X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=WHATSNEW.txt;h=5f2377130154d58d45da73f04cf62842973c1c96;hp=81cbef2cf1539a28831b997cabef95f7e19b08ec;hb=57edc9a0d5fe092252b102c6bb34d94e5d5c13c1;hpb=44bbdbef2ad71fb6c72f15e96a7e1c16eec46943 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 81cbef2cf15..5f237713015 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,308 +1,204 @@ Release Announcements ===================== -This is the first preview release of Samba 4.5. This is *not* +This is the first preview release of Samba 4.10. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.5 will be the next version of the Samba suite. +Samba 4.10 will be the next version of the Samba suite. UPGRADING ========= -NTLMv1 authentication disabled by default ------------------------------------------ - -In order to improve security we have changed -the default value for the "ntlm auth" option from -"yes" to "no". This may have impact on very old -client which doesn't support NTLMv2 yet. - -The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. - -By default Samba will only allow NTLMv2 via NTLMSSP now, -as we have the following default "lanman auth = no", -"ntlm auth = no" and "raw NTLMv2 auth = no". - NEW FEATURES/CHANGES ==================== -Support for LDAP_SERVER_NOTIFICATION_OID ----------------------------------------- - -The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID -control. This can be used to monitor the active directory database -for changes. - -KCC improvements for sparse network replication ------------------------------------------------ - -The Samba KCC will now be the default knowledge consistency checker in -Samba AD. Instead of using full mesh replication between every DC, the -KCC will set up connections to optimize replication latency and cost -(using site links to calculate the routes). This change should allow -larger domains to function significantly better in terms of replication -traffic and the time spent performing DRS replication. - -VLV - Virtual List View ------------------------ - -The VLV Control allows applications to page the LDAP directory in the -way you might expect a live phone book application to operate, without -first downloading the entire directory. - -DRS Replication for the AD DC ------------------------------ - -DRS Replication in Samba 4.5 is now much more efficient in handling -linked attributes, particularly in large domains with over 1000 group -memberships or other links. - -Replication is also much more reliable in the handling of tree -renames, such as the rename of an organizational unit containing many -users. Extensive tests have been added to ensure this code remains -reliable, particularly in the case of conflicts between objects added -with the same name on different servers. +GPO Improvements +---------------- -Schema updates are also handled much more reliably. +A new 'samba-tool gpo export' command has been added that can export a +set of Group Policy Objects from a domain in a generalised XML format. -replPropertyMetaData Changes ----------------------------- +A corresponding 'samba-tool gpo restore' command has been added to +rebuild the Group Policy Objects from the XML after generalization. +(The administrator needs to correct the values of XML entities between +the backup and restore to account for the change in domain). -During the development of the DRS replication, tests showed that Samba -stores the replPropertyMetaData object incorrectly. To address this, -be aware that dbcheck will now detect and offer to fix all objects in -the domain for this error. +kdc prefork +----------- -Linked attributes on deleted objects ------------------------------------- +The KDC now supports the pre-fork process model and worker processes will be +forked for the KDC when the pre-fork process model is selected for samba. -In Active Directory, an object that has been tombstoned or recycled -has no linked attributes. However, Samba incorrectly maintained such -links, slowing replication and run-time performance. dbcheck now -offers to remove such links, and they are no longer kept after the -object is tombstoned or recycled. - -Improved AD DC performance --------------------------- - -Many other improvements have been made to our LDAP database layer in -the AD DC, to improve performance, both during samba-tool domain -provision and at runtime. - -Other dbcheck improvements +prefork 'prefork children' -------------------------- - - samba-tool dbcheck can now find and fix a missing or corrupted - 'deleted objects' container. - - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values - in objectClass as these were then re-sorted at the next dbcheck indefinitely. - -Tombstone Reanimation ---------------------- - -Samba now supports tombstone reanimation, a feature in the AD DC -allowing tombstones, that is objects which have been deleted, to be -restored with the original SID and GUID still in place. +The default value for this smdb.conf parameter has been increased from 1 to +4. -Multiple DNS Forwarders on the AD DC ------------------------------------- +netlogon prefork +---------------- -Multiple DNS forwarders are now supported on the AD DC, allowing -samba to fall back between two different DNS servers for forwarded queries. +DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are +pre-forked when the prefork process model is selected for samba. -Password quality plugin support in the AD DC --------------------------------------------- - -The check password script now operates correctly in the AD DC (this -was silently ignored in past releases) - -pwdLastSet is now correctly honoured ------------------------------------- - -BUG 9654: the pwdLastSet attribute is now correctly handled (this previously -permitted passwords that next expire). - -net ads dns unregister +Offline domain backups ---------------------- -It is now possible to remove the DNS entries created with 'net ads register' -with the matching 'net ads unregister' command. - -Samba-tool improvements ------------------------- - -Running samba-tool on the command line should now be a lot snappier. The tool -now only loads the code specific to the subcommand that you wish to run. +The 'samba-tool domain backup' command has been extended with a new 'offline' +option. This safely creates a backup of the local DC's database directly from +disk. The main benefits of an offline backup are it's quicker, it stores more +database details (for forensic purposes), and the samba process does not have +to be running when the backup is made. Refer to the samba-tool help for more +details on using this command. -SMB 2.1 Leases enabled by default ---------------------------------- +Group membership statistics +--------------------------- -Leasing is an SMB 2.1 (and higher) feature which allows clients to -aggressively cache files locally above and beyond the caching allowed -by SMB 1 oplocks. This feature was disabled in previous releases, but -the SMB2 leasing code is now considered mature and stable enough to be -enabled by default. +A new 'samba-tool group stats' command has been added. This provides summary +information about how the users are spread across groups in your domain. +The 'samba-tool group list --verbose' command has also been updated to include +the number of users in each group. -Open File Description (OFD) Locks ---------------------------------- - -On systems that support them (currently only Linux), the fileserver now -uses Open File Description (OFD) locks instead of POSIX locks to implement -client byte range locks. As these locks are associated with a specific -file descriptor on a file this allows more efficient use when multiple -descriptors having file locks are opened onto the same file. An internal -tunable "smbd:force process locks = true" may be used to turn off OFD -locks if there appear to be problems with them. - -Password sync as active directory domain controller ---------------------------------------------------- +prefork process restart +----------------------- -The new commands 'samba-tool user getpassword' -and 'samba-tool user syncpasswords' provide -access and syncing of various password fields. +The pre-fork process model now restarts failed processes. The delay between +restart attempts is controlled by the "prefork backoff increment" (default = 10) +and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear +back off strategy is used with "prefork backoff increment" added to the +delay between restart attempts up until it reaches "prefork maximum backoff". -If compiled with GPGME support (--with-gpgme) it's -possible to store cleartext passwords in a PGP/OpenGPG -encrypted form by configuring the new "password hash gpg key ids" -option. This requires gpgme devel and python packages to be installed -(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu). +Using the default sequence the restart delays (in seconds) are: + 0, 10, 20, ..., 120, 120, ... -Python crypto requirements --------------------------- +standard process model +---------------------- -Some samba-tool subcommands require python-crypto and/or -python-m2crypto packages to be installed. +When using the standard process model samba forks a new process to handle ldap +and netlogon connections. Samba now honours the 'max smbd processes' smb.conf +parameter. The default value of 0, indicates there is no limit. The limit +is applied individually to netlogon and ldap. When the process limit is +exceeded Samba drops new connections immediately. -SmartCard/PKINIT improvements ------------------------------ +python3 support +--------------- -"samba-tool user create" accepts --smartcard-required -and "samba-tool user setpassword" accepts --smartcard-required -and --clear-smartcard-required. +The version of python which is now the default for samba is python3. +'configure' & 'make' will execute using python3. It is possible to still +specify an additional python version with '--extra-python' +e.g. '--extra-python=/usr/bin/python2'. It should be noted that support for +this option will be deprecated in a future release. -Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED -flags being set in the userAccountControl attribute. -At the same time the account password is reset to a random -NTHASH value. +What if I need to build with python2? To build with python2 you *must* set +the 'PYTHON' environent variable to override the python3 default for both +'configure' and 'make' steps. -Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED -bit is set in the userAccountControl attribute of a user. + 'PYTHON=python2 ./configure.developer' +& + 'PYTHON=python2 make' -When doing a PKINIT based kerberos logon the KDC adds the -required PAC_CREDENTIAL_INFO element to the authorization data. -That means the NTHASH is shared between the PKINIT based client and -the domain controller, which allows the client to do NTLM based -authentication on behalf of the user. It also allows on offline -logon using a smartcard to work on Windows clients. +Note: Support for python2 (with the exception of a build configured with + 'PYTHON=python2 ./configure --disable-python' and built with + 'PYTHON=python2 make' will be deprecated in the next release. -CTDB changes +JSON logging ------------ -* New improved ctdb tool - - ctdb tool has been completely rewritten using new client API. - Usage messages are much improved. - -* Sample CTDB configuration file is installed as ctdbd.conf. - -* The use of real-time scheduling when taking locks has been narrowed - to limit potential performance impacts on nodes - -* CTDB_RECOVERY_LOCK now supports specification of an external helper - to take and hold the recovery lock - - See the RECOVERY LOCK section in ctdb(7) for details. Documentation - for writing helpers is provided in doc/cluster_mutex_helper.txt. - -* "ctdb natgwlist" has been replaced by a top level "ctdb natgw" - command that has "master", "list" and "status" subcommands - -* The onnode command no longer supports the "recmaster", "lvs" and - "natgw" node specifications +Authentication messages now contain the Windows Event Id "eventId" and logon +type "logonType". The supported event codes and logon types are: + Event codes: + 4624 Successful logon + 4625 Unsuccessful logon -* Faster resetting of TCP connections to public IP addresses during - failover + Logon Types: + 2 Interactive + 3 Network + 8 NetworkCleartext -* Tunables MaxRedirectCount, ReclockPingPeriod, - DeferredRebalanceOnNodeAdd are now obsolete/ignored +The version number for Authentication messages is now 1.1, changed from 1.0 -* "ctdb listvars" now lists all variables, including the first one +Password change messages now contain the Windows Event Id "eventId", the +supported event Id's are: + 4723 Password changed + 4724 Password reset -* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been - removed +The version number for PasswordChange messages is now 1.1, changed from 1.0 - These are not needed because "ctdb reloadips" should do the correct - rebalancing. +Group membership change messages now contain the Windows Event Id "eventId", +the supported event Id's are: + 4728 A member was added to a security enabled global group + 4729 A member was removed from a security enabled global group + 4732 A member was added to a security enabled local group + 4733 A member was removed from a security enabled local group + 4746 A member was added to a security disabled local group + 4747 A member was removed from a security disabled local group + 4751 A member was added to a security disabled global group + 4752 A member was removed from a security disabled global group + 4756 A member was added to a security enabled universal group + 4757 A member was removed from a security enabled universal group + 4761 A member was added to a security disabled universal group + 4762 A member was removed from a security disabled universal group -* Output for the following commands has been simplified: - ctdb getdbseqnum - ctdb getdebug - ctdb getmonmode - ctdb getpid - ctdb getreclock - ctdb getpid - ctdb pnn +The version number for GroupChange messages is now 1.1, changed from 1.0. Also +A GroupChange message is generated when a new user is created to log that the +user has been added to their primary group. - These now simply print the requested output with no preamble. This - means that scripts no longer need to strip part of the output. +The leading "JSON :" and source file prefix of the JSON formatted +log entries has been removed to make the parsing of the JSON log messages +easier. JSON log entries now start with 2 spaces followed by an opening brace +i.e. " {" - "ctdb getreclock" now prints nothing when the recovery lock is not - set. -* Output for the following commands has been improved: - ctdb setdebug - ctdb uptime -* "ctdb process-exists" has been updated to only take a PID argument - - The PNN can be specified with -n . Output also cleaned up. - -* LVS support has been reworked - related commands and configuration - variables have changed - - "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level - "ctdb lvs" command that has "master", "list" and "status" - subcommands. - - See the LVS sections in ctdb(7) and ctdbd.conf(5) for details, - including configuration changes. - -* Improved sample NFS Ganesha call-out +REMOVED FEATURES +================ +MIT Kerberos build of the AD DC +------------------------------- +While not removed, the MIT Kerberos build of the Samba AD DC is still +considered experimental. Because Samba will not issue security +patches for this configuration, such builds now require the explicit +configure option: --with-experimental-mit-ad-dc -REMOVED FEATURES -================ +For further details see +https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC -only user and username parameters ---------------------------------- -These two parameters have long been deprecated and superseded by -"valid users" and "invalid users". +samba_backup +------------ +The samba_backup script has been removed. This has now been replaced by the +'samba-tool domain backup offline' command. smb.conf changes ================ - Parameter Name Description Default - -------------- ----------- ------- - kccsrv:samba_kcc Changed default yes - ntlm auth Changed default no - only user Removed - password hash gpg key ids New - smb2 leases Changed default yes - username Removed - + Parameter Name Description Default + -------------- ----------- ------- + prefork backoff increment Delay added to process restart 10 (seconds) + between attempts. + prefork maximum backoff Maximum delay for process between 120 (seconds) + process restart attempts + smbd search ask sharemode Name changed, old name was + "smbd:search ask sharemode" + smbd async dosmode Name changed, old name was + "smbd:async dosmode" + smbd max async dosmode Name changed, old name was + "smbd:max async dosmode" + smbd getinfo ask sharemode New: similar to "smbd search ask yes + sharemode" but for SMB getinfo KNOWN ISSUES ============ -Currently none. +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs + ####################################### Reporting bugs & Development Discussion