Release Announcements
=====================
-This is the first preview release of Samba 4.5. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.
UPGRADING
=========
-NTLMv1 authentication disabled by default
------------------------------------------
-
-In order to improve security we have changed
-the default value for the "ntlm auth" option from
-"yes" to "no". This may have impact on very old
-client which doesn't support NTLMv2 yet.
-
-The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
-
-By default Samba will only allow NTLMv2 via NTLMSSP now,
-as we have the following default "lanman auth = no",
-"ntlm auth = no" and "raw NTLMv2 auth = no".
-
NEW FEATURES/CHANGES
====================
-Support for LDAP_SERVER_NOTIFICATION_OID
-----------------------------------------
-
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
-
-KCC improvements for sparse network replication
------------------------------------------------
-
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
-
-VLV - Virtual List View
------------------------
-
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
-
-DRS Replication for the AD DC
------------------------------
-
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
-
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users. Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
-
-Schema updates are also handled much more reliably.
-
-samba-tool drs replicate with new options
------------------------------------------
-
-samba-tool drs replicate got two new options:
-
-The option '--local-online' will do the DsReplicaSync() via IRPC
-to the local dreplsrv service.
-The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
-DsReplicaSync(), which won't wait for the replication result.
+net ads setspn
+---------------
-replPropertyMetaData Changes
-----------------------------
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionaility that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly. To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
+The format of the command is:
-Linked attributes on deleted objects
-------------------------------------
-
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes. However, Samba incorrectly maintained such
-links, slowing replication and run-time performance. dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
-
-Improved AD DC performance
---------------------------
-
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
-
-Other dbcheck improvements
---------------------------
-
- - samba-tool dbcheck can now find and fix a missing or corrupted
- 'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
- in objectClass as these were then re-sorted at the next dbcheck indefinitely.
-
-Tombstone Reanimation
----------------------
-
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
-
-Multiple DNS Forwarders on the AD DC
-------------------------------------
-
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
-Password quality plugin support in the AD DC
---------------------------------------------
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
-pwdLastSet is now correctly honoured
-------------------------------------
+serviceclass/host is generally sufficient to specify a host based service.
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
-
-net ads dns unregister
+net ads keytab changes
+----------------------
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
+
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
+
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
+
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
+Database audit support
----------------------
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
-
-Samba-tool improvements
-------------------------
-
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
-
-SMB 2.1 Leases enabled by default
----------------------------------
-
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
-
-Open File Description (OFD) Locks
----------------------------------
-
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
-
-Password sync as active directory domain controller
----------------------------------------------------
-
-The new commands 'samba-tool user getpassword'
-and 'samba-tool user syncpasswords' provide
-access and syncing of various password fields.
-
-If compiled with GPGME support (--with-gpgme) it's
-possible to store cleartext passwords in a PGP/OpenGPG
-encrypted form by configuring the new "password hash gpg key ids"
-option. This requires gpgme devel and python packages to be installed
-(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
-
-Python crypto requirements
---------------------------
+Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
+under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
+entries.
-Some samba-tool subcommands require python-crypto and/or
-python-m2crypto packages to be installed.
+Transaction commits and roll backs are now logged to Samba's debug logs under
+the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
+JSON formatted log entries.
-SmartCard/PKINIT improvements
+Password change audit support
-----------------------------
-"samba-tool user create" accepts --smartcard-required
-and "samba-tool user setpassword" accepts --smartcard-required
-and --clear-smartcard-required.
-
-Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
-flags being set in the userAccountControl attribute.
-At the same time the account password is reset to a random
-NTHASH value.
-
-Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
-bit is set in the userAccountControl attribute of a user.
-
-When doing a PKINIT based kerberos logon the KDC adds the
-required PAC_CREDENTIAL_INFO element to the authorization data.
-That means the NTHASH is shared between the PKINIT based client and
-the domain controller, which allows the client to do NTLM based
-authentication on behalf of the user. It also allows on offline
-logon using a smartcard to work on Windows clients.
-
-CTDB changes
-------------
-
-* New improved ctdb tool
-
- ctdb tool has been completely rewritten using new client API.
- Usage messages are much improved.
-
-* Sample CTDB configuration file is installed as ctdbd.conf.
-
-* The use of real-time scheduling when taking locks has been narrowed
- to limit potential performance impacts on nodes
-
-* CTDB_RECOVERY_LOCK now supports specification of an external helper
- to take and hold the recovery lock
-
- See the RECOVERY LOCK section in ctdb(7) for details. Documentation
- for writing helpers is provided in doc/cluster_mutex_helper.txt.
+Password changes in the AD DC are now logged to Samba's debug logs under the
+"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
+formatted log entries.
-* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
- command that has "master", "list" and "status" subcommands
+Group membership change audit support
+-------------------------------------
-* The onnode command no longer supports the "recmaster", "lvs" and
- "natgw" node specifications
+Group membership changes on the AD DC are now logged to
+Samba's debug log under the "dsdb_group_audit" debug class and
+"dsdb_group_json_audit" for JSON formatted log entries.
-* Faster resetting of TCP connections to public IP addresses during
- failover
+Log Authentication duration
+---------------------------
-* Tunables MaxRedirectCount, ReclockPingPeriod,
- DeferredRebalanceOnNodeAdd are now obsolete/ignored
+For NTLM and Kerberos KDC authentication, the authentication duration is now
+logged. Note that the duration is only included in the JSON formatted log
+entries.
-* "ctdb listvars" now lists all variables, including the first one
-
-* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
- removed
-
- These are not needed because "ctdb reloadips" should do the correct
- rebalancing.
-
-* Output for the following commands has been simplified:
-
- ctdb getdbseqnum
- ctdb getdebug
- ctdb getmonmode
- ctdb getpid
- ctdb getreclock
- ctdb getpid
- ctdb pnn
-
- These now simply print the requested output with no preamble. This
- means that scripts no longer need to strip part of the output.
-
- "ctdb getreclock" now prints nothing when the recovery lock is not
- set.
-
-* Output for the following commands has been improved:
-
- ctdb setdebug
- ctdb uptime
+New Experimental LMDB LDB backend
+---------------------------------
-* "ctdb process-exists" has been updated to only take a PID argument
+A new experimental LDB backend using LMBD is now available. This allows
+databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+increased in a future release). To enable lmdb, provision or join a domain using
+the --backend-store=mdb option.
+
+This requires that a version of lmdb greater than 0.9.16 is installed and that
+samba has not been built with the --without-ldb-lmdb option.
+
+Please note this is an experimental feature and is not recommended for
+production deployments.
+
+Password Settings Objects
+-------------------------
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+
+Domain backup and restore
+-------------------------
+A new samba-tool command has been added that allows administrators to create a
+backup-file of their domain DB. In the event of a catastrophic failure of the
+domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
+New samba-tool options for diagnosing DRS replication issues
+------------------------------------------------------------
+
+The 'samba-tool drs showrepl' command has two new options controlling
+the output. With --summary, the command says very little when DRS
+replication is working well. With --json, JSON is produced. These
+options are intended for human and machine audiences, respectively.
+
+The 'samba-tool visualize uptodateness' visualizes replication lag as
+a heat-map matrix based on the DRS uptodateness vectors. This will
+show you if (but not why) changes are failing to replicate to some DCs.
+
+Automatic site coverage and GetDCName improvements
+--------------------------------------------------
+
+Samba's AD DC now automatically claims otherwise empty sites based on
+which DC is the nearest in the replication topology.
+
+This, combined with efforts to correctly identify the client side in
+the GetDCName Netlogon call will improve service to sites without a
+local DC.
+
+Improved samba-tool computer command
+------------------------------------
- The PNN can be specified with -n <PNN>. Output also cleaned up.
+The 'samba-tool computer' command allow manipulation of computer
+accounts including creating a new computer and resetting the password.
+This allows an 'offline join' of a member server or workstation to the
+Samba AD domain.
-* LVS support has been reworked - related commands and configuration
- variables have changed
+Samba performance tool now operates against Microsoft Windows AD
+----------------------------------------------------------------
- "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
- "ctdb lvs" command that has "master", "list" and "status"
- subcommands.
+The Samba AD performance testing tool traffic_reply can now operate
+against a Windows based AD domain. Previously it only operated
+correctly against Samba.
- See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
- including configuration changes.
+DNS entries are now cleaned up during DC demote
+-----------------------------------------------
-* Improved sample NFS Ganesha call-out
+DNS records are now cleaned up as part of the 'samba-tool domain
+demote' including both the default and --remove-other-dead-server
+modes.
-New shadow_copy2 options
-------------------------
+Additionally DNS records can be automatically cleaned up for a given
+name with the 'samba-tool dns cleanup' command, which aids in cleaning
+up partially removed DCs.
-shadow:snapprefix
+Samba now tested with CI GitLab
+-------------------------------
- With growing number of snapshots file-systems need some mechanism to
- differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
- special events, etc. Therefore these file-systems provide different ways to tag
- snapshots, e.g. provide a configurable way to name snapshots, which is not just
- based on time. With only shadow:format it is very difficult to filter these
- snapshots. With this optional parameter, one can specify a variable prefix
- component for names of the snapshot directories in the file-system. If this
- parameter is set, together with the shadow:format and shadow:delimiter
- parameters it determines the possible names of snapshot directories in the
- file-system. The option only supports Basic Regular Expression (BRE).
+Samba developers now have pre-commit testing available in GitLab,
+giving reviewers confidence that the submitted patches pass a full CI
+before being submitted to the Samba Team's own autobuild system.
-shadow:delimiter
+Dynamic DNS record scavenging support
+-------------------------------------
- This optional parameter is used as a delimiter between shadow:snapprefix and
- shadow:format This parameter is used only when shadow:snapprefix is set.
+It is now possible to enable scavenging of DNS Zones to remove DNS
+records that were dynamically created and have not been touched in
+some time.
- Default: shadow:delimiter = "_GMT"
+This support should however only be enabled on new zones or new
+installations. Sadly old Samba versions suffer from BUG 12451 and
+mark dynamic DNS records as static and static records as dynamic.
+While a dbcheck rule may be able to find these in the future,
+currently a reliable test has not been devised.
+Finally, there is not currently a command-line tool to enable this
+feature, currently it should be enabled from the DNS Manager tool from
+Windows. Also the feature needs to have been enabled by setting the smb.conf
+parameter "dns zone scavenging = yes".
REMOVED FEATURES
================
-only user and username parameters
----------------------------------
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- kccsrv:samba_kcc Changed default yes
- ntlm auth Changed default no
- only user Removed
- password hash gpg key ids New
- shadow:snapprefix New
- shadow:delimiter New _GMT
- smb2 leases Changed default yes
- username Removed
+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
+ Parameter Name Description Default
+ -------------- ----------- -------
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes
+
+VFS interface changes
+=====================
+
+The VFS ABI interface version has changed to 39. Function changes
+are:
+
+SMB_VFS_FSYNC: Removed: Only async versions are used.
+SMB_VFS_READ: Removed: Only PREAD or async versions are used.
+SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
+SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
+SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+
+Any external VFS modules will need to be updated to match these
+changes in order to work with 4.9.x.
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
git.samba.org / garming / samba-autobuild / .git / blobdiff