Release Announcements
=====================
-This is the first release candidate of Samba 4.2. This is *not*
+This is the first release candidate of Samba 4.4. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.2 will be the next version of the Samba suite.
+Samba 4.4 will be the next version of the Samba suite.
UPGRADING
=========
-Read the "Winbindd/Netlogon improvements" section (below) carefully!
+Nothing special.
-NEW FEATURES
-============
+NEW FEATURES/CHANGES
+====================
+
+Asynchronous flush requests
+---------------------------
-Transparent File Compression
-============================
+Flush requests from SMB2/3 clients are handled asynchronously and do
+not block the processing of other requests. Note that 'strict sync'
+has to be set to 'yes' for Samba to honor flush requests from SMB
+clients.
-Samba 4.2.0 adds support for the manipulation of file and folder
-compression flags on the Btrfs filesystem.
-With the Btrfs Samba VFS module enabled, SMB2+ compression flags can
-be set remotely from the Windows Explorer File->Properties->Advanced
-dialog. Files flagged for compression are transparently compressed
-and uncompressed when accessed or modified.
+s3: smbd
+--------
-Previous File Versions with Snapper
-===================================
+Remove '--with-aio-support' configure option. We no longer would ever prefer
+POSIX-RT aio, use pthread_aio instead.
-The newly added Snapper VFS module exposes snapshots managed by
-Snapper for use by Samba. This provides the ability for remote
-clients to access shadow-copies via Windows Explorer using the
-"previous versions" dialog.
+samba-tool sites
+----------------
-Winbindd/Netlogon improvements
-==============================
+The 'samba-tool sites' subcommand can now be run against another server by
+specifying an LDB URL using the '-H' option and not against the local database
+only (which is still the default when no URL is given).
-The whole concept of maintaining the netlogon secure channel
-to (other) domain controllers was rewritten in order to maintain
-global state in a netlogon_creds_cli.tdb. This is the proper fix
-for a large number of bugs:
+samba-tool domain demote
+------------------------
- https://bugzilla.samba.org/show_bug.cgi?id=6563
- https://bugzilla.samba.org/show_bug.cgi?id=7944
- https://bugzilla.samba.org/show_bug.cgi?id=7945
- https://bugzilla.samba.org/show_bug.cgi?id=7568
- https://bugzilla.samba.org/show_bug.cgi?id=8599
+Add '--remove-other-dead-server' option to 'samba-tool domain demote'
+subcommand. The new version of this tool now can remove another DC that is
+itself offline. The '--remove-other-dead-server' removes as many references
+to the DC as possible.
-In addition a strong session key is now required by default,
-which means that communication to older servers or clients
-might be rejected by default.
+samba-tool drs clone-dc-database
+--------------------------------
-For the client side we have the following new options:
-"require strong key" (yes by default), "reject md5 servers" (no by default).
-E.g. for Samba 3.0.37 you need "require strong key = no" and
-for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
+Replicate an initial clone of domain, but do not join it.
+This is developed for debugging purposes, but not for setting up another DC.
-On the server side (as domain controller) we have the following new options:
-"allow nt4 crypto" (no by default), "reject md5 client" (no by default).
-E.g. in order to allow Samba < 3.0.27 or NT4 members to work
-you need "allow nt4 crypto = yes"
+pdbedit
+-------
-winbindd does not list group memberships for display purposes
-(e.g. getent group <domain\<group>) anymore by default.
-The new default is "winbind expand groups = 0" now,
-the reason for this is the same as for "winbind enum users = no"
-and "winbind enum groups = no". Providing this information is not always
-reliably possible, e.g. if there are trusted domains.
+Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
+hexstring. 'pdbedit -vw' shows also password hashes.
-Please consult the smb.conf manpage for more details on these new options.
+smbstatus
+---------
-Winbindd use on the Samba AD DC
-===============================
+'smbstatus' was enhanced to show the state of signing and encryption for
+sessions and shares.
-Winbindd is now used on the Samba AD DC by default, replacing the
-partial rewrite used for winbind operations in Samba 4.0 and 4.1.
+smbget
+------
+The -u and -p options for user and password were replaced by the -U option that
+accepts username[%password] as in many other tools of the Samba suite.
+Similary, smbgetrc files do not accept username and password options any more,
+only a single "user" option which also accepts user%password combinations.
-This allows more code to be shared, more options to be honoured, and
-paves the way for support for trusted domains in the AD DC.
+s4-rpc_server
+-------------
-If required the old internal winbind can be activated by setting
-'server services = +winbind -winbindd'. Upgrading users with a server
-services parameter specified should ensure they change 'winbind' to
-'winbindd' to obtain the new functionality.
+Add a GnuTLS based backupkey implementation.
-The 'samba' binary still manages the starting of this service, there
-is no need to start the winbindd binary manually.
+ntlm_auth
+---------
-Larger IO sizes for SMB2/3 by default
-=====================================
+Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
+DC is offline.
-The default values for "smb2 max read", "smb2 max write" and "smb2 max trans"
-have been changed to 8388608 (8MiB) in order to match the default of
-Windows 2012R2.
+Allow '--password' force a local password check for ntlm-server-1 mode.
-Improved DCERPC man in the middle detection
-===========================================
+vfs_offline
+-----------
-The DCERPC header signing has been implemented
-in addition to the dcerpc_sec_verification_trailer
-protection.
+A new VFS module called vfs_offline has been added to mark all files in the
+share as offline. It can be useful for shares mounted on top of a remote file
+system (either through a samba VFS module or via FUSE).
-Overhauled "net idmap" command
-==============================
+KCC
+---
-The command line interface of the "net idmap" command has been
-made systematic, and subcommands for reading and writing the autorid idmap
-database have been added. Note that the writing commands should be
-used with great care. See the net(8) manual page for details.
+The Samba KCC has been improved, but is still disabled by default.
-tdb improvements
-================
+DNS
+---
+
+There were several improvements concerning the Samba DNS server.
+
+Active Directory
+----------------
+
+There were some improvements in the Active Directory area.
+
+WINS nsswitch module
+--------------------
+
+The WINS nsswitch module has been rewritten to address memory issues and to
+simplify the code. The module now uses libwbclient to do WINS queries. This
+means that winbind needs to be running in order to resolve WINS names using
+the nss_wins module. This does not affect smbd.
+
+CTDB changes
+------------
+
+* CTDB now uses a newly implemented parallel database recovery scheme
+ that avoids deadlocks with smbd.
+
+ In certain circumstances CTDB and smbd could deadlock. The new
+ recovery implementation avoid this. It also provides improved
+ recovery performance.
+
+* All files are now installed into and referred to by the paths
+ configured at build time. Therefore, CTDB will now work properly
+ when installed into the default location at /usr/local.
-The tdb library, our core mechanism to store Samba-specific data on disk and
-share it between processes, has been improved to support process shared robust
-mutexes on Linux. These mutexes are available on Linux and Solaris and
-significantly reduce the overhead involved with tdb. To enable mutexes for
-tdb, set
+* Public CTDB header files are no longer installed, since Samba and
+ CTDB are built from within the same source tree.
-dbwrap_tdb_mutexes:* = yes
+* CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
-in the [global] section of your smb.conf.
+ This will cause volatile TDBs to be located in a tmpfs. This can
+ help to avoid performance problems associated with contention on the
+ disk where volatile TDBs are usually stored. See ctdbd.conf(5) for
+ more details.
-Tdb file space management has also been made more efficient. This
-will lead to smaller and less fragmented databases.
+* Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
+ Instead, nodes should be annotated with the "slave-only" option in
+ the CTDB NAT gateway nodes file. This file must be consistent
+ across nodes in a NAT gateway group. See ctdbd.conf(5) for more
+ details.
-Messaging improvements
-======================
+* New event script 05.system allows various system resources to be
+ monitored
-Our internal messaging subsystem, used for example for things like oplock
-break messages between smbds or setting a process debug level dynamically, has
-been rewritten to use unix domain datagram messages.
+ This can be helpful for explaining poor performance or unexpected
+ behaviour. New configuration variables are
+ CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
+ CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be
+ logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in
+ ctdbd.conf(5) for more information.
+
+ The memory, swap and filesystem usage monitoring previously found in
+ 00.ctdb and 40.fs_use is no longer available. Therefore,
+ configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
+ CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
+ now ignored.
+
+* The 62.cnfs eventscript has been removed. To get a similar effect
+ just do something like this:
+
+ mmaddcallback ctdb-disable-on-quorumLoss \
+ --command /usr/bin/ctdb \
+ --event quorumLoss --parms "disable"
+
+ mmaddcallback ctdb-enable-on-quorumReached \
+ --command /usr/bin/ctdb \
+ --event quorumReached --parms "enable"
+
+* The CTDB tunable parameter EventScriptTimeoutCount has been renamed
+ to MonitorTimeoutCount
+
+ It has only ever been used to limit timed-out monitor events.
+
+ Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
+ cause CTDB to fail at startup. Useful messages will be logged.
+
+* The commandline option "-n all" to CTDB tool has been removed.
+
+ The option was not uniformly implemented for all the commands.
+ Instead of command "ctdb ip -n all", use "ctdb ip all".
+
+* All CTDB current manual pages are now correctly installed
+
+
+REMOVED FEATURES
+================
-Clustering support
-==================
+Public headers
+--------------
-Samba's file server clustering component CTDB is now integrated in the
-Samba tree. This avoids the confusion of compatibility of Samba and CTDB
-versions as existed previously.
+Several public headers are not installed any longer. They are made for internal
+use only. More public headers will very likely be removed in future releases.
-To build the Samba file server with cluster support, use the configure
-command line option --with-cluster-support. This will build clustered
-file server against the in-tree ctdb. Building clustered samba with
-previous versions of CTDB is no longer supported.
+The following headers are not installed any longer:
+dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
+gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
+gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
+ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
+smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
+smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
+smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
+smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
+torture.h, tstream_smbXcli_np.h.
-CTDB is built separately from the ctdb/ sub-directory. To build CTDB,
-use the following steps:
+vfs_smb_traffic_analyzer
+------------------------
- $ cd ctdb
- $ ./configure
- $ make
- # make install
+The SMB traffic analyzer VFS module has been removed, because it is not
+maintained any longer and not widely used.
+vfs_scannedonly
+---------------
-######################################################################
-Changes
-#######
+The scannedonly VFS module has been removed, because it is not maintained
+any longer.
smb.conf changes
----------------
- Parameter Name Description Default
- -------------- ----------- -------
+ Parameter Name Description Default
+ -------------- ----------- -------
+ aio max threads New 100
+ ldap page size Changed default 1000
- allow nt4 crypto New no
- neutralize nt4 emulation New no
- reject md5 client New no
- reject md5 servers New no
- require strong key New yes
- smb2 max read Changed default 8388608
- smb2 max write Changed default 8388608
- smb2 max trans Changed default 8388608
- winbind expand groups Changed default 0
KNOWN ISSUES
============
+Currently none.
#######################################
Reporting bugs & Development Discussion
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 4.2 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / kai / samba-autobuild / .git / blobdiff