Release Announcements
=====================
-This is the first preview release of Samba 4.5. This is *not*
+This is the first release candidate of Samba 4.10. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.10 will be the next version of the Samba suite.
UPGRADING
=========
-NTLMv1 authentication disabled by default
------------------------------------------
-
-In order to improve security we have changed
-the default value for the "ntlm auth" option from
-"yes" to "no". This may have impact on very old
-client which doesn't support NTLMv2 yet.
-
-The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
-
-By default Samba will only allow NTLMv2 via NTLMSSP now,
-as we have the following default "lanman auth = no",
-"ntlm auth = no" and "raw NTLMv2 auth = no".
-
NEW FEATURES/CHANGES
====================
-Support for LDAP_SERVER_NOTIFICATION_OID
-----------------------------------------
-
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
-
-KCC improvements for sparse network replication
------------------------------------------------
-
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
-
-VLV - Virtual List View
------------------------
-
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
-
-DRS Replication for the AD DC
------------------------------
-
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
-
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users. Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
-
-Schema updates are also handled much more reliably.
+GPO Improvements
+----------------
-samba-tool drs replicate with new options
------------------------------------------
+A new 'samba-tool gpo export' command has been added that can export a
+set of Group Policy Objects from a domain in a generalised XML format.
-samba-tool drs replicate got two new options:
+A corresponding 'samba-tool gpo restore' command has been added to
+rebuild the Group Policy Objects from the XML after generalization.
+(The administrator needs to correct the values of XML entities between
+the backup and restore to account for the change in domain).
-The option '--local-online' will do the DsReplicaSync() via IRPC
-to the local dreplsrv service.
+kdc prefork
+-----------
-The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
-DsReplicaSync(), which won't wait for the replication result.
+The KDC now supports the pre-fork process model and worker processes will be
+forked for the KDC when the pre-fork process model is selected for samba.
-replPropertyMetaData Changes
-----------------------------
-
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly. To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
-
-Linked attributes on deleted objects
-------------------------------------
-
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes. However, Samba incorrectly maintained such
-links, slowing replication and run-time performance. dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
-
-Improved AD DC performance
---------------------------
-
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
-
-Other dbcheck improvements
+prefork 'prefork children'
--------------------------
- - samba-tool dbcheck can now find and fix a missing or corrupted
- 'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
- in objectClass as these were then re-sorted at the next dbcheck indefinitely.
-
-Tombstone Reanimation
----------------------
-
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
-
-Multiple DNS Forwarders on the AD DC
-------------------------------------
-
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
-
-Password quality plugin support in the AD DC
---------------------------------------------
-
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
+The default value for this smdb.conf parameter has been increased from 1 to
+4.
-pwdLastSet is now correctly honoured
-------------------------------------
+netlogon prefork
+----------------
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
+DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are
+pre-forked when the prefork process model is selected for samba.
-net ads dns unregister
+Offline domain backups
----------------------
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
+The 'samba-tool domain backup' command has been extended with a new 'offline'
+option. This safely creates a backup of the local DC's database directly from
+disk. The main benefits of an offline backup are it's quicker, it stores more
+database details (for forensic purposes), and the samba process does not have
+to be running when the backup is made. Refer to the samba-tool help for more
+details on using this command.
-Samba-tool improvements
-------------------------
+Group membership statistics
+---------------------------
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
+A new 'samba-tool group stats' command has been added. This provides summary
+information about how the users are spread across groups in your domain.
+The 'samba-tool group list --verbose' command has also been updated to include
+the number of users in each group.
-SMB 2.1 Leases enabled by default
----------------------------------
-
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
-
-Open File Description (OFD) Locks
----------------------------------
-
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
-
-Password sync as active directory domain controller
----------------------------------------------------
+prefork process restart
+-----------------------
-The new commands 'samba-tool user getpassword'
-and 'samba-tool user syncpasswords' provide
-access and syncing of various password fields.
+The pre-fork process model now restarts failed processes. The delay between
+restart attempts is controlled by the "prefork backoff increment" (default = 10)
+and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear
+back off strategy is used with "prefork backoff increment" added to the
+delay between restart attempts up until it reaches "prefork maximum backoff".
-If compiled with GPGME support (--with-gpgme) it's
-possible to store cleartext passwords in a PGP/OpenGPG
-encrypted form by configuring the new "password hash gpg key ids"
-option. This requires gpgme devel and python packages to be installed
-(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
+Using the default sequence the restart delays (in seconds) are:
+ 0, 10, 20, ..., 120, 120, ...
-Python crypto requirements
---------------------------
+standard process model
+----------------------
-Some samba-tool subcommands require python-crypto and/or
-python-m2crypto packages to be installed.
+When using the standard process model samba forks a new process to handle ldap
+and netlogon connections. Samba now honours the 'max smbd processes' smb.conf
+parameter. The default value of 0, indicates there is no limit. The limit
+is applied individually to netlogon and ldap. When the process limit is
+exceeded Samba drops new connections immediately.
-SmartCard/PKINIT improvements
------------------------------
+python3 support
+---------------
-"samba-tool user create" accepts --smartcard-required
-and "samba-tool user setpassword" accepts --smartcard-required
-and --clear-smartcard-required.
+The version of python which is now the default for samba is python3.
+'configure' & 'make' will execute using python3. It is possible to still
+specify an additional python version with '--extra-python'
+e.g. '--extra-python=/usr/bin/python2'. It should be noted that support for
+this option will be deprecated in a future release.
-Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
-flags being set in the userAccountControl attribute.
-At the same time the account password is reset to a random
-NTHASH value.
+What if I need to build with python2? To build with python2 you *must* set
+the 'PYTHON' environent variable to override the python3 default for both
+'configure' and 'make' steps.
-Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
-bit is set in the userAccountControl attribute of a user.
+ 'PYTHON=python2 ./configure.developer'
+&
+ 'PYTHON=python2 make'
-When doing a PKINIT based kerberos logon the KDC adds the
-required PAC_CREDENTIAL_INFO element to the authorization data.
-That means the NTHASH is shared between the PKINIT based client and
-the domain controller, which allows the client to do NTLM based
-authentication on behalf of the user. It also allows on offline
-logon using a smartcard to work on Windows clients.
+Note: Support for python2 (with the exception of a build configured with
+ 'PYTHON=python2 ./configure --disable-python' and built with
+ 'PYTHON=python2 make' will be deprecated in the next release.
-CTDB changes
+JSON logging
------------
-* New improved ctdb tool
-
- ctdb tool has been completely rewritten using new client API.
- Usage messages are much improved.
-
-* Sample CTDB configuration file is installed as ctdbd.conf.
-
-* The use of real-time scheduling when taking locks has been narrowed
- to limit potential performance impacts on nodes
-
-* CTDB_RECOVERY_LOCK now supports specification of an external helper
- to take and hold the recovery lock
-
- See the RECOVERY LOCK section in ctdb(7) for details. Documentation
- for writing helpers is provided in doc/cluster_mutex_helper.txt.
-
-* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
- command that has "master", "list" and "status" subcommands
+Authentication messages now contain the Windows Event Id "eventId" and logon
+type "logonType". The supported event codes and logon types are:
+ Event codes:
+ 4624 Successful logon
+ 4625 Unsuccessful logon
-* The onnode command no longer supports the "recmaster", "lvs" and
- "natgw" node specifications
+ Logon Types:
+ 2 Interactive
+ 3 Network
+ 8 NetworkCleartext
-* Faster resetting of TCP connections to public IP addresses during
- failover
+The version number for Authentication messages is now 1.1, changed from 1.0
-* Tunables MaxRedirectCount, ReclockPingPeriod,
- DeferredRebalanceOnNodeAdd are now obsolete/ignored
+Password change messages now contain the Windows Event Id "eventId", the
+supported event Id's are:
+ 4723 Password changed
+ 4724 Password reset
-* "ctdb listvars" now lists all variables, including the first one
+The version number for PasswordChange messages is now 1.1, changed from 1.0
-* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
- removed
+Group membership change messages now contain the Windows Event Id "eventId",
+the supported event Id's are:
+ 4728 A member was added to a security enabled global group
+ 4729 A member was removed from a security enabled global group
+ 4732 A member was added to a security enabled local group
+ 4733 A member was removed from a security enabled local group
+ 4746 A member was added to a security disabled local group
+ 4747 A member was removed from a security disabled local group
+ 4751 A member was added to a security disabled global group
+ 4752 A member was removed from a security disabled global group
+ 4756 A member was added to a security enabled universal group
+ 4757 A member was removed from a security enabled universal group
+ 4761 A member was added to a security disabled universal group
+ 4762 A member was removed from a security disabled universal group
- These are not needed because "ctdb reloadips" should do the correct
- rebalancing.
-* Output for the following commands has been simplified:
+The version number for GroupChange messages is now 1.1, changed from 1.0. Also
+A GroupChange message is generated when a new user is created to log that the
+user has been added to their primary group.
- ctdb getdbseqnum
- ctdb getdebug
- ctdb getmonmode
- ctdb getpid
- ctdb getreclock
- ctdb getpid
- ctdb pnn
+The leading "JSON <message type>:" and source file prefix of the JSON formatted
+log entries has been removed to make the parsing of the JSON log messages
+easier. JSON log entries now start with 2 spaces followed by an opening brace
+i.e. " {"
- These now simply print the requested output with no preamble. This
- means that scripts no longer need to strip part of the output.
- "ctdb getreclock" now prints nothing when the recovery lock is not
- set.
-* Output for the following commands has been improved:
- ctdb setdebug
- ctdb uptime
-
-* "ctdb process-exists" has been updated to only take a PID argument
-
- The PNN can be specified with -n <PNN>. Output also cleaned up.
-
-* LVS support has been reworked - related commands and configuration
- variables have changed
-
- "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
- "ctdb lvs" command that has "master", "list" and "status"
- subcommands.
-
- See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
- including configuration changes.
-
-* Improved sample NFS Ganesha call-out
+REMOVED FEATURES
+================
+MIT Kerberos build of the AD DC
+-------------------------------
+While not removed, the MIT Kerberos build of the Samba AD DC is still
+considered experimental. Because Samba will not issue security
+patches for this configuration, such builds now require the explicit
+configure option: --with-experimental-mit-ad-dc
-REMOVED FEATURES
-================
+For further details see
+https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
-only user and username parameters
----------------------------------
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
+samba_backup
+------------
+The samba_backup script has been removed. This has now been replaced by the
+'samba-tool domain backup offline' command.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- kccsrv:samba_kcc Changed default yes
- ntlm auth Changed default no
- only user Removed
- password hash gpg key ids New
- smb2 leases Changed default yes
- username Removed
-
+ Parameter Name Description Default
+ -------------- ----------- -------
+ prefork backoff increment Delay added to process restart 10 (seconds)
+ between attempts.
+ prefork maximum backoff Maximum delay for process between 120 (seconds)
+ process restart attempts
+ smbd search ask sharemode Name changed, old name was
+ "smbd:search ask sharemode"
+ smbd async dosmode Name changed, old name was
+ "smbd:async dosmode"
+ smbd max async dosmode Name changed, old name was
+ "smbd:max async dosmode"
+ smbd getinfo ask sharemode New: similar to "smbd search ask yes
+ sharemode" but for SMB getinfo
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion