X-Git-Url: http://git.samba.org/samba.git/?p=kai%2Fsamba.git;a=blobdiff_plain;f=WHATSNEW.txt;h=9c728ba9c3da73ec3aa9a11d920372c868ca5e97;hp=f6df1ed9e0879037c7330ee049d713f55d25cdd6;hb=cb227d6d1492247d8aff03807cac0b7266202a38;hpb=392fd9686523fe5e1cd6b6c080c5f168f5556d3e diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f6df1ed9e08..9c728ba9c3d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,133 +1,227 @@ -What's new in Samba 4 alpha3 -============================ + ================================= + Release Notes for Samba 3.6.0pre1 + July 28, 2010 + ================================= -Samba 4 is the ambitious next version of the Samba suite that is being -developed in parallel to the stable 3.0 series. The main emphasis in -this branch is support for the Active Directory logon protocols used -by Windows 2000 and above. -Samba 4 is currently not yet in a state where it is usable in -production environments. Note the WARNINGS below, and the STATUS file, -which aims to document what should and should not work. +This is the first preview release of Samba 3.6. This is *not* +intended for production environments and is designed for testing +purposes only. Please report any defects via the Samba bug reporting +system at https://bugzilla.samba.org/. -Samba4 alpha3 follows on from our first alpha release, made in -September, and the Technology Preview series we have offered for some -time now. -WARNINGS -======== +Major enhancements in Samba 3.6.0 include: -Samba4 alpha3 is not a final Samba release. That is more a reference -to Samba4's lack of the features we expect you will need than a -statement of code quality, but clearly it hasn't seen a broad -deployment yet. If you were to upgrade Samba3 (or indeed Windows) to -Samba4, you would find many things work, but that other key features -you may have relied on simply are not there yet. -For example, while Samba 3.0 is an excellent member of a Active -Directory domain, Samba4 is happier as a domain controller: (This is -where we have done most of the research and development). +Changed security defaults +------------------------- -While Samba4 is subjected to an awesome battery of tests on an -automated basis, and we have found Samba4 to be very stable in it's -behaviour, we have to recommend against upgrading production servers -from Samba 3 to Samba 4 at this stage. If you are upgrading an -experimental server, or looking to develop and test Samba, you should -backup all configuration and data. +Samba 3.6 has adopted a number of improved security defaults that will +impact on existing users of Samba. -NEW FEATURES -============ + client ntlmv2 auth = yes + client use spnego principal = no + send spnego principal = no -Samba4 supports the server-side of the Active Directory logon environment -used by Windows 2000 and later, so we can do full domain join -and domain logon operations with these clients. +The impact of 'client ntlmv2 auth = yes' is that by default we will not +use NTLM authentication as a client. This applies to the Samba client +tools such as smbclient and winbind, but does not change the separately +released in-kernel CIFS client. To re-enable the poorer NTLM encryption +set '--option=clientusentlmv2auth=no' on your smbclient command line, or +set 'client ntlmv2 auth = no' in your smb.conf -Our Domain Controller (DC) implementation includes our own built-in -LDAP server and Kerberos Key Distribution Center (KDC) as well as the -Samba3-like logon services provided over CIFS. We correctly generate -the infamous Kerberos PAC, and include it with the Kerberos tickets we -issue. +The impact of 'client use spnego principal = no' is that we may be able +to use Kerberos to communicate with a server less often in smbclient, +winbind and other Samba client tools. We may fall back to NTLMSSP in +more situations where we would previously rely on the insecure +indication from the 'NegProt' CIFS packet. This mostly occursed when +connecting to a name alias not recorded as a servicePrincipalName for +the server. This indication is not available from Windows 2008 or later +in any case, and is not used by modern Windows clients, so this makes +Samba's behaviour consistent with other clients and against all servers. -The new VFS features in Samba 4 adapts the filesystem on the server to -match the Windows client semantics, allowing Samba 4 to better match -windows behaviour and application expectations. This includes file -annotation information (in streams) and NT ACLs in particular. The -VFS is backed with an extensive automated test suite. +The impact of 'send spnego principal = no' is to match Windows 2008 and +not to send this principal, making existing clients give more consistent +behaviour (more likely to fall back to NTLMSSP) between Samba and +Windows 2008, and between Windows versions that did and no longer use +this insecure hint. + + +SMB2 support +------------ + +SMB2 support in 3.6.0 is fully functional (with one omission), +and can be enabled by setting: + +max protocol = SMB2 + +in the [global] section of your smb.conf and re-starting +Samba. All features should work over SMB2 except the modification +of user quotas using the Windows quota management tools. + +As this is the first release containing what we consider +to be a fully featured SMB2 protocol, we are not enabling +this by default, but encourage users to enable SMB2 and +test it. Once we have enough confirmation from Samba +users and OEMs that SMB2 support is stable in wide user +testing we will enable SMB2 by default in a future Samba +release. + + +Internal Winbind passdb changes +------------------------------- + +Winbind has been changed to use the internal samr and lsa rpc pipe to get +local user and group information instead of calling passdb functions. The +reason is to use more of our infrastructure and test this infrastructure by +using it. With this approach more code in Winbind is shared. + + +New Spoolss code +---------------- -A new scripting interface has been added to Samba 4, allowing -Python programs to interface to Samba's internals. +The spoolss and the old RAP printing code have been completely +overhauled and refactored. -The Samba 4 architecture is based around an LDAP-like database that -can use a range of modular backends. One of the backends supports -standards compliant LDAP servers (including OpenLDAP), and we are -working on modules to map between AD-like behaviours and this backend. -We are aiming for Samba 4 to be powerful frontend to large -directories. +All calls from lanman/printing code has been changed to go through the +spoolss RPC interfaces, this allows us to keep all checks in one place +and avoid special cases in the main printing code. +Printing code has been therefore confined within the spoolss code. -CHANGES SINCE Alpha2 -===================== - -In the time since Samba4 Alpha2 was released in December 2007, Samba has -continued to evolve, but you may particularly notice these areas: - - Python Bindings: Bindings for Python are now in place, and used for - Samba's provision script, slowly displacing EJS as the embedded - scripting language - - SWAT Disabled: Due to a lack of developer time and without a - long-term web developer to maintain it, the SWAT web UI has been - disabled. - - Oplock support: Samba4's file server now supports oplocks - - GNU Make: To try and simplfy our build system, we rely on GNU Make - to avoid autogenerating a massive single makefile. - - Account Expiry: Samba4 now better handles installations over 30 days - old (thanks to our long-suffering testers for keeping installations - around that long!) - -These are just some of the highlights of the work done in the past few -months. More details can be found in our GIT history. - - -CHANGES -======= - -Those familiar with Samba 3 can find a list of user-visible changes -since that release series in the NEWS file. - -KNOWN ISSUES -============ - -- Domain member support is in it's infancy, and is not comparable to - the support found in Samba3. - -- There is no printing support in the current release. - -- The Samba4 port of the CTDB clustering support is not yet complete - -- Clock Synchronisation is critical. Many 'wrong password' errors are - actually due to Kerberos objecting to a clock skew between client - and server. - - -RUNNING Samba4 -============== - -A short guide to setting up Samba 4 can be found in the howto.txt file -in root of the tarball. - -DEVELOPMENT and FEEDBACK -======================== -Bugs can be filed at https://bugzilla.samba.org/ but please be aware -that many features are simply not expected to work at this stage. - -The Samba Wiki at http://wiki.samba.org should detail some of these -development plans. - -Development and general discussion about Samba 4 happens mainly on -the #samba-technical IRC channel (on irc.freenode.net) and -the samba-technical mailing list (see http://lists.samba.org/ for -details). +All the printing code, including the spoolss RPC interfaces has been +changed to use the winreg RPC interfaces to store all data. +All data has been migrated from custom, arbitrary TDB files to the +registry interface. This transition allow us to present correct data to +windows client accessing the server registry through the winreg RPC +interfaces to query for printer data. Data is served out from a real +registry implementation and therefore arguably 100% forward compatible. + +Migration code from the previous TDB files formats is provided. This +code is automatically invoked the first time the new code is run on the +server. Although manual migration is also available using the 'net +printer migrate' command. + +These changes not only make all the spoolss code much more closer to +"the spec", it also greatly improves our internal testing of both +spoolss and winreg interfaces, and reduces overall code duplication. + +As part of this work, new tests have been also added to increase +coverage. + +This code will also allow, in future, an easy transition to split out +the spooling functions into a separate daemon for those OEMs that do not +need printing functionality in their appliances, reducing the code +footprint. + + +ID Mapping Changes +------------------ + +The id mapping configuration has been a source of much grief in the past. +For this release, id mapping has ben rewritten yet again with the goal +of making the configuration more simple and more coherent while keeping +the needed flexibility and even adding to the flexibility in some respects. + +The major change that implies the configuration simplifications is at +the heart of the id mapping system: The separation of the "idmap alloc +system" that is responsible for the unix id counters in the tdb, tdb2 +and ldap idmap backends from the id mapping code itself has been removed. +The sids_to_unixids operation is now atomic and encapsulates (if needed) +the action of allocating a unix id for a mapping that is to be created. +Consequently all idmap alloc configuration parameters have vanished and +it is hence now also not possible any more to specify an idmap alloc +backend different from the idmap backend. Each idmap backend uses its +own idmap unixid creation mechanism transparently. + +As a consequence of the id mapping changes, the methods that are used +for storing and deleting id mappings have been removed from the winbindd +API. The "net idmap dump/restore" commands have been rewritten to +not speak through winbindd any more but directly act on the databases. +This is currently available for the tdb and tdb2 backends, the implementation +for ldap still missing. + +The allocate_id functionality is preserved for the unix id creator of the +default idmap configuration is also used as the source of unix ids +for the group mapping database and for the posix attributes in a +ldapsam:editposix setup. + +As part of the changes, the default idmap configuration has been +changed to be more coherent with the per-domain configuration. +The parameters "idmap uid", "idmap gid" and "idmap range" are now +deprecated in favour of the systematic "idmap config * : range" +and "idmap config * : backend" parameters. The reason for this change +is that the old options only provided an incomplete and hence deceiving +backwards compatibility, which was a source of many problems with +updgrades. By introducing this change in configuration, it should be +brought to the conciousness of the users that even the simple +id mapping is not working exactly as in Samba 3.0 versions any more. + + +SMB Traffic Analyzer +-------------------- + +Added the new SMB Traffic Analyzer (SMBTA) VFS module protocol 2 +featuring encryption, multiple arguments, and easier parseability. A new +tool 'smbta-util' has been created to control the encryption behaviour +of SMBTA. For compatibility, SMBTA by default operates on version 1. +There are programs consuming the data that the module sends. + +More information can be found on +http://holger123.wordpress.com/smb-traffic-analyzer/ + + +NFS quota backend on Linux +-------------------------- + +A new nfs quota backend for Linux has been added that is based +on the existing Solaris/FreeBSD implementation. This allows samba +to communicate correct diskfree information for nfs imports that +are re-exported as samba shares. + + +###################################################################### +Changes +####### + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + + async smb echo handler New No + client ntlmv2 auth Changed Default Yes + client use spnego principal New No + ctdb locktime warn threshold New 0 + idmap alloc backend Removed + log writeable files on exit New No + multicast dns register New Yes + ncalrpc dir New + send spnego principal New No + smb2 max credits New 128 + smb2 max read New 1048576 + smb2 max trans New 1048576 + smb2 max write New 1048576 + username map cache time New 0 + winbind max clients New 200 + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.6 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +======================================================================