-Improved Read-Only Domain Controller (RODC) Support
----------------------------------------------------
-
-Support for RODCs in Samba AD until now has been experimental. With this latest
-version, many of the critical bugs have been fixed and the RODC can be used in
-DC environments requiring no writable behaviour. RODCs now correctly support
-bad password lockouts and password disclosure auditing through the
-msDS-RevealedUsers attribute.
-
-The fixes made to the RWDC will also allow Windows RODC to function more
-correctly and to avoid strange data omissions such as failures to replicate
-groups or updated passwords. Password changes are currently rejected at the
-RODC, although referrals should be given over LDAP. While any bad passwords can
-trigger domain-wide lockout, good passwords which have not been replicated yet
-for a password change can only be used via NTLM on the RODC (and not Kerberos).
-
-The reliability of RODCs locating a writable partner still requires some
-improvements and so the 'password server' configuration option is generally
-recommended on the RODC.
-
-Additional password hashes stored in supplementalCredentials
-------------------------------------------------------------
-
-A new config option 'password hash userPassword schemes' has been added to
-enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
-password with reversible encryption). This builds upon previous work to improve
-password sync for the AD DC (originally using GPG).
-
-The user command of 'samba-tool' has been updated in order to be able to
-extract these additional hashes, as well as extracting the (HTTP) WDigest
-hashes that we had also been storing in supplementalCredentials.
-
-Improvements to DNS during Active Directory domain join
--------------------------------------------------------
-
-The 'samba-tool' domain join command will now add the A and GUID DNS records
-(on both the local and remote servers) during a join if possible via RPC. This
-should allow replication to proceed more smoothly post-join.
-
-The mname element of the SOA record will now also be dynamically generated to
-point to the local read-write server. 'samba_dnsupdate' should now be more
-reliable as it will now find the appropriate name server even when resolv.conf
-points to a forwarder.
-
-Significant AD performance and replication improvements
--------------------------------------------------------
-
-Previously, replication of group memberships was been an incredibly expensive
-process for the AD DC. This was mostly due to unnecessary CPU time being spent
-parsing member linked attributes. The database now stores these linked
-attributes in sorted form to perform efficient searches for existing members.
-In domains with a large number of group memberships, a join can now be
-completed in half the time compared with Samba 4.6.
-
-LDAP search performance has also improved, particularly in the unindexed search
-case. Parsing and processing of security descriptors should now be more
-efficient, improving replication but also overall performance.
-
-Query record for open file or directory
----------------------------------------
-
-The record attached to an open file or directory in Samba can be
-queried through the 'net tdb locking' command. In clustered Samba this
-can be useful to determine the file or directory triggering
-corresponding "hot" record warnings in ctdb.
-
-Removal of lpcfg_register_defaults_hook()
------------------------------------------
-
-The undocumented and unsupported function lpcfg_register_defaults_hook()
-that was used by external projects to call into Samba and modify
-smb.conf default parameter settings has been removed. If your project
-was using this call please raise the issue on
-samba-technical@lists.samba.org in order to design a supported
-way of obtaining the same functionality.
-
-Change of loadable module interface
------------------------------------
-
-The _init function of all loadable modules in Samba has changed
-from:
-
-NTSTATUS _init(void);
-
-to:
-
-NTSTATUS _init(TALLOC_CTX *);
-
-This allows a program loading a module to pass in a long-lived
-talloc context (which must be guaranteed to be alive for the
-lifetime of the module). This allows modules to avoid use of
-the talloc_autofree_context() (which is inherently thread-unsafe)
-and still be valgrind-clean on exit. Modules that don't need to
-free long-lived data on exist should use the NULL talloc context.
-
-Parameter changes
------------------
-
-The "strict sync" global parameter has been changed from
-a default of "no" to "yes". This means smbd will by default
-obey client requests to synchronize unwritten data in operating
-system buffers safely onto disk. This is a safer default setting
-for modern SMB1/2/3 clients.