UPGRADING
=========
-Nothing special.
+NTLMv1 authentication disabled by default
+-----------------------------------------
+
+In order to improve security we have changed
+the default value for the "ntlm auth" option from
+"yes" to "no". This may have impact on very old
+client which doesn't support NTLMv2 yet.
+
+The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
+
+By default Samba will only allow NTLMv2 via NTLMSSP now,
+as we have the following default "lanman auth = no",
+"ntlm auth = no" and "raw NTLMv2 auth = no".
NEW FEATURES/CHANGES
control. This can be used to monitor the active directory database
for changes.
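Review bot: the "ntlm auth" upgrade note above says what changed but not what an affected site has to do; since the same paragraph names MSCHAPv2 for VPNs and 802.1x as the primary NTLMv1 consumer, add one sentence stating that those deployments must now set "ntlm auth = yes" explicitly (with the understanding that this re-enables the weaker NTLMv1 exchange for every client) or migrate the RADIUS/VPN path off NTLMv1. Two wording fixes in the same paragraph: "very old client which doesn't support NTLMv2 yet" should read "very old clients which don't support NTLMv2 yet", and "as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no"" reads better as "since the defaults are now "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no"". It would also help to say in one line what "raw NTLMv2 auth = no" means in practice (NTLMv2 only inside NTLMSSP, not as a bare challenge/response), because the heading only talks about NTLMv1.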
+KCC improvements for sparse network replication
+-----------------------------------------------
+
+The Samba KCC will now be the default knowledge consistency checker in
+Samba AD. Instead of using full mesh replication between every DC, the
+KCC will set up connections to optimize replication latency and cost
+(using site links to calculate the routes). This change should allow
+larger domains to function significantly better in terms of replication
+traffic and the time spent performing DRS replication.
+
VLV - Virtual List View
-----------------------
Schema updates are also handled much more reliably.
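Review bot: the KCC section announces that the Samba KCC is now the default knowledge consistency checker but never names the switch that controls it; the smb.conf table in this same patch lists "kccsrv:samba_kcc  Changed default  yes", so say here that administrators who need the previous full-mesh behaviour can set "kccsrv:samba_kcc = no", and that the topology the new KCC builds depends on site links being configured correctly ("using site links to calculate the routes"), which is the first thing to check if replication latency gets worse after the upgrade rather than better. The last line of the section is a bare "+" blank line; that is fine for spacing but confirm it is intended and not a stray trailing line.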
+samba-tool drs replicate with new options
+-----------------------------------------
+
+samba-tool drs replicate got two new options:
+
+The option '--local-online' will do the DsReplicaSync() via IRPC
+to the local dreplsrv service.
+
+The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
+DsReplicaSync(), which won't wait for the replication result.
+
replPropertyMetaData Changes
----------------------------
It is now possible to remove the DNS entries created with 'net ads register'
with the matching 'net ads unregister' command.
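Review bot: the "samba-tool drs replicate" section opens with "got two new options:" and then describes each option in a loose paragraph; format them as a list using the "*" bullets the CTDB section already uses, and tighten the two descriptions. For '--local-online', state explicitly that the command must be run on the DC whose replication you want to trigger, because the DsReplicaSync() goes "via IRPC to the local dreplsrv service" rather than over the network. For '--async-op', spell out the consequence of "won't wait for the replication result": the command returns before replication has completed, so its exit status cannot be used by scripts as confirmation that the replication succeeded.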
+Samba-tool improvements
+------------------------
+
+Running samba-tool on the command line should now be a lot snappier. The tool
+now only loads the code specific to the subcommand that you wish to run.
+
+SMB 2.1 Leases enabled by default
+---------------------------------
+
+Leasing is an SMB 2.1 (and higher) feature which allows clients to
+aggressively cache files locally above and beyond the caching allowed
+by SMB 1 oplocks. This feature was disabled in previous releases, but
+the SMB2 leasing code is now considered mature and stable enough to be
+enabled by default.
+
+Open File Description (OFD) Locks
+---------------------------------
+
+On systems that support them (currently only Linux), the fileserver now
+uses Open File Description (OFD) locks instead of POSIX locks to implement
+client byte range locks. As these locks are associated with a specific
+file descriptor on a file this allows more efficient use when multiple
+descriptors having file locks are opened onto the same file. An internal
+tunable "smbd:force process locks = true" may be used to turn off OFD
+locks if there appear to be problems with them.
+
+Password sync as active directory domain controller
+---------------------------------------------------
+
+The new commands 'samba-tool user getpassword'
+and 'samba-tool user syncpasswords' provide
+access and syncing of various password fields.
+
+If compiled with GPGME support (--with-gpgme) it's
+possible to store cleartext passwords in a PGP/OpenGPG
+encrypted form by configuring the new "password hash gpg key ids"
+option. This requires gpgme devel and python packages to be installed
+(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
+
+Python crypto requirements
+--------------------------
+
+Some samba-tool subcommands require python-crypto and/or
+python-m2crypto packages to be installed.
+
+SmartCard/PKINIT improvements
+-----------------------------
+
+"samba-tool user create" accepts --smartcard-required
+and "samba-tool user setpassword" accepts --smartcard-required
+and --clear-smartcard-required.
+
+Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
+flags being set in the userAccountControl attribute.
+At the same time the account password is reset to a random
+NTHASH value.
+
+Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
+bit is set in the userAccountControl attribute of a user.
+
+When doing a PKINIT based kerberos logon the KDC adds the
+required PAC_CREDENTIAL_INFO element to the authorization data.
+That means the NTHASH is shared between the PKINIT based client and
+the domain controller, which allows the client to do NTLM based
+authentication on behalf of the user. It also allows on offline
+logon using a smartcard to work on Windows clients.
+
+CTDB changes
+------------
+
+* New improved ctdb tool
+
+ ctdb tool has been completely rewritten using new client API.
+ Usage messages are much improved.
+
+* Sample CTDB configuration file is installed as ctdbd.conf.
+
+* The use of real-time scheduling when taking locks has been narrowed
+ to limit potential performance impacts on nodes
+
+* CTDB_RECOVERY_LOCK now supports specification of an external helper
+ to take and hold the recovery lock
+
+ See the RECOVERY LOCK section in ctdb(7) for details. Documentation
+ for writing helpers is provided in doc/cluster_mutex_helper.txt.
+
+* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
+ command that has "master", "list" and "status" subcommands
+
+* The onnode command no longer supports the "recmaster", "lvs" and
+ "natgw" node specifications
+
+* Faster resetting of TCP connections to public IP addresses during
+ failover
+
+* Tunables MaxRedirectCount, ReclockPingPeriod,
+ DeferredRebalanceOnNodeAdd are now obsolete/ignored
+
+* "ctdb listvars" now lists all variables, including the first one
+
+* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
+ removed
+
+ These are not needed because "ctdb reloadips" should do the correct
+ rebalancing.
+
+* Output for the following commands has been simplified:
+
+ ctdb getdbseqnum
+ ctdb getdebug
+ ctdb getmonmode
+ ctdb getpid
+ ctdb getreclock
+ ctdb getpid
+ ctdb pnn
+
+ These now simply print the requested output with no preamble. This
+ means that scripts no longer need to strip part of the output.
+
+ "ctdb getreclock" now prints nothing when the recovery lock is not
+ set.
+
+* Output for the following commands has been improved:
+
+ ctdb setdebug
+ ctdb uptime
+
+* "ctdb process-exists" has been updated to only take a PID argument
+
+ The PNN can be specified with -n <PNN>. Output also cleaned up.
+
+* LVS support has been reworked - related commands and configuration
+ variables have changed
+
+ "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
+ "ctdb lvs" command that has "master", "list" and "status"
+ subcommands.
+
+ See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
+ including configuration changes.
+
+* Improved sample NFS Ganesha call-out
+
+New shadow_copy2 options
+------------------------
+
+shadow:snapprefix
+
+ With growing number of snapshots file-systems need some mechanism to
+ differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
+ special events, etc. Therefore these file-systems provide different ways to tag
+ snapshots, e.g. provide a configurable way to name snapshots, which is not just
+ based on time. With only shadow:format it is very difficult to filter these
+ snapshots. With this optional parameter, one can specify a variable prefix
+ component for names of the snapshot directories in the file-system. If this
+ parameter is set, together with the shadow:format and shadow:delimiter
+ parameters it determines the possible names of snapshot directories in the
+ file-system. The option only supports Basic Regular Expression (BRE).
+
+shadow:delimiter
+
+ This optional parameter is used as a delimiter between shadow:snapprefix and
+ shadow:format This parameter is used only when shadow:snapprefix is set.
+
+ Default: shadow:delimiter = "_GMT"
REMOVED FEATURES
These two parameters have long been deprecated and superseded by
"valid users" and "invalid users".
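Review bot: in the CTDB "Output for the following commands has been simplified" list, "ctdb getpid" appears twice; drop one occurrence. Several smaller fixes in the same hunk: "PGP/OpenGPG" should be "PGP/OpenPGP"; "the UF_SMARTCARD_REQUIRED flags being set" should be "flag"; "Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set" does not need the comma; "It also allows on offline logon using a smartcard" should be "an offline logon"; in the shadow:delimiter paragraph "shadow:snapprefix and shadow:format This parameter" is missing a full stop after "shadow:format"; and the underline below "Samba-tool improvements" is one character longer than the title. Three security-relevant clarifications are worth a sentence each: the "password hash gpg key ids" paragraph stores cleartext passwords in the directory, encrypted to the listed PGP keys, so it should say plainly that anyone holding the matching private key can recover every synced password and that the key material therefore needs the same protection as the domain's password database; the PKINIT paragraph says the NTHASH is shared with the client in PAC_CREDENTIAL_INFO and "allows the client to do NTLM based authentication on behalf of the user", so it should state what protects that element on the wire and which party is able to read it, since the hash is a reusable credential; and the OFD locks paragraph should say outright that "smbd:force process locks = true" reverts the fileserver to POSIX (per-process) locks, because the tunable's name does not make the direction of the switch obvious. Finally, "shadow:snapprefix" says the option "only supports Basic Regular Expression (BRE)" but gives no sample value; one example prefix with the matching shadow:format would make the three-parameter interaction clear, and "Default:" is given for shadow:delimiter but not for shadow:snapprefix.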
+
smb.conf changes
-----------------
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ kccsrv:samba_kcc Changed default yes
+ ntlm auth Changed default no
+ only user Removed
+ password hash gpg key ids New
+ shadow:snapprefix New
+ shadow:delimiter New _GMT
+ smb2 leases Changed default yes
+ username Removed
- Parameter Name Description Default
- -------------- ----------- -------
- only user Removed
- username Removed
KNOWN ISSUES
============
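Review bot: the "smb.conf changes" heading ends up with two underlines, because "+================" is added directly beneath the heading while the existing "-----------------" underline is kept as unchanged context; remove the dashed line in the same change so the heading has exactly one underline. The rebuilt table has also lost its column alignment: "Parameter Name Description Default" and the dash row no longer line up with entries such as "kccsrv:samba_kcc Changed default yes" and "shadow:delimiter New _GMT", so pad the columns as the original table did. Two consistency checks against the prose earlier in the patch: the UPGRADING section presents "lanman auth = no" and "raw NTLMv2 auth = no" alongside "ntlm auth = no" as the relevant defaults, so if either of those defaults changed in this release it is missing from the table, and if they did not, consider saying so in UPGRADING to avoid the impression that all three changed; and the OFD locks section introduces the "smbd:force process locks" tunable, which is absent here, so either list it as New or note in that section that internal tunables are intentionally excluded from this table.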