Release Announcements
=====================
-This is the first release candidate of Samba 4.3. This is *not*
+This is the first release candidate of Samba 4.4. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.3 will be the next version of the Samba suite.
+Samba 4.4 will be the next version of the Samba suite.
UPGRADING
Nothing special.
-NEW FEATURES
-============
-Logging
+NEW FEATURES/CHANGES
+====================
+
+Asynchronous flush requests
+---------------------------
+
+Flush requests from SMB2/3 clients are handled asynchronously and do
+not block the processing of other requests. Note that 'strict sync'
+has to be set to 'yes' for Samba to honor flush requests from SMB
+clients.
+
+s3: smbd
+--------
+
+Remove '--with-aio-support' configure option. We no longer would ever prefer
+POSIX-RT aio, use pthread_aio instead.
+
+samba-tool sites
+----------------
+
+The 'samba-tool sites' subcommand can now be run against another server by
+specifying an LDB URL using the '-H' option and not against the local database
+only (which is still the default when no URL is given).
+
+samba-tool domain demote
+------------------------
+
+Add '--remove-other-dead-server' option to 'samba-tool domain demote'
+subcommand. The new version of this tool now can remove another DC that is
+itself offline. The '--remove-other-dead-server' removes as many references
+to the DC as possible.
+
+samba-tool drs clone-dc-database
+--------------------------------
+
+Replicate an initial clone of domain, but do not join it.
+This is developed for debugging purposes, but not for setting up another DC.
+
+pdbedit
-------
-The logging code now supports logging to multiple backends. In
-addition to the previously available syslog and file backends, the
-backends for logging to the systemd-journal, lttng and gpfs have been
-added. Please consult the section for the 'logging' parameter in the
-smb.conf manpage for details.
+Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
+hexstring. 'pdbedit -vw' shows also password hashes.
-Spotlight
+smbstatus
---------
-Support for Apple's Spotlight has been added by integrating with Gnome
-Tracker.
+'smbstatus' was enhanced to show the state of signing and encryption for
+sessions and shares.
-For detailed instructions how to build and setup Samba for Spotlight,
-please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>
+smbget
+------
+The -u and -p options for user and password were replaced by the -U option that
+accepts username[%password] as in many other tools of the Samba suite.
+Similary, smbgetrc files do not accept username and password options any more,
+only a single "user" option which also accepts user%password combinations.
-New FileChangeNotify subsystem
-------------------------------
+s4-rpc_server
+-------------
-Samba now contains a new subsystem to do FileChangeNotify. The
-previous system used a central database, notify_index.tdb, to store
-all notification requests. In particular in a cluster this turned out
-to be a major bottleneck, because some hot records need to be bounced
-back and forth between nodes on every change event like a new created
-file.
+Add a GnuTLS based backupkey implementation.
-The new FileChangeNotify subsystem works with a central daemon per
-node. Every FileChangeNotify request and every event are handled by an
-asynchronous message from smbd to the notify daemon. The notify daemon
-maintains a database of all FileChangeNotify requests in memory and
-will distribute the notify events accordingly. This database is
-asynchronously distributed in the cluster by the notify daemons.
+ntlm_auth
+---------
-The notify daemon is supposed to scale a lot better than the previous
-implementation. The functional advantage is cross-node kernel change
-notify: Files created via NFS will be seen by SMB clients on other
-nodes per FileChangeNotify, despite the fact that popular cluster file
-systems do not offer cross-node inotify.
+Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
+DC is offline.
-Two changes to the configuration were required for this new subsystem:
-The parameters "change notify" and "kernel change notify" are not
-per-share anymore but must be set globally. So it is no longer
-possible to enable or disable notify per share, the notify daemon has
-no notion of a share, it only works on absolute paths.
+Allow '--password' force a local password check for ntlm-server-1 mode.
-New SMB profiling code
-----------------------
+vfs_offline
+-----------
-The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
-of sysv IPC shared memory. This avoids performance problems and NUMA
-effects. The profile stats are a bit more detailed than before.
+A new VFS module called vfs_offline has been added to mark all files in the
+share as offline. It can be useful for shares mounted on top of a remote file
+system (either through a samba VFS module or via FUSE).
-Improved DCERPC man in the middle detection for kerberos
---------------------------------------------------------
+KCC
+---
-The gssapi based kerberos backends for gensec have support for
-DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
+The Samba KCC has been improved, but is still disabled by default.
-SMB signing required in winbindd by default
--------------------------------------------
+DNS
+---
-The effective value for "client signing" is required
-by default for winbindd, if the primary domain uses active directory.
+There were several improvements concerning the Samba DNS server.
-Experimental NTDB was removed
------------------------------
+Active Directory
+----------------
-The experimental NTDB library introduced in Samba 4.0 has been
-removed again.
+There were some improvements in the Active Directory area.
-Improved support for trusted domains (as AD DC)
------------------------------------------------
+WINS nsswitch module
+--------------------
-The support for trusted domains/forests has improved a lot.
+The WINS nsswitch module has been rewritten to address memory issues and to
+simplify the code. The module now uses libwbclient to do WINS queries. This
+means that winbind needs to be running in order to resolve WINS names using
+the nss_wins module. This does not affect smbd.
-samba-tool got "domain trust" subcommands to manage trusts:
+CTDB changes
+------------
- create - Create a domain or forest trust.
- delete - Delete a domain trust.
- list - List domain trusts.
- namespaces - Manage forest trust namespaces.
- show - Show trusted domain details.
- validate - Validate a domain trust.
+* CTDB now uses a newly implemented parallel database recovery scheme
+ that avoids deadlocks with smbd.
-External trusts between individual domains work in both ways
-(inbound and outbound). The same applies to root domains of
-a forest trust. The transitive routing into the other forest
-is fully functional for kerberos, but not yet supported for NTLMSSP.
+ In certain circumstances CTDB and smbd could deadlock. The new
+ recovery implementation avoid this. It also provides improved
+ recovery performance.
-While a lot of things are working fine, there are currently a few limitations:
+* All files are now installed into and referred to by the paths
+ configured at build time. Therefore, CTDB will now work properly
+ when installed into the default location at /usr/local.
- - Both sides of the trust need to fully trust each other!
- - No SID filtering rules are applied at all!
- - This means DCs of domain A can grant domain admin rights
- in domain B.
- - It's not possible to add users/groups of a trusted domain
- into domain groups.
+* Public CTDB header files are no longer installed, since Samba and
+ CTDB are built from within the same source tree.
-SMB 3.1.1 supported
--------------------
+* CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
-Both client and server have support for SMB 3.1.1 now.
+ This will cause volatile TDBs to be located in a tmpfs. This can
+ help to avoid performance problems associated with contention on the
+ disk where volatile TDBs are usually stored. See ctdbd.conf(5) for
+ more details.
-This is the dialect introduced with Windows 10, it improves the secure
-negotiation of SMB dialects and features.
+* Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
+ Instead, nodes should be annotated with the "slave-only" option in
+ the CTDB NAT gateway nodes file. This file must be consistent
+ across nodes in a NAT gateway group. See ctdbd.conf(5) for more
+ details.
-New smbclient subcommands
--------------------------
+* New event script 05.system allows various system resources to be
+ monitored
- - Query a directory for change notifications: notify <dir name>
- - Server side copy: scopy <source filename> <destination filename>
+ This can be helpful for explaining poor performance or unexpected
+ behaviour. New configuration variables are
+ CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
+ CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be
+ logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in
+ ctdbd.conf(5) for more information.
-New rpcclient subcommands
--------------------------
-
- netshareenumall - Enumerate all shares
- netsharegetinfo - Get Share Info
- netsharesetinfo - Set Share Info
- netsharesetdfsflags - Set DFS flags
- netfileenum - Enumerate open files
- netnamevalidate - Validate sharename
- netfilegetsec - Get File security
- netsessdel - Delete Session
- netsessenum - Enumerate Sessions
- netdiskenum - Enumerate Disks
- netconnenum - Enumerate Connections
- netshareadd - Add share
- netsharedel - Delete share
+ The memory, swap and filesystem usage monitoring previously found in
+ 00.ctdb and 40.fs_use is no longer available. Therefore,
+ configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
+ CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
+ now ignored.
-New modules
------------
+* The 62.cnfs eventscript has been removed. To get a similar effect
+ just do something like this:
- idmap_script - see 'man 8 idmap_script'
- vfs_unityed_media - see 'man 8 vfs_unityed_media'
- vfs_shell_snap - see 'man 8 vfs_shell_snap'
+ mmaddcallback ctdb-disable-on-quorumLoss \
+ --command /usr/bin/ctdb \
+ --event quorumLoss --parms "disable"
-######################################################################
-Changes
-#######
+ mmaddcallback ctdb-enable-on-quorumReached \
+ --command /usr/bin/ctdb \
+ --event quorumReached --parms "enable"
+
+* The CTDB tunable parameter EventScriptTimeoutCount has been renamed
+ to MonitorTimeoutCount
+
+ It has only ever been used to limit timed-out monitor events.
+
+ Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
+ cause CTDB to fail at startup. Useful messages will be logged.
+
+* The commandline option "-n all" to CTDB tool has been removed.
+
+ The option was not uniformly implemented for all the commands.
+ Instead of command "ctdb ip -n all", use "ctdb ip all".
+
+* All CTDB current manual pages are now correctly installed
+
+
+REMOVED FEATURES
+================
+
+Public headers
+--------------
+
+Several public headers are not installed any longer. They are made for internal
+use only. More public headers will very likely be removed in future releases.
+
+The following headers are not installed any longer:
+dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
+gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
+gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
+ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
+smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
+smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
+smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
+smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
+torture.h, tstream_smbXcli_np.h.
+
+vfs_smb_traffic_analyzer
+------------------------
+
+The SMB traffic analyzer VFS module has been removed, because it is not
+maintained any longer and not widely used.
+
+vfs_scannedonly
+---------------
+
+The scannedonly VFS module has been removed, because it is not maintained
+any longer.
smb.conf changes
----------------
Parameter Name Description Default
-------------- ----------- -------
- logging New (empty)
- msdfs shuffle referrals New no
- smbd profiling level New off
- spotlight New no
- tls priority New NORMAL:-VERS-SSL3.0
- use ntdb Removed
- change notify Changed to [global]
- kernel change notify Changed to [global]
- client max protocol Changed default SMB3_11
- server max protocol Changed default SMB3_11
-
-Removed modules
----------------
+ aio max threads New 100
+ ldap page size Changed default 1000
-vfs_notify_fam - see section 'New FileChangeNotify subsystem'.
KNOWN ISSUES
============
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 4.3 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / kai / samba-autobuild / .git / blobdiff