-What's new in Samba 4 beta1
+What's new in Samba 4.0 beta8
=============================
Samba 4.0 will be the next version of the Samba suite and incorporates
WARNINGS
========
-Samba4 beta1 is not a final Samba release, however we are now making
-good progress towards a Samba 4.0 release, of which this is a preview.
-Be aware the this release contains the best of all of Samba's
+Samba 4.0 beta8 is not a final Samba release, however we are now making
+good progress towards a Samba 4.0 release. However, this is expected to be the
+last beta release before we start on our release candidate series.
+
+This release contains the best of all of Samba's
technology parts, both a file server (that you can reasonably expect
to upgrade existing Samba 3.x releases to) and the AD domain
controller work previously known as 'samba4'.
-Samba4 is subjected to an awesome battery of tests on an automated
-basis, we have found Samba 4.0 to be very stable in it's behavior.
-However, we still recommend against upgrading production servers from
-Samba 3.x release to Samba 4.0 alpha at this stage.
-
-In particular note that the new default configuration 's3fs' may have
-different stability characteristics compared with our previous default
-file server. We are making this release so that we can find and fix
-any of these issues that arise in the real world. AD DC installations
-can provision with --use-ntvfs to obtain the previous default file
-server.
+Samba 4.0 is subjected to an awesome battery of tests on an automated
+basis, we have found Samba 4.0 to be very stable in it's behaviour.
+However, as with all our pre-releases we still recommend against
+upgrading production servers from Samba 3.x release to Samba 4.0 beta
+at this stage.
If you are upgrading, or looking to develop, test or deploy Samba 4.0
-alpha releases, you should backup all configuration and data.
+beta releases, you should backup all configuration and data.
+
+
+UPGRADING
+=========
+
+Users upgrading from Samba 3.x domain controllers and wanting to use
+Samba 4.0 as an AD DC should use the 'samba-tool domain
+classicupgrade' command. See the wiki for more details:
+https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO
+
+Users upgrading from Samba 4.0 alpha and beta releases since alpha15
+should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
+Samba. Users upgrading from earlier alpha releases should contact the
+team for advice.
+
+Users upgrading an AD DC from any previous release should run
+'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
+with those matching the GPOs in LDAP and the defaults from an initial
+provision. This will set an underlying POSIX ACL if required (eg not
+using the NTVFS file server).
NEW FEATURES
============
the infamous Kerberos PAC, and include it with the Kerberos tickets we
issue.
-Samba 4.0 alpha ships with two distinct file servers. We now use the
+Samba 4.0 beta ships with two distinct file servers. We now use the
file server from the Samba 3.x series 'smbd' for all file serving by
-default. For pure file server work, the binaries users would expect
-from that series (nmbd, winbindd, smbpasswd) continue to be available.
+default.
Samba 4.0 also ships with the 'NTVFS' file server. This file server
is what was used in all previous alpha releases of Samba 4.0, and is
running example of the NT-FSA architecture we expect to move smbd to in
the longer term.
-As mentioned above, this change to the default file server may cause
-instability, as we learn about the real-world interactions between
-these two key components.
-
-A new scripting interface has been added to Samba 4, allowing Python
-programs to interface to Samba's internals, and many tools and
-internal workings of the DC code is now implemented in python.
-
-
-
-CHANGES SINCE alpha20
+For pure file server work, the binaries users would expect from that
+series (nmbd, winbindd, smbpasswd) continue to be available. When
+running an AD DC, you only need to run 'samba' (not
+nmbd/smbd/winbind), as the required services are co-coordinated by this
+master binary.
+
+As DNS is an integral part of Active Directory, we also provide a DNS
+solution, using the BIND DLZ mechanism in versions 9.8 and 9.9.
+During the provision, a configuration file will be generated for bind
+to make it use this plugin. We also have a project to provide a
+minimal internal DNS server from within the Samba process, for easier
+'out of the box' configuration. Note however that this is not yet
+complete (pending addition of secure DNS update support).
+
+To provide accurate timestamps to Windows clients, we integrate with
+the NTP project to provide secured NTP replies. To use you need to
+start ntpd and configure it with the 'restrict ... ms-sntp' and
+ntpsigndsocket options.
+
+Finally, a new scripting interface has been added to Samba 4, allowing
+Python programs to interface to Samba's internals, and many tools and
+internal workings of the DC code is now implemented in python.
+
+CHANGES SINCE beta8
+===================
+
+The smbd file server now offers SMB3 as the maximum protocol
+by default. Samba can negotiate version 3 of the SMB protocol
+and supports the required features, including all required
+features of SMB 2.1 and SMB 2.0. Note that this does not imply
+that Samba implements all features of SMB3 since many of them
+are optional capabilities. Examples of features that Samba does
+not implement yet are leases (SMB 2.1) and multi-channel (SMB 3).
+
+Samba now offers an initial support for SMB2 durable file handles.
+These are enabled by default and can be turned off on a per share
+basis by setting "durable handles = no" on the share configuration.
+Note that in order to prevent conflicts with other applications
+accessing the same files, durable handles are only granted on
+shares that are configured for CIFS/SMB2-only access, i.e. more
+explicitly shares that are configured for minimal interoperability
+with these settings:
+
+ kernel oplocks = no
+ kernel share modes = no
+ posix locking = no
+
+The option "kernel share modes" has been introduced to be able
+to turn the translation of SMB share modes into kernel flocks
+off.
+
+CHANGES SINCE beta7
=====================
-For a list of changes since alpha 19, please see the git log.
+For a list of changes since beta7, please see the git log.
$ git clone git://git.samba.org/samba.git
$ cd samba.git
-$ git log samba-4.0.0alpha20..samba-4.0.0beta1
+$ git log samba-4.0.0beta7..samba-4.0.0beta8
Some major user-visible changes include:
-For installations that do not need an AD Domain controller, we can now
-build using MIT Kerberos from the local system. This is important for
-some distributors. This is enabled with the new --with-system-mitkrb5
-configure option. A synonym is the new --without-ad-dc option.
+- A fix for a segfault/abort on startup of the 'samba' binary in the
+ credentials_secrets code.
-The 's3fs' effort has moved to a new stage, with this now being the
-default mode of operation for new provisions.
+- A fix for samba-tool classicupgrade of pdb_ldap-based domains
-The BIND 9 DLZ plugin has had some stability improvements under BIND reloads.
+- A fix for samba-tool domain exportkeyab only exporting DES keys
-The 'samba-tool domain samba3upgrade' tool will now generally import
-all group members, and correctly imports domain password policies.
+- Printing is now enabled on the AD DC
-Some major but less visible changes include:
+- Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
-Continued early implementation work on the SMB 2.2 protocol client and server as
-the team improves and develops support these new protocols.
+- We now avoid printing secret attributes (such as unicodePwd and
+ suppliementalCredentials) in ldb trace logs
+- s3-printing: fix bug 9123 lprng job tracking errors
+
+- A fix for building with MIT Kerberos
KNOWN ISSUES
============
-- We are making this beta release to gain real-world use of the 's3fs'
+- 'samba-tool domain classicupgrade' will fail when setting ACLs on
+ the GPO folders with NT_STATUS_INVALID_ONWER in the default
+ configuration. This happens if, as is typical a 'domain admins'
+ group (-512) is mapped in the passdb backend being upgraded. This
+ is because the group mapping to a GID only prevents Samba from
+ allocating a uid for that group. The uid is needed so the 'domain
+ admins' group can own the GPO file objects.
+
+ To work around this issue, remove the 'domain admins' group before
+ upgrade, as it will be re-created automatically. You will
+ of course need to fill in the group membership again. A future release
+ will make this automatic, or find some other workaround.
+
+- This release makes the s3fs file server the default, as this is the
file server combination we will use for the Samba 4.0 release.
- Users should expect some rough edges: in particular, there are
- warnings about invalid parameters from the two respective parameter
- parsing engines.
-- There have been improvements to FreeBSD support, but more work is
- still required to finish this effort
+- For similar reasons, sites with ACLs stored by the ntvfs file server
+ may wish to continue to use that file server implementation, as a
+ posix ACL will similarly not be set in this case.
+
+- Replication of DNS data from one AD server to another may not work.
+ The DNS data used by the internal DNS server and bind9_dlz is stored
+ in an application partition in our directory. The replication of
+ this partition is not yet reliable.
+
+- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
+ containing _. A workaround will be in a future beta.
- upgradeprovision should not be run when upgrading to this release
from a recent release. No important database format changes have
use the 'samba' binary (provided for the AD server) on a member
server.
-- There is no NetBIOS browsing support (network neighbourhood) in the
- 'samba' binary (use nmbd and smbd instead)
+- There is no NetBIOS browsing support (network neighbourhood)
+ available for the AD domain controller. (Support in nmbd and smbd
+ for classic domains and member/standalone servers is unchanged).
- Clock Synchronisation is critical. Many 'wrong password' errors are
actually due to Kerberos objecting to a clock skew between client
experience issues with DRS replication, as we have fixed many issues
here in response to feedback from our production users.
+
RUNNING Samba 4.0 as an AD DC
=============================
git.samba.org / amitay / samba.git / blobdiff