Release Announcements
=====================
-This is the first preview release of Samba 4.11. This is *not*
+This is the first preview release of Samba 4.12. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.11 will be the next version of the Samba suite.
+Samba 4.12 will be the next version of the Samba suite.
UPGRADING
=========
-SMB1 is disabled by default
----------------------------
-
-The defaults of 'client min protocol' and 'server min protocol'
-have been changed to SMB2_02.
-
-This means clients without support for SMB2 or SMB3 are no longer
-able to connect to smbd (by default).
-
-It also means client tools like smbclient and other,
-as well as applications making use of libsmbclient are no longer
-able to connect to servers without SMB2 or SMB3 support (by default).
-
-It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
-and LANMAN1 for client and server, as well as CORE and COREPLUS on
-the client.
-
-Note that most commandline tools e.g. smbclient, smbcacls and others
-also support the --option argument to overwrite smb.conf options,
-e.g. --option='client min protocol=NT1' might be useful.
-
-As Microsoft no longer installs SMB1 support in recent releases
-or uninstalls it after 30 days without usage, the Samba Team
-tries to get remove the SMB1 usage as much as possible.
-
-SMB1 is officially deprecated and might be removed step by step
-in the following years. If you have a strong requirement for SMB1
-(except for supporting old Linux Kernels), please file a bug
-at https://bugzilla.samba.org and let us know about the details.
NEW FEATURES/CHANGES
====================
-Default samba process model
----------------------------
-
-The default for the --model argument passed to the samba executable has changed
-from 'standard' to 'prefork'. This means a difference in the number of samba
-child processes that are created to handle client connections. The previous
-default would create a separate process for every LDAP or NETLOGON client
-connection. For a network with a lot of persistent client connections, this
-could result in significant memory overhead. Now, with the new default of
-'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
-worker processes at startup and share the client connections amongst these
-workers. The number of worker processes can be configured by the 'prefork
-children' setting in the smb.conf (the default is 4).
-
-Authentication Logging.
------------------------
-
-Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
-been added to the Authentication JSON log messages. This contains a random
-logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
-to SamLogon, linking the windbind and SamLogon requests.
-
-The serviceDescription of the messages is set to "winbind", the authDescription
-is set to one of:
- "PASSDB, <command>, <pid>"
- "PAM_AUTH, <command>, <pid>"
- "NTLM_AUTH, <command>, <pid>"
-where:
- <command> is the name of the command makinmg the winbind request i.e. wbinfo
- <pid> is the process id of the requesting process.
-
-The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-
-LDAP referrals
---------------
-
-The scheme of returned LDAP referrals now reflects the scheme of the original
-request, i.e. referrals received via ldap are prefixed with "ldap://"
-and those over ldaps are prefixed with "ldaps://"
-
-Previously all referrals were prefixed with "ldap://"
-
-Bind9 logging
--------------
-
-It is now possible to log the duration of DNS operations performed by Bind9
-This should aid future diagnosis of performance issues, and could be used to
-monitor DNS performance. The logging is enabled by setting log level to
-"dns:10" in smb.conf
-
-The logs are currently Human readable text only, i.e. no JSON formatted output.
-
-Log lines are of the form:
-
- <function>: DNS timing: result: [<result>] duration: (<duration>)
- zone: [<zone>] name: [<name>] data: [<data>]
-
- durations are in microseconds.
+Python 3.5 Required
+-------------------
-Default schema updated to 2012_R2
----------------------------------
+Samba's minimum runtime requirement for python was raised to Python
+3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
+3.5 both to access new features and because this is the oldest version
+we test with in our CI infrastructure.
-Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
-is not yet available. Older schemas can be used by provisioning with the
-'--base-schema' argument. Existing installations can be updated with the
-samba-tool command "domain schemaupgrade".
+(Build time support for the file server with Python 2.6 has not
+changed)
-Samba's replication code has also been improved to handle replication
-with the 2012 schema (the core of this replication fix has also been
-backported to 4.9.11 and will be in a 4.10.x release).
-
-GnuTLS 3.2 required
--------------------
+Removing in-tree cryptography: GnuTLS 3.4.7 required
+----------------------------------------------------
Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries. To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.
-Samba now requires GnuTLS 3.2 to be installed (including development
+Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.
+Thanks to this work Samba no longer ships an in-tree DES
+implementation and on GnuTLS 3.6.5 or later Samba will include no
+in-tree cryptography other than the MD4 hash and that
+implemented in our copy of Heimdal.
+
+Using GnuTLS for SMB3 encryption you will notice huge performance and copy
+speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
+show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
+
NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
cryptography effectively wraps bad cryptography, but for now that above
applies.
-samba-tool improvements
------------------------
-
-A new "samba-tool contact" command has been added to allow the
-command-line manipulation of contacts, as used for address book
-lookups in LDAP.
-
-The "samba-tool [user|group|computer|group|contact] edit" command has been
-improved to operate more pleasantly on international character sets.
-
-100,000 USER and LARGER Samba AD DOMAINS
-========================================
-
-Extensive efforts have been made to optimise Samba for use in
-organisations (for example) targeting 100,000 users, plus 120,000
-computer objects, as well as large number of group memberships.
-
-Many of the specific efforts are detailed below, but the net results
-is to remove barriers to significantly larger Samba deployments
-compared to previous releases.
-
-Reindex performance improvements
---------------------------------
-
-The performance of samba-tool dbcheck --reindex has been improved,
-especially for large domains.
-join performance improvements
------------------------------
+"net ads kerberos pac save" and "net eventlog export"
+-----------------------------------------------------
-The performance of samba-tool domain join has been improved,
-especially for large domains.
+The "net ads kerberos pac save" and "net eventlog export" tools will
+no longer silently overwrite an existing file during data export. If
+the filename given exits, an error will be shown.
-LDAP Server memory improvements
--------------------------------
+VFS
+===
-The LDAP server has improved memory efficiency, ensuring that large
-LDAP responses (for example a search for all objects) is not copied
-multiple times into memory.
-
-Setting lmdb map size
----------------------
-
-It is now possible to set the lmdb map size (The maximum permitted
-size for the database). "samba-tool" now accepts the
-"--backend-store-size" i.e. --backend-store-size=4Gb. If not
-specified it defaults to 8Gb.
-
-This option is avaiable for the following sub commands:
- * domain provision
- * domain join
- * domain dcpromo
- * drs clone-dc-database
-
-LDB "batch_mode"
-----------------
-
-To improve performance during batch operations i.e. joins, ldb now
-accepts a "batch_mode" option. However to prevent any index or
-database inconsistencies if an operation fails, the entire transaction
-will be aborted at commit.
-
-New LDB pack format
--------------------
-
-On first use (startup of 'samba' or the first transaction write)
-Samba's sam.ldb will be updated to a new more efficient pack format.
-This will take a few moments.
-
-New LDB <= and >= index mode to improve replication performance
----------------------------------------------------------------
-
-As well as a new pack format, Samba's sam.ldb uses a new index format
-allowing Samba to efficiently select objects changed since the last
-replication cycle. This in turn improves performance during
-replication of large domains.
-
-Improvements to ldb search performance
---------------------------------------
-
-Search performance on large LDB databases has been improved by
-reducing memory allocations made on each object.
-
-Improvements to subtree rename performance
-------------------------------------------
-
-Improvements have been made to Samba's handling of subtree renames,
-for example of containers and organisational units, however large
-renames are still not recommended.
-
-CTDB changes
-============
-
-* nfs-linux-kernel-callout now defaults to using systemd service names
-
- The Red Hat service names continue to be the default.
-
- Other distributions should patch this file when packaging it.
-
-* The onnode -o option has been removed
-
-* ctdbd logs when it is using more than 90% of a CPU thread
-
- ctdbd is single threaded, so can become saturated if it uses the
- full capacity of a CPU thread. To help detect this situation, ctdbd
- now logs messages when CPU utilisation exceeds 90%. Each change in
- CPU utilisation over 90% is logged. A message is also logged when
- CPU utilisation drops below the 90% threshold.
-
-* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
+SMB_VFS_NTIMES
+--------------
- 05.system.script now monitors total memory (i.e. physical memory +
- swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
- script configuration variable.
+Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
+to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
+VFS modules can check whether any of the time values inside a struct
+smb_file_time is to be ignored by calling is_omit_timespec() on the value.
REMOVED FEATURES
================
-Web server
-----------
+The smb.conf parameter "write cache size" has been removed.
-As a leftover from work related to the Samba Web Administration Tool (SWAT),
-Samba still supported a Python WSGI web server (which could still be turned on
-from the 'server services' smb.conf parameter). This service was unused and has
-now been removed from Samba.
+Since the in-memory write caching code was written, our write path has
+changed significantly. In particular we have gained very flexible
+support for async I/O, with the new linux io_uring interface in
+development. The old write cache concept which cached data in main
+memory followed by a blocking pwrite no longer gives any improvement
+on modern systems, and may make performance worse on memory-contrained
+systems, so this functionality should not be enabled in core smbd
+code.
+In addition, it complicated the write code, which is a performance
+critical code path.
-samba-tool join subdommain
---------------------------
+If required for specialist purposes, it can be recreated as a VFS
+module.
-The subdommain role has been removed from the join command. This option did
-not work and has no tests.
+BIND9_FLATFILE deprecated
+-------------------------
+The BIND9_FLATFILE DNS backend is deprecated in this release and will
+be removed in the future. This was only practically useful on a single
+domain controller or under expert care and supervision.
-Python2 support
----------------
+This release removes the "rndc command" smb.conf parameter, which
+supported this configuration by writing out a list of DCs permitted to
+make changes to the DNS Zone and nudging the 'named' server if a new
+DC was added to the domain. Administrators using BIND9_FLATFILE will
+need to maintain this manually from now on.
-Samba 4.11 will not have any runtime support for Python 2.
-If you are building Samba using the '--disable-python' option
-(i.e. you're excluding all the run-time Python support), then this
-will continue to work on a system that supports either python2 or
-python3.
+Retiring DES encryption types in Kerberos.
+------------------------------------------
+With this release, support for DES encryption types has been removed from
+Samba, and setting DES_ONLY flag for an account will cause Kerberos
+authentication to fail for that account (see RFC-6649).
+
+Samba-DC: DES keys no longer saved in DB.
+-----------------------------------------
+When a new password is set for an account, Samba DC will store random keys
+in DB instead of DES keys derived from the password. If the account is being
+migrated to Windbows or to an older version of Samba in order to use DES keys,
+the password must be reset to make it work.
-To build Samba with python2 you *must* set the 'PYTHON' environment
-variable for both the 'configure' and 'make' steps, i.e.
- 'PYTHON=python2 ./configure'
- 'PYTHON=python2 make'
-This will override the python3 default.
+Heimdal-DC: removal of weak-crypto.
+-----------------------------------
+Following removal of DES encryption types from Samba, the embedded Heimdal
+build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
-Except for this specific build-time use of python2, Samba now requires
-Python 3.4 as a minimum.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
- allocation roundup size Default changed/ 0
- Deprecated
- client min protocol Changed default SMB2_02
- server min protocol Changed default SMB2_02
- mangled names Changed default illegal
- web port Removed
- fruit:zero_file_id Changed default False
-
+ nfs4:acedup Changed default merge
+ rndc command Removed
+ write cache size Removed
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
#######################################
git.samba.org / bbaumbach / samba-autobuild / .git / blobdiff