=================================
- Release Notes for Samba 3.2.0pre2
- Oct XX, 2007
+ Release Notes for Samba 3.6.0pre1
+ July 28, 2010
=================================
-This is the second preview release of Samba 3.2.0. This is *not*
+
+This is the first preview release of Samba 3.6. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Please be aware that Samba is now distributed under the version 3
-of the new GNU General Public License. You may refer to the COPYING
-file that accompanies these release notes for further licensing details.
-
-Major enhancements in Samba 3.2.0 include:
-
- File Serving:
- o Use of IDL generated parsing layer for several DCE/RPC
- interfaces.
- o Removal of the 1024 byte limit on pathnames and 256 byte limit on
- filename components to honor the MAX_PATH setting from the host OS.
- o Introduction of a registry based configuration system.
- o Improved CIFS Unix Extensions support.
- o Experimental support for file serving clusters.
- o Support for storing alternate data streams in xattrs
-
-
- Winbind and Active Directory Integration:
- o Full support for Windows 2003 cross-forest, transitive trusts
- and one-way domain trusts
- o Support for userPrincipalName logons via pam_winbind and NSS
- lookups.
- o Support in pam_winbind for logging on using the userPrincipalName.
- o Expansion of nested domain groups via NSS calls.
- o Support for Active Directory LDAP Signing policy.
-
- Users & Groups:
- o New ldb backend for local group mapping tables
- o Raised level of security defaults for authentication operations.
+Major enhancements in Samba 3.6.0 include:
- Documentation:
- o Inclusion of an HTLM version of the 3rd edition of "Using Samba"
- from O'Reilly Publishing.
+Changed security defaults
+-------------------------
+Samba 3.6 has adopted a number of improved security defaults that will
+impact on existing users of Samba.
-Now Licensed under the GNU GPLv3
-================================
+ client ntlmv2 auth = yes
+ client use spnego principal = no
+ send spnego principal = no
-The Samba Team has adopted the Version 3 of the GNU General Public
-License for the 3.2 and later releases. The GPLv3 is the updated
-version of the GPLv2 license under which Samba is currently
-distributed. It has been updated to improve compatibility with other
-licenses and to make it easier to adopt internationally, and is an
-improved version of the license to better suit the needs of Free
-Software in the 21st Century.
+The impact of 'client ntlmv2 auth = yes' is that by default we will not
+use NTLM authentication as a client. This applies to the Samba client
+tools such as smbclient and winbind, but does not change the separately
+released in-kernel CIFS client. To re-enable the poorer NTLM encryption
+set '--option=clientusentlmv2auth=no' on your smbclient command line, or
+set 'client ntlmv2 auth = no' in your smb.conf
-The original announcement is available on-line at
+The impact of 'client use spnego principal = no' is that we may be able
+to use Kerberos to communicate with a server less often in smbclient,
+winbind and other Samba client tools. We may fall back to NTLMSSP in
+more situations where we would previously rely on the insecure
+indication from the 'NegProt' CIFS packet. This mostly occursed when
+connecting to a name alias not recorded as a servicePrincipalName for
+the server. This indication is not available from Windows 2008 or later
+in any case, and is not used by modern Windows clients, so this makes
+Samba's behaviour consistent with other clients and against all servers.
- http://news.samba.org/announcements/samba_gplv3/
+The impact of 'send spnego principal = no' is to match Windows 2008 and
+not to send this principal, making existing clients give more consistent
+behaviour (more likely to fall back to NTLMSSP) between Samba and
+Windows 2008, and between Windows versions that did and no longer use
+this insecure hint.
-New Security Defaults for Authentication
-========================================
+SMB2 support
+------------
-Support for LanMan passwords is now disabled in both client and server
-applications. Additionally, clear text authentication requests are
-disabled by default in client utilities such as smbclient and all
-libsmbclient based applications. This will affect connection both
-to and from hosts running DOS, Windows 9x/ME, and OS/2. Please refer
-to the "Changes" section for details on the exact parameters that were
-updated.
+SMB2 support in 3.6.0 is fully functional (with one omission),
+and can be enabled by setting:
+max protocol = SMB2
+in the [global] section of your smb.conf and re-starting
+Samba. All features should work over SMB2 except the modification
+of user quotas using the Windows quota management tools.
-Registry Configuration Backend
-==============================
+As this is the first release containing what we consider
+to be a fully featured SMB2 protocol, we are not enabling
+this by default, but encourage users to enable SMB2 and
+test it. Once we have enough confirmation from Samba
+users and OEMs that SMB2 support is stable in wide user
+testing we will enable SMB2 by default in a future Samba
+release.
-Samba is now able to use a registry based configuration backed to
-supplement smb.conf setting. This feature may be enabled by setting
-"config backend = registry" and "registry shares = yes" in the [global]
-section of smb.conf and may be managed using the "net conf" command.
-More information may be obtained from the smb.conf(5) and net(8) man
-pages.
+Internal Winbind passdb changes
+-------------------------------
+Winbind has been changed to use the internal samr and lsa rpc pipe to get
+local user and group information instead of calling passdb functions. The
+reason is to use more of our infrastructure and test this infrastructure by
+using it. With this approach more code in Winbind is shared.
-Removed Features
-================
-
-Both the Python bindings and the libmsrpc shared library have been
-removed from the tree due to lack of an official maintainer.
-
-
-
-######################################################################
-Changes
-#######
-smb.conf changes
+New Spoolss code
----------------
- Parameter Name Description Default
- -------------- ----------- -------
- client lanman auth Changed Default No
- client ldap sasl wrapping New plain
- client plaintext auth Changed Default No
- clustering New No
- cluster addresses New ""
- config backend New file
- ctdb socket New ""
- debug class New No
- lanman auth Changed Default No
- ldap debug level New 0
- ldap debug threshold New 10
- mangle map Removed
- open files database hashsize Removed
- read bmpx Removed
- registry shares New No
- winbind expand groups New 1
- winbind rpc only New No
-
-
-Changes since 3.2.0pre1:
------------------------
-o Kai Blin <kai@samba.org>
- * Added support for an SMB_CONF_PATH environment variable
- containing the path to smb.conf.
- * Various fixes to ntlm_auth.
- * make test now supports more extensive SPOOLSS testing using vlp.
- * Correctly handle mixed-case hostnames in NTLMv2 authentication.
-
-
-o Stefan Metzmacher <metze@samba.org>
- * Fixes for libreplace.
- * Build fixes.
- * Add nss_wrapper support.
- * Start and test winbindd by 'make test'
- * Split up child_dispatch_table into domain, idmap and locator tables
- in winbindd.
- * Fix for a crash bug in pidl generated client code.
- This could have happend with [in,out,unique] pointers
- when the client sends a valid pointer, but the server
- responds with a NULL pointer (as samba-3.0.26a does for some calls).
- * Change NTSTATUS into enum ndr_err_code in librpc/ndr.
- * Remove unused calls in the struct based winbindd protocol.
- * Add --configfile option to wbinfo.
- * Convert winbind_env_set(), winbind_on() and winbind_off() into macros.
- * Return rids and other_sids arrays in WBFLAG_PAM_INFO3_TEXT mode.
- * Implement wbcErrorString() and wbcAuthenticateUserEx().
- * Convert auth_winbind to use wbcAuthenticateUserEx().
-
-
-o Karolin Seeger <ks@sernet.de>
- * Improve error messages of net subcommands.
- * Add 'net rap file user'.
- * Change LDAP search filter to find machine accounts which
- are not located in the user suffix.
-
-
-Original 3.2.0pre1 commits:
----------------------------
-o Michael Adam <obnox@samba.org>
- * Unified POSIX ACL detection including support for FreeBSD and
- HP-UX.
- * Performance improvements for Winbind's lookup functions (names,
- SIDs, and group membership) when joined to an AD domain.
- * Winbind cache validation support.
- * Store domain trust passwords for Samba domain controller's in
- the domain's passdb backend.
- * Merged \winreg server code from the SAMBA_3_2 development branch.
- * Fixes for libreplace.
- * Implement new registry configuration backend.
-
-
-o Jeremy Allison <jra@samba.org>
- * Add support for file system objectIDs.
- * Winbind cache validation support.
- * Add in the UNIX capability for 24-bit readX.
- * Improve Delete-on-Close semantics.
- * Removal of static file and path name buffers in SMB file serving
- code.
-
-
-o Danilo Almeida <dalmeida@centeris.com>
- * Move the machine account to the OU specified when running "net
- ads join".
-
-
-o Andrew Bartlett <abartlet@samba.org>
- * Tighten authentication protocol defaults in client tools and
- servers.
-
-
-o Gerald (Jerry) Carter <jerry@samba.org>
- * Implement support for one-way trusts and two-way cross-forest
- transitive trust in winbindd.
- * Fixes for Winbind's offline/disconnected logon support when
- using remote idmap backends.
- * Fix LookupNames and LookupSids to use the same resolution
- heuristics as Windows XP.
- * Fix lockups in Winbind when running nscd.
- * UPN logon support in pam_winbind.
- * Add support for GNU linker scripts when build shared libraries
- (based on work by Julien Cristau <jcristau@debian.org> and James
- Peach).
-
-
-o Guenther Deschner <gd@samba.org>
- * Additional support for decoding and downloading group policy
- objects from Active Directory.
- * Improvements to "net ads keytab" command.
- * Fixes for linking against Heimdal Kerberos client libs.
- * Support LDAP range retrieval searches.
- * Fixes for failure to refresh user ticket caches in Winbind.
- * UPN logon support in pam_winbind.
- * Add KDC locator plugin for MIT kerberos 1.6 or later.
-
-
-o Steve Langasek <vorlon@debian.org>
- * Allow SIGTERM to cause nmbd to exit while awaiting a interface
- to come up.
-
-
-o Volker Lendecke <vl@samba.org>
- * Merge experimental cluster support patches from the ctdb branch.
- * Add tdb storage abstraction for ctdb.
- * Use IDL for internal message passing system.
- * Add client support for the SamLogonEx() authentication request.
- * Implement RPC proxy stubs in the Samba server code to allow
- replacing implementation functions one by one.
- * Remove static incoming and outgoing buffers from core server SMB
- packet processing code.
- * Add "net sam rights" command.
- * Support for storing xattrs in tdb files
- * Support for storing alternate data streams in xattrs
- * Implement a generic in-memory cache based on rb-trees
- * Add implicit temporary talloc contexts via talloc_stack()
-
-
-o Steve French <sfrench@samba.org>
- * Fixes for mount.cfs Linux utility.
-
-
-o Stefan Metzmacher <metze@samba.org>
- * Fixes for libreplace.
- * Add support for LDAP digital signing policy.
- * Experimental clustered file system support.
+The spoolss and the old RAP printing code have been completely
+overhauled and refactored.
+All calls from lanman/printing code has been changed to go through the
+spoolss RPC interfaces, this allows us to keep all checks in one place
+and avoid special cases in the main printing code.
+Printing code has been therefore confined within the spoolss code.
-o Lars Mueller <lars@samba.org>
- * Makefile and build fixes.
- * Add pam_pwd_expire for pam_winbind (original patch from Andreas
- Schneider).
+All the printing code, including the spoolss RPC interfaces has been
+changed to use the winreg RPC interfaces to store all data.
+All data has been migrated from custom, arbitrary TDB files to the
+registry interface. This transition allow us to present correct data to
+windows client accessing the server registry through the winreg RPC
+interfaces to query for printer data. Data is served out from a real
+registry implementation and therefore arguably 100% forward compatible.
+Migration code from the previous TDB files formats is provided. This
+code is automatically invoked the first time the new code is run on the
+server. Although manual migration is also available using the 'net
+printer migrate' command.
-o James Peach <jpeach@apple.com>
- * Fixes for setgroups() and *BSD and Darwin.
- * Support membership of >16 groups on Darwin.
+These changes not only make all the spoolss code much more closer to
+"the spec", it also greatly improves our internal testing of both
+spoolss and winreg interfaces, and reduces overall code duplication.
+As part of this work, new tests have been also added to increase
+coverage.
-o Jiri Sasek <Jiri.Sasek@Sun.COM>
- * Added vfs_vfsacl module.
+This code will also allow, in future, an easy transition to split out
+the spooling functions into a separate daemon for those OEMs that do not
+need printing functionality in their appliances, reducing the code
+footprint.
-o Karolin Seeger <ks@sernet.de>
- * Add deletelocalgroup and unmapunixgroup subcommand to "net sam".
- * Cleanup internal passdb functions.
+SMB Traffic Analyzer
+--------------------
+Added the new SMB Traffic Analyzer (SMBTA) VFS module protocol 2
+featuring encryption, multiple arguments, and easier parseability. A new
+tool 'smbta-util' has been created to control the encryption behaviour
+of SMBTA. For compatibility, SMBTA by default operates on version 1.
+There are programs consuming the data that the module sends.
-o Simo Sorce <idra@samba.org>
- * Fixes for IDmap and Passdb backends.
+More information can be found on
+http://holger123.wordpress.com/smb-traffic-analyzer/
-o Andrew Tridgell <tridge@samba.org>
- * Port ldb from the Samba 4 tree and add ldb group mapping plugin.
- * Move several file serving related tdb files to use the dbwrap
- API internally.
- * Cleanup the GPFS VFS plugin.
- * Experimental clustered file system support.
-
+######################################################################
+Changes
+#######
-o Jelmer Vernooij <jelmer@samba.org>
- * Implement NDR basic to support utilizing IDL files from Samba 4
- tree for general DCE/RPC parsing stubs.
+smb.conf changes
+----------------
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ async smb echo handler New No
+ client ntlmv2 auth Changed Default Yes
+ client use spnego principal New No
+ ctdb locktime warn threshold New 0
+ idmap read only New No
+ log writeable files on exit New No
+ multicast dns register New Yes
+ ncalrpc dir New
+ send spnego principal New No
+ smb2 max credits New 128
+ smb2 max read New 1048576
+ smb2 max trans New 1048576
+ smb2 max write New 1048576
+ strict allocate Changed Default Yes
+ username map cache time New 0
+ winbind max clients New 200
######################################################################
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 3.2 product in the project's Bugzilla
+be filed under the Samba 3.6 product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / samba.git / blobdiff