Release Announcements
=====================
-This is the first preview release of Samba 4.5. This is *not*
+This is the first preview release of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.11 will be the next version of the Samba suite.
UPGRADING
=========
-NTLMv1 authentication disabled by default
------------------------------------------
-
-In order to improve security we have changed
-the default value for the "ntlm auth" option from
-"yes" to "no". This may have impact on very old
-client which doesn't support NTLMv2 yet.
-
-The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
-
-By default Samba will only allow NTLMv2 via NTLMSSP now,
-as we have the following default "lanman auth = no",
-"ntlm auth = no" and "raw NTLMv2 auth = no".
-
NEW FEATURES/CHANGES
====================
-Support for LDAP_SERVER_NOTIFICATION_OID
-----------------------------------------
-
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
-
-KCC improvements for sparse network replication
------------------------------------------------
-
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
-
-VLV - Virtual List View
+Default samba process model
+---------------------------
+
+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
+
+Authentication Logging.
-----------------------
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
-
-DRS Replication for the AD DC
------------------------------
-
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
-
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users. Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
-
-Schema updates are also handled much more reliably.
-
-replPropertyMetaData Changes
-----------------------------
-
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly. To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
-
-Linked attributes on deleted objects
-------------------------------------
-
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes. However, Samba incorrectly maintained such
-links, slowing replication and run-time performance. dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
-
-Improved AD DC performance
---------------------------
-
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
-
-Other dbcheck improvements
---------------------------
-
- - samba-tool dbcheck can now find and fix a missing or corrupted
- 'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
- in objectClass as these were then re-sorted at the next dbcheck indefinitely.
-
-Tombstone Reanimation
----------------------
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
-Multiple DNS Forwarders on the AD DC
-------------------------------------
+The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
-
-Password quality plugin support in the AD DC
---------------------------------------------
-
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
-
-pwdLastSet is now correctly honoured
-------------------------------------
-
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
-
-net ads dns unregister
-----------------------
-
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
-
-Samba-tool improvements
-------------------------
-
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
-
-SMB 2.1 Leases enabled by default
----------------------------------
-
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
-
-Open File Description (OFD) Locks
----------------------------------
-
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
-
-Password sync as active directory domain controller
----------------------------------------------------
-
-The new commands 'samba-tool user getpassword'
-and 'samba-tool user syncpasswords' provide
-access and syncing of various password fields.
-
-If compiled with GPGME support (--with-gpgme) it's
-possible to store cleartext passwords in a PGP/OpenGPG
-encrypted form by configuring the new "password hash gpg key ids"
-option. This requires gpgme devel and python packages to be installed
-(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
-
-Python crypto requirements
---------------------------
-
-Some samba-tool subcommands require python-crypto and/or
-python-m2crypto packages to be installed.
REMOVED FEATURES
================
-only user and username parameters
----------------------------------
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
+Web server
+----------
+
+As a leftover from work related to the Samba Web Administration Tool (SWAT),
+Samba still supported a Python WSGI web server (which could still be turned on
+from the 'server services' smb.conf parameter). This service was unused and has
+now been removed from Samba.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- kccsrv:samba_kcc Changed default yes
- ntlm auth Changed default no
- only user Removed
- password hash gpg key ids New
- smb2 leases Changed default yes
- username Removed
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ web port Removed
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
git.samba.org / samba.git / blobdiff