Release Announcements
=====================
-This is the first preview release of Samba 4.8. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.8 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
-KDC GPO application
--------------------
-
-Adds Group Policy support for the samba kdc. Applies password policies
-(minimum/maximum password age, minimum password length, and password
-complexity) and kerberos policies (user/service ticket lifetime and
-renew lifetime).
-
-Adds the samba_gpoupdate script for applying and unapplying
-policy. Can be applied automatically by setting
-
- 'server services = +gpoupdate'.
-
-Time Machine Support with vfs_fruit
-===================================
-Samba can be configured as a Time Machine target for Apple Mac devices
-through the vfs_fruit module. When enabling a share for Time Machine
-support the relevant Avahi records to support discovery will be published
-for installations that have been built against the Avahi client library.
-
-Shares can be designated as a Time Machine share with the following setting:
-
- 'fruit:time machine = yes'
-
-Support for lower casing the MDNS Name
-======================================
-Allows the server name that is advertised through MDNS to be set to the
-hostname rather than the Samba NETBIOS name. This allows an administrator
-to make Samba registered MDNS records match the case of the hostname
-rather than being in all capitals.
-
-This can be set with the following settings:
-
- 'mdns name = mdns'
-
-Encrypted secrets
-=================
-Attributes deemed to be sensitive are now encrypted on disk. The sensitive
-values are currently:
- pekList
- msDS-ExecuteScriptPassword
- currentValue
- dBCSPwd
- initialAuthIncoming
- initialAuthOutgoing
- lmPwdHistory
- ntPwdHistory
- priorValue
- supplementalCredentials
- trustAuthIncoming
- trustAuthOutgoing
- unicodePwd
- clearTextPassword
-
-This encryption is enabled by default on a new provision or join, it
-can be disabled at provision or join time with the new option
---plaintext-secrets.
-
-However, an in-place upgrade will not encrypt the database.
-
-Once encrypted, it is not possible to do an in-place downgrade (eg to
-4.7) of the database. To obtain an unencrypted copy of the database a
-new DC join should be performed, specifying the --plaintext-secrets
-option.
-
-The key file "encrypted_secrets.key" is created in the same directory
-as the database and should NEVER be disclosed. It is included by the
-samba_backup script.
-smb.conf changes
-================
-
- Parameter Name Description Default
- -------------- ----------- -------
- auth methods Removed
- binddns dir New
- client schannel Default changed/ yes
- Deprecated
- gpo update command New
- ldap ssl ads Deprecated
- map untrusted to domain Removed
- oplock contention limit Removed
- prefork children New 1
- mdns name Added netbios
- fruit:time machine Added false
- profile acls Removed
- use spnego Removed
- server schannel Default changed/ yes
- Deprecated
- unicode Deprecated
- winbind scan trusted domains New yes
- winbind trusted domains only Removed
-
-
-NT4-style replication based net commands removed
-================================================
-
-The following commands and sub-commands have been removed from the
-"net" utility:
-
-net rpc samdump
-net rpc vampire ldif
-
-Also, replicating from a real NT4 domain with "net rpc vampire" and
-"net rpc vampire keytab" has been removed.
-
-The NT4-based commands were accidentially broken in 2013, and nobody
-noticed the breakage. So instead of fixing them including tests (which
-would have meant writing a server for the protocols, which we don't
-have) we decided to remove them.
-
-For the same reason, the "samsync", "samdeltas" and "database_redo"
-commands have been removed from rpcclient.
-
-"net rpc vampire keytab" from Active Directory domains continues to be
-supported.
-
-vfs_aio_linux module removed
-============================
-
-The current Linux kernel aio does not match what Samba would
-do. Shipping code that uses it leads people to false
-assumptions. Samba implements async I/O based on threads by default,
-there is no special module required to see benefits of read and write
-request being sent do the disk in parallel.
-
-smbclient reparse point symlink parameters reversed
-===================================================
-
-A bug in smbclient caused the 'symlink' command to reverse the
-meaning of the new name and link target parameters when creating a
-reparse point symlink against a Windows server. As this is a
-little used feature the ordering of these parameters has been
-reversed to match the parameter ordering of the UNIX extensions
-'symlink' command. The usage message for this command has also
-been improved to remove confusion.
-
-Winbind changes
+net ads setspn
---------------
-The dependency to global list of trusted domains within
-the winbindd processes has been reduced a lot.
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionaility that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
-The construction of that global list is not reliable and often
-incomplete in complex trust setups. In most situations the list is not needed
-any more for winbindd to operate correctly. E.g. for plain file serving via SMB
-using a simple idmap setup with autorid, tdb or ad. However some more complex
-setups require the list, e.g. if you specify idmap backends for specific
-domains. Some pam_winbind setups may also require the global list.
+The format of the command is:
-If you have a setup that doesn't require the global list, you should set
-"winbind scan trusted domains = no".
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
+
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
+
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
+
+serviceclass/host is generally sufficient to specify a host based service.
+
+net ads keytab changes
+----------------------
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
+
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
+
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
+
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
+Database audit support
+----------------------
+
+Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
+under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
+entries.
+
+Transaction commits and roll backs are now logged to Samba's debug logs under
+the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
+JSON formatted log entries.
+
+Password change audit support
+-----------------------------
+
+Password changes in the AD DC are now logged to Samba's debug logs under the
+"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
+formatted log entries.
+
+Group membership change audit support
+-------------------------------------
+
+Group membership changes on the AD DC are now logged to
+Samba's debug log under the "dsdb_group_audit" debug class and
+"dsdb_group_json_audit" for JSON formatted log entries.
+
+Log Authentication duration
+---------------------------
+
+For NTLM and Kerberos KDC authentication, the authentication duration is now
+logged. Note that the duration is only included in the JSON formatted log
+entries.
+
+New Experimental LMDB LDB backend
+---------------------------------
+
+A new experimental LDB backend using LMBD is now available. This allows
+databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+increased in a future release). To enable lmdb, provision or join a domain using
+the --backend-store=mdb option.
+
+This requires that a version of lmdb greater than 0.9.16 is installed and that
+samba has not been built with the --without-ldb-lmdb option.
+
+Please note this is an experimental feature and is not recommended for
+production deployments.
+
+Password Settings Objects
+-------------------------
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+
+Domain backup and restore
+-------------------------
+A new samba-tool command has been added that allows administrators to create a
+backup-file of their domain DB. In the event of a catastrophic failure of the
+domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
+New samba-tool options for diagnosing DRS replication issues
+------------------------------------------------------------
+
+The 'samba-tool drs showrepl' command has two new options controlling
+the output. With --summary, the command says very little when DRS
+replication is working well. With --json, JSON is produced. These
+options are intended for human and machine audiences, respectively.
+
+The 'samba-tool visualize uptodateness' visualizes replication lag as
+a heat-map matrix based on the DRS uptodateness vectors. This will
+show you if (but not why) changes are failing to replicate to some DCs.
+
+Automatic site coverage and GetDCName improvements
+--------------------------------------------------
+
+Samba's AD DC now automatically claims otherwise empty sites based on
+which DC is the nearest in the replication topology.
+
+This, combined with efforts to correctly identify the client side in
+the GetDCName Netlogon call will improve service to sites without a
+local DC.
+
+Improved samba-tool computer command
+------------------------------------
+
+The 'samba-tool computer' command allow manipulation of computer
+accounts including creating a new computer and resetting the password.
+This allows an 'offline join' of a member server or workstation to the
+Samba AD domain.
+
+Samba performance tool now operates against Microsoft Windows AD
+----------------------------------------------------------------
+
+The Samba AD performance testing tool traffic_reply can now operate
+against a Windows based AD domain. Previously it only operated
+correctly against Samba.
+
+DNS entries are now cleaned up during DC demote
+-----------------------------------------------
+
+DNS records are now cleaned up as part of the 'samba-tool domain
+demote' including both the default and --remove-other-dead-server
+modes.
+
+Additionally DNS records can be automatically cleaned up for a given
+name with the 'samba-tool dns cleanup' command, which aids in cleaning
+up partially removed DCs.
+
+Samba now tested with CI GitLab
+-------------------------------
+
+Samba developers now have pre-commit testing available in GitLab,
+giving reviewers confidence that the submitted patches pass a full CI
+before being submitted to the Samba Team's own autobuild system.
+
+Dynamic DNS record scavenging support
+-------------------------------------
+
+It is now possible to enable scavenging of DNS Zones to remove DNS
+records that were dynamically created and have not been touched in
+some time.
+
+This support should however only be enabled on new zones or new
+installations. Sadly old Samba versions suffer from BUG 12451 and
+mark dynamic DNS records as static and static records as dynamic.
+While a dbcheck rule may be able to find these in the future,
+currently a reliable test has not been devised.
+
+Finally, there is not currently a command-line tool to enable this
+feature, currently it should be enabled from the DNS Manager tool from
+Windows. Also the feature needs to have been enabled by setting the smb.conf
+parameter "dns zone scavenging = yes".
REMOVED FEATURES
================
-The two commands "net serverid list" and "net serverid wipe" have been
-removed, because the file serverid.tdb is not used anymore.
-"net serverid list" can be replaced by listing all files in the
-subdirectory "msg.lock" of Samba's "lock directory". The unique id
-listed by "net serverid list" is stored in every process' lockfile in
-"msg.lock".
-"net serverid wipe" is not necessary anymore. It was meant primarily
-for clustered environments, where the serverid.tdb file was not
-properly cleaned up after single node crashes. Nowadays smbd and
-winbind take care of cleaning up the msg.lock and msg.sock directories
-automatically.
+smb.conf changes
+================
+
+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes
+
+VFS interface changes
+=====================
+
+The VFS ABI interface version has changed to 39. Function changes
+are:
+
+SMB_VFS_FSYNC: Removed: Only async versions are used.
+SMB_VFS_READ: Removed: Only PREAD or async versions are used.
+SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
+SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
+SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+
+Any external VFS modules will need to be updated to match these
+changes in order to work with 4.9.x.
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
#######################################
git.samba.org / garming / samba-autobuild / .git / blobdiff