X-Git-Url: http://git.samba.org/samba.git/?p=vlendec%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=WHATSNEW.txt;h=5c2d922cd90407d41b5fa5cafb3dcc89c19f3ea0;hp=2eaad94c6d5a16e31e200b6f2ed5b9554bc54e76;hb=519bc4de949d0ac9ed1b928e54cc8e493e168ad7;hpb=7fdb5d2c5c05aec440b3ceea6a5fabcc3284f0a2 diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2eaad94c6d5..5c2d922cd90 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,137 +1,748 @@ -Release Announcements -===================== + ============================= + Release Notes for Samba 4.8.3 + June 26, 2018 + ============================= -This is the first preview release of Samba 4.5. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. -Samba 4.5 will be the next version of the Samba suite. +This is the latest stable release of the Samba 4.8 release series. + + +Changes since 4.8.2: +-------------------- + +o Jeremy Allison + * BUG 13428: s3: smbd: Fix SMB2-FLUSH against directories. + * BUG 13457: s3: smbd: printing: Re-implement delete-on-close semantics for + print files missing since 3.5.x. + * BUG 13474: python: Fix talloc frame use in make_simple_acl(). + +o Jeffrey Altman + * BUG 11573: heimdal: lib/krb5: Do not fail set_config_files due to parse + error. + +o Andrew Bartlett + * ldb: version 1.3.4 + * BUG 13448: ldb: One-level search was incorrectly falling back to full DB + scan. + * BUG 13452: ldb: Save a copy of the index result before calling the + callbacks. + * BUG 13454: No Backtrace given by Samba's AD DC by default. + * BUG 13471: ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory + on duplicated add. + +o Ralph Boehme + * BUG 13432: s3:smbd: Fix interaction between chown and SD flags. + +o Günther Deschner + * BUG 13437: Fix building Samba with gcc 8.1. + +o Andrej Gessel + * BUG 13475: Fix several mem leaks in ldb_index ldb_search ldb_tdb. + +o Volker Lendecke + * BUG 13331: libgpo: Fix the build --without-ads. + +o Stefan Metzmacher + * BUG 13369: Looking up the user using the UPN results in user name with the + REALM instead of the DOMAIN. + * BUG 13427: Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling + (NTLMSSP NTLM2 packet check failed due to invalid signature!). + +o Christof Schmitt + * BUG 13446: smbd: Flush dfree memcache on service reload. + * BUG 13478: krb5_wrap: Fix keep_old_entries logic for older Kerberos + libraries. + +o Andreas Schneider + * BUG 13369: Looking up the user using the UPN results in user name with the + REALM instead of the DOMAIN. + * BUG 13437: Fix building Samba with gcc 8.1. + * BUG 13440: s3:utils: Do not segfault on error in DoDNSUpdate(). + * BUG 13480: krb5_plugin: Add winbind localauth plugin for MIT Kerberos. + +o Lukas Slebodnik + * BUG 13459: ldb: Fix memory leak on module context. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= + Release Notes for Samba 4.8.2 + May 16, 2018 + ============================= + + +This is the latest stable release of the Samba 4.8 release series. + +Major bug fixes include: +------------------------ + + o After update to 4.8.0 DC failed with "Failed to find our own + NTDS Settings objectGUID" (bug #13335). + +Changes since 4.8.1: +-------------------- + +o Jeremy Allison + * BUG 13380: s3: smbd: Generic fix for incorrect reporting of stream dos + attributes on a directory. + * BUG 13412: ceph: VFS: Add asynchronous fsync to ceph module, fake using + synchronous call. + * BUG 13419: s3: libsmbclient: Fix hard-coded connection error return of + ETIMEDOUT. + +o Andrew Bartlett + * BUG 13306: ldb: Release ldb 1.3.3: + * Fix failure to upgrade to the GUID index DB format. + * Add tests for GUID index behaviour. + * BUG 13420: s4-lsa: Fix use-after-free in LSA server. + * BUG 13430: winbindd: Do re-connect if the RPC call fails in the passdb + case. + +o Ralph Boehme + * BUG 13416: s3:cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers. + * BUG 13414: s3:cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd + unclean process shutdown. + +o David Disseldorp + * BUG 13425: vfs_ceph: add fake async pwrite/pread send/recv hooks. + +o Amitay Isaacs + * BUG 13411: ctdb-client: Remove ununsed functions from old client code. + +o Björn Jacke + * BUG 13395: printing: Return the same error code as windows does on upload + failures. + +o Gary Lockyer + * BUG 13335: After update to 4.8.0 DC failed with "Failed to find our own + NTDS Settings objectGUID". + +o Stefan Metzmacher + * BUG 13400: nsswitch: Fix memory leak in winbind_open_pipe_sock() when the + privileged pipe is not accessable. + * BUG 13420: s4:lsa_lookup: remove TALLOC_FREE(state) after all + dcesrv_lsa_Lookup{Names,Sids}_base_map() calls. + +o Vandana Rungta + * BUG 13424: s3: VFS: Fix memory leak in vfs_ceph. + +o Christof Schmitt + * BUG 13407: rpc_server: Fix NetSessEnum with stale sessions. + +o Andreas Schneider + * BUG 13417: s3:smbspool: Fix cmdline argument handling. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================= + Release Notes for Samba 4.8.1 + April 26, 2018 + ============================= + + +This is the latest stable release of the Samba 4.8 release series. + + +Changes since 4.8.0: +-------------------- + +o Jeremy Allison + * BUG 13244: s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on + error, we don't own it here. + * BUG 13270: s3: smbd: Fix possible directory fd leak if the underlying OS + doesn't support fdopendir(). + * BUG 13319: Round-tripping ACL get/set through vfs_fruit will increase the + number of ACE entries without limit. + * BUG 13347: s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically + debug credit issues. + * BUG 13358: s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE + without delete access. + * BUG 13372: s3: smbd: Fix memory leak in vfswrap_getwd(). + * BUG 13375: s3: smbd: Unix extensions attempts to change wrong field in + fchown call. + +o Björn Baumbach + * BUG 13337: ms_schema/samba-tool visualize: Fix python2.6 incompatibility. + +o Timur I. Bakeyev + * BUG 13352: Fix invocation of gnutls_aead_cipher_encrypt(). + +o Ralph Boehme + * BUG 13328: Windows 10 cannot logon on Samba NT4 domain. + * BUG 13332: winbindd: Recover loss of netlogon secure channel in case the + peer DC is rebooted. + * BUG 13363: s3:smbd: Don't use the directory cache for SMB2/3. + +o Amitay Isaacs + * BUG 13356: ctdb-client: Fix bugs in client code. + * BUG 13359: ctdb-scripts: Drop "net serverid wipe" from 50.samba event + script. + +o Lutz Justen + * BUG 13368: s3: lib: messages: Don't use the result of sec_init() before + calling sec_init(). + +o Volker Lendecke + * BUG 13273: libads: Fix the build '--without-ads'. + * BUG 13332: winbind: Keep "force_reauth" in invalidate_cm_connection, + add 'smbcontrol disconnect-dc'. + * BUG 13343: vfs_virusfilter: Fix CIDs 1428738-1428740. + * BUG 13367: dsdb: Fix CID 1034966 Uninitialized scalar variable. + * BUG 13370: rpc_server: Fix core dump in dfsgetinfo. + * BUG 13382: smbclient: Fix notify. + +o Stefan Metzmacher + * BUG 13215: Fix smbd panic if the client-supplied channel sequence number + wraps. + * BUG 13328: Windows 10 cannot logon on Samba NT4 domain. + * BUG 13342: lib/util: Remove unused '#include ' from + tests/tfork.c. + * BUG 13343: Fix build errors with cc from developerstudio 12.5 on Solaris. + * BUG 13344: Fix the picky-developer build on FreeBSD 11. + * BUG 13345: s3:modules: Fix the build of vfs_aixacl2.c. + +o Anton Nefedov + * BUG 13338: s3:smbd: map nterror on smb2_flush errorpath. + +o Noel Power + * BUG 13341: lib:replace: Fix linking when libtirpc-devel overwrites system + headers. + +o Christof Schmitt + * BUG 13312: winbindd: 'wbinfo --name-to-sid' returns misleading result on + invalid query. + +o Andreas Schneider + * BUG 13376: s3:passdb: Do not return OK if we don't have pinfo set up. + +o Eric Vannier + * BUG 13302: Allow AESNI to be used on all processor supporting AESNI. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================= + Release Notes for Samba 4.8.0 + March 13, 2018 + ============================= + + +This is the first stable release of the Samba 4.8 release series. +Please read the release notes carefully before upgrading. UPGRADING ========= -Nothing special. +New GUID Index mode in sam.ldb for the AD DC +-------------------------------------------- + +Users who upgrade a Samba AD DC in-place will experience a short delay +in the first startup of Samba while the sam.ldb is re-indexed. +Unlike in previous releases a transparent downgrade is not possible. +If you wish to downgrade such a DB to a Samba 4.7 or earlier version, +please run the source4/scripting/bin/sambaundoguididx script first. + +Domain member setups require winbindd +------------------------------------- + +Setups with "security = domain" or "security = ads" require a +running 'winbindd' now. The fallback that smbd directly contacts +domain controllers is gone. + +smbclient reparse point symlink parameters reversed +--------------------------------------------------- + +See the more detailed description below. + +Changed trusted domains listing with wbinfo -m --verbose +-------------------------------------------------------- + +See the more detailed description below. NEW FEATURES/CHANGES ==================== -Support for LDAP_SERVER_NOTIFICATION_OID ----------------------------------------- - -The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID -control. This can be used to monitor the active directory database -for changes. +New GUID Index mode in sam.ldb for the AD DC +-------------------------------------------- -VLV - Virtual List View ------------------------ +The new layout used for sam.ldb is GUID, rather than DN oriented. +This provides Samba's Active Directory Domain Controller with a faster +database, particularly at larger scale. -The VLV Control allows applications to page the LDAP directory in the -way you might expect a live phone book application to operate, without -first downloading the entire directory. +The underlying DB is still TDB, simply the choice of key has changed. -DRS Replication for the AD DC ------------------------------ +The new mode is not optional, so no configuration is required. Older +Samba versions cannot read the new database (see the upgrade +note above). -DRS Replication in Samba 4.5 is now much more efficient in handling -linked attributes, particularly in large domains with over 1000 group -memberships or other links. +KDC GPO application +------------------- -Replication is also much more reliable in the handling of tree -renames, such as the rename of an organizational unit containing many -users. Extensive tests have been added to ensure this code remains -reliable, particularly in the case of conflicts between objects added -with the same name on different servers. +Adds Group Policy support for the Samba kdc. Applies password policies +(minimum/maximum password age, minimum password length, and password +complexity) and kerberos policies (user/service ticket lifetime and +renew lifetime). -Schema updates are also handled much more reliably. +Adds the samba_gpoupdate script for applying and unapplying +policy. Can be applied automatically by setting -replPropertyMetaData Changes ----------------------------- + 'apply group policies = yes'. -During the development of the DRS replication, tests showed that Samba -stores the replPropertyMetaData object incorrectly. To address this, -be aware that dbcheck will now detect and offer to fix all objects in -the domain for this error. +Time Machine Support with vfs_fruit +----------------------------------- -Linked attributes on deleted objects ------------------------------------- +Samba can be configured as a Time Machine target for Apple Mac devices +through the vfs_fruit module. When enabling a share for Time Machine +support the relevant Avahi records to support discovery will be published +for installations that have been built against the Avahi client library. -In Active Directory, an object that has been tombstoned or recycled -has no linked attributes. However, Samba incorrectly maintained such -links, slowing replication and run-time performance. dbcheck now -offers to remove such links, and they are no longer kept after the -object is tombstoned or recycled. +Shares can be designated as a Time Machine share with the following setting: -Improved AD DC performance --------------------------- + 'fruit:time machine = yes' -Many other improvements have been made to our LDAP database layer in -the AD DC, to improve performance, both during samba-tool domain -provision and at runtime. +Support for lower casing the MDNS Name +-------------------------------------- -Other dbcheck improvements --------------------------- +Allows the server name that is advertised through MDNS to be set to the +hostname rather than the Samba NETBIOS name. This allows an administrator +to make Samba registered MDNS records match the case of the hostname +rather than being in all capitals. - - samba-tool dbcheck can now find and fix a missing or corrupted - 'deleted objects' container. - - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values - in objectClass as these were then re-sorted at the next dbcheck indefinitely. +This can be set with the following settings: -Tombstone Reanimation ---------------------- + 'mdns name = mdns' -Samba now supports tombstone reanimation, a feature in the AD DC -allowing tombstones, that is objects which have been deleted, to be -restored with the original SID and GUID still in place. +Encrypted secrets +----------------- -Multiple DNS Forwarders on the AD DC ------------------------------------- +Attributes deemed to be sensitive are now encrypted on disk. The sensitive +values are currently: + pekList + msDS-ExecuteScriptPassword + currentValue + dBCSPwd + initialAuthIncoming + initialAuthOutgoing + lmPwdHistory + ntPwdHistory + priorValue + supplementalCredentials + trustAuthIncoming + trustAuthOutgoing + unicodePwd + clearTextPassword -Multiple DNS forwarders are now supported on the AD DC, allowing -samba to fall back between two different DNS servers for forwarded queries. +This encryption is enabled by default on a new provision or join, it +can be disabled at provision or join time with the new option +'--plaintext-secrets'. + +However, an in-place upgrade will not encrypt the database. -Password quality plugin support in the AD DC --------------------------------------------- +Once encrypted, it is not possible to do an in-place downgrade (eg to +4.7) of the database. To obtain an unencrypted copy of the database a +new DC join should be performed, specifying the '--plaintext-secrets' +option. -The check password script now operates correctly in the AD DC (this -was silently ignored in past releases) +The key file "encrypted_secrets.key" is created in the same directory +as the database and should NEVER be disclosed. It is included by the +samba_backup script. -pwdLastSet is now correctly honoured ------------------------------------- +Active Directory replication visualisation +------------------------------------------ -BUG 9654: the pwdLastSet attribute is now correctly handled (this previously -permitted passwords that next expire). +To work out what is happening in a replication graph, it is sometimes +helpful to use visualisations. We introduce a samba-tool subcommand to +write Graphviz dot output and generate text-based heatmaps of the +distance in hops between DCs. -net ads dns unregister +There are two subcommands, two graphical modes, and (roughly) two modes of +operation with respect to the location of authority. + +`samba-tool visualize ntdsconn` looks at NTDS Connections. +`samba-tool visualize reps` looks at repsTo and repsFrom objects. + +In '--distance' mode (default), the distances between DCs are shown in +a matrix in the terminal. With '--color=yes', this is depicted as a +heatmap. With '--utf8' it is a lttle prettier. + +In '--dot' mode, Graphviz dot output is generated. When viewed using +dot or xdot, this shows the network as a graph with DCs as vertices +and connections edges. Certain types of degenerate edges are shown in +different colours or line-styles. + +smbclient reparse point symlink parameters reversed +--------------------------------------------------- + +A bug in smbclient caused the 'symlink' command to reverse the +meaning of the new name and link target parameters when creating a +reparse point symlink against a Windows server. As this is a +little used feature the ordering of these parameters has been +reversed to match the parameter ordering of the UNIX extensions +'symlink' command. The usage message for this command has also +been improved to remove confusion. + +Winbind changes +--------------- + +The dependency to global list of trusted domains within +the winbindd processes has been reduced a lot. + +The construction of that global list is not reliable and often +incomplete in complex trust setups. In most situations the list is not needed +any more for winbindd to operate correctly. E.g. for plain file serving via SMB +using a simple idmap setup with autorid, tdb or ad. However some more complex +setups require the list, e.g. if you specify idmap backends for specific +domains. Some pam_winbind setups may also require the global list. + +If you have a setup that doesn't require the global list, you should set +"winbind scan trusted domains = no". + +Improved support for trusted domains (as AD DC) +----------------------------------------------- + +The support for trusted domains/forests has improved a lot. + +External domain trusts, as well a transitive forest trusts, +are supported in both directions (inbound and outbound) +for Kerberos and NTLM authentication now. + +The LSA LookupNames and LookupSids implementations +support resolving names and sids from trusts domains/forest +now. This is important in order to allow Samba based +domain members to make use of the trust. + +However there are currently still a few limitations: + +- It's not possible to add users/groups of a trusted domain + into domain groups. So group memberships are not expanded + on trust boundaries. + See https://bugzilla.samba.org/show_bug.cgi?id=13300 +- Both sides of the trust need to fully trust each other! +- No SID filtering rules are applied at all! +- This means DCs of domain A can grant domain admin rights + in domain B. +- Selective (CROSS_ORIGANIZATION) authentication is + not supported. It's possible to create such a trust, + but the KDC and winbindd ignore them. + +Changed trusted domains listing with wbinfo -m --verbose +-------------------------------------------------------- + +The trust properties printed by wbinfo -m --verbose have been changed to +correctly reflect the view of the system where wbinfo is executed. + +The trust type field in particular can show additional values that correctly +reflect the type of the trust: "Local" for the local SAM and BUILTIN, +"Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM +on a AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on a +NT4-style DC, "Forest" for a AD forest trust and "External" for quarantined, +external or NT4-style trusts. + +Indirect trusts are shown as "Routed" including the routing domain. + +Example, on a AD DC (SDOM1): + +Domain Name DNS Domain Trust Type Transitive In Out +BUILTIN Local +SDOM1 sdom1.site RWDC +WDOM3 wdom3.site Forest Yes No Yes +WDOM2 wdom2.site Forest Yes Yes Yes +SUBDOM31 subdom31.wdom3.site Routed (via WDOM3) +SUBDOM21 subdom21.wdom2.site Routed (via WDOM2) + +Same setup, on a member of WDOM2: + +Domain Name DNS Domain Trust Type Transitive In Out +BUILTIN Local +TITAN Local +WDOM2 wdom2.site Workstation Yes No Yes +WDOM1 wdom1.site Routed (via WDOM2) +WDOM3 wdom3.site Routed (via WDOM2) +SUBDOM21 subdom21.wdom2.site Routed (via WDOM2) +SDOM1 sdom1.site Routed (via WDOM2) +SUBDOM11 subdom11.wdom1.site Routed (via WDOM2) + +The list of trusts may be incomplete and additional domains may appear as +"Routed" if a user of an unknown domain is successfully authenticated. + +VirusFilter VFS module ---------------------- -It is now possible to remove the DNS entries created with 'net ads register' -with the matching 'net ads unregister' command. +This new module integrates with Sophos, F-Secure and ClamAV anti-virus +software to provide scanning and filtering of files on a Samba share. + +Local authorization plugin for MIT Kerberos +------------------------------------------- +This plugin controls the relationship between Kerberos principals and AD +accounts through winbind. The module receives the Kerberos principal and the +local account name as inputs and can then check if they match. This can resolve +issues with canonicalized names returned by Kerberos within AD. If the user +tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), +Kerberos would return ALICE as the username. Kerberos would not be able to map +'alice' to 'ALICE' in this case and auth would fail. With this plugin account +names can be correctly mapped. This only applies to GSSAPI authentication, +not for the geting the initial ticket granting ticket. REMOVED FEATURES ================ -only user and username parameters ---------------------------------- -These two parameters have long been deprecated and superseded by -"valid users" and "invalid users". +'net serverid' commands removed +------------------------------- + +The two commands 'net serverid list' and 'net serverid wipe' have been +removed, because the file serverid.tdb is not used anymore. + +'net serverid list' can be replaced by listing all files in the +subdirectory "msg.lock" of Samba's "lock directory". The unique id +listed by 'net serverid list' is stored in every process' lockfile in +"msg.lock". + +'net serverid wipe' is not necessary anymore. It was meant primarily +for clustered environments, where the serverid.tdb file was not +properly cleaned up after single node crashes. Nowadays smbd and +winbind take care of cleaning up the msg.lock and msg.sock directories +automatically. + +NT4-style replication based net commands removed +------------------------------------------------ + +The following commands and sub-commands have been removed from the +"net" utility: + +net rpc samdump +net rpc vampire ldif + +Also, replicating from a real NT4 domain with "net rpc vampire" and +"net rpc vampire keytab" has been removed. + +The NT4-based commands were accidentally broken in 2013, and nobody +noticed the breakage. So instead of fixing them including tests (which +would have meant writing a server for the protocols, which we don't +have) we decided to remove them. + +For the same reason, the "samsync", "samdeltas" and "database_redo" +commands have been removed from rpcclient. + +"net rpc vampire keytab" from Active Directory domains continues to be +supported. + +vfs_aio_linux module removed +---------------------------- + +The current Linux kernel aio does not match what Samba would +do. Shipping code that uses it leads people to false +assumptions. Samba implements async I/O based on threads by default, +there is no special module required to see benefits of read and write +request being sent do the disk in parallel. + smb.conf changes ----------------- +================ + + Parameter Name Description Default + -------------- ----------- ------- + apply group policies New no + auth methods Removed + binddns dir New + client schannel Default changed/ yes + Deprecated + gpo update command New + ldap ssl ads Deprecated + map untrusted to domain Removed + oplock contention limit Removed + prefork children New 1 + mdns name New netbios + fruit:time machine New false + profile acls Removed + use spnego Removed + server schannel Default changed/ yes + Deprecated + unicode Deprecated + winbind scan trusted domains New yes + winbind trusted domains only Removed + + +CHANGES SINCE 4.8.0rc4 +====================== + +o Jeremy Allison + * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code. + +o Ralph Boehme + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + * BUG 13313: nsswitch: Fix wbinfo -m --verbose trust type "Local". + +o Stefan Metzmacher + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + +o Dan Robertson + * BUG 13310: libsmb: Use smb2 tcon if conn_protocol >= SMB2_02. + +o Andreas Schneider + * BUG 13315: s3:smbd: Do not crash if we fail to init the session table. + + +CHANGES SINCE 4.8.0rc3 +====================== + +o Ralph Boehme + * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC + server. + * BUG 13296: vfs_fruit: Use off_t, not size_t for TM size calculations. + +o Alexander Bokovoy + * BUG 13304: mit-kdb: Support MIT Kerberos 1.16 KDB API changes. + +o Günther Deschner + * BUG 13277: build: Fix libceph-common detection. + +o Poornima G + * BUG 13297: vfs_glusterfs: Fix the wrong pointer being sent in + glfs_fsync_async. + +o Volker Lendecke + * BUG 13305: vfs_fileid: Fix the 32-bit build. + +o Stefan Metzmacher + * BUG 13206: Unable to authenticate with an empty string domain ''. + * BUG 13276: configure aborts without libnettle/gnutls. + * BUG 13278: winbindd (on an AD DC) should only use netlogon/lsa against + trusted domains. + * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC + server. + * BUG 13290: A disconnecting winbind client can cause a problem in + the winbind parent child communication. + * BUG 13291: tevent: version 0.9.36. + * BUG 13292: winbind requests could get stuck in the queue of a busy child, + while later requests could get served fine by other children. + * BUG 13293: Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state. + * BUG 13294: Avoid using fstrcpy(domain->dcname,...) on a char *. + * BUG 13295: winbind parent should find the dc of a foreign domain via the + primary domain. + * BUG 13299: Disable support for CROSS_ORGANIZATION domains. + * BUG 13306: ldb: version 1.3.2. + +o Sachin Prabhu + * BUG 13303: vfs_glusterfs: Add fallocate support for vfs_glusterfs. + +o Garming Sam + * BUG 13031: subnet: Avoid a segfault when renaming subnet objects. + * BUG 13269: RODC may skip objects during replication due to naming + conflicts. + + +CHANGES SINCE 4.8.0rc2 +====================== + +o Trever L. Adams + * BUG 13246: Backport Samba VirusFilter. + +o Ralph Boehme + * BUG 13228: dbcheck: Add support for restoring missing forward links. + +o Günther Deschner + * BUG 13221: python: fix the build with python3. + +o Stefan Metzmacher + * BUG 13228: dbcheck: Add support for restoring missing forward links. + + +CHANGES SINCE 4.8.0rc1 +====================== + +o Günther Deschner + * BUG 13227: packaging: Fix default systemd-dir path. + * BUG 13238: build: Deal with recent glibc sunrpc header removal. + +o Stefan Metzmacher + * BUG 13228: repl_meta_data: fix linked attribute corruption on databases + with unsorted links on expunge. + +o Christof Schmitt + * BUG 13217: s3/smbd: Remove file system sharemode before calling unlink. + +o Andreas Schneider + * BUG 13209: Small improvements in winbindd for the resource cleanup in error + cases. + * BUG 13238: Make Samba work with tirpc and libnsl2. - Parameter Name Description Default - -------------- ----------- ------- - only user Removed - username Removed KNOWN ISSUES ============ -Currently none. +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs + ####################################### Reporting bugs & Development Discussion