NEW FEATURES/CHANGES
====================
-Using x86_64 Accelerated AES Crypto Instructions
-================================================
+KDC GPO application
+-------------------
+
+Adds Group Policy support for the samba kdc. Applies password policies
+(minimum/maximum password age, minimum password length, and password
+complexity) and kerberos policies (user/service ticket lifetime and
+renew lifetime).
+
+Adds the samba_gpoupdate script for applying and unapplying
+policy. Can be applied automatically by setting
+
+ 'server services = +gpoupdate'.
+
+Time Machine Support with vfs_fruit
+===================================
+Samba can be configured as a Time Machine target for Apple Mac devices
+through the vfs_fruit module. When enabling a share for Time Machine
+support the relevant Avahi records to support discovery will be published
+for installations that have been built against the Avahi client library.
+
+Shares can be designated as a Time Machine share with the following setting:
-Samba on x86_64 can now be configured to use the Intel accelerated AES
-instruction set, which has the potential to make SMB3 signing and
-encryption much faster on client and server. To enable this, configure
-Samba using the new option --accel-aes=intelaesni.
+ 'fruit:time machine = yes'
-This is a temporary solution that is being included to allow users
-to enjoy the benefits of Intel accelerated AES on the x86_64 platform,
-but the longer-term solution will be to move Samba to a fully supported
-external crypto library.
+Support for lower casing the MDNS Name
+======================================
+Allows the server name that is advertised through MDNS to be set to the
+hostname rather than the Samba NETBIOS name. This allows an administrator
+to make Samba registered MDNS records match the case of the hostname
+rather than being in all capitals.
-The third_party/aesni-intel code will be removed from Samba as soon as
-external crypto library performance reaches parity.
+This can be set with the following settings:
+
+ 'mdns name = mdns'
-The default is to build without setting --accel-aes, which uses the
-existing Samba software AES implementation.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
+ binddns dir New
+ gpo update command New
+ oplock contention limit Removed
+ prefork children New 1
+ mdns name Added netbios
+ fruit:time machine Added false
+
+NT4-style replication based net commands removed
+================================================
+
+The following commands and sub-commands have been removed from the
+"net" utility:
+
+net rpc samdump
+net rpc vampire ldif
+
+Also, replicating from a real NT4 domain with "net rpc vampire" and
+"net rpc vampire keytab" has been removed.
+
+The NT4-based commands were accidentially broken in 2013, and nobody
+noticed the breakage. So instead of fixing them including tests (which
+would have meant writing a server for the protocols, which we don't
+have) we decided to remove them.
+
+For the same reason, the "samsync", "samdeltas" and "database_redo"
+commands have been removed from rpcclient.
+
+"net rpc vampire keytab" from Active Directory domains continues to be
+supported.
+
+vfs_aio_linux module removed
+============================
+
+The current Linux kernel aio does not match what Samba would
+do. Shipping code that uses it leads people to false
+assumptions. Samba implements async I/O based on threads by default,
+there is no special module required to see benefits of read and write
+request being sent do the disk in parallel.
+
+smbclient reparse point symlink parameters reversed
+===================================================
+
+A bug in smbclient caused the 'symlink' command to reverse the
+meaning of the new name and link target parameters when creating a
+reparse point symlink against a Windows server. As this is a
+little used feature the ordering of these parameters has been
+reversed to match the parameter ordering of the UNIX extensions
+'symlink' command. The usage message for this command has also
+been improved to remove confusion.
+
+REMOVED FEATURES
+================
+
+The two commands "net serverid list" and "net serverid wipe" have been
+removed, because the file serverid.tdb is not used anymore.
+
+"net serverid list" can be replaced by listing all files in the
+subdirectory "msg.lock" of Samba's "lock directory". The unique id
+listed by "net serverid list" is stored in every process' lockfile in
+"msg.lock".
+"net serverid wipe" is not necessary anymore. It was meant primarily
+for clustered environments, where the serverid.tdb file was not
+properly cleaned up after single node crashes. Nowadays smbd and
+winbind take care of cleaning up the msg.lock and msg.sock directories
+automatically.
KNOWN ISSUES
============