Release Announcements
=====================
-This is the first preview release of Samba 4.5. This is *not*
+This is the first preview release of Samba 4.7. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.7 will be the next version of the Samba suite.
UPGRADING
=========
-NTLMv1 authentication disabled by default
------------------------------------------
-
-In order to improve security we have changed
-the default value for the "ntlm auth" option from
-"yes" to "no". This may have impact on very old
-client which doesn't support NTLMv2 yet.
-
-The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
-
-By default Samba will only allow NTLMv2 via NTLMSSP now,
-as we have the following default "lanman auth = no",
-"ntlm auth = no" and "raw NTLMv2 auth = no".
+smbclient changes
+-----------------
+smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
+banner when connecting to the first server. With SMB2 and Kerberos
+there's no way to print this information reliable. Now we avoid it at all
+consistently. In interactive session the following banner is now presented
+to the user: 'Try "help" do get a list of possible commands.'.
-NEW FEATURES/CHANGES
-====================
-
-Support for LDAP_SERVER_NOTIFICATION_OID
-----------------------------------------
+The default for "client max protocol" has changed to "SMB3_11",
+which means that smbclient (and related commands) will work against
+servers without SMB1 support.
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
+It's possible to use the '-m/--max-protocol' option to overwrite
+the "client max protocol" option temporary.
-KCC improvements for sparse network replication
------------------------------------------------
+Note that the '-e/--encrypt' option also works with most SMB3 servers
+(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
+are not required for encryption.
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
+The change to SMB3_11 as default also means smbclient no longer
+negotiates SMB1 unix extensions by default, when talking to a Samba server with
+"unix extensions = yes". As a result some commands are not available, e.g.
+posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
+getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
-VLV - Virtual List View
------------------------
+Note the default ("CORE") for "client min protocol" hasn't changed,
+so it's still possible to connect to SMB1-only servers by default.
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
-DRS Replication for the AD DC
------------------------------
+NEW FEATURES/CHANGES
+====================
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
+Whole DB read locks: Improved LDAP and replication consistency
+--------------------------------------------------------------
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users. Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
+Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
+erronously did not take whole-DB read locks to protect search
+and DRS replication operations.
-Schema updates are also handled much more reliably.
+While each object returned remained subject to a record-level lock (so
+would remain consistent to itself), under a race condition with a
+rename or delete, it and any links (like the member attribute) to it
+would not be returned.
-replPropertyMetaData Changes
-----------------------------
+The symptoms of this issue include:
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly. To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
+Replication failures with this error showing in the client side logs:
+ error during DRS repl ADD: No objectClass found in replPropertyMetaData for
+ Failed to commit objects:
+ WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
-Linked attributes on deleted objects
-------------------------------------
+A crash of the server, in particular the rpc_server process with
+ INTERNAL ERROR: Signal 11
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes. However, Samba incorrectly maintained such
-links, slowing replication and run-time performance. dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
+LDAP read inconsistency
+ A DN subject to a search at the same time as it is being renamed
+ may not appear under either the old or new name, but will re-appear
+ for a subsequent search.
-Improved AD DC performance
---------------------------
+See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
+and updated advise on database recovery for affected installations.
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
-Other dbcheck improvements
+Samba AD with MIT Kerberos
--------------------------
- - samba-tool dbcheck can now find and fix a missing or corrupted
- 'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
- in objectClass as these were then re-sorted at the next dbcheck indefinitely.
-
-Tombstone Reanimation
----------------------
-
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
-
-Multiple DNS Forwarders on the AD DC
-------------------------------------
+After four years of development, Samba finally supports compiling and
+running Samba AD with MIT Kerberos. You can enable it with:
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
+ ./configure --with-system-mitkrb5
-Password quality plugin support in the AD DC
---------------------------------------------
+Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
+The krb5-devel and krb5-server packages are required.
+The feature set is not on par with with the Heimdal build but the most important
+things, like forest and external trusts, are working. Samba uses the KDC binary
+provided by MIT Kerberos.
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
+Missing features, compared to Heimdal, are:
+ * PKINIT support
+ * S4U2SELF/S4U2PROXY support
+ * RODC support (not fully working with Heimdal either)
-pwdLastSet is now correctly honoured
-------------------------------------
+The Samba AD process will take care of starting the MIT KDC and it will load a
+KDB (Kerberos Database) driver to access the Samba AD database. When
+provisioning an AD DC using 'samba-tool' it will take care of creating a correct
+kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
+kdc.conf by default. It is possible to use a different location during
+provision. You should consult the 'samba-tool' help and smb.conf manpage for
+details.
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
-
-net ads dns unregister
+Dynamic RPC port range
----------------------
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
-
-Samba-tool improvements
-------------------------
-
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
-
-SMB 2.1 Leases enabled by default
----------------------------------
-
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
-
-Open File Description (OFD) Locks
----------------------------------
-
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
-
-Password sync as active directory domain controller
+The dynamic port range for RPC services has been changed from the old default
+value 1024-1300 to 49152-65535. This port range is not only used by a
+Samba AD DC but also applies to all other server roles including NT4-style
+domain controllers. The new value has been defined by Microsoft in Windows
+Server 2008 and newer versions. To make it easier for Administrators to control
+those port ranges we use the same default and make it configurable with the
+option: 'rpc server dynamic port range'.
+
+The 'rpc server port' option sets the first available port from the new
+'rpc server dynamic port range' option. The option 'rpc server port' only
+applies to Samba provisioned as an AD DC.
+
+Authentication and Authorization audit support
+----------------------------------------------
+
+Detailed authentication and authorization audit information is now
+logged to Samba's debug logs under the "auth_audit" debug class,
+including in particular the client IP address triggering the audit
+line. Additionally, if Samba is compiled against the jansson JSON
+library, a JSON representation is logged under the "auth_json_audit"
+debug class.
+
+Audit support is comprehensive for all authentication and
+authorisation of user accounts in the Samba Active Directory Domain
+Controller, as well as the implicit authentication in password
+changes. In the file server and classic/NT4 domain controller, NTLM
+authentication, SMB and RPC authorization is covered, however password
+changes are not at this stage, and this support is not currently
+backed by a testsuite.
+
+Multi-process LDAP Server
+-------------------------
+
+The LDAP server in the AD DC now honours the process model used for
+the rest of the samba process, rather than being forced into a single
+process. This aids in Samba's ability to scale to larger numbers of AD
+clients and the AD DC's overall resiliency, but will mean that there is a
+fork()ed child for every LDAP client, which may be more resource
+intensive in some situations.
+
+Improved Read-Only Domain Controller (RODC) Support
---------------------------------------------------
-The new commands 'samba-tool user getpassword'
-and 'samba-tool user syncpasswords' provide
-access and syncing of various password fields.
-
-If compiled with GPGME support (--with-gpgme) it's
-possible to store cleartext passwords in a PGP/OpenGPG
-encrypted form by configuring the new "password hash gpg key ids"
-option. This requires gpgme devel and python packages to be installed
-(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
-
-Python crypto requirements
---------------------------
-
-Some samba-tool subcommands require python-crypto and/or
-python-m2crypto packages to be installed.
-
-SmartCard/PKINIT improvements
------------------------------
-
-"samba-tool user create" accepts --smartcard-required
-and "samba-tool user setpassword" accepts --smartcard-required
-and --clear-smartcard-required.
-
-Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
-flags being set in the userAccountControl attribute.
-At the same time the account password is reset to a random
-NTHASH value.
-
-Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
-bit is set in the userAccountControl attribute of a user.
-
-When doing a PKINIT based kerberos logon the KDC adds the
-required PAC_CREDENTIAL_INFO element to the authorization data.
-That means the NTHASH is shared between the PKINIT based client and
-the domain controller, which allows the client to do NTLM based
-authentication on behalf of the user. It also allows on offline
-logon using a smartcard to work on Windows clients.
-
-CTDB changes
-------------
-
-* The use of real-time scheduling when taking locks has been narrowed
- to limit potential performance impacts on nodes
-
-* CTDB_RECOVERY_LOCK now supports specification of an external helper
- to take and hold the recovery lock
-
- See the RECOVERY LOCK section in ctdb(7) for details. Documentation
- for writing helpers is provided in doc/cluster_mutex_helper.txt.
-
-* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
- command that has "master", "list" and "status" subcommands
-
-* The onnode command no longer supports the "recmaster", "lvs" and
- "natgw" node specifications
-
-* Faster resetting of TCP connections to public IP addresses during
- failover
-
-* Tunables MaxRedirectCount, ReclockPingPeriod,
- DeferredRebalanceOnNodeAdd are now obsolete/ignored
-
-* "ctdb listvars" now lists all variables, including the first one
-
-* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
- removed
-
- These are not needed because "ctdb reloadips" should do the correct
- rebalancing.
-
-* Output for the following commands has been simplified:
-
- ctdb getdbseqnum
- ctdb getdebug
- ctdb getmonmode
- ctdb getpid
- ctdb getreclock
- ctdb getpid
- ctdb pnn
-
- These now simply print the requested output with no preamble. This
- means that scripts no longer need to strip part of the output.
-
- "ctdb getreclock" now prints nothing when the recovery lock is not
- set.
-
-* Output for the following commands has been improved:
-
- ctdb setdebug
- ctdb uptime
-
-* "ctdb process-exists" has been updated to only take a PID argument
-
- The PNN can be specified with -n <PNN>. Output also cleaned up.
+Support for RODCs in Samba AD until now has been experimental. With this latest
+version, many of the critical bugs have been fixed and the RODC can be used in
+DC environments requiring no writable behaviour. RODCs now correctly support
+bad password lockouts and password disclosure auditing through the
+msDS-RevealedUsers attribute.
+
+The fixes made to the RWDC will also allow Windows RODC to function more
+correctly and to avoid strange data omissions such as failures to replicate
+groups or updated passwords. Password changes are currently rejected at the
+RODC, although referrals should be given over LDAP. While any bad passwords can
+trigger domain-wide lockout, good passwords which have not been replicated yet
+for a password change can only be used via NTLM on the RODC (and not Kerberos).
+
+The reliability of RODCs locating a writable partner still requires some
+improvements and so the 'password server' configuration option is generally
+recommended on the RODC.
+
+Additional password hashes stored in supplementalCredentials
+------------------------------------------------------------
+
+A new config option 'password hash userPassword schemes' has been added to
+enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
+password with reversible encryption). This builds upon previous work to improve
+password sync for the AD DC (originally using GPG).
+
+The user command of 'samba-tool' has been updated in order to be able to
+extract these additional hashes, as well as extracting the (HTTP) WDigest
+hashes that we had also been storing in supplementalCredentials.
+
+Improvements to DNS during Active Directory domain join
+-------------------------------------------------------
+
+The 'samba-tool' domain join command will now add the A and GUID DNS records
+(on both the local and remote servers) during a join if possible via RPC. This
+should allow replication to proceed more smoothly post-join.
+
+The mname element of the SOA record will now also be dynamically generated to
+point to the local read-write server. 'samba_dnsupdate' should now be more
+reliable as it will now find the appropriate name server even when resolv.conf
+points to a forwarder.
+
+Significant AD performance and replication improvements
+-------------------------------------------------------
+
+Previously, replication of group memberships was been an incredibly expensive
+process for the AD DC. This was mostly due to unnecessary CPU time being spent
+parsing member linked attributes. The database now stores these linked
+attributes in sorted form to perform efficient searches for existing members.
+In domains with a large number of group memberships, a join can now be
+completed in half the time compared with Samba 4.6.
+
+LDAP search performance has also improved, particularly in the unindexed search
+case. Parsing and processing of security descriptors should now be more
+efficient, improving replication but also overall performance.
+
+Query record for open file or directory
+---------------------------------------
+
+The record attached to an open file or directory in Samba can be
+queried through the 'net tdb locking' command. In clustered Samba this
+can be useful to determine the file or directory triggering
+corresponding "hot" record warnings in ctdb.
+
+Removal of lpcfg_register_defaults_hook()
+-----------------------------------------
-* LVS support has been reworked - related commands and configuration
- variables have changed
+The undocumented and unsupported function lpcfg_register_defaults_hook()
+that was used by external projects to call into Samba and modify
+smb.conf default parameter settings has been removed. If your project
+was using this call please raise the issue on
+samba-technical@lists.samba.org in order to design a supported
+way of obtaining the same functionality.
- "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
- "ctdb lvs" command that has "master", "list" and "status"
- subcommands.
+Change of loadable module interface
+-----------------------------------
- See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
- including configuration changes.
+The _init function of all loadable modules in Samba has changed
+from:
-* Improved sample NFS Ganesha call-out
+NTSTATUS _init(void);
+to:
+NTSTATUS _init(TALLOC_CTX *);
-REMOVED FEATURES
-================
+This allows a program loading a module to pass in a long-lived
+talloc context (which must be guaranteed to be alive for the
+lifetime of the module). This allows modules to avoid use of
+the talloc_autofree_context() (which is inherently thread-unsafe)
+and still be valgrind-clean on exit. Modules that don't need to
+free long-lived data on exist should use the NULL talloc context.
-only user and username parameters
----------------------------------
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
+Parameter changes
+-----------------
+The "strict sync" global parameter has been changed from
+a default of "no" to "yes". This means smbd will by default
+obey client requests to synchronize unwritten data in operating
+system buffers safely onto disk. This is a safer default setting
+for modern SMB1/2/3 clients.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- kccsrv:samba_kcc Changed default yes
- ntlm auth Changed default no
- only user Removed
- password hash gpg key ids New
- smb2 leases Changed default yes
- username Removed
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow unsafe cluster upgrade New parameter no
+ auth event notification New parameter no
+ auth methods Deprecated
+ client max protocol Effective SMB3_11
+ default changed
+ map untrusted to domain New value/ auto
+ Default changed/
+ Deprecated
+ mit kdc command New parameter
+ profile acls Deprecated
+ rpc server dynamic port range New parameter 49152-65535
+ strict sync Default changed yes
+ password hash userPassword schemes New parameter
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
git.samba.org / vlendec / samba-autobuild / .git / blobdiff