Release Announcements
=====================
-This is the first preview release of Samba 4.12. This is *not*
+This is the first pre release of Samba 4.20. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.12 will be the next version of the Samba suite.
+Samba 4.20 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
-Python 3.5 Required
--------------------
+New Minimum MIT Krb5 version for Samba AD Domain Controller
+-----------------------------------------------------------
-Samba's minimum runtime requirement for python was raised to Python
-3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
-3.5 both to access new features and because this is the oldest version
-we test with in our CI infrastructure.
+Samba now requires MIT 1.21 when built against a system MIT Krb5 and
+acting as an Active Directory DC. This addresses the issues that were
+fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
+Samba builds against the MIT version that allows us to avoid that
+attack.
-(Build time support for the file server with Python 2.6 has not
-changed)
+Removed dependency on Perl JSON module
+--------------------------------------
-GnuTLS 3.4.7 required
----------------------
+Distributions are advised that the Perl JSON package is no longer
+required by Samba builds that use the imported Heimdal. The build
+instead uses Perl's JSON::PP built into recent perl5 versions.
-Samba is making efforts to remove in-tree cryptographic functionality,
-and to instead rely on externally maintained libraries. To this end,
-Samba has chosen GnuTLS as our standard cryptographic provider.
-
-Samba now requires GnuTLS 3.4.7 to be installed (including development
-headers at build time) for all configurations, not just the Samba AD
-DC.
-
-Using GnuTLS for SMB3 encryption you will notice huge performance and copy
-speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
-show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
-
-NOTE WELL: The use of GnuTLS means that Samba will honour the
-system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
-standard) and so will not operate in many still common situations if
-this system-wide parameter is in effect, as many of our protocols rely
-on outdated cryptography.
-
-A future Samba version will mitigate this to some extent where good
-cryptography effectively wraps bad cryptography, but for now that above
-applies.
+Current lists of packages required by Samba for major distributions
+are found in the bootstrap/generated-dists/ directory of a Samba
+source tree. While there will be some differences - due to features
+chosen by packagers - comparing these lists with the build dependencies
+in a package may locate other dependencies we no longer require.
REMOVED FEATURES
================
-The smb.conf parameter "write cache size" has been removed.
-
-Since the in-memory write caching code was written, our write path has
-changed significantly. In particular we have gained very flexible
-support for async I/O, with the new linux io_uring interface in
-development. The old write cache concept which cached data in main
-memory followed by a blocking pwrite no longer gives any improvement
-on modern systems, and may make performance worse on memory-contrained
-systems, so this functionality should not be enabled in core smbd
-code.
-
-In addition, it complicated the write code, which is a performance
-critical code path.
-
-If required for specialist purposes, it can be recreated as a VFS
-module.
-
-BIND9_FLATFILE deprecated
--------------------------
-
-The BIND9_FLATFILE DNS backend is deprecated in this release and will
-be removed in the future. This was only practically useful on a single
-domain controller or under expert care and supervision.
-
-This release removes the "rndc command" smb.conf parameter, which
-supported this configuration by writing out a list of DCs permitted to
-make changes to the DNS Zone and nudging the 'named' server if a new
-DC was added to the domain. Administrators using BIND9_FLATFILE will
-need to maintain this manually from now on.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
+ Parameter Name Description Default
+ -------------- ----------- -------
+ smb3 unix extensions removed always offered
- nfs4:acedup Changed default merge
- rndc command Removed
- write cache size Removed
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / metze / samba / wip.git / blobdiff