Release Announcements
=====================
-This is the first preview release of Samba 4.7. This is *not*
+This is the first preview release of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.7 will be the next version of the Samba suite.
+Samba 4.11 will be the next version of the Samba suite.
UPGRADING
=========
-smbclient changes
------------------
-smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
-banner when connecting to the first server. With SMB2 and Kerberos
-there's no way to print this information reliable. Now we avoid it at all
-consistently. In interactive session the following banner is now presented
-to the user: 'Try "help" do get a list of possible commands.'.
+NEW FEATURES/CHANGES
+====================
-The default for "client max protocol" has changed to "SMB3_11",
-which means that smbclient (and related commands) will work against
-servers without SMB1 support.
+Default samba process model
+---------------------------
-It's possible to use the '-m/--max-protocol' option to overwrite
-the "client max protocol" option temporary.
+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
-Note that the '-e/--encrypt' option also works with most SMB3 servers
-(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
-are not required for encryption.
+Authentication Logging.
+-----------------------
-The change to SMB3_11 as default also means smbclient no longer
-negotiates SMB1 unix extensions by default, when talking to a Samba server with
-"unix extensions = yes". As a result some commands are not available, e.g.
-posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
-getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
-Note the default ("CORE") for "client min protocol" hasn't changed,
-so it's still possible to connect to SMB1-only servers by default.
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
+The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-NEW FEATURES/CHANGES
-====================
+LDAP referrals
+--------------
+
+The scheme of returned LDAP referrals now reflects the scheme of the original
+request, i.e. referrals received via ldap are prefixed with "ldap://"
+and those over ldaps are prefixed with "ldaps://"
+
+Previously all referrals were prefixed with "ldap://"
+
+Bind9 logging
+-------------
+
+It is now possible to log the duration of DNS operations performed by Bind9
+This should aid future diagnosis of performance issues, and could be used to
+monitor DNS performance. The logging is enabled by setting log level to
+"dns:10" in smb.conf
+
+The logs are currently Human readable text only, i.e. no JSON formatted output.
+
+Log lines are of the form:
+
+ <function>: DNS timing: result: [<result>] duration: (<duration>)
+ zone: [<zone>] name: [<name>] data: [<data>]
+
+ durations are in microseconds.
+
+Default schema updated to 2012_R2
+---------------------------------
+
+Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
+is not yet available. Older schemas can be used by provisioning with the
+'--base-schema' argument. Existing installations can be updated with the
+samba-tool command "domain schemaupgrade".
+
+Samba's replication code has also been improved to handle replication
+with the 2012 schema (the core of this replication fix has also been
+backported to 4.9.11 and will be in a 4.10.x release).
+
+GnuTLS 3.2 required
+-------------------
+
+Samba is making efforts to remove in-tree cryptographic functionality,
+and to instead rely on externally maintained libraries. To this end,
+Samba has chosen GnuTLS as our standard cryptographic provider.
+
+Samba now requires GnuTLS 3.2 to be installed (including development
+headers at build time) for all configurations, not just the Samba AD
+DC.
+
+NOTE WELL: The use of GnuTLS means that Samba will honour the
+system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
+standard) and so will not operate in many still common situations if
+this system-wide parameter is in effect, as many of our protocols rely
+on outdated cryptography.
+
+A future Samba version will mitigate this to some extent where good
+cryptography effectively wraps bad cryptography, but for now that above
+applies.
+
+samba-tool improvements
+-----------------------
+
+A new "samba-tool contact" command has been added to allow the
+command-line manipulation of contacts, as used for address book
+lookups in LDAP.
+
+The "samba-tool [user|group|computer|group|contact] edit" command has been
+improved to operate more pleasantly on international character sets.
+
+100,000 USER and LARGER Samba AD DOMAINS
+========================================
+
+Extensive efforts have been made to optimise Samba for use in
+organisations (for example) targeting 100,000 users, plus 120,000
+computer objects, as well as large number of group memberships.
+
+Many of the specific efforts are detailed below, but the net results
+is to remove barriers to significantly larger Samba deployments
+compared to previous releases.
+
+Reindex performance improvements
+--------------------------------
+
+The performance of samba-tool dbcheck --reindex has been improved,
+especially for large domains.
+
+join performance improvements
+-----------------------------
+
+The performance of samba-tool domain join has been improved,
+especially for large domains.
-Whole DB read locks: Improved LDAP and replication consistency
---------------------------------------------------------------
+LDAP Server memory improvements
+-------------------------------
-Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
-and DRS replication operations.
+The LDAP server has improved memory efficiency, ensuring that large
+LDAP responses (for example a search for all objects) is not copied
+multiple times into memory.
-While each object returned remained subject to a record-level lock (so
-would remain consistent to itself), under a race condition with a
-rename or delete, it and any links (like the member attribute) to it
-would not be returned.
+Setting lmdb map size
+---------------------
-The symptoms of this issue include:
+It is now possible to set the lmdb map size (The maximum permitted
+size for the database). "samba-tool" now accepts the
+"--backend-store-size" i.e. --backend-store-size=4Gb. If not
+specified it defaults to 8Gb.
-Replication failures with this error showing in the client side logs:
- error during DRS repl ADD: No objectClass found in replPropertyMetaData for
- Failed to commit objects:
- WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
+This option is avaiable for the following sub commands:
+ * domain provision
+ * domain join
+ * domain dcpromo
+ * drs clone-dc-database
-A crash of the server, in particular the rpc_server process with
- INTERNAL ERROR: Signal 11
+LDB "batch_mode"
+----------------
-LDAP read inconsistency
- A DN subject to a search at the same time as it is being renamed
- may not appear under either the old or new name, but will re-appear
- for a subsequent search.
+To improve performance during batch operations i.e. joins, ldb now
+accepts a "batch_mode" option. However to prevent any index or
+database inconsistencies if an operation fails, the entire transaction
+will be aborted at commit.
-See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
-and updated advise on database recovery for affected installations.
+New LDB pack format
+-------------------
+On first use (startup of 'samba' or the first transaction write)
+Samba's sam.ldb will be updated to a new more efficient pack format.
+This will take a few moments.
-Samba AD with MIT Kerberos
+New LDB <= and >= index mode to improve replication performance
+---------------------------------------------------------------
+
+As well as a new pack format, Samba's sam.ldb uses a new index format
+allowing Samba to efficiently select objects changed since the last
+replication cycle. This in turn improves performance during
+replication of large domains.
+
+Improvements to ldb search performance
+--------------------------------------
+
+Search performance on large LDB databases has been improved by
+reducing memory allocations made on each object.
+
+Improvements to subtree rename performance
+------------------------------------------
+
+Improvements have been made to Samba's handling of subtree renames,
+for example of containers and organisational units, however large
+renames are still not recommended.
+
+CTDB changes
+============
+
+* nfs-linux-kernel-callout now defaults to using systemd service names
+
+ The Red Hat service names continue to be the default.
+
+ Other distributions should patch this file when packaging it.
+
+* The onnode -o option has been removed
+
+* ctdbd logs when it is using more than 90% of a CPU thread
+
+ ctdbd is single threaded, so can become saturated if it uses the
+ full capacity of a CPU thread. To help detect this situation, ctdbd
+ now logs messages when CPU utilisation exceeds 90%. Each change in
+ CPU utilisation over 90% is logged. A message is also logged when
+ CPU utilisation drops below the 90% threshold.
+
+* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
+
+ 05.system.script now monitors total memory (i.e. physical memory +
+ swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
+ script configuration variable.
+
+
+REMOVED FEATURES
+================
+
+Web server
+----------
+
+As a leftover from work related to the Samba Web Administration Tool (SWAT),
+Samba still supported a Python WSGI web server (which could still be turned on
+from the 'server services' smb.conf parameter). This service was unused and has
+now been removed from Samba.
+
+
+samba-tool join subdommain
--------------------------
-After four years of development, Samba finally supports compiling and
-running Samba AD with MIT Kerberos. You can enable it with:
-
- ./configure --with-system-mitkrb5
-
-Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
-The krb5-devel and krb5-server packages are required.
-The feature set is not on par with with the Heimdal build but the most important
-things, like forest and external trusts, are working. Samba uses the KDC binary
-provided by MIT Kerberos.
-
-Missing features, compared to Heimdal, are:
- * PKINIT support
- * S4U2SELF/S4U2PROXY support
- * RODC support (not fully working with Heimdal either)
-
-The Samba AD process will take care of starting the MIT KDC and it will load a
-KDB (Kerberos Database) driver to access the Samba AD database. When
-provisioning an AD DC using 'samba-tool' it will take care of creating a correct
-kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
-kdc.conf by default. It is possible to use a different location during
-provision. You should consult the 'samba-tool' help and smb.conf manpage for
-details.
-
-Dynamic RPC port range
-----------------------
-
-The dynamic port range for RPC services has been changed from the old default
-value 1024-1300 to 49152-65535. This port range is not only used by a
-Samba AD DC but also applies to all other server roles including NT4-style
-domain controllers. The new value has been defined by Microsoft in Windows
-Server 2008 and newer versions. To make it easier for Administrators to control
-those port ranges we use the same default and make it configurable with the
-option: 'rpc server dynamic port range'.
-
-The 'rpc server port' option sets the first available port from the new
-'rpc server dynamic port range' option. The option 'rpc server port' only
-applies to Samba provisioned as an AD DC.
-
-Authentication and Authorization audit support
-----------------------------------------------
-
-Detailed authentication and authorization audit information is now
-logged to Samba's debug logs under the "auth_audit" debug class,
-including in particular the client IP address triggering the audit
-line. Additionally, if Samba is compiled against the jansson JSON
-library, a JSON representation is logged under the "auth_json_audit"
-debug class.
-
-Audit support is comprehensive for all authentication and
-authorisation of user accounts in the Samba Active Directory Domain
-Controller, as well as the implicit authentication in password
-changes. In the file server and classic/NT4 domain controller, NTLM
-authentication, SMB and RPC authorization is covered, however password
-changes are not at this stage, and this support is not currently
-backed by a testsuite.
-
-Query record for open file or directory
----------------------------------------
-
-The record attached to an open file or directory in Samba can be
-queried through the 'net tdb locking' command. In clustered Samba this
-can be useful to determine the file or directory triggering
-corresponding "hot" record warnings in ctdb.
-
-Removal of lpcfg_register_defaults_hook()
------------------------------------------
-
-The undocumented and unsupported function lpcfg_register_defaults_hook()
-that was used by external projects to call into Samba and modify
-smb.conf default parameter settings has been removed. If your project
-was using this call please raise the issue on
-samba-technical@lists.samba.org in order to design a supported
-way of obtaining the same functionality.
-
-Change of loadable module interface
------------------------------------
-
-The _init function of all loadable modules in Samba has changed
-from:
-
-NTSTATUS _init(void);
-
-to:
-
-NTSTATUS _init(TALLOC_CTX *);
-
-This allows a program loading a module to pass in a long-lived
-talloc context (which must be guaranteed to be alive for the
-lifetime of the module). This allows modules to avoid use of
-the talloc_autofree_context() (which is inherently thread-unsafe)
-and still be valgrind-clean on exit. Modules that don't need to
-free long-lived data on exist should use the NULL talloc context.
-
-Parameter changes
------------------
-
-The "strict sync" global parameter has been changed from
-a default of "no" to "yes". This means smbd will by default
-obey client requests to synchronize unwritten data in operating
-system buffers safely onto disk. This is a safer default setting
-for modern SMB1/2/3 clients.
+The subdommain role has been removed from the join command. This option did
+not work and has no tests.
+
+
+Python2 support
+---------------
+
+Samba 4.11 will not have any runtime support for Python 2.
+
+If you are building Samba using the '--disable-python' option
+(i.e. you're excluding all the run-time Python support), then this
+will continue to work on a system that supports either python2 or
+python3.
+
+To build Samba with python2 you *must* set the 'PYTHON' environment
+variable for both the 'configure' and 'make' steps, i.e.
+ 'PYTHON=python2 ./configure'
+ 'PYTHON=python2 make'
+This will override the python3 default.
+
+Except for this specific build-time use of python2, Samba now requires
+Python 3.4 as a minimum.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- allow unsafe cluster upgrade New parameter no
- auth event notification New parameter no
- auth methods Deprecated
- client max protocol Effective SMB3_11
- default changed
- map untrusted to domain New value/ auto
- Default changed/
- Deprecated
- mit kdc command New parameter
- profile acls Deprecated
- rpc server dynamic port range New parameter 49152-65535
- strict sync Default changed yes
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ allocation roundup size Default changed/ 0
+ Deprecated
+ web port Removed
+ fruit:zero_file_id Changed default False
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff