- =================================
- Release Notes for Samba 3.6.0pre1
- July 28, 2010
- =================================
+Release Announcements
+=====================
-
-This is the first preview release of Samba 3.6. This is *not*
+This is the first preview release of Samba 4.5. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
+Samba 4.5 will be the next version of the Samba suite.
+
+
+UPGRADING
+=========
+
+NTLMv1 authentication disabled by default
+-----------------------------------------
+
+In order to improve security we have changed
+the default value for the "ntlm auth" option from
+"yes" to "no". This may have impact on very old
+client which doesn't support NTLMv2 yet.
+
+The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
+
+By default Samba will only allow NTLMv2 via NTLMSSP now,
+as we have the following default "lanman auth = no",
+"ntlm auth = no" and "raw NTLMv2 auth = no".
+
+
+NEW FEATURES/CHANGES
+====================
+
+Support for LDAP_SERVER_NOTIFICATION_OID
+----------------------------------------
+
+The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
+control. This can be used to monitor the active directory database
+for changes.
+
+KCC improvements for sparse network replication
+-----------------------------------------------
+
+The Samba KCC will now be the default knowledge consistency checker in
+Samba AD. Instead of using full mesh replication between every DC, the
+KCC will set up connections to optimize replication latency and cost
+(using site links to calculate the routes). This change should allow
+larger domains to function significantly better in terms of replication
+traffic and the time spent performing DRS replication.
+
+VLV - Virtual List View
+-----------------------
+
+The VLV Control allows applications to page the LDAP directory in the
+way you might expect a live phone book application to operate, without
+first downloading the entire directory.
+
+DRS Replication for the AD DC
+-----------------------------
+
+DRS Replication in Samba 4.5 is now much more efficient in handling
+linked attributes, particularly in large domains with over 1000 group
+memberships or other links.
+
+Replication is also much more reliable in the handling of tree
+renames, such as the rename of an organizational unit containing many
+users. Extensive tests have been added to ensure this code remains
+reliable, particularly in the case of conflicts between objects added
+with the same name on different servers.
+
+Schema updates are also handled much more reliably.
+
+samba-tool drs replicate with new options
+-----------------------------------------
+
+samba-tool drs replicate got two new options:
+
+The option '--local-online' will do the DsReplicaSync() via IRPC
+to the local dreplsrv service.
+
+The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
+DsReplicaSync(), which won't wait for the replication result.
+
+replPropertyMetaData Changes
+----------------------------
+
+During the development of the DRS replication, tests showed that Samba
+stores the replPropertyMetaData object incorrectly. To address this,
+be aware that dbcheck will now detect and offer to fix all objects in
+the domain for this error.
+
+Linked attributes on deleted objects
+------------------------------------
+
+In Active Directory, an object that has been tombstoned or recycled
+has no linked attributes. However, Samba incorrectly maintained such
+links, slowing replication and run-time performance. dbcheck now
+offers to remove such links, and they are no longer kept after the
+object is tombstoned or recycled.
+
+Improved AD DC performance
+--------------------------
+
+Many other improvements have been made to our LDAP database layer in
+the AD DC, to improve performance, both during samba-tool domain
+provision and at runtime.
+
+Other dbcheck improvements
+--------------------------
+
+ - samba-tool dbcheck can now find and fix a missing or corrupted
+ 'deleted objects' container.
+ - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
+ in objectClass as these were then re-sorted at the next dbcheck indefinitely.
+
+Tombstone Reanimation
+---------------------
-Major enhancements in Samba 3.6.0 include:
+Samba now supports tombstone reanimation, a feature in the AD DC
+allowing tombstones, that is objects which have been deleted, to be
+restored with the original SID and GUID still in place.
+Multiple DNS Forwarders on the AD DC
+------------------------------------
-Changed security defaults
--------------------------
+Multiple DNS forwarders are now supported on the AD DC, allowing
+samba to fall back between two different DNS servers for forwarded queries.
-Samba 3.6 has adopted a number of improved security defaults that will
-impact on existing users of Samba.
+Password quality plugin support in the AD DC
+--------------------------------------------
- client ntlmv2 auth = yes
- client use spnego principal = no
- send spnego principal = no
+The check password script now operates correctly in the AD DC (this
+was silently ignored in past releases)
-The impact of 'client ntlmv2 auth = yes' is that by default we will not
-use NTLM authentication as a client. This applies to the Samba client
-tools such as smbclient and winbind, but does not change the separately
-released in-kernel CIFS client. To re-enable the poorer NTLM encryption
-set '--option=clientusentlmv2auth=no' on your smbclient command line, or
-set 'client ntlmv2 auth = no' in your smb.conf
+pwdLastSet is now correctly honoured
+------------------------------------
-The impact of 'client use spnego principal = no' is that we may be able
-to use Kerberos to communicate with a server less often in smbclient,
-winbind and other Samba client tools. We may fall back to NTLMSSP in
-more situations where we would previously rely on the insecure
-indication from the 'NegProt' CIFS packet. This mostly occursed when
-connecting to a name alias not recorded as a servicePrincipalName for
-the server. This indication is not available from Windows 2008 or later
-in any case, and is not used by modern Windows clients, so this makes
-Samba's behaviour consistent with other clients and against all servers.
+BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
+permitted passwords that next expire).
-The impact of 'send spnego principal = no' is to match Windows 2008 and
-not to send this principal, making existing clients give more consistent
-behaviour (more likely to fall back to NTLMSSP) between Samba and
-Windows 2008, and between Windows versions that did and no longer use
-this insecure hint.
+net ads dns unregister
+----------------------
+It is now possible to remove the DNS entries created with 'net ads register'
+with the matching 'net ads unregister' command.
-SMB2 support
+Samba-tool improvements
+------------------------
+
+Running samba-tool on the command line should now be a lot snappier. The tool
+now only loads the code specific to the subcommand that you wish to run.
+
+SMB 2.1 Leases enabled by default
+---------------------------------
+
+Leasing is an SMB 2.1 (and higher) feature which allows clients to
+aggressively cache files locally above and beyond the caching allowed
+by SMB 1 oplocks. This feature was disabled in previous releases, but
+the SMB2 leasing code is now considered mature and stable enough to be
+enabled by default.
+
+Open File Description (OFD) Locks
+---------------------------------
+
+On systems that support them (currently only Linux), the fileserver now
+uses Open File Description (OFD) locks instead of POSIX locks to implement
+client byte range locks. As these locks are associated with a specific
+file descriptor on a file this allows more efficient use when multiple
+descriptors having file locks are opened onto the same file. An internal
+tunable "smbd:force process locks = true" may be used to turn off OFD
+locks if there appear to be problems with them.
+
+Password sync as active directory domain controller
+---------------------------------------------------
+
+The new commands 'samba-tool user getpassword'
+and 'samba-tool user syncpasswords' provide
+access and syncing of various password fields.
+
+If compiled with GPGME support (--with-gpgme) it's
+possible to store cleartext passwords in a PGP/OpenGPG
+encrypted form by configuring the new "password hash gpg key ids"
+option. This requires gpgme devel and python packages to be installed
+(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
+
+Python crypto requirements
+--------------------------
+
+Some samba-tool subcommands require python-crypto and/or
+python-m2crypto packages to be installed.
+
+SmartCard/PKINIT improvements
+-----------------------------
+
+"samba-tool user create" accepts --smartcard-required
+and "samba-tool user setpassword" accepts --smartcard-required
+and --clear-smartcard-required.
+
+Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
+flags being set in the userAccountControl attribute.
+At the same time the account password is reset to a random
+NTHASH value.
+
+Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
+bit is set in the userAccountControl attribute of a user.
+
+When doing a PKINIT based kerberos logon the KDC adds the
+required PAC_CREDENTIAL_INFO element to the authorization data.
+That means the NTHASH is shared between the PKINIT based client and
+the domain controller, which allows the client to do NTLM based
+authentication on behalf of the user. It also allows on offline
+logon using a smartcard to work on Windows clients.
+
+CTDB changes
------------
-SMB2 support in 3.6.0 is fully functional (with one omission),
-and can be enabled by setting:
+* New improved ctdb tool
-max protocol = SMB2
+ ctdb tool has been completely rewritten using new client API.
+ Usage messages are much improved.
-in the [global] section of your smb.conf and re-starting
-Samba. All features should work over SMB2 except the modification
-of user quotas using the Windows quota management tools.
+* Sample CTDB configuration file is installed as ctdbd.conf.
-As this is the first release containing what we consider
-to be a fully featured SMB2 protocol, we are not enabling
-this by default, but encourage users to enable SMB2 and
-test it. Once we have enough confirmation from Samba
-users and OEMs that SMB2 support is stable in wide user
-testing we will enable SMB2 by default in a future Samba
-release.
+* The use of real-time scheduling when taking locks has been narrowed
+ to limit potential performance impacts on nodes
+* CTDB_RECOVERY_LOCK now supports specification of an external helper
+ to take and hold the recovery lock
-Internal Winbind passdb changes
--------------------------------
+ See the RECOVERY LOCK section in ctdb(7) for details. Documentation
+ for writing helpers is provided in doc/cluster_mutex_helper.txt.
-Winbind has been changed to use the internal samr and lsa rpc pipe to get
-local user and group information instead of calling passdb functions. The
-reason is to use more of our infrastructure and test this infrastructure by
-using it. With this approach more code in Winbind is shared.
+* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
+ command that has "master", "list" and "status" subcommands
+* The onnode command no longer supports the "recmaster", "lvs" and
+ "natgw" node specifications
-New Spoolss code
-----------------
+* Faster resetting of TCP connections to public IP addresses during
+ failover
-The spoolss and the old RAP printing code have been completely
-overhauled and refactored.
+* Tunables MaxRedirectCount, ReclockPingPeriod,
+ DeferredRebalanceOnNodeAdd are now obsolete/ignored
-All calls from lanman/printing code has been changed to go through the
-spoolss RPC interfaces, this allows us to keep all checks in one place
-and avoid special cases in the main printing code.
-Printing code has been therefore confined within the spoolss code.
+* "ctdb listvars" now lists all variables, including the first one
-All the printing code, including the spoolss RPC interfaces has been
-changed to use the winreg RPC interfaces to store all data.
-All data has been migrated from custom, arbitrary TDB files to the
-registry interface. This transition allow us to present correct data to
-windows client accessing the server registry through the winreg RPC
-interfaces to query for printer data. Data is served out from a real
-registry implementation and therefore arguably 100% forward compatible.
+* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
+ removed
-Migration code from the previous TDB files formats is provided. This
-code is automatically invoked the first time the new code is run on the
-server. Although manual migration is also available using the 'net
-printer migrate' command.
+ These are not needed because "ctdb reloadips" should do the correct
+ rebalancing.
-These changes not only make all the spoolss code much more closer to
-"the spec", it also greatly improves our internal testing of both
-spoolss and winreg interfaces, and reduces overall code duplication.
+* Output for the following commands has been simplified:
-As part of this work, new tests have been also added to increase
-coverage.
+ ctdb getdbseqnum
+ ctdb getdebug
+ ctdb getmonmode
+ ctdb getpid
+ ctdb getreclock
+ ctdb getpid
+ ctdb pnn
-This code will also allow, in future, an easy transition to split out
-the spooling functions into a separate daemon for those OEMs that do not
-need printing functionality in their appliances, reducing the code
-footprint.
+ These now simply print the requested output with no preamble. This
+ means that scripts no longer need to strip part of the output.
+ "ctdb getreclock" now prints nothing when the recovery lock is not
+ set.
-SMB Traffic Analyzer
---------------------
+* Output for the following commands has been improved:
-Added the new SMB Traffic Analyzer (SMBTA) VFS module protocol 2
-featuring encryption, multiple arguments, and easier parseability. A new
-tool 'smbta-util' has been created to control the encryption behaviour
-of SMBTA. For compatibility, SMBTA by default operates on version 1.
-There are programs consuming the data that the module sends.
+ ctdb setdebug
+ ctdb uptime
-More information can be found on
-http://holger123.wordpress.com/smb-traffic-analyzer/
+* "ctdb process-exists" has been updated to only take a PID argument
+ The PNN can be specified with -n <PNN>. Output also cleaned up.
+
+* LVS support has been reworked - related commands and configuration
+ variables have changed
+
+ "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
+ "ctdb lvs" command that has "master", "list" and "status"
+ subcommands.
+
+ See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
+ including configuration changes.
+
+* Improved sample NFS Ganesha call-out
+
+New shadow_copy2 options
+------------------------
+
+shadow:snapprefix
+
+ With growing number of snapshots file-systems need some mechanism to
+ differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
+ special events, etc. Therefore these file-systems provide different ways to tag
+ snapshots, e.g. provide a configurable way to name snapshots, which is not just
+ based on time. With only shadow:format it is very difficult to filter these
+ snapshots. With this optional parameter, one can specify a variable prefix
+ component for names of the snapshot directories in the file-system. If this
+ parameter is set, together with the shadow:format and shadow:delimiter
+ parameters it determines the possible names of snapshot directories in the
+ file-system. The option only supports Basic Regular Expression (BRE).
+
+shadow:delimiter
+
+ This optional parameter is used as a delimiter between shadow:snapprefix and
+ shadow:format This parameter is used only when shadow:snapprefix is set.
+
+ Default: shadow:delimiter = "_GMT"
+
+
+REMOVED FEATURES
+================
+
+only user and username parameters
+---------------------------------
+These two parameters have long been deprecated and superseded by
+"valid users" and "invalid users".
-######################################################################
-Changes
-#######
smb.conf changes
-----------------
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ kccsrv:samba_kcc Changed default yes
+ ntlm auth Changed default no
+ only user Removed
+ password hash gpg key ids New
+ shadow:snapprefix New
+ shadow:delimiter New _GMT
+ smb2 leases Changed default yes
+ username Removed
- Parameter Name Description Default
- -------------- ----------- -------
- log writeable files on exit New No
- ctdb locktime warn threshold New 0
- smb2 max read New 1048576
- smb2 max write New 1048576
- smb2 max trans New 1048576
- username map cache time New 0
- async smb echo handler New No
+KNOWN ISSUES
+============
+Currently none.
-######################################################################
+#######################################
Reporting bugs & Development Discussion
#######################################
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 3.6 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / samba.git / blobdiff