-What's new in Samba 4 alpha5
-============================
-
-Samba 4 is the ambitious next version of the Samba suite that is being
-developed in parallel to the stable 3.0 series. The main emphasis in
-this branch is support for the Active Directory logon protocols used
-by Windows 2000 and above.
+Release Announcements
+=====================
-Samba4 alpha5 follows on from the alpha release series we have been
-publishing since September 2007
+This is the first release candidate of Samba 4.2. This is *not*
+intended for production environments and is designed for testing
+purposes only. Please report any defects via the Samba bug reporting
+system at https://bugzilla.samba.org/.
-WARNINGS
-========
+Samba 4.2 will be the next version of the Samba suite.
-Samba4 alpha5 is not a final Samba release. That is more a reference
-to Samba4's lack of the features we expect you will need than a
-statement of code quality, but clearly it hasn't seen a broad
-deployment yet. If you were to upgrade Samba3 (or indeed Windows) to
-Samba4, you would find many things work, but that other key features
-you may have relied on simply are not there yet.
-For example, while Samba 3.0 is an excellent member of a Active
-Directory domain, Samba4 is happier as a domain controller, and it is
-in this role where it has seen deployment into production.
+UPGRADING
+=========
-Samba4 is subjected to an awesome battery of tests on an
-automated basis, we have found Samba4 to be very stable in it's
-behaviour. We have to recommend against upgrading production servers
-from Samba 3 to Samba 4 at this stage, because there may be the features on
-which you may rely that are not present, or the mapping of
-your configuration and user database may not be complete.
+Read the "Winbindd/Netlogon improvements" section (below) carefully!
-If you are upgrading, or looking to develop, test or deploy Samba4, you should
-backup all configuration and data.
NEW FEATURES
============
-Samba4 supports the server-side of the Active Directory logon environment
-used by Windows 2000 and later, so we can do full domain join
-and domain logon operations with these clients.
-
-Our Domain Controller (DC) implementation includes our own built-in
-LDAP server and Kerberos Key Distribution Center (KDC) as well as the
-Samba3-like logon services provided over CIFS. We correctly generate
-the infamous Kerberos PAC, and include it with the Kerberos tickets we
-issue.
-
-The new VFS features in Samba 4 adapts the filesystem on the server to
-match the Windows client semantics, allowing Samba 4 to better match
-windows behaviour and application expectations. This includes file
-annotation information (in streams) and NT ACLs in particular. The
-VFS is backed with an extensive automated test suite.
-
-A new scripting interface has been added to Samba 4, allowing
-Python programs to interface to Samba's internals.
-
-The Samba 4 architecture is based around an LDAP-like database that
-can use a range of modular backends. One of the backends supports
-standards compliant LDAP servers (including OpenLDAP), and we are
-working on modules to map between AD-like behaviours and this backend.
-We are aiming for Samba 4 to be powerful frontend to large
-directories.
-
-CHANGES SINCE Alpha4
-=====================
+Transparent File Compression
+============================
-In the time since Samba4 Alpha4 was released in June 2008, Samba has
-continued to evolve, but you may particularly notice these areas:
+Samba 4.2.0 adds support for the manipulation of file and folder
+compression flags on the Btrfs filesystem.
+With the Btrfs Samba VFS module enabled, SMB2+ compression flags can
+be set remotely from the Windows Explorer File->Properties->Advanced
+dialog. Files flagged for compression are transparently compressed
+and uncompressed when accessed or modified.
- LDAP backend support restored (issues preventing the use of the LDAP
- backend in alpha4 have been addressed).
+Previous File Versions with Snapper
+===================================
- SMB2 Support: The SMB2 server, while still disabled, has improved,
- and now supports SMB2 signing.
+The newly added Snapper VFS module exposes snapshots managed by
+Snapper for use by Samba. This provides the ability for remote
+clients to access shadow-copies via Windows Explorer using the
+"previous versions" dialog.
- OpenChange support: Updates have been made since alpha4 to better
- support OpenChange's use of Samba4's libraries.
+Winbindd/Netlogon improvements
+==============================
- Faster ldb loading: A fix to avoid calling 'init_module' (which was
- not defined by Samba modules, but was by the C library) will fix
- some of the slowness in authentication.
+The whole concept of maintaining the netlogon secure channel
+to (other) domain controllers was rewritten in order to maintain
+global state in a netlogon_creds_cli.tdb. This is the proper fix
+for a large number of bugs:
- SWAT Remains Disabled: Due to a lack of developer time and without a
- long-term web developer to maintain it, the SWAT web UI remains been
- disabled (and would need to be rewritten in python in any case).
+ https://bugzilla.samba.org/show_bug.cgi?id=6563
+ https://bugzilla.samba.org/show_bug.cgi?id=7944
+ https://bugzilla.samba.org/show_bug.cgi?id=7945
+ https://bugzilla.samba.org/show_bug.cgi?id=7568
+ https://bugzilla.samba.org/show_bug.cgi?id=8599
- GNU Make: To try and simplfy our build system, we rely on GNU Make
- to avoid autogenerating a massive single makefile.
+In addition a strong session key is now required by default,
+which means that communication to older servers or clients
+might be rejected by default.
+For the client side we have the following new options:
+"require strong key" (yes by default), "reject md5 servers" (no by default).
+E.g. for Samba 3.0.37 you need "require strong key = no" and
+for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
-These are just some of the highlights of the work done in the past few
-months. More details can be found in our GIT history.
+On the server side (as domain controller) we have the following new options:
+"allow nt4 crypto" (no by default), "reject md5 client" (no by default).
+E.g. in order to allow Samba < 3.0.27 or NT4 members to work
+you need "allow nt4 crypto = yes"
+winbindd does not list group memberships for display purposes
+(e.g. getent group <domain\<group>) anymore by default.
+The new default is "winbind expand groups = 0" now,
+the reason for this is the same as for "winbind enum users = no"
+and "winbind enum groups = no". Providing this information is not always
+reliably possible, e.g. if there are trusted domains.
-CHANGES
-=======
+Please consult the smb.conf manpage for more details on these new options.
-Those familiar with Samba 3 can find a list of user-visible changes
-since that release series in the NEWS file.
+Winbindd use on the Samba AD DC
+===============================
-KNOWN ISSUES
-============
+Winbindd is now used on the Samba AD DC by default, replacing the
+partial rewrite used for winbind operations in Samba 4.0 and 4.1.
+
+This allows more code to be shared, more options to be honoured, and
+paves the way for support for trusted domains in the AD DC.
+
+If required the old internal winbind can be activated by setting
+'server services = +winbind -winbindd'. Upgrading users with a server
+services parameter specified should ensure they change 'winbind' to
+'winbindd' to obtain the new functionality.
+
+The 'samba' binary still manages the starting of this service, there
+is no need to start the winbindd binary manually.
+
+Winbind now requires secured connections
+========================================
+
+To improve protection against rouge domain controllers we now require
+that when we connect to an AD DC in our forest, that the connection be
+signed using SMB Signing. Set 'client signing = off' in the smb.conf
+to disable.
+
+Also and DCE/RPC pipes must be sealed, set 'require strong key =
+false' and 'winbind sealed pipes = false' to disable.
+
+Finally, the default for 'client ldap sasl wrapping' has been set to
+'sign', to ensure the integrity of LDAP connections. Set 'client ldap
+sasl wrapping = plain' to disable.
+
+Larger IO sizes for SMB2/3 by default
+=====================================
+
+The default values for "smb2 max read", "smb2 max write" and "smb2 max trans"
+have been changed to 8388608 (8MiB) in order to match the default of
+Windows 2012R2.
+
+Improved DCERPC man in the middle detection
+===========================================
-- Domain member support is in it's infancy, and is not comparable to
- the support found in Samba3.
+The DCERPC header signing has been implemented
+in addition to the dcerpc_sec_verification_trailer
+protection.
-- There is no printing support in the current release.
+Overhauled "net idmap" command
+==============================
-- There is no NetBIOS browsing support in the current release
+The command line interface of the "net idmap" command has been
+made systematic, and subcommands for reading and writing the autorid idmap
+database have been added. Note that the writing commands should be
+used with great care. See the net(8) manual page for details.
-- The Samba4 port of the CTDB clustering support is not yet complete
+tdb improvements
+================
-- Clock Synchronisation is critical. Many 'wrong password' errors are
- actually due to Kerberos objecting to a clock skew between client
- and server. (The NTP work in the previous alpha is partly to assist
- with this problem).
+The tdb library, our core mechanism to store Samba-specific data on disk and
+share it between processes, has been improved to support process shared robust
+mutexes on Linux. These mutexes are available on Linux and Solaris and
+significantly reduce the overhead involved with tdb. To enable mutexes for
+tdb, set
-- Samba4 alpha5 is currently only portable to recent Linux
- distributions. Work to return support for other Unix varients is
- expected during the next alpha cycle
+dbwrap_tdb_mutexes:* = yes
+
+in the [global] section of your smb.conf.
+
+Tdb file space management has also been made more efficient. This
+will lead to smaller and less fragmented databases.
+
+Messaging improvements
+======================
+
+Our internal messaging subsystem, used for example for things like oplock
+break messages between smbds or setting a process debug level dynamically, has
+been rewritten to use unix domain datagram messages.
+
+Clustering support
+==================
+
+Samba's file server clustering component CTDB is now integrated in the
+Samba tree. This avoids the confusion of compatibility of Samba and CTDB
+versions as existed previously.
+
+To build the Samba file server with cluster support, use the configure
+command line option --with-cluster-support. This will build clustered
+file server against the in-tree ctdb. Building clustered samba with
+previous versions of CTDB is no longer supported.
+
+CTDB is built separately from the ctdb/ sub-directory. To build CTDB,
+use the following steps:
+
+ $ cd ctdb
+ $ ./configure
+ $ make
+ # make install
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ allow nt4 crypto New no
+ neutralize nt4 emulation New no
+ reject md5 client New no
+ reject md5 servers New no
+ require strong key New yes
+ smb2 max read Changed default 8388608
+ smb2 max write Changed default 8388608
+ smb2 max trans Changed default 8388608
+ winbind expand groups Changed default 0
+
+KNOWN ISSUES
+============
-- Samba4 alpha5 is incompatible with GnuTLS 2.0, found in Fedora 9 and
- recent Ubuntu releases. GnuTLS use may be disabled using the
- --disable-gnutls argument to ./configure. (otherwise 'make test' and
- LDAPS operations will hang).
-RUNNING Samba4
-==============
+#######################################
+Reporting bugs & Development Discussion
+#######################################
-A short guide to setting up Samba 4 can be found in the howto.txt file
-in root of the tarball.
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
-DEVELOPMENT and FEEDBACK
-========================
-Bugs can be filed at https://bugzilla.samba.org/ but please be aware
-that many features are simply not expected to work at this stage.
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.2 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
-The Samba Wiki at http://wiki.samba.org should detail some of these
-development plans.
-Development and general discussion about Samba 4 happens mainly on
-the #samba-technical IRC channel (on irc.freenode.net) and
-the samba-technical mailing list (see http://lists.samba.org/ for
-details).
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
git.samba.org / samba.git / blobdiff