-What's new in Samba 4 alpha5
-============================
+ =================================
+ Release Notes for Samba 3.6.0pre1
+ July 28, 2010
+ =================================
-Samba 4 is the ambitious next version of the Samba suite that is being
-developed in parallel to the stable 3.0 series. The main emphasis in
-this branch is support for the Active Directory logon protocols used
-by Windows 2000 and above.
-Samba4 alpha5 follows on from the alpha release series we have been
-publishing since September 2007
+This is the first preview release of Samba 3.6. This is *not*
+intended for production environments and is designed for testing
+purposes only. Please report any defects via the Samba bug reporting
+system at https://bugzilla.samba.org/.
-WARNINGS
-========
-Samba4 alpha5 is not a final Samba release. That is more a reference
-to Samba4's lack of the features we expect you will need than a
-statement of code quality, but clearly it hasn't seen a broad
-deployment yet. If you were to upgrade Samba3 (or indeed Windows) to
-Samba4, you would find many things work, but that other key features
-you may have relied on simply are not there yet.
+Major enhancements in Samba 3.6.0 include:
-For example, while Samba 3.0 is an excellent member of a Active
-Directory domain, Samba4 is happier as a domain controller, and it is
-in this role where it has seen deployment into production.
-Samba4 is subjected to an awesome battery of tests on an
-automated basis, we have found Samba4 to be very stable in it's
-behaviour. We have to recommend against upgrading production servers
-from Samba 3 to Samba 4 at this stage, because there may be the features on
-which you may rely that are not present, or the mapping of
-your configuration and user database may not be complete.
+Changed security defaults
+-------------------------
-If you are upgrading, or looking to develop, test or deploy Samba4, you should
-backup all configuration and data.
+Samba 3.6 has adopted a number of improved security defaults that will
+impact on existing users of Samba.
-NEW FEATURES
-============
+ client ntlmv2 auth = yes
+ client use spnego principal = no
+ send spnego principal = no
-Samba4 supports the server-side of the Active Directory logon environment
-used by Windows 2000 and later, so we can do full domain join
-and domain logon operations with these clients.
+The impact of 'client ntlmv2 auth = yes' is that by default we will not
+use NTLM authentication as a client. This applies to the Samba client
+tools such as smbclient and winbind, but does not change the separately
+released in-kernel CIFS client. To re-enable the poorer NTLM encryption
+set '--option=clientusentlmv2auth=no' on your smbclient command line, or
+set 'client ntlmv2 auth = no' in your smb.conf
-Our Domain Controller (DC) implementation includes our own built-in
-LDAP server and Kerberos Key Distribution Center (KDC) as well as the
-Samba3-like logon services provided over CIFS. We correctly generate
-the infamous Kerberos PAC, and include it with the Kerberos tickets we
-issue.
+The impact of 'client use spnego principal = no' is that we may be able
+to use Kerberos to communicate with a server less often in smbclient,
+winbind and other Samba client tools. We may fall back to NTLMSSP in
+more situations where we would previously rely on the insecure
+indication from the 'NegProt' CIFS packet. This mostly occursed when
+connecting to a name alias not recorded as a servicePrincipalName for
+the server. This indication is not available from Windows 2008 or later
+in any case, and is not used by modern Windows clients, so this makes
+Samba's behaviour consistent with other clients and against all servers.
-The new VFS features in Samba 4 adapts the filesystem on the server to
-match the Windows client semantics, allowing Samba 4 to better match
-windows behaviour and application expectations. This includes file
-annotation information (in streams) and NT ACLs in particular. The
-VFS is backed with an extensive automated test suite.
+The impact of 'send spnego principal = no' is to match Windows 2008 and
+not to send this principal, making existing clients give more consistent
+behaviour (more likely to fall back to NTLMSSP) between Samba and
+Windows 2008, and between Windows versions that did and no longer use
+this insecure hint.
+
+
+SMB2 support
+------------
+
+SMB2 support in 3.6.0 is fully functional (with one omission),
+and can be enabled by setting:
+
+max protocol = SMB2
+
+in the [global] section of your smb.conf and re-starting
+Samba. All features should work over SMB2 except the modification
+of user quotas using the Windows quota management tools.
+
+As this is the first release containing what we consider
+to be a fully featured SMB2 protocol, we are not enabling
+this by default, but encourage users to enable SMB2 and
+test it. Once we have enough confirmation from Samba
+users and OEMs that SMB2 support is stable in wide user
+testing we will enable SMB2 by default in a future Samba
+release.
+
+
+Internal Winbind passdb changes
+-------------------------------
+
+Winbind has been changed to use the internal samr and lsa rpc pipe to get
+local user and group information instead of calling passdb functions. The
+reason is to use more of our infrastructure and test this infrastructure by
+using it. With this approach more code in Winbind is shared.
+
+
+New Spoolss code
+----------------
-A new scripting interface has been added to Samba 4, allowing
-Python programs to interface to Samba's internals.
+The spoolss and the old RAP printing code have been completely
+overhauled and refactored.
-The Samba 4 architecture is based around an LDAP-like database that
-can use a range of modular backends. One of the backends supports
-standards compliant LDAP servers (including OpenLDAP), and we are
-working on modules to map between AD-like behaviours and this backend.
-We are aiming for Samba 4 to be powerful frontend to large
-directories.
+All calls from lanman/printing code has been changed to go through the
+spoolss RPC interfaces, this allows us to keep all checks in one place
+and avoid special cases in the main printing code.
+Printing code has been therefore confined within the spoolss code.
-CHANGES SINCE Alpha4
-=====================
-
-In the time since Samba4 Alpha4 was released in June 2008, Samba has
-continued to evolve, but you may particularly notice these areas:
-
- LDAP backend support restored (issues preventing the use of the LDAP
- backend in alpha4 have been addressed)
-
- SMB2 Support: The SMB2 server, while still disabled, has improved,
- and now supports SMB2 signing.
-
- OpenChange support: Updates have been made since alpha4 to better
- support OpenChange's use of Samba4's libraries.
-
- Faster ldb loading: A fix to avoid calling 'init_module' (which was
- not defined by Samba modules, but was by the C library) will fix
- some of the slowness in authentication.
-
- SWAT Remains Disabled: Due to a lack of developer time and without a
- long-term web developer to maintain it, the SWAT web UI remains been
- disabled (and would need to be rewritten in python in any case).
-
- GNU Make: To try and simplfy our build system, we rely on GNU Make
- to avoid autogenerating a massive single makefile.
-
-
-These are just some of the highlights of the work done in the past few
-months. More details can be found in our GIT history.
-
-
-CHANGES
-=======
-
-Those familiar with Samba 3 can find a list of user-visible changes
-since that release series in the NEWS file.
-
-KNOWN ISSUES
-============
-
-- Domain member support is in it's infancy, and is not comparable to
- the support found in Samba3.
-
-- There is no printing support in the current release.
-
-- There is no netbios browsing support in the current release
-
-- The Samba4 port of the CTDB clustering support is not yet complete
-
-- Clock Synchronisation is critical. Many 'wrong password' errors are
- actually due to Kerberos objecting to a clock skew between client
- and server. (The NTP work in the previous alpha is partly to assist
- with this problem).
-
-- Samba4 alpha5 is currently only portable to recent Linux
- distributions. Work to return support for other Unix varients is
- expected during the next alpha cycle
-
-- Samba4 alpha5 is incompatible with GnuTLS 2.0, found in Fedora 9 and
- recent Ubuntu releases. GnuTLS use may be disabled using the
- --disable-gnutls argument to ./configure. (otherwise 'make test' and
- LDAPS operations will hang).
-
-RUNNING Samba4
-==============
-
-A short guide to setting up Samba 4 can be found in the howto.txt file
-in root of the tarball.
-
-DEVELOPMENT and FEEDBACK
-========================
-Bugs can be filed at https://bugzilla.samba.org/ but please be aware
-that many features are simply not expected to work at this stage.
-
-The Samba Wiki at http://wiki.samba.org should detail some of these
-development plans.
-
-Development and general discussion about Samba 4 happens mainly on
-the #samba-technical IRC channel (on irc.freenode.net) and
-the samba-technical mailing list (see http://lists.samba.org/ for
-details).
+All the printing code, including the spoolss RPC interfaces has been
+changed to use the winreg RPC interfaces to store all data.
+All data has been migrated from custom, arbitrary TDB files to the
+registry interface. This transition allow us to present correct data to
+windows client accessing the server registry through the winreg RPC
+interfaces to query for printer data. Data is served out from a real
+registry implementation and therefore arguably 100% forward compatible.
+
+Migration code from the previous TDB files formats is provided. This
+code is automatically invoked the first time the new code is run on the
+server. Although manual migration is also available using the 'net
+printer migrate' command.
+
+These changes not only make all the spoolss code much more closer to
+"the spec", it also greatly improves our internal testing of both
+spoolss and winreg interfaces, and reduces overall code duplication.
+
+As part of this work, new tests have been also added to increase
+coverage.
+
+This code will also allow, in future, an easy transition to split out
+the spooling functions into a separate daemon for those OEMs that do not
+need printing functionality in their appliances, reducing the code
+footprint.
+
+
+ID Mapping Changes
+------------------
+
+The id mapping configuration has been a source of much grief in the past.
+For this release, id mapping has ben rewritten yet again with the goal
+of making the configuration more simple and more coherent while keeping
+the needed flexibility and even adding to the flexibility in some respects.
+
+The major change that implies the configuration simplifications is at
+the heart of the id mapping system: The separation of the "idmap alloc
+system" that is responsible for the unix id counters in the tdb, tdb2
+and ldap idmap backends from the id mapping code itself has been removed.
+The sids_to_unixids operation is now atomic and encapsulates (if needed)
+the action of allocating a unix id for a mapping that is to be created.
+Consequently all idmap alloc configuration parameters have vanished and
+it is hence now also not possible any more to specify an idmap alloc
+backend different from the idmap backend. Each idmap backend uses its
+own idmap unixid creation mechanism transparently.
+
+As a consequence of the id mapping changes, the methods that are used
+for storing and deleting id mappings have been removed from the winbindd
+API. The "net idmap dump/restore" commands have been rewritten to
+not speak through winbindd any more but directly act on the databases.
+This is currently available for the tdb and tdb2 backends, the implementation
+for ldap still missing.
+
+The allocate_id functionality is preserved for the unix id creator of the
+default idmap configuration is also used as the source of unix ids
+for the group mapping database and for the posix attributes in a
+ldapsam:editposix setup.
+
+As part of the changes, the default idmap configuration has been
+changed to be more coherent with the per-domain configuration.
+The parameters "idmap uid", "idmap gid" and "idmap range" are now
+deprecated in favour of the systematic "idmap config * : range"
+and "idmap config * : backend" parameters. The reason for this change
+is that the old options only provided an incomplete and hence deceiving
+backwards compatibility, which was a source of many problems with
+updgrades. By introducing this change in configuration, it should be
+brought to the conciousness of the users that even the simple
+id mapping is not working exactly as in Samba 3.0 versions any more.
+
+
+SMB Traffic Analyzer
+--------------------
+
+Added the new SMB Traffic Analyzer (SMBTA) VFS module protocol 2
+featuring encryption, multiple arguments, and easier parseability. A new
+tool 'smbta-util' has been created to control the encryption behaviour
+of SMBTA. For compatibility, SMBTA by default operates on version 1.
+There are programs consuming the data that the module sends.
+
+More information can be found on
+http://holger123.wordpress.com/smb-traffic-analyzer/
+
+
+NFS quota backend on Linux
+--------------------------
+
+A new nfs quota backend for Linux has been added that is based
+on the existing Solaris/FreeBSD implementation. This allows samba
+to communicate correct diskfree information for nfs imports that
+are re-exported as samba shares.
+
+
+######################################################################
+Changes
+#######
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ async smb echo handler New No
+ client ntlmv2 auth Changed Default Yes
+ client use spnego principal New No
+ ctdb locktime warn threshold New 0
+ idmap alloc backend Removed
+ log writeable files on exit New No
+ multicast dns register New Yes
+ ncalrpc dir New
+ send spnego principal New No
+ smb2 max credits New 128
+ smb2 max read New 1048576
+ smb2 max trans New 1048576
+ smb2 max write New 1048576
+ username map cache time New 0
+ winbind max clients New 200
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
git.samba.org / samba.git / blobdiff