Release Announcements
=====================
-This is the first preview release of Samba 4.5. This is *not*
+This is the first release candidate of Samba 4.8. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.8 will be the next version of the Samba suite.
UPGRADING
=========
-Nothing special.
-
NEW FEATURES/CHANGES
====================
-Support for LDAP_SERVER_NOTIFICATION_OID
-----------------------------------------
+KDC GPO application
+-------------------
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
+Adds Group Policy support for the Samba kdc. Applies password policies
+(minimum/maximum password age, minimum password length, and password
+complexity) and kerberos policies (user/service ticket lifetime and
+renew lifetime).
-KCC improvements for sparse network replication
------------------------------------------------
+Adds the samba_gpoupdate script for applying and unapplying
+policy. Can be applied automatically by setting
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
+ 'apply group policies = yes'.
-VLV - Virtual List View
------------------------
+Time Machine Support with vfs_fruit
+-----------------------------------
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
+Samba can be configured as a Time Machine target for Apple Mac devices
+through the vfs_fruit module. When enabling a share for Time Machine
+support the relevant Avahi records to support discovery will be published
+for installations that have been built against the Avahi client library.
-DRS Replication for the AD DC
------------------------------
+Shares can be designated as a Time Machine share with the following setting:
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
+ 'fruit:time machine = yes'
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users. Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
+Support for lower casing the MDNS Name
+--------------------------------------
-Schema updates are also handled much more reliably.
+Allows the server name that is advertised through MDNS to be set to the
+hostname rather than the Samba NETBIOS name. This allows an administrator
+to make Samba registered MDNS records match the case of the hostname
+rather than being in all capitals.
-replPropertyMetaData Changes
-----------------------------
+This can be set with the following settings:
+
+ 'mdns name = mdns'
+
+Encrypted secrets
+-----------------
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly. To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
+Attributes deemed to be sensitive are now encrypted on disk. The sensitive
+values are currently:
+ pekList
+ msDS-ExecuteScriptPassword
+ currentValue
+ dBCSPwd
+ initialAuthIncoming
+ initialAuthOutgoing
+ lmPwdHistory
+ ntPwdHistory
+ priorValue
+ supplementalCredentials
+ trustAuthIncoming
+ trustAuthOutgoing
+ unicodePwd
+ clearTextPassword
-Linked attributes on deleted objects
-------------------------------------
+This encryption is enabled by default on a new provision or join, it
+can be disabled at provision or join time with the new option
+'--plaintext-secrets'.
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes. However, Samba incorrectly maintained such
-links, slowing replication and run-time performance. dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
+However, an in-place upgrade will not encrypt the database.
-Improved AD DC performance
---------------------------
+Once encrypted, it is not possible to do an in-place downgrade (eg to
+4.7) of the database. To obtain an unencrypted copy of the database a
+new DC join should be performed, specifying the '--plaintext-secrets'
+option.
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
+The key file "encrypted_secrets.key" is created in the same directory
+as the database and should NEVER be disclosed. It is included by the
+samba_backup script.
-Other dbcheck improvements
---------------------------
+Active Directory replication visualisation
+------------------------------------------
- - samba-tool dbcheck can now find and fix a missing or corrupted
- 'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
- in objectClass as these were then re-sorted at the next dbcheck indefinitely.
+To work out what is happening in a replication graph, it is sometimes
+helpful to use visualisations. We introduce a samba-tool subcommand to
+write Graphviz dot output and generate text-based heatmaps of the
+distance in hops between DCs.
-Tombstone Reanimation
----------------------
+There are two subcommands, two graphical modes, and (roughly) two modes of
+operation with respect to the location of authority.
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
+`samba-tool visualize ntdsconn` looks at NTDS Connections.
+`samba-tool visualize reps` looks at repsTo and repsFrom objects.
-Multiple DNS Forwarders on the AD DC
-------------------------------------
+In '--distance' mode (default), the distances between DCs are shown in
+a matrix in the terminal. With '--color=yes', this is depicted as a
+heatmap. With '--utf8' it is a lttle prettier.
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
+In '--dot' mode, Graphviz dot output is generated. When viewed using
+dot or xdot, this shows the network as a graph with DCs as vertices
+and connections edges. Certain types of degenerate edges are shown in
+different colours or line-styles.
-Password quality plugin support in the AD DC
---------------------------------------------
+NT4-style replication based net commands removed
+------------------------------------------------
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
+The following commands and sub-commands have been removed from the
+"net" utility:
-pwdLastSet is now correctly honoured
-------------------------------------
+net rpc samdump
+net rpc vampire ldif
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
+Also, replicating from a real NT4 domain with "net rpc vampire" and
+"net rpc vampire keytab" has been removed.
-net ads dns unregister
-----------------------
+The NT4-based commands were accidentially broken in 2013, and nobody
+noticed the breakage. So instead of fixing them including tests (which
+would have meant writing a server for the protocols, which we don't
+have) we decided to remove them.
+
+For the same reason, the "samsync", "samdeltas" and "database_redo"
+commands have been removed from rpcclient.
+
+"net rpc vampire keytab" from Active Directory domains continues to be
+supported.
+
+vfs_aio_linux module removed
+----------------------------
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
+The current Linux kernel aio does not match what Samba would
+do. Shipping code that uses it leads people to false
+assumptions. Samba implements async I/O based on threads by default,
+there is no special module required to see benefits of read and write
+request being sent do the disk in parallel.
-Samba-tool improvements
-------------------------
+smbclient reparse point symlink parameters reversed
+---------------------------------------------------
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
+A bug in smbclient caused the 'symlink' command to reverse the
+meaning of the new name and link target parameters when creating a
+reparse point symlink against a Windows server. As this is a
+little used feature the ordering of these parameters has been
+reversed to match the parameter ordering of the UNIX extensions
+'symlink' command. The usage message for this command has also
+been improved to remove confusion.
-SMB 2.1 Leases enabled by default
----------------------------------
+Winbind changes
+---------------
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
-Open File Description (OFD) Locks
----------------------------------
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
REMOVED FEATURES
================
-only user and username parameters
----------------------------------
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
+The two commands 'net serverid list' and 'net serverid wipe' have been
+removed, because the file serverid.tdb is not used anymore.
+
+'net serverid list' can be replaced by listing all files in the
+subdirectory "msg.lock" of Samba's "lock directory". The unique id
+listed by 'net serverid list' is stored in every process' lockfile in
+"msg.lock".
+
+'net serverid wipe' is not necessary anymore. It was meant primarily
+for clustered environments, where the serverid.tdb file was not
+properly cleaned up after single node crashes. Nowadays smbd and
+winbind take care of cleaning up the msg.lock and msg.sock directories
+automatically.
+
smb.conf changes
-----------------
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ apply group policies New no
+ auth methods Removed
+ binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
+ gpo update command New
+ ldap ssl ads Deprecated
+ map untrusted to domain Removed
+ oplock contention limit Removed
+ prefork children New 1
+ mdns name Added netbios
+ fruit:time machine Added false
+ profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
+ winbind trusted domains only Removed
- Parameter Name Description Default
- -------------- ----------- -------
- only user Removed
- username Removed
- kccsrv:samba_kcc Changed default true
- smb2 leases Changed default yes
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
git.samba.org / samba.git / blobdiff