Release Announcements
=====================
-This is the first preview release of Samba 4.10. This is *not*
+This is the first pre release of Samba 4.15. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.10 will be the next version of the Samba suite.
+Samba 4.15 will be the next version of the Samba suite.
UPGRADING
=========
+New GPG key
+-----------
+
+The GPG release key for Samba releases changed from:
+
+pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
+ Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
+uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
+sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
+
+to the following new key:
+
+pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
+ Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
+uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
+sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
+
+Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
+
+See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
+
NEW FEATURES/CHANGES
====================
+- bind DLZ: Added the ability to set allow/deny lists for zone
+ transfer clients.
+ Up to now, any client could use a DNS zone transfer request
+ to the bind server, and get an answer from Samba.
+ Now the default behaviour will be to deny those request.
+ Two new options have been added to manage the list of
+ authorized/denied clients for zone transfer requests.
+ In order to be accepted, the request must be issued by a client
+ that is in the allow list and NOT in the deny list.
-GPO Improvements
-----------------
+samba-tool available without the ad-dc
+--------------------------------------
-A new 'samba-tool gpo export' command has been added that can export a
-set of Group Policy Objects from a domain in a generalised XML format.
+The samba-tool command is now available when samba is configured
+--without-ad-dc. Not all features will work, and some ad-dc specific options
+have been disabled. The samba-tool domain options, for example, are limited
+when no ad-dc is present. Samba must still be built with ads in order to enable
+samba-tool.
-A corresponding 'samba-tool gpo restore' command has been added to
-rebuild the Group Policy Objects from the XML after generalization.
-(The administrator needs to correct the values of XML entities between
-the backup and restore to account for the change in domain).
+Improved command line user experience
+-------------------------------------
-kdc prefork
------------
+Samba utilities did not consistently implement their command line interface. A
+number of options were requiring to specify values in one tool and not in the
+other, some options meant different in different tools.
+
+These should be stories of the past now. A new command line parser has been
+implemented with sanity checking. Also the command line interface has been
+simplified and provides better control for encryption, singing and kerberos.
+
+Also several command line options have a smb.conf variable to control the
+default now.
+
+All tools are logging to stderr by default. You can use --debug-stdout to
+change the behavior.
+
+### Common parser:
+
+Options added:
+--client-protection=off|sign|encrypt
+
+Options renamed:
+--kerberos -> --use-kerberos=required|desired|off
+--krb5-ccache -> --use-krb5-ccache=CCACHE
+--scope -> --netbios-scope=SCOPE
+--use-ccache -> --use-winbind-ccache
+
+Options removed:
+-e|--encrypt
+-C removed from --use-winbind-ccache
+-i removed from --netbios-scope
+-S|--signing
+
+
+### Duplicates in command line utils
+
+ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
+-e is not available for --editor anymore
+-s is not used for --configfile anymore
+
+ndrdump:
+-l is not available for --load-dso anymore
+
+net:
+-l is not available for --long anymore
+
+sharesec:
+-V is not available for --viewsddl anymore
+
+smbcquotas:
+--user -> --quota-user
+
+nmbd:
+--log-stdout -> --debug-stdout
+
+smbd:
+--log-stdout -> --debug-stdout
+
+winbindd:
+--log-stdout -> --debug-stdout
+
+Scanning of trusted domains and enterpise principals
+----------------------------------------------------
+
+As an artifact from the NT4 times, we still scanned the list of trusted domains
+on winbindd startup. This is wrong as we never can get a full picture in Active
+Directory. It is time to change the default value to No. Also with this change
+we always use enterprise principals for Kerberos so that the DC will be able
+to redirect ticket requests to the right DC. This is e.g needed for one way
+trusts. The options `winbind use krb5 enterprise principals` and
+`winbind scan trusted domains` will be deprecated in one of the next releases.
-The KDC now supports the pre-fork process model and worker processes will be
-forked for the KDC when the pre-fork process model is selected for samba.
REMOVED FEATURES
================
+Tru64 ACL support has been removed from this release. The last
+supported release of Tru64 UNIX was in 2012.
+
+NIS support has been removed from this release. This is not
+available in Linux distributions anymore.
+
+The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
+which have been out of support since 2018.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
+ Parameter Name Description Default
+ -------------- ----------- -------
+ client use kerberos New desired
+ client protection New default
+ preopen:posix-basic-regex New No
+ preopen:nomatch_log_level New 5
+ preopen:match_log_level New 5
+ preopen:nodigits_log_level New 1
+ preopen:founddigits_log_level New 3
+ preopen:reset_log_level New 5
+ preopen:push_log_level New 3
+ preopen:queue_log_level New 10
+ winbind use krb5 enterprise principals Changed Yes
+ winbind scan trusted domains Changed No
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
#######################################