X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=WHATSNEW.txt;h=5f2377130154d58d45da73f04cf62842973c1c96;hp=09b3cbbd48e391bdbc546162acbb596413e77afc;hb=57edc9a0d5fe092252b102c6bb34d94e5d5c13c1;hpb=59bee844b88ea917b2e7036b9d8deecf5b5f5f2b diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 09b3cbbd48e..5f237713015 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,279 +1,203 @@ Release Announcements ===================== -This is the first preview release of Samba 4.7. This is *not* +This is the first preview release of Samba 4.10. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.7 will be the next version of the Samba suite. +Samba 4.10 will be the next version of the Samba suite. UPGRADING ========= -smbclient changes ------------------ -smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' -banner when connecting to the first server. With SMB2 and Kerberos -there's no way to print this information reliable. Now we avoid it at all -consistently. In interactive session the following banner is now presented -to the user: 'Try "help" do get a list of possible commands.'. +NEW FEATURES/CHANGES +==================== -The default for "client max protocol" has changed to "SMB3_11", -which means that smbclient (and related commands) will work against -servers without SMB1 support. +GPO Improvements +---------------- -It's possible to use the '-m/--max-protocol' option to overwrite -the "client max protocol" option temporary. +A new 'samba-tool gpo export' command has been added that can export a +set of Group Policy Objects from a domain in a generalised XML format. -Note that the '-e/--encrypt' option also works with most SMB3 servers -(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions -are not required for encryption. +A corresponding 'samba-tool gpo restore' command has been added to +rebuild the Group Policy Objects from the XML after generalization. +(The administrator needs to correct the values of XML entities between +the backup and restore to account for the change in domain). -The change to SMB3_11 as default also means smbclient no longer -negotiates SMB1 unix extensions by default, when talking to a Samba server with -"unix extensions = yes". As a result some commands are not available, e.g. -posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami, -getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1. +kdc prefork +----------- -Note the default ("CORE") for "client min protocol" hasn't changed, -so it's still possible to connect to SMB1-only servers by default. +The KDC now supports the pre-fork process model and worker processes will be +forked for the KDC when the pre-fork process model is selected for samba. +prefork 'prefork children' +-------------------------- -NEW FEATURES/CHANGES -==================== +The default value for this smdb.conf parameter has been increased from 1 to +4. -Whole DB read locks: Improved LDAP and replication consistency --------------------------------------------------------------- +netlogon prefork +---------------- -Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba -erronously did not take whole-DB read locks to protect search -and DRS replication operations. +DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are +pre-forked when the prefork process model is selected for samba. -While each object returned remained subject to a record-level lock (so -would remain consistent to itself), under a race condition with a -rename or delete, it and any links (like the member attribute) to it -would not be returned. +Offline domain backups +---------------------- -The symptoms of this issue include: +The 'samba-tool domain backup' command has been extended with a new 'offline' +option. This safely creates a backup of the local DC's database directly from +disk. The main benefits of an offline backup are it's quicker, it stores more +database details (for forensic purposes), and the samba process does not have +to be running when the backup is made. Refer to the samba-tool help for more +details on using this command. -Replication failures with this error showing in the client side logs: - error during DRS repl ADD: No objectClass found in replPropertyMetaData for - Failed to commit objects: - WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE +Group membership statistics +--------------------------- -A crash of the server, in particular the rpc_server process with - INTERNAL ERROR: Signal 11 +A new 'samba-tool group stats' command has been added. This provides summary +information about how the users are spread across groups in your domain. +The 'samba-tool group list --verbose' command has also been updated to include +the number of users in each group. -LDAP read inconsistency - A DN subject to a search at the same time as it is being renamed - may not appear under either the old or new name, but will re-appear - for a subsequent search. +prefork process restart +----------------------- -See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details -and updated advise on database recovery for affected installations. +The pre-fork process model now restarts failed processes. The delay between +restart attempts is controlled by the "prefork backoff increment" (default = 10) +and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear +back off strategy is used with "prefork backoff increment" added to the +delay between restart attempts up until it reaches "prefork maximum backoff". +Using the default sequence the restart delays (in seconds) are: + 0, 10, 20, ..., 120, 120, ... -Samba AD with MIT Kerberos --------------------------- +standard process model +---------------------- -After four years of development, Samba finally supports compiling and -running Samba AD with MIT Kerberos. You can enable it with: +When using the standard process model samba forks a new process to handle ldap +and netlogon connections. Samba now honours the 'max smbd processes' smb.conf +parameter. The default value of 0, indicates there is no limit. The limit +is applied individually to netlogon and ldap. When the process limit is +exceeded Samba drops new connections immediately. - ./configure --with-system-mitkrb5 +python3 support +--------------- -Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. -The krb5-devel and krb5-server packages are required. -The feature set is not on par with with the Heimdal build but the most important -things, like forest and external trusts, are working. Samba uses the KDC binary -provided by MIT Kerberos. +The version of python which is now the default for samba is python3. +'configure' & 'make' will execute using python3. It is possible to still +specify an additional python version with '--extra-python' +e.g. '--extra-python=/usr/bin/python2'. It should be noted that support for +this option will be deprecated in a future release. -Missing features, compared to Heimdal, are: - * PKINIT support - * S4U2SELF/S4U2PROXY support - * RODC support (not fully working with Heimdal either) +What if I need to build with python2? To build with python2 you *must* set +the 'PYTHON' environent variable to override the python3 default for both +'configure' and 'make' steps. -The Samba AD process will take care of starting the MIT KDC and it will load a -KDB (Kerberos Database) driver to access the Samba AD database. When -provisioning an AD DC using 'samba-tool' it will take care of creating a correct -kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system -kdc.conf by default. It is possible to use a different location during -provision. You should consult the 'samba-tool' help and smb.conf manpage for -details. + 'PYTHON=python2 ./configure.developer' +& + 'PYTHON=python2 make' -Dynamic RPC port range ----------------------- +Note: Support for python2 (with the exception of a build configured with + 'PYTHON=python2 ./configure --disable-python' and built with + 'PYTHON=python2 make' will be deprecated in the next release. -The dynamic port range for RPC services has been changed from the old default -value 1024-1300 to 49152-65535. This port range is not only used by a -Samba AD DC but also applies to all other server roles including NT4-style -domain controllers. The new value has been defined by Microsoft in Windows -Server 2008 and newer versions. To make it easier for Administrators to control -those port ranges we use the same default and make it configurable with the -option: 'rpc server dynamic port range'. - -The 'rpc server port' option sets the first available port from the new -'rpc server dynamic port range' option. The option 'rpc server port' only -applies to Samba provisioned as an AD DC. - -Authentication and Authorization audit support ----------------------------------------------- - -Detailed authentication and authorization audit information is now -logged to Samba's debug logs under the "auth_audit" debug class, -including in particular the client IP address triggering the audit -line. Additionally, if Samba is compiled against the jansson JSON -library, a JSON representation is logged under the "auth_json_audit" -debug class. - -Audit support is comprehensive for all authentication and -authorisation of user accounts in the Samba Active Directory Domain -Controller, as well as the implicit authentication in password -changes. In the file server and classic/NT4 domain controller, NTLM -authentication, SMB and RPC authorization is covered, however password -changes are not at this stage, and this support is not currently -backed by a testsuite. - -Multi-process LDAP Server -------------------------- - -The LDAP server in the AD DC now honours the process model used for -the rest of the samba process, rather than being forced into a single -process. This aids in Samba's ability to scale to larger numbers of AD -clients and the AD DC's overall resiliency, but will mean that there is a -fork()ed child for every LDAP client, which may be more resource -intensive in some situations. - -Improved Read-Only Domain Controller (RODC) Support ---------------------------------------------------- - -Support for RODCs in Samba AD until now has been experimental. With this latest -version, many of the critical bugs have been fixed and the RODC can be used in -DC environments requiring no writable behaviour. RODCs now correctly support -bad password lockouts and password disclosure auditing through the -msDS-RevealedUsers attribute. - -The fixes made to the RWDC will also allow Windows RODC to function more -correctly and to avoid strange data omissions such as failures to replicate -groups or updated passwords. Password changes are currently rejected at the -RODC, although referrals should be given over LDAP. While any bad passwords can -trigger domain-wide lockout, good passwords which have not been replicated yet -for a password change can only be used via NTLM on the RODC (and not Kerberos). - -The reliability of RODCs locating a writable partner still requires some -improvements and so the 'password server' configuration option is generally -recommended on the RODC. - -Additional password hashes stored in supplementalCredentials ------------------------------------------------------------- - -A new config option 'password hash userPassword schemes' has been added to -enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext -password with reversible encryption). This builds upon previous work to improve -password sync for the AD DC (originally using GPG). - -The user command of 'samba-tool' has been updated in order to be able to -extract these additional hashes, as well as extracting the (HTTP) WDigest -hashes that we had also been storing in supplementalCredentials. - -Improvements to DNS during Active Directory domain join -------------------------------------------------------- - -The 'samba-tool' domain join command will now add the A and GUID DNS records -(on both the local and remote servers) during a join if possible via RPC. This -should allow replication to proceed more smoothly post-join. - -The mname element of the SOA record will now also be dynamically generated to -point to the local read-write server. 'samba_dnsupdate' should now be more -reliable as it will now find the appropriate name server even when resolv.conf -points to a forwarder. - -Significant AD performance and replication improvements -------------------------------------------------------- - -Previously, replication of group memberships was been an incredibly expensive -process for the AD DC. This was mostly due to unnecessary CPU time being spent -parsing member linked attributes. The database now stores these linked -attributes in sorted form to perform efficient searches for existing members. -In domains with a large number of group memberships, a join can now be -completed in half the time compared with Samba 4.6. - -LDAP search performance has also improved, particularly in the unindexed search -case. Parsing and processing of security descriptors should now be more -efficient, improving replication but also overall performance. - -Query record for open file or directory ---------------------------------------- - -The record attached to an open file or directory in Samba can be -queried through the 'net tdb locking' command. In clustered Samba this -can be useful to determine the file or directory triggering -corresponding "hot" record warnings in ctdb. - -Removal of lpcfg_register_defaults_hook() ------------------------------------------ - -The undocumented and unsupported function lpcfg_register_defaults_hook() -that was used by external projects to call into Samba and modify -smb.conf default parameter settings has been removed. If your project -was using this call please raise the issue on -samba-technical@lists.samba.org in order to design a supported -way of obtaining the same functionality. - -Change of loadable module interface ------------------------------------ - -The _init function of all loadable modules in Samba has changed -from: - -NTSTATUS _init(void); - -to: - -NTSTATUS _init(TALLOC_CTX *); - -This allows a program loading a module to pass in a long-lived -talloc context (which must be guaranteed to be alive for the -lifetime of the module). This allows modules to avoid use of -the talloc_autofree_context() (which is inherently thread-unsafe) -and still be valgrind-clean on exit. Modules that don't need to -free long-lived data on exist should use the NULL talloc context. - -Parameter changes ------------------ +JSON logging +------------ -The "strict sync" global parameter has been changed from -a default of "no" to "yes". This means smbd will by default -obey client requests to synchronize unwritten data in operating -system buffers safely onto disk. This is a safer default setting -for modern SMB1/2/3 clients. +Authentication messages now contain the Windows Event Id "eventId" and logon +type "logonType". The supported event codes and logon types are: + Event codes: + 4624 Successful logon + 4625 Unsuccessful logon -smb.conf changes + Logon Types: + 2 Interactive + 3 Network + 8 NetworkCleartext + +The version number for Authentication messages is now 1.1, changed from 1.0 + +Password change messages now contain the Windows Event Id "eventId", the +supported event Id's are: + 4723 Password changed + 4724 Password reset + +The version number for PasswordChange messages is now 1.1, changed from 1.0 + +Group membership change messages now contain the Windows Event Id "eventId", +the supported event Id's are: + 4728 A member was added to a security enabled global group + 4729 A member was removed from a security enabled global group + 4732 A member was added to a security enabled local group + 4733 A member was removed from a security enabled local group + 4746 A member was added to a security disabled local group + 4747 A member was removed from a security disabled local group + 4751 A member was added to a security disabled global group + 4752 A member was removed from a security disabled global group + 4756 A member was added to a security enabled universal group + 4757 A member was removed from a security enabled universal group + 4761 A member was added to a security disabled universal group + 4762 A member was removed from a security disabled universal group + + +The version number for GroupChange messages is now 1.1, changed from 1.0. Also +A GroupChange message is generated when a new user is created to log that the +user has been added to their primary group. + +The leading "JSON :" and source file prefix of the JSON formatted +log entries has been removed to make the parsing of the JSON log messages +easier. JSON log entries now start with 2 spaces followed by an opening brace +i.e. " {" + + + + +REMOVED FEATURES ================ - Parameter Name Description Default - -------------- ----------- ------- - allow unsafe cluster upgrade New parameter no - auth event notification New parameter no - auth methods Deprecated - client max protocol Effective SMB3_11 - default changed - map untrusted to domain New value/ auto - Default changed/ - Deprecated - mit kdc command New parameter - profile acls Deprecated - rpc server dynamic port range New parameter 49152-65535 - strict sync Default changed yes - password hash userPassword schemes New parameter +MIT Kerberos build of the AD DC +------------------------------- + +While not removed, the MIT Kerberos build of the Samba AD DC is still +considered experimental. Because Samba will not issue security +patches for this configuration, such builds now require the explicit +configure option: --with-experimental-mit-ad-dc + +For further details see +https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC + +samba_backup +------------ + +The samba_backup script has been removed. This has now been replaced by the +'samba-tool domain backup offline' command. + +smb.conf changes +================ + Parameter Name Description Default + -------------- ----------- ------- + prefork backoff increment Delay added to process restart 10 (seconds) + between attempts. + prefork maximum backoff Maximum delay for process between 120 (seconds) + process restart attempts + smbd search ask sharemode Name changed, old name was + "smbd:search ask sharemode" + smbd async dosmode Name changed, old name was + "smbd:async dosmode" + smbd max async dosmode Name changed, old name was + "smbd:max async dosmode" + smbd getinfo ask sharemode New: similar to "smbd search ask yes + sharemode" but for SMB getinfo KNOWN ISSUES ============ -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs #######################################