4 This is the second release candidate of Samba 4.15. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.15 will be the next version of the Samba suite.
15 Removed SMB (development) dialects
16 ----------------------------------
18 The following SMB (development) dialects are no longer
19 supported: SMB2_22, SMB2_24 and SMB3_10. They are were
20 only supported by Windows technical preview builds.
21 They used to be useful in order to test against the
22 latest Windows versions, but it's no longer useful
23 to have them. If you have them explicitly specified
24 in your smb.conf or an the command line,
25 you need to replace them like this:
29 Note that it's typically not useful to specify
30 "client max protocol" or "server max protocol"
31 explicitly to a specific dialect, just leave
32 them unspecified or specify the value "default".
37 The GPG release key for Samba releases changed from:
39 pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
40 Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
41 uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
42 sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
44 to the following new key:
46 pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
47 Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
48 uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
49 sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
51 Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
53 See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
58 - bind DLZ: Added the ability to set allow/deny lists for zone
60 Up to now, any client could use a DNS zone transfer request
61 to the bind server, and get an answer from Samba.
62 Now the default behaviour will be to deny those request.
63 Two new options have been added to manage the list of
64 authorized/denied clients for zone transfer requests.
65 In order to be accepted, the request must be issued by a client
66 that is in the allow list and NOT in the deny list.
68 "server multi channel support" no longer experimental
69 -----------------------------------------------------
71 This option is enabled by default starting with to 4.15 (on Linux and FreeBSD).
72 Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
73 to use this feature on Linux and FreeBSD for now.
75 samba-tool available without the ad-dc
76 --------------------------------------
78 The samba-tool command is now available when samba is configured
79 --without-ad-dc. Not all features will work, and some ad-dc specific options
80 have been disabled. The samba-tool domain options, for example, are limited
81 when no ad-dc is present. Samba must still be built with ads in order to enable
84 Improved command line user experience
85 -------------------------------------
87 Samba utilities did not consistently implement their command line interface. A
88 number of options were requiring to specify values in one tool and not in the
89 other, some options meant different in different tools.
91 These should be stories of the past now. A new command line parser has been
92 implemented with sanity checking. Also the command line interface has been
93 simplified and provides better control for encryption, singing and kerberos.
95 Also several command line options have a smb.conf variable to control the
98 All tools are logging to stderr by default. You can use --debug-stdout to
104 --client-protection=off|sign|encrypt
107 --kerberos -> --use-kerberos=required|desired|off
108 --krb5-ccache -> --use-krb5-ccache=CCACHE
109 --scope -> --netbios-scope=SCOPE
110 --use-ccache -> --use-winbind-ccache
114 -C removed from --use-winbind-ccache
115 -i removed from --netbios-scope
119 ### Duplicates in command line utils
121 ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
122 -e is not available for --editor anymore
123 -s is not used for --configfile anymore
126 -l is not available for --load-dso anymore
129 -l is not available for --long anymore
132 -V is not available for --viewsddl anymore
135 --user -> --quota-user
138 --log-stdout -> --debug-stdout
141 --log-stdout -> --debug-stdout
144 --log-stdout -> --debug-stdout
146 Scanning of trusted domains and enterprise principals
147 -----------------------------------------------------
149 As an artifact from the NT4 times, we still scanned the list of trusted domains
150 on winbindd startup. This is wrong as we never can get a full picture in Active
151 Directory. It is time to change the default value to "No". Also with this change
152 we always use enterprise principals for Kerberos so that the DC will be able
153 to redirect ticket requests to the right DC. This is e.g. needed for one way
154 trusts. The options `winbind use krb5 enterprise principals` and
155 `winbind scan trusted domains` will be deprecated in one of the next releases.
157 Support for Offline Domain Join (ODJ)
158 -------------------------------------
160 The net utility is now able to support the offline domain join feature
161 as known from the Windows djoin.exe command for many years. Samba's
162 implementation is accessible via the "net offlinejoin" subcommand. It
163 can provision computers and request offline joining for both Windows
164 and Unix machines. It is also possible to provision computers from
165 Windows (using djoin.exe) and use the generated data in Samba's net
166 utility. The existing options for the provisioning and joining steps
167 are documented in the net(8) manpage.
173 Tru64 ACL support has been removed from this release. The last
174 supported release of Tru64 UNIX was in 2012.
176 NIS support has been removed from this release. This is not
177 available in Linux distributions anymore.
179 The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
180 which have been out of support since 2018.
186 Parameter Name Description Default
187 -------------- ----------- -------
188 client use kerberos New desired
189 client max protocol Values Removed
190 client min protocol Values Removed
191 client protection New default
192 client smb3 signing algorithms New see man smb.conf
193 client smb3 encryption algorithms New see man smb.conf
194 preopen:posix-basic-regex New No
195 preopen:nomatch_log_level New 5
196 preopen:match_log_level New 5
197 preopen:nodigits_log_level New 1
198 preopen:founddigits_log_level New 3
199 preopen:reset_log_level New 5
200 preopen:push_log_level New 3
201 preopen:queue_log_level New 10
202 server max protocol Values Removed
203 server min protocol Values Removed
204 server multi channel support Changed Yes (on Linux and FreeBSD)
205 server smb3 signing algorithms New see man smb.conf
206 server smb3 encryption algorithms New see man smb.conf
207 winbind use krb5 enterprise principals Changed Yes
208 winbind scan trusted domains Changed No
211 CHANGES SINCE 4.15.0rc1
212 =======================
214 o Andreas Schneider <asn@samba.org>
215 * BUG 14768: smbd/winbind should load the registry if configured
216 * BUG 14777: do not quote passed argument of configure script
217 * BUG 14779: Winbind should not start if the socket path is too long
219 o Stefan Metzmacher <metze@samba.org>
220 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
221 * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
223 o Ralph Boehme <slow@samba.org>
224 * BUG 14700: file owner not available when file unredable
226 o Jeremy Allison <jra@samba.org>
227 * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
228 * BUG 14759: 4.15rc can leak meta-data about the directory containing the
235 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
238 #######################################
239 Reporting bugs & Development Discussion
240 #######################################
242 Please discuss this release on the samba-technical mailing list or by
243 joining the #samba-technical IRC channel on irc.freenode.net.
245 If you do report problems then please try to send high quality
246 feedback. If you don't provide vital information to help us track down
247 the problem then you will probably be ignored. All bug reports should
248 be filed under the Samba 4.1 and newer product in the project's Bugzilla
249 database (https://bugzilla.samba.org/).
252 ======================================================================
253 == Our Code, Our Bugs, Our Responsibility.
255 ======================================================================