Release Announcements
=====================
-This is the first release candidate of Samba 4.3. This is *not*
+This is the first preview release of Samba 4.7. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.3 will be the next version of the Samba suite.
+Samba 4.7 will be the next version of the Samba suite.
UPGRADING
=========
-Nothing special.
+smbclient changes
+-----------------
-NEW FEATURES
-============
+smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
+banner when connecting to the first server. With SMB2 and Kerberos
+there's no way to print this information reliable. Now we avoid it at all
+consistently. In interactive session the following banner is now presented
+to the user: 'Try "help" do get a list of possible commands.'.
-Logging
--------
-
-The logging code now supports logging to multiple backends. In
-addition to the previously available syslog and file backends, the
-backends for logging to the systemd-journal, lttng and gpfs have been
-added. Please consult the section for the 'logging' parameter in the
-smb.conf manpage for details.
-
-Spotlight
----------
-
-Support for Apple's Spotlight has been added by integrating with Gnome
-Tracker.
-
-For detailed instructions how to build and setup Samba for Spotlight,
-please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>
-
-New FileChangeNotify subsystem
-------------------------------
-
-Samba now contains a new subsystem to do FileChangeNotify. The
-previous system used a central database, notify_index.tdb, to store
-all notification requests. In particular in a cluster this turned out
-to be a major bottleneck, because some hot records need to be bounced
-back and forth between nodes on every change event like a new created
-file.
-
-The new FileChangeNotify subsystem works with a central daemon per
-node. Every FileChangeNotify request and every event are handled by an
-asynchronous message from smbd to the notify daemon. The notify daemon
-maintains a database of all FileChangeNotify requests in memory and
-will distribute the notify events accordingly. This database is
-asynchronously distributed in the cluster by the notify daemons.
-
-The notify daemon is supposed to scale a lot better than the previous
-implementation. The functional advantage is cross-node kernel change
-notify: Files created via NFS will be seen by SMB clients on other
-nodes per FileChangeNotify, despite the fact that popular cluster file
-systems do not offer cross-node inotify.
-
-Two changes to the configuration were required for this new subsystem:
-The parameters "change notify" and "kernel change notify" are not
-per-share anymore but must be set globally. So it is no longer
-possible to enable or disable notify per share, the notify daemon has
-no notion of a share, it only works on absolute paths.
-
-New SMB profiling code
-----------------------
+The default for "client max protocol" has changed to "SMB3_11",
+which means that smbclient (and related commands) will work against
+servers without SMB1 support.
-The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
-of sysv IPC shared memory. This avoids performance problems and NUMA
-effects. The profile stats are a bit more detailed than before.
+It's possible to use the '-m/--max-protocol' option to overwrite
+the "client max protocol" option temporary.
-Improved DCERPC man in the middle detection for kerberos
---------------------------------------------------------
+Note that the '-e/--encrypt' option also works with most SMB3 servers
+(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
+are not required for encryption.
-The gssapi based kerberos backends for gensec have support for
-DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
+The change to SMB3_11 as default also means smbclient no longer
+negotiates SMB1 unix extensions by default, when talking to a Samba server with
+"unix extensions = yes". As a result some commands are not available, e.g.
+posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
+getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
-SMB signing required in winbindd by default
--------------------------------------------
+Note the default ("CORE") for "client min protocol" hasn't changed,
+so it's still possible to connect to SMB1-only servers by default.
-The effective value for "client signing" is required
-by default for winbindd, if the primary domain uses active directory.
-Experimental NTDB was removed
------------------------------
+NEW FEATURES/CHANGES
+====================
-The experimental NTDB library introduced in Samba 4.0 has been
-removed again.
+Whole DB read locks: Improved LDAP and replication consistency
+--------------------------------------------------------------
-Improved support for trusted domains (as AD DC)
------------------------------------------------
+Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
+erronously did not take whole-DB read locks to protect search
+and DRS replication operations.
-The support for trusted domains/forests has improved a lot.
+While each object returned remained subject to a record-level lock (so
+would remain consistent to itself), under a race condition with a
+rename or delete, it and any links (like the member attribute) to it
+would not be returned.
-samba-tool got "domain trust" subcommands to manage trusts:
+The symptoms of this issue include:
- create - Create a domain or forest trust.
- delete - Delete a domain trust.
- list - List domain trusts.
- namespaces - Manage forest trust namespaces.
- show - Show trusted domain details.
- validate - Validate a domain trust.
+Replication failures with this error showing in the client side logs:
+ error during DRS repl ADD: No objectClass found in replPropertyMetaData for
+ Failed to commit objects:
+ WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
-External trusts between individual domains work in both ways
-(inbound and outbound). The same applies to root domains of
-a forest trust. The transitive routing into the other forest
-is fully functional for kerberos, but not yet supported for NTLMSSP.
+A crash of the server, in particular the rpc_server process with
+ INTERNAL ERROR: Signal 11
-While a lot of things are working fine, there are currently a few limitations:
+LDAP read inconsistency
+ A DN subject to a search at the same time as it is being renamed
+ may not appear under either the old or new name, but will re-appear
+ for a subsequent search.
- - Both sides of the trust need to fully trust each other!
- - No SID filtering rules are applied at all!
- - This means DCs of domain A can grant domain admin rights
- in domain B.
- - It's not possible to add users/groups of a trusted domain
- into domain groups.
+See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
+and updated advise on database recovery for affected installations.
-SMB 3.1.1 supported
--------------------
-Both client and server have support for SMB 3.1.1 now.
+Samba AD with MIT Kerberos
+--------------------------
-This is the dialect introduced with Windows 10, it improves the secure
-negotiation of SMB dialects and features.
+After four years of development, Samba finally supports compiling and
+running Samba AD with MIT Kerberos. You can enable it with:
-New smbclient subcommands
--------------------------
+ ./configure --with-system-mitkrb5
+
+Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
+The krb5-devel and krb5-server packages are required.
+The feature set is not on par with with the Heimdal build but the most important
+things, like forest and external trusts, are working. Samba uses the KDC binary
+provided by MIT Kerberos.
- - Query a directory for change notifications: notify <dir name>
- - Server side copy: scopy <source filename> <destination filename>
+Missing features, compared to Heimdal, are:
+ * PKINIT support
+ * S4U2SELF/S4U2PROXY support
+ * RODC support (not fully working with Heimdal either)
+
+The Samba AD process will take care of starting the MIT KDC and it will load a
+KDB (Kerberos Database) driver to access the Samba AD database. When
+provisioning an AD DC using 'samba-tool' it will take care of creating a correct
+kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
+kdc.conf by default. It is possible to use a different location during
+provision. You should consult the 'samba-tool' help and smb.conf manpage for
+details.
+
+Dynamic RPC port range
+----------------------
-New rpcclient subcommands
+The dynamic port range for RPC services has been changed from the old default
+value 1024-1300 to 49152-65535. This port range is not only used by a
+Samba AD DC but also applies to all other server roles including NT4-style
+domain controllers. The new value has been defined by Microsoft in Windows
+Server 2008 and newer versions. To make it easier for Administrators to control
+those port ranges we use the same default and make it configurable with the
+option: 'rpc server dynamic port range'.
+
+The 'rpc server port' option sets the first available port from the new
+'rpc server dynamic port range' option. The option 'rpc server port' only
+applies to Samba provisioned as an AD DC.
+
+Authentication and Authorization audit support
+----------------------------------------------
+
+Detailed authentication and authorization audit information is now
+logged to Samba's debug logs under the "auth_audit" debug class,
+including in particular the client IP address triggering the audit
+line. Additionally, if Samba is compiled against the jansson JSON
+library, a JSON representation is logged under the "auth_json_audit"
+debug class.
+
+Audit support is comprehensive for all authentication and
+authorisation of user accounts in the Samba Active Directory Domain
+Controller, as well as the implicit authentication in password
+changes. In the file server and classic/NT4 domain controller, NTLM
+authentication, SMB and RPC authorization is covered, however password
+changes are not at this stage, and this support is not currently
+backed by a testsuite.
+
+Multi-process LDAP Server
-------------------------
- netshareenumall - Enumerate all shares
- netsharegetinfo - Get Share Info
- netsharesetinfo - Set Share Info
- netsharesetdfsflags - Set DFS flags
- netfileenum - Enumerate open files
- netnamevalidate - Validate sharename
- netfilegetsec - Get File security
- netsessdel - Delete Session
- netsessenum - Enumerate Sessions
- netdiskenum - Enumerate Disks
- netconnenum - Enumerate Connections
- netshareadd - Add share
- netsharedel - Delete share
-
-New modules
------------
-
- idmap_script - see 'man 8 idmap_script'
- vfs_unityed_media - see 'man 8 vfs_unityed_media'
- vfs_shell_snap - see 'man 8 vfs_shell_snap'
-
-######################################################################
-Changes
-#######
+The LDAP server in the AD DC now honours the process model used for
+the rest of the samba process, rather than being forced into a single
+process. This aids in Samba's ability to scale to larger numbers of AD
+clients and the AD DC's overall resiliency, but will mean that there is a
+fork()ed child for every LDAP client, which may be more resource
+intensive in some situations.
+
+Improved Read-Only Domain Controller (RODC) Support
+---------------------------------------------------
+
+Support for RODCs in Samba AD until now has been experimental. With this latest
+version, many of the critical bugs have been fixed and the RODC can be used in
+DC environments requiring no writable behaviour. RODCs now correctly support
+bad password lockouts and password disclosure auditing through the
+msDS-RevealedUsers attribute.
+
+The fixes made to the RWDC will also allow Windows RODC to function more
+correctly and to avoid strange data omissions such as failures to replicate
+groups or updated passwords. Password changes are currently rejected at the
+RODC, although referrals should be given over LDAP. While any bad passwords can
+trigger domain-wide lockout, good passwords which have not been replicated yet
+for a password change can only be used via NTLM on the RODC (and not Kerberos).
+
+The reliability of RODCs locating a writable partner still requires some
+improvements and so the 'password server' configuration option is generally
+recommended on the RODC.
+
+Additional password hashes stored in supplementalCredentials
+------------------------------------------------------------
+
+A new config option 'password hash userPassword schemes' has been added to
+enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
+password with reversible encryption). This builds upon previous work to improve
+password sync for the AD DC (originally using GPG).
+
+The user command of 'samba-tool' has been updated in order to be able to
+extract these additional hashes, as well as extracting the (HTTP) WDigest
+hashes that we had also been storing in supplementalCredentials.
+
+Query record for open file or directory
+---------------------------------------
+
+The record attached to an open file or directory in Samba can be
+queried through the 'net tdb locking' command. In clustered Samba this
+can be useful to determine the file or directory triggering
+corresponding "hot" record warnings in ctdb.
+
+Removal of lpcfg_register_defaults_hook()
+-----------------------------------------
+
+The undocumented and unsupported function lpcfg_register_defaults_hook()
+that was used by external projects to call into Samba and modify
+smb.conf default parameter settings has been removed. If your project
+was using this call please raise the issue on
+samba-technical@lists.samba.org in order to design a supported
+way of obtaining the same functionality.
+
+Change of loadable module interface
+-----------------------------------
+
+The _init function of all loadable modules in Samba has changed
+from:
+
+NTSTATUS _init(void);
+
+to:
+
+NTSTATUS _init(TALLOC_CTX *);
+
+This allows a program loading a module to pass in a long-lived
+talloc context (which must be guaranteed to be alive for the
+lifetime of the module). This allows modules to avoid use of
+the talloc_autofree_context() (which is inherently thread-unsafe)
+and still be valgrind-clean on exit. Modules that don't need to
+free long-lived data on exist should use the NULL talloc context.
+
+Parameter changes
+-----------------
+
+The "strict sync" global parameter has been changed from
+a default of "no" to "yes". This means smbd will by default
+obey client requests to synchronize unwritten data in operating
+system buffers safely onto disk. This is a safer default setting
+for modern SMB1/2/3 clients.
smb.conf changes
-----------------
-
- Parameter Name Description Default
- -------------- ----------- -------
- logging New (empty)
- msdfs shuffle referrals New no
- smbd profiling level New off
- spotlight New no
- tls priority New NORMAL:-VERS-SSL3.0
- use ntdb Removed
- change notify Changed to [global]
- kernel change notify Changed to [global]
- client max protocol Changed default SMB3_11
- server max protocol Changed default SMB3_11
-
-Removed modules
----------------
-
-vfs_notify_fam - see section 'New FileChangeNotify subsystem'.
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow unsafe cluster upgrade New parameter no
+ auth event notification New parameter no
+ auth methods Deprecated
+ client max protocol Effective SMB3_11
+ default changed
+ map untrusted to domain New value/ auto
+ Default changed/
+ Deprecated
+ mit kdc command New parameter
+ profile acls Deprecated
+ rpc server dynamic port range New parameter 49152-65535
+ strict sync Default changed yes
+ password hash userPassword schemes New parameter
+
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 4.3 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / nivanova / samba-autobuild / .git / blobdiff