X-Git-Url: http://git.samba.org/samba.git/?p=gd%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=WHATSNEW.txt;h=3ef066df34f1657ba91faf42e688fd76fd002c7c;hp=4265627d7746b75b7438033516c3d835dafd9914;hb=7a4dad60abeb785ccdf9c433103c4d36425cddfa;hpb=8be71f97b64cf95a2a980f5036e1bf689d2ba908 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4265627d774..3ef066df34f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,12 +1,12 @@ Release Announcements ===================== -This is the first preview release of Samba 4.8. This is *not* +This is the first preview release of Samba 4.11. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.8 will be the next version of the Samba suite. +Samba 4.11 will be the next version of the Samba suite. UPGRADING 
@@ -16,81 +16,66 @@ UPGRADING NEW FEATURES/CHANGES ==================== -Using x86_64 Accelerated AES Crypto Instructions -================================================ +Default samba process model +--------------------------- -Samba on x86_64 can now be configured to use the Intel accelerated AES -instruction set, which has the potential to make SMB3 signing and -encryption much faster on client and server. To enable this, configure -Samba using the new option --accel-aes=intelaesni. +The default for the --model argument passed to the samba executable has changed +from 'standard' to 'prefork'. This means a difference in the number of samba +child processes that are created to handle client connections. The previous +default would create a separate process for every LDAP or NETLOGON client +connection. For a network with a lot of persistent client connections, this +could result in significant memory overhead. Now, with the new default of +'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of +worker processes at startup and share the client connections amongst these +workers. The number of worker processes can be configured by the 'prefork +children' setting in the smb.conf (the default is 4). -This is a temporary solution that is being included to allow users -to enjoy the benefits of Intel accelerated AES on the x86_64 platform, -but the longer-term solution will be to move Samba to a fully supported -external crypto library. +Authentication Logging. +----------------------- -The third_party/aesni-intel code will be removed from Samba as soon as -external crypto library performance reaches parity. +Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has +been added to the Authentication JSON log messages. This contains a random +logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed +to SamLogon, linking the windbind and SamLogon requests. 
-The default is to build without setting --accel-aes, which uses the -existing Samba software AES implementation. +The serviceDescription of the messages is set to "winbind", the authDescription +is set to one of: + "PASSDB, , " + "PAM_AUTH, , " + "NTLM_AUTH, , " +where: + is the name of the command makinmg the winbind request i.e. wbinfo + is the process id of the requesting process. -KDC GPO application -------------------- +The version of the JSON Authentication messages has been changed to 1.2 from 1.1 -Adds Group Policy support for the samba kdc. Applies password policies -(minimum/maximum password age, minimum password length, and password -complexity) and kerberos policies (user/service ticket lifetime and -renew lifetime). -Adds the samba_gpoupdate script for applying and unapplying -policy. Can be applied automatically by setting - 'server services = +gpoupdate'. - -smb.conf changes +REMOVED FEATURES ================ - Parameter Name Description Default - -------------- ----------- ------- - oplock contention limit Removed - -NT4-style replication based net commands removed -================================================ - -The following commands and sub-commands have been removed from the -"net" utility: +Web server +---------- -net rpc samdump -net rpc vampire ldif +As a leftover from work related to the Samba Web Administration Tool (SWAT), +Samba still supported a Python WSGI web server (which could still be turned on +from the 'server services' smb.conf parameter). This service was unused and has +now been removed from Samba. -Also, replicating from a real NT4 domain with "net rpc vampire" and -"net rpc vampire keytab" has been removed. -The NT4-based commands were accidentially broken in 2013, and nobody -noticed the breakage. So instead of fixing them including tests (which -would have meant writing a server for the protocols, which we don't -have) we decided to remove them. 
- -For the same reason, the "samsync", "samdeltas" and "database_redo" -commands have been removed from rpcclient. +smb.conf changes +================ -"net rpc vampire keytab" from Active Directory domains continues to be -supported. + Parameter Name Description Default + -------------- ----------- ------- -vfs_aio_linux module removed -============================ + web port Removed -The current Linux kernel aio does not match what Samba would -do. Shipping code that uses it leads people to false -assumptions. Samba implements async I/O based on threads by default, -there is no special module required to see benefits of read and write -request being sent do the disk in parallel. KNOWN ISSUES ============ -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs #######################################
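Review bot: In the "Authentication Logging." section of the second hunk, the three authDescription values are given as "PASSDB, , ", "PAM_AUTH, , " and "NTLM_AUTH, , " with both trailing fields empty, and the two "where:" lines begin "is the name of the command" and "is the process id" with no field name in front, so anyone writing a parser for these log messages cannot tell which position holds the program name and which holds the pid. Give each field a name in the format strings and repeat that name at the start of its "where:" line. In the same section "windbind" should read "winbind" and "makinmg" should read "making", and the heading ends in a full stop that the other headings in this hunk do not have. It would also help consumers of the JSON log if the sentence announcing version 1.2 stated that "logonId" is the attribute added since 1.1.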