As DNS is an integral part of Active Directory, we also provide two DNS
-solutions, a simple internal DNS server for 'out of the box' configurations
-and a more elaborate BIND plugin using the BIND DLZ mechanism in versions
-9.8 and 9.9. During the provision, you can select which backend to use.
-With the internal backend, your DNS server is good to go.
-If you chose the BIND_DLZ backend, a configuration file will be generated
-for bind to make it use this plugin, as well as a file explaining how to
-set up bind.
-
-To provide accurate timestamps to Windows clients, we integrate with
-the NTP project to provide secured NTP replies. To use you need to
-start ntpd and configure it with the 'restrict ... ms-sntp' and
-ntpsigndsocket options.
-
-Finally, a new scripting interface has been added to Samba 4, allowing
-Python programs to interface to Samba's internals, and many tools and
-internal workings of the DC code is now implemented in python.
-
-CHANGES SINCE beta8
-===================
-
-For a list of changes since beta8, please see the git log.
-
-$ git clone git://git.samba.org/samba.git
-$ cd samba.git
-$ git log samba-4.0.0beta8..samba-4.0.0rc1
-
-Some major user-visible changes include:
-
-- The smbd file server now offers SMB3 as the maximum protocol
- by default. Samba can negotiate version 3 of the SMB protocol
- and supports the required features, including all required
- features of SMB 2.1 and SMB 2.0. Note that this does not imply
- that Samba implements all features of SMB3 since many of them
- are optional capabilities. Examples of features that Samba does
- not implement yet are leases (SMB 2.1) and multi-channel (SMB 3).
-
- Samba now offers an initial support for SMB2 durable file handles.
- These are enabled by default and can be turned off on a per share
- basis by setting "durable handles = no" on the share configuration.
- Note that in order to prevent conflicts with other applications
- accessing the same files, durable handles are only granted on
- shares that are configured for CIFS/SMB2-only access, i.e. more
- explicitly shares that are configured for minimal interoperability
- with these settings:
-
- kernel oplocks = no
- kernel share modes = no
- posix locking = no
-
- The option "kernel share modes" has been introduced to be able
- to turn the translation of SMB share modes into kernel flocks
- off.
-
-- The 'provision' script was merged into 'samba-tool'
- as 'samba-tool domain provision' the arguments are still
- the same.
-
-- The 'updateprovision' script was renamed to 'samba_upgradeprovision'.
-
-- We changed the default dns implementation to the internal dns server
- (SAMBA_INTERNAL). BIND9_FLATFILE and BIND9_DLZ are still available,
- but you'll have to add '-dns' to the 'server services' option
- to disable the internal dns server.
- The default for 'allow dns updates' has changed to 'secure only'.
-
-KNOWN ISSUES
-============
-
-- 'samba-tool domain classicupgrade' will fail when setting ACLs on
- the GPO folders with NT_STATUS_INVALID_ONWER in the default
- configuration. This happens if, as is typical a 'domain admins'
- group (-512) is mapped in the passdb backend being upgraded. This
- is because the group mapping to a GID only prevents Samba from
- allocating a uid for that group. The uid is needed so the 'domain
- admins' group can own the GPO file objects.
-
- To work around this issue, remove the 'domain admins' group before
- upgrade, as it will be re-created automatically. You will
- of course need to fill in the group membership again. A future release
- will make this automatic, or find some other workaround.
-
-- This release makes the s3fs file server the default, as this is the
- file server combination we will use for the Samba 4.0 release.