X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=WHATSNEW.txt;h=25bd1ab4f6eec4968a6e049c873818268841c8f9;hb=60f16bacdc242a8512df352dcdd625661e4b25ad;hp=7ec83acb164488376a7007736b61653339ec18ae;hpb=bff228dc2c6ecd3ecaed7298f6627c323f8a053c;p=mat%2Fsamba.git diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7ec83acb16..25bd1ab4f6 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,154 +1,311 @@ -What's new in Samba 4 alpha4 -============================ - -Samba 4 is the ambitious next version of the Samba suite that is being -developed in parallel to the stable 3.0 series. The main emphasis in -this branch is support for the Active Directory logon protocols used -by Windows 2000 and above. - -Samba 4 is currently not yet in a state where it is usable in -production environments. Note the WARNINGS below, and the STATUS file, -which aims to document what should and should not work. - -Samba4 alpha4 follows on from our third alpha release since September -last year. - -WARNINGS -======== - -Samba4 alpha4 is not a final Samba release. That is more a reference -to Samba4's lack of the features we expect you will need than a -statement of code quality, but clearly it hasn't seen a broad -deployment yet. If you were to upgrade Samba3 (or indeed Windows) to -Samba4, you would find many things work, but that other key features -you may have relied on simply are not there yet. - -For example, while Samba 3.0 is an excellent member of a Active -Directory domain, Samba4 is happier as a domain controller: (This is -where we have done most of the research and development). - -While Samba4 is subjected to an awesome battery of tests on an -automated basis, and we have found Samba4 to be very stable in it's -behaviour, we have to recommend against upgrading production servers -from Samba 3 to Samba 4 at this stage. If you are upgrading an -experimental server, or looking to develop and test Samba, you should -backup all configuration and data. +Release Announcements +===================== -NEW FEATURES -============ +This is the second release candidate of Samba 4.0. This is *not* +intended for production environments and is designed for testing +purposes only. Please report any defects via the Samba bug reporting +system at https://bugzilla.samba.org/. -Samba4 supports the server-side of the Active Directory logon environment -used by Windows 2000 and later, so we can do full domain join -and domain logon operations with these clients. +Samba 4.0 will be the next version of the Samba suite and incorporates +all the technology found in both the Samba4 series and the +stable 3.x series. The primary additional features over Samba 3.6 are +support for the Active Directory logon protocols used by Windows 2000 +and above. -Our Domain Controller (DC) implementation includes our own built-in -LDAP server and Kerberos Key Distribution Center (KDC) as well as the -Samba3-like logon services provided over CIFS. We correctly generate -the infamous Kerberos PAC, and include it with the Kerberos tickets we -issue. +This release contains the best of all of Samba's +technology parts, both a file server (that you can reasonably expect +to upgrade existing Samba 3.x releases to) and the AD domain +controller work previously known as 'samba4'. -The new VFS features in Samba 4 adapts the filesystem on the server to -match the Windows client semantics, allowing Samba 4 to better match -windows behaviour and application expectations. This includes file -annotation information (in streams) and NT ACLs in particular. The -VFS is backed with an extensive automated test suite. +If you are upgrading, or looking to develop, test or deploy Samba 4.0 +releases candidates, you should backup all configuration and data. -A new scripting interface has been added to Samba 4, allowing -Python programs to interface to Samba's internals. -The Samba 4 architecture is based around an LDAP-like database that -can use a range of modular backends. One of the backends supports -standards compliant LDAP servers (including OpenLDAP), and we are -working on modules to map between AD-like behaviours and this backend. -We are aiming for Samba 4 to be powerful frontend to large -directories. +UPGRADING +========= -CHANGES SINCE Alpha3 -===================== +Users upgrading from Samba 3.x domain controllers and wanting to use +Samba 4.0 as an AD DC should use the 'samba-tool domain +classicupgrade' command. See the wiki for more details: +https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO. -In the time since Samba4 Alpha2 was released in December 2007, Samba has -continued to evolve, but you may particularly notice these areas: +Users upgrading from Samba 4.0 alpha and beta releases since alpha15 +should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting +Samba. Users upgrading from earlier alpha releases should contact the +team for advice. - Python Bindings: Bindings for Python are now used for all internal - scripting, and the system python installation is used to run all - Samba python scripts (in place of smbpython found in the previous - alpha). +Users upgrading an AD DC from any previous release should run +'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share +with those matching the GPOs in LDAP and the defaults from an initial +provision. This will set an underlying POSIX ACL if required (eg not +using the NTVFS file server). - As such Python is no longer optional, and configure will generate an - error if it cannot locate an appropriate Python installation. +If you used the BIND9_FLATFILE or BIND9_DLZ features, +you'll have to add '-dns' to the 'server services' option, +as the internal dns server (SAMBA_INTERNAL) is the default now. - SWAT Remains Disabled: Due to a lack of developer time and without a - long-term web developer to maintain it, the SWAT web UI remains been - disabled (and would need to be rewritten in python in any case). - GNU Make: To try and simplfy our build system, we rely on GNU Make - to avoid autogenerating a massive single makefile. +NEW FEATURES +============ - Registry: Samba4's registry library has continued to improve. +Samba 4.0 supports the server-side of the Active Directory logon +environment used by Windows 2000 and later, so we can do full domain +join and domain logon operations with these clients. - ID mapping: Samba4 uses the internal ID mapping in winbind for all - but a few core users. Samba users should not appear in /etc/passwd, - as Samba will generate new user and group IDs regradless. +Our Domain Controller (DC) implementation includes our own built-in +LDAP server and Kerberos Key Distribution Center (KDC) as well as the +Samba3-like logon services provided over CIFS. We correctly generate +the infamous Kerberos PAC, and include it with the Kerberos tickets we +issue. - NTP: Samba4 can act as a signing server for the ntp.org NTP deamon, - allowing NTPd to reply using Microsoft's non-standard signing - scheme. A patch to make NTPd talk to Samba for this purpose has - been submitted to the ntp.org project. +Samba 4.0.0rc2 ships with two distinct file servers. We now use the +file server from the Samba 3.x series 'smbd' for all file serving by +default. + +Samba 4.0 also ships with the 'NTVFS' file server. This file server +is what was used in all previous releases of Samba 4.0, and is +tuned to match the requirements of an AD domain controller. We +continue to support this, not only to provide continuity to +installations that have deployed it as part of an AD DC, but also as a +running example of the NT-FSA architecture we expect to move smbd to in +the longer term. + +For pure file server work, the binaries users would expect from that +series (nmbd, winbindd, smbpasswd) continue to be available. When +running an AD DC, you only need to run 'samba' (not +nmbd/smbd/winbind), as the required services are co-coordinated by this +master binary. + +As DNS is an integral part of Active Directory, we also provide two DNS +solutions, a simple internal DNS server for 'out of the box' configurations +and a more elaborate BIND plugin using the BIND DLZ mechanism in versions +9.8 and 9.9. During the provision, you can select which backend to use. +With the internal backend, your DNS server is good to go. +If you chose the BIND_DLZ backend, a configuration file will be generated +for bind to make it use this plugin, as well as a file explaining how to +set up bind. + +To provide accurate timestamps to Windows clients, we integrate with +the NTP project to provide secured NTP replies. To use you need to +start ntpd and configure it with the 'restrict ... ms-sntp' and +ntpsigndsocket options. + +Finally, a new scripting interface has been added to Samba 4, allowing +Python programs to interface to Samba's internals, and many tools and +internal workings of the DC code is now implemented in python. + + +###################################################################### +Changes +####### + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + + allow dns updates New secure only + announce as Removed + announce version Removed + cldap port New 0 + client max protocol New + client min protocol New + client signing Changed default default + dcerpc endpoint servers New + dgram port New 0 + directory security mask Removed + display charset Removed + dns forwarder New + dns update command New + force security mode Removed + force directory security mode Removed + homedir map Changed default auto.home + kernel share modes New Yes + kpasswd port New 0 + krb5 port New 0 + max protocol Removed + min protocol Removed + nbt client socket address New 0.0.0.0 + nbt port New 0 + nsupdate command New + ntp signd socket directory New + ntvfs handler New + paranoid server security Removed + pid directory New + printer admin Removed + rndc command New + rpc big endian New No + samba kcc command New + security mask Removed + send spnego principal Removed + server max protocol New SMB3 + server min protocol New LANMAN1 + server role New auto + server services New + server signing Changed default default + share backend New + share modes Removed + smb2 max read Changed default 1048576 + smb2 max write Changed default 1048576 + smb2 max trans Changed default 1048576 + socket address Removed + spn update command New + time offset Removed + tls cafile New + tls certfile New + tls crlfile New + tls dh params file New + tls enabled New No + tls keyfile New + unicode New Yes + web port New 0 + winbindd privileged socket directory New + winbind sealed pipes New No + winbindd socket directory New + + +CHANGES SINCE 4.0.0rc1 +====================== + +o Michael Adam + * BUG 9173: Make the SMB2 compound request create/delete_on_close/ + close work as Windows. + + +o Jeremy Allison + * BUG 9161: Re-add the vfs_Chdir() cache. + * BUG 9189: SMB2 Create doesn't return correct MAX ACCESS access mask in + blob. + * BUG 9213: Bad ASN.1 NegTokenInit packet can cause invalid free. + + +o Christian Ambach + * BUG 9162: Fix the build of the GPFS VFS module. + * BUG 9197: Only do 'printing_subsystem_update' when printing is enabled. + + +o Alexander Bokovoy + * BUG 9157: Cleanup idmap_ldap build dependencies. + + +o Ira Cooper + * BUG 9162: Fix build on Illumos/Solaris using '--with-acl'. + * BUG 9173: Compound requests should continue processing. + + +o Björn Jacke + * BUG 9162: Fix the build of the ACL VFS modules. + * BUG 9172: Fix reporting of gfs2 quotas. + + +o Volker Lendecke + * BUG 9217: CreateFile with FILE_DIRECTORY_FILE can create directories + on read-only shares. + + +o Stefan Metzmacher + * BUG 9173: Make the SMB2 compound request create/delete_on_close/ + close work as Windows. + * BUG 9184: Fix receiving of UDP packets from 0 bytes. + * BUG 9191: Release the share mode lock before calling exit_server(). + * BUG 9193: Fix usage of invalid memory in smb2_signing_check_pdu(). + * BUG 9194: Disallow '--prefix=/usr' and '--prefix=/usr/local' without + '--enable-fhs'. + * BUG 9198: Fix RHEL-CTDB packaging. + + +o Matthieu Patou + * BUG 9199: Fix usage of "panic action". + + +o Andreas Schneider + * BUG 8632: Fix builtin forms order to match Windows again. + * BUG 9159: Fix generating idmap manpages. + * BUG 9218: Don't segfault if user specified ports out for range. - CLDAP: Users should experience less arbitary delays and more success with - group policy, domain joins and logons due to an improved - implementation of CLDAP and the 'netlogon' mailslot datagrams. - DCOM: In preperation for merging the Samba4-based 'python-wmi' - implementation of a WMI client, Samba's previously abandoned DCOM - client has been revived. +KNOWN ISSUES +============ - SMB2: The Samba4 SMB2 server and testsuite have been greatly - improved, but the SMB2 server remains off by default. +- 'samba-tool domain classicupgrade' will fail when setting ACLs on + the GPO folders with NT_STATUS_INVALID_ONWER in the default + configuration. This happens if, as is typical a 'domain admins' + group (-512) is mapped in the passdb backend being upgraded. This + is because the group mapping to a GID only prevents Samba from + allocating a uid for that group. The uid is needed so the 'domain + admins' group can own the GPO file objects. -These are just some of the highlights of the work done in the past few -months. More details can be found in our GIT history. + To work around this issue, remove the 'domain admins' group before + upgrade, as it will be re-created automatically. You will + of course need to fill in the group membership again. A future release + will make this automatic, or find some other workaround. +- This release makes the s3fs file server the default, as this is the + file server combination we will use for the Samba 4.0 release. -CHANGES -======= +- For similar reasons, sites with ACLs stored by the ntvfs file server + may wish to continue to use that file server implementation, as a + posix ACL will similarly not be set in this case. -Those familiar with Samba 3 can find a list of user-visible changes -since that release series in the NEWS file. +- Replication of DNS data from one AD server to another may not work. + The DNS data used by the internal DNS server and bind9_dlz is stored + in an application partition in our directory. The replication of + this partition is not yet reliable. -KNOWN ISSUES -============ +- Replication may fail on FreeBSD due to getaddrinfo() rejecting names + containing _. A workaround will be in a future release. -- Domain member support is in it's infancy, and is not comparable to - the support found in Samba3. +- samba_upgradeprovision should not be run when upgrading to this release + from a recent release. No important database format changes have + been made since alpha16. -- There is no printing support in the current release. +- Installation on systems without a system iconv (and developer + headers at compile time) is known to cause errors when dealing with + non-ASCII characters. -- There is no netbios browsing support in the current release +- Domain member support in the 'samba' binary is in its infancy, and + is not comparable to the support found in winbindd. As such, do not + use the 'samba' binary (provided for the AD server) on a member + server. -- The Samba4 port of the CTDB clustering support is not yet complete +- There is no NetBIOS browsing support (network neighbourhood) + available for the AD domain controller. (Support in nmbd and smbd + for classic domains and member/standalone servers is unchanged). - Clock Synchronisation is critical. Many 'wrong password' errors are actually due to Kerberos objecting to a clock skew between client - and server. (The NTP work is partly to assist with this problem). + and server. (The NTP work in the previous alphas are partly to assist + with this problem). + +- The DRS replication code may fail. Please contact the team if you + experience issues with DRS replication, as we have fixed many issues + here in response to feedback from our production users. + + +RUNNING Samba 4.0 as an AD DC +============================= + +A short guide to setting up Samba 4 as an AD DC can be found on the wiki: + http://wiki.samba.org/index.php/Samba4/HOWTO -RUNNING Samba4 -============== +####################################### +Reporting bugs & Development Discussion +####################################### -A short guide to setting up Samba 4 can be found in the howto.txt file -in root of the tarball. +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. -DEVELOPMENT and FEEDBACK -======================== -Bugs can be filed at https://bugzilla.samba.org/ but please be aware -that many features are simply not expected to work at this stage. +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.0 product in the project's Bugzilla +database (https://bugzilla.samba.org/). -The Samba Wiki at http://wiki.samba.org should detail some of these -development plans. -Development and general discussion about Samba 4 happens mainly on -the #samba-technical IRC channel (on irc.freenode.net) and -the samba-technical mailing list (see http://lists.samba.org/ for -details). +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +======================================================================