-What's new in Samba 4.0 beta8
-=============================
+Release Announcements
+=====================
-Samba 4.0 will be the next version of the Samba suite and incorporates
-all the technology found in both the Samba4 alpha series and the
-stable 3.x series. The primary additional features over Samba 3.6 are
-support for the Active Directory logon protocols used by Windows 2000
-and above.
+This is the first preview release of Samba 4.6. This is *not*
+intended for production environments and is designed for testing
+purposes only. Please report any defects via the Samba bug reporting
+system at https://bugzilla.samba.org/.
+Samba 4.6 will be the next version of the Samba suite.
-WARNINGS
-========
-Samba 4.0 beta8 is not a final Samba release, however we are now making
-good progress towards a Samba 4.0 release. However, this is expected to be the
-last beta release before we start on our release candidate series.
+UPGRADING
+=========
-This release contains the best of all of Samba's
-technology parts, both a file server (that you can reasonably expect
-to upgrade existing Samba 3.x releases to) and the AD domain
-controller work previously known as 'samba4'.
+vfs_fruit option "fruit:resource" spelling correction
+-----------------------------------------------------
+
+Due to a spelling error in the vfs_fruit option parsing for the "fruit:resource"
+option, users who have set this option in their smb.conf were still using the
+default setting "fruit:resource = file" as the parser was looking for the string
+"fruit:ressource" (two "s").
+
+After upgrading to this Samba version 4.6, you MUST either remove the option
+from your smb.conf or set it to the default "fruit:resource = file", otherwise
+your macOS clients will not be able to access the resource fork data.
+
+This version Samba 4.6 accepts both the correct and incorrect spelling, but the
+next Samba version 4.7 will not accept the wrong spelling.
+
+Users who were using the wrong spelling "ressource" with two "s" can keep the
+setting, but are advised to switch to the correct spelling.
+
+ID Mapping
+----------
+We discovered that the majority of users have an invalid or incorrect
+ID mapping configuration. We implemented checks in the 'testparm' tool to
+validate the ID mapping configuration. You should run it and check if it prints
+any warnings or errors after upgrading! If it does you should fix them. See the
+'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
+There are some ID mapping backends which are not allowed to be used for the
+default backend. Winbind will no longer start if an invalid backend is
+configured as the default backend.
-Samba 4.0 is subjected to an awesome battery of tests on an automated
-basis, we have found Samba 4.0 to be very stable in it's behaviour.
-However, as with all our pre-releases we still recommend against
-upgrading production servers from Samba 3.x release to Samba 4.0 beta
-at this stage.
+To avoid problems in future we advise all users to run 'testparm' after
+changing the smb.conf file!
-If you are upgrading, or looking to develop, test or deploy Samba 4.0
-beta releases, you should backup all configuration and data.
+NEW FEATURES/CHANGES
+====================
+Kerberos client encryption types
+--------------------------------
+Some parts of Samba (most notably winbindd) perform Kerberos client
+operations based on a Samba-generated krb5.conf file. A new
+parameter, "kerberos encryption types" allows configuring the
+encryption types set in this file, thereby allowing the user to
+enforce strong or legacy encryption in Kerberos exchanges.
-UPGRADING
-=========
+The default value of "all" is compatible with previous behavior, allowing
+all encryption algorithms to be negotiated. Setting the parameter to "strong"
+only allows AES-based algorithms to be negotiated. Setting the parameter to
+"legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory.
+This can solves some corner cases of mixed environments with Server 2003R2 and
+newer DCs.
-Users upgrading from Samba 3.x domain controllers and wanting to use
-Samba 4.0 as an AD DC should use the 'samba-tool domain
-classicupgrade' command. See the wiki for more details:
-https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO
+Printing
+--------
+Support for uploading printer drivers from newer Windows clients (Windows 10)
+has been added until our implementation of [MS-PAR] protocol is ready.
+Several issues with uploading different printing drivers have been addressed.
-Users upgrading from Samba 4.0 alpha and beta releases since alpha15
-should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
-Samba. Users upgrading from earlier alpha releases should contact the
-team for advice.
+The OS Version for the printing server has been increased to announce
+Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
+check the smb.conf manpage for details.
-Users upgrading an AD DC from any previous release should run
-'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
-with those matching the GPOs in LDAP and the defaults from an initial
-provision. This will set an underlying POSIX ACL if required (eg not
-using the NTVFS file server).
+new option for owner inheritance
+--------------------------------
+The "inherit owner" smb.conf parameter instructs smbd to set the
+owner of files to be the same as the parent directory's owner.
+Up until now, this parameter could be set to "yes" or "no".
+A new option, "unix only", enables this feature only for the UNIX owner
+of the file, not affecting the SID owner in the Windows NT ACL of the
+file. This can be used to emulate something very similar to folder quotas.
-If you used the BIND9_FLATFILE or BIND9_DLZ features,
-you'll have to add '-dns' to the 'server services' option,
-as the internal dns server (SAMBA_INTERNAL) is the default now.
+Multi-process Netlogon support
+------------------------------
-NEW FEATURES
-============
+The Netlogon server in the Samba AD DC can now run as multiple
+processes. The Netlogon server is a part of the AD DC that handles
+NTLM authentication on behalf of domain members, including file
+servers, NTLM-authenticated web servers and 802.1x gateways. The
+previous restriction to running as a single process has been removed,
+and it will now run in the same process model as the rest of the
+'samba' binary.
-Samba 4.0 beta supports the server-side of the Active Directory logon
-environment used by Windows 2000 and later, so we can do full domain
-join and domain logon operations with these clients.
-
-Our Domain Controller (DC) implementation includes our own built-in
-LDAP server and Kerberos Key Distribution Center (KDC) as well as the
-Samba3-like logon services provided over CIFS. We correctly generate
-the infamous Kerberos PAC, and include it with the Kerberos tickets we
-issue.
-
-Samba 4.0 beta ships with two distinct file servers. We now use the
-file server from the Samba 3.x series 'smbd' for all file serving by
-default.
-
-Samba 4.0 also ships with the 'NTVFS' file server. This file server
-is what was used in all previous alpha releases of Samba 4.0, and is
-tuned to match the requirements of an AD domain controller. We
-continue to support this, not only to provide continuity to
-installations that have deployed it as part of an AD DC, but also as a
-running example of the NT-FSA architecture we expect to move smbd to in
-the longer term.
-
-For pure file server work, the binaries users would expect from that
-series (nmbd, winbindd, smbpasswd) continue to be available. When
-running an AD DC, you only need to run 'samba' (not
-nmbd/smbd/winbind), as the required services are co-coordinated by this
-master binary.
-
-As DNS is an integral part of Active Directory, we also provide two DNS
-solutions, a simple internal DNS server for 'out of the box' configurations
-and a more elaborate BIND plugin using the BIND DLZ mechanism in versions
-9.8 and 9.9. During the provision, you can select which backend to use.
-With the internal backend, your DNS server is good to go.
-If you chose the BIND_DLZ backend, a configuration file will be generated
-for bind to make it use this plugin, as well as a file explaining how to
-set up bind.
-
-To provide accurate timestamps to Windows clients, we integrate with
-the NTP project to provide secured NTP replies. To use you need to
-start ntpd and configure it with the 'restrict ... ms-sntp' and
-ntpsigndsocket options.
-
-Finally, a new scripting interface has been added to Samba 4, allowing
-Python programs to interface to Samba's internals, and many tools and
-internal workings of the DC code is now implemented in python.
-
-CHANGES SINCE beta8
-===================
-
-The smbd file server now offers SMB3 as the maximum protocol
-by default. Samba can negotiate version 3 of the SMB protocol
-and supports the required features, including all required
-features of SMB 2.1 and SMB 2.0. Note that this does not imply
-that Samba implements all features of SMB3 since many of them
-are optional capabilities. Examples of features that Samba does
-not implement yet are leases (SMB 2.1) and multi-channel (SMB 3).
-
-Samba now offers an initial support for SMB2 durable file handles.
-These are enabled by default and can be turned off on a per share
-basis by setting "durable handles = no" on the share configuration.
-Note that in order to prevent conflicts with other applications
-accessing the same files, durable handles are only granted on
-shares that are configured for CIFS/SMB2-only access, i.e. more
-explicitly shares that are configured for minimal interoperability
-with these settings:
-
- kernel oplocks = no
- kernel share modes = no
- posix locking = no
-
-The option "kernel share modes" has been introduced to be able
-to turn the translation of SMB share modes into kernel flocks
-off.
-
-The 'provision' script was merged into 'samba-tool'
-as 'samba-tool domain provision' the arguments are still
-the same.
-
-The 'updateprovision' script was renamed to 'samba_upgradeprovision'.
-
-We changed the default dns implementation to the internal dns server
-(SAMBA_INTERNAL). BIND9_FLATFILE and BIND9_DLZ are still available,
-but you'll have to add '-dns' to the 'server services' option
-to disable the internal dns server.
-The default for 'allow dns updates' has changed to 'secure only'.
-
-CHANGES SINCE beta7
-=====================
+As part of this change, the NETLOGON service will now run on a distinct
+TCP port, rather than being shared with all other RPC services (LSA,
+SAMR, DRSUAPI etc).
-For a list of changes since beta7, please see the git log.
+new options for controlling TCP ports used for RPC services
+-----------------------------------------------------------
-$ git clone git://git.samba.org/samba.git
-$ cd samba.git
-$ git log samba-4.0.0beta7..samba-4.0.0beta8
+The new 'rpc server port' option controls the default port used for
+RPC services other than Netlogon. The Netlogon server honours instead
+the 'rpc server port:netlogon' option. The default value for both
+these options is the first available port including or after 1024.
-Some major user-visible changes include:
+Improve AD performance and replication improvements
+---------------------------------------------------
-- A fix for a segfault/abort on startup of the 'samba' binary in the
- credentials_secrets code.
+Samba's LDB and replication code continues to improve, particularly in
+respect to the handling of large numbers of linked attributes. We now
+respect an 'uptodateness vector' which will dramatically reduce the
+over-replication of links from new DCs. We have also made the parsing
+of on-disk linked attributes much more efficient.
-- A fix for samba-tool classicupgrade of pdb_ldap-based domains
+DNS improvements
+---------------------------
-- A fix for samba-tool domain exportkeyab only exporting DES keys
+The samba-tool dns subcommand is now much more robust and can delete
+records in a number of situations where it was not possible to do so
+in the past.
-- Printing is now enabled on the AD DC
+On the server side, DNS names are now more strictly validated.
-- Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
-- We now avoid printing secret attributes (such as unicodePwd and
- suppliementalCredentials) in ldb trace logs
+CTDB changes
+------------
-- s3-printing: fix bug 9123 lprng job tracking errors
+* "ctdb event" is a new top-level command for interacting with event scripts
-- A fix for building with MIT Kerberos
+ "ctdb event status" replaces "ctdb scriptstatus" - the latter is
+ maintained for backward compatibility but the output format has been
+ cleaned up
-KNOWN ISSUES
-============
+ "ctdb event run" replaces "ctdb eventscript"
+
+ "ctdb event script enable" replaces "ctdb enablescript"
-- 'samba-tool domain classicupgrade' will fail when setting ACLs on
- the GPO folders with NT_STATUS_INVALID_ONWER in the default
- configuration. This happens if, as is typical a 'domain admins'
- group (-512) is mapped in the passdb backend being upgraded. This
- is because the group mapping to a GID only prevents Samba from
- allocating a uid for that group. The uid is needed so the 'domain
- admins' group can own the GPO file objects.
+ "ctdb event script disable" replaces "ctdb disablescript"
- To work around this issue, remove the 'domain admins' group before
- upgrade, as it will be re-created automatically. You will
- of course need to fill in the group membership again. A future release
- will make this automatic, or find some other workaround.
+ The new command "ctdb event script list" lists event scripts.
-- This release makes the s3fs file server the default, as this is the
- file server combination we will use for the Samba 4.0 release.
+* CTDB's back-end for running event scripts has been replaced by a
+ separate, long-running daemon ctdbd_eventd.
-- For similar reasons, sites with ACLs stored by the ntvfs file server
- may wish to continue to use that file server implementation, as a
- posix ACL will similarly not be set in this case.
+* Running ctdb interactively will log to stderr
-- Replication of DNS data from one AD server to another may not work.
- The DNS data used by the internal DNS server and bind9_dlz is stored
- in an application partition in our directory. The replication of
- this partition is not yet reliable.
+* CTDB logs now include process id for each process
-- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
- containing _. A workaround will be in a future beta.
+* CTDB tags log messages differently. Changes include:
-- upgradeprovision should not be run when upgrading to this release
- from a recent release. No important database format changes have
- been made since alpha16.
+ ctdb-recoverd: Messages from CTDB's recovery daemon
+ ctdb-recovery: Messages from CTDB database recovery
+ ctdb-eventd: Messages from CTDB's event daemon
+ ctdb-takeover: Messgaes from CTDB's public IP takeover subsystem
-- Installation on systems without a system iconv (and developer
- headers at compile time) is known to cause errors when dealing with
- non-ASCII characters.
+* The mapping between symbolic and numeric debug levels has changed
-- Domain member support in the 'samba' binary is in it's infancy, and
- is not comparable to the support found in winbindd. As such, do not
- use the 'samba' binary (provided for the AD server) on a member
- server.
+ Configurations containing numeric debug levels should be updated.
+ Symbolic debug levels are recommended. See the DEBUG LEVEL section
+ of ctdb(7) for details.
-- There is no NetBIOS browsing support (network neighbourhood)
- available for the AD domain controller. (Support in nmbd and smbd
- for classic domains and member/standalone servers is unchanged).
+* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
-- Clock Synchronisation is critical. Many 'wrong password' errors are
- actually due to Kerberos objecting to a clock skew between client
- and server. (The NTP work in the previous alphas are partly to assist
- with this problem).
+ See ctdb-tunables(7) for details
-- The DRS replication code may fail. Please contact the team if you
- experience issues with DRS replication, as we have fixed many issues
- here in response to feedback from our production users.
+* CTDB's configuration tunables should be consistently set across a cluster
+ This has always been the cases for most tunables but this fact is
+ now documented.
-RUNNING Samba 4.0 as an AD DC
-=============================
+* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
-A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
+ To build/install these, use the --enable-etcd-reclock and
+ --enable-ceph-reclock configure options.
+
+
+REMOVED FEATURES
+================
+
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ kerberos encryption types New all
+ inherit owner New option
+ fruit:resource Spelling correction
+ lsa over netlogon New (deprecated) no
+ rpc server port New 0
+
+
+KNOWN ISSUES
+============
- http://wiki.samba.org/index.php/Samba4/HOWTO
+Currently none.
#######################################
Reporting bugs & Development Discussion
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 4.0 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / nivanova / samba-autobuild / .git / blobdiff