1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.8.0 - Release Notes</title>
8 <H2>Samba 4.8.0 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.8.0.tar.gz">Samba 4.8.0 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.8.0.tar.asc">Signature</a>
15 =============================
16 Release Notes for Samba 4.8.0
18 =============================
21 This is the first stable release of the Samba 4.8 release series.
22 Please read the release notes carefully before upgrading.
28 New GUID Index mode in sam.ldb for the AD DC
29 --------------------------------------------
31 Users who upgrade a Samba AD DC in-place will experience a short delay
32 in the first startup of Samba while the sam.ldb is re-indexed.
34 Unlike in previous releases a transparent downgrade is not possible.
35 If you wish to downgrade such a DB to a Samba 4.7 or earlier version,
36 please run the source4/scripting/bin/sambaundoguididx script first.
38 Domain member setups require winbindd
39 -------------------------------------
41 Setups with "security = domain" or "security = ads" require a
42 running 'winbindd' now. The fallback that smbd directly contacts
43 domain controllers is gone.
45 smbclient reparse point symlink parameters reversed
46 ---------------------------------------------------
48 See the more detailed description below.
50 Changed trusted domains listing with wbinfo -m --verbose
51 --------------------------------------------------------
53 See the more detailed description below.
58 New GUID Index mode in sam.ldb for the AD DC
59 --------------------------------------------
61 The new layout used for sam.ldb is GUID, rather than DN oriented.
62 This provides Samba's Active Directory Domain Controller with a faster
63 database, particularly at larger scale.
65 The underlying DB is still TDB, simply the choice of key has changed.
67 The new mode is not optional, so no configuration is required. Older
68 Samba versions cannot read the new database (see the upgrade
74 Adds Group Policy support for the Samba kdc. Applies password policies
75 (minimum/maximum password age, minimum password length, and password
76 complexity) and kerberos policies (user/service ticket lifetime and
79 Adds the samba_gpoupdate script for applying and unapplying
80 policy. Can be applied automatically by setting
82 'apply group policies = yes'.
84 Time Machine Support with vfs_fruit
85 -----------------------------------
87 Samba can be configured as a Time Machine target for Apple Mac devices
88 through the vfs_fruit module. When enabling a share for Time Machine
89 support the relevant Avahi records to support discovery will be published
90 for installations that have been built against the Avahi client library.
92 Shares can be designated as a Time Machine share with the following setting:
94 'fruit:time machine = yes'
96 Support for lower casing the MDNS Name
97 --------------------------------------
99 Allows the server name that is advertised through MDNS to be set to the
100 hostname rather than the Samba NETBIOS name. This allows an administrator
101 to make Samba registered MDNS records match the case of the hostname
102 rather than being in all capitals.
104 This can be set with the following settings:
106 'mdns name = mdns'
111 Attributes deemed to be sensitive are now encrypted on disk. The sensitive
112 values are currently:
114 msDS-ExecuteScriptPassword
122 supplementalCredentials
128 This encryption is enabled by default on a new provision or join, it
129 can be disabled at provision or join time with the new option
130 '--plaintext-secrets'.
132 However, an in-place upgrade will not encrypt the database.
134 Once encrypted, it is not possible to do an in-place downgrade (eg to
135 4.7) of the database. To obtain an unencrypted copy of the database a
136 new DC join should be performed, specifying the '--plaintext-secrets'
139 The key file "encrypted_secrets.key" is created in the same directory
140 as the database and should NEVER be disclosed. It is included by the
143 Active Directory replication visualisation
144 ------------------------------------------
146 To work out what is happening in a replication graph, it is sometimes
147 helpful to use visualisations. We introduce a samba-tool subcommand to
148 write Graphviz dot output and generate text-based heatmaps of the
149 distance in hops between DCs.
151 There are two subcommands, two graphical modes, and (roughly) two modes of
152 operation with respect to the location of authority.
154 `samba-tool visualize ntdsconn` looks at NTDS Connections.
155 `samba-tool visualize reps` looks at repsTo and repsFrom objects.
157 In '--distance' mode (default), the distances between DCs are shown in
158 a matrix in the terminal. With '--color=yes', this is depicted as a
159 heatmap. With '--utf8' it is a lttle prettier.
161 In '--dot' mode, Graphviz dot output is generated. When viewed using
162 dot or xdot, this shows the network as a graph with DCs as vertices
163 and connections edges. Certain types of degenerate edges are shown in
164 different colours or line-styles.
166 smbclient reparse point symlink parameters reversed
167 ---------------------------------------------------
169 A bug in smbclient caused the 'symlink' command to reverse the
170 meaning of the new name and link target parameters when creating a
171 reparse point symlink against a Windows server. As this is a
172 little used feature the ordering of these parameters has been
173 reversed to match the parameter ordering of the UNIX extensions
174 'symlink' command. The usage message for this command has also
175 been improved to remove confusion.
180 The dependency to global list of trusted domains within
181 the winbindd processes has been reduced a lot.
183 The construction of that global list is not reliable and often
184 incomplete in complex trust setups. In most situations the list is not needed
185 any more for winbindd to operate correctly. E.g. for plain file serving via SMB
186 using a simple idmap setup with autorid, tdb or ad. However some more complex
187 setups require the list, e.g. if you specify idmap backends for specific
188 domains. Some pam_winbind setups may also require the global list.
190 If you have a setup that doesn't require the global list, you should set
191 "winbind scan trusted domains = no".
193 Improved support for trusted domains (as AD DC)
194 -----------------------------------------------
196 The support for trusted domains/forests has improved a lot.
198 External domain trusts, as well a transitive forest trusts,
199 are supported in both directions (inbound and outbound)
200 for Kerberos and NTLM authentication now.
202 The LSA LookupNames and LookupSids implementations
203 support resolving names and sids from trusts domains/forest
204 now. This is important in order to allow Samba based
205 domain members to make use of the trust.
207 However there are currently still a few limitations:
209 - It's not possible to add users/groups of a trusted domain
210 into domain groups. So group memberships are not expanded
212 See https://bugzilla.samba.org/show_bug.cgi?id=13300
213 - Both sides of the trust need to fully trust each other!
214 - No SID filtering rules are applied at all!
215 - This means DCs of domain A can grant domain admin rights
217 - Selective (CROSS_ORIGANIZATION) authentication is
218 not supported. It's possible to create such a trust,
219 but the KDC and winbindd ignore them.
221 Changed trusted domains listing with wbinfo -m --verbose
222 --------------------------------------------------------
224 The trust properties printed by wbinfo -m --verbose have been changed to
225 correctly reflect the view of the system where wbinfo is executed.
227 The trust type field in particular can show additional values that correctly
228 reflect the type of the trust: "Local" for the local SAM and BUILTIN,
229 "Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM
230 on a AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on a
231 NT4-style DC, "Forest" for a AD forest trust and "External" for quarantined,
232 external or NT4-style trusts.
234 Indirect trusts are shown as "Routed" including the routing domain.
236 Example, on a AD DC (SDOM1):
238 Domain Name DNS Domain Trust Type Transitive In Out
240 SDOM1 sdom1.site RWDC
241 WDOM3 wdom3.site Forest Yes No Yes
242 WDOM2 wdom2.site Forest Yes Yes Yes
243 SUBDOM31 subdom31.wdom3.site Routed (via WDOM3)
244 SUBDOM21 subdom21.wdom2.site Routed (via WDOM2)
246 Same setup, on a member of WDOM2:
248 Domain Name DNS Domain Trust Type Transitive In Out
251 WDOM2 wdom2.site Workstation Yes No Yes
252 WDOM1 wdom1.site Routed (via WDOM2)
253 WDOM3 wdom3.site Routed (via WDOM2)
254 SUBDOM21 subdom21.wdom2.site Routed (via WDOM2)
255 SDOM1 sdom1.site Routed (via WDOM2)
256 SUBDOM11 subdom11.wdom1.site Routed (via WDOM2)
258 The list of trusts may be incomplete and additional domains may appear as
259 "Routed" if a user of an unknown domain is successfully authenticated.
261 VirusFilter VFS module
262 ----------------------
264 This new module integrates with Sophos, F-Secure and ClamAV anti-virus
265 software to provide scanning and filtering of files on a Samba share.
271 'net serverid' commands removed
272 -------------------------------
274 The two commands 'net serverid list' and 'net serverid wipe' have been
275 removed, because the file serverid.tdb is not used anymore.
277 'net serverid list' can be replaced by listing all files in the
278 subdirectory "msg.lock" of Samba's "lock directory". The unique id
279 listed by 'net serverid list' is stored in every process' lockfile in
280 "msg.lock".
282 'net serverid wipe' is not necessary anymore. It was meant primarily
283 for clustered environments, where the serverid.tdb file was not
284 properly cleaned up after single node crashes. Nowadays smbd and
285 winbind take care of cleaning up the msg.lock and msg.sock directories
288 NT4-style replication based net commands removed
289 ------------------------------------------------
291 The following commands and sub-commands have been removed from the
292 "net" utility:
297 Also, replicating from a real NT4 domain with "net rpc vampire" and
298 "net rpc vampire keytab" has been removed.
300 The NT4-based commands were accidentally broken in 2013, and nobody
301 noticed the breakage. So instead of fixing them including tests (which
302 would have meant writing a server for the protocols, which we don't
303 have) we decided to remove them.
305 For the same reason, the "samsync", "samdeltas" and "database_redo"
306 commands have been removed from rpcclient.
308 "net rpc vampire keytab" from Active Directory domains continues to be
311 vfs_aio_linux module removed
312 ----------------------------
314 The current Linux kernel aio does not match what Samba would
315 do. Shipping code that uses it leads people to false
316 assumptions. Samba implements async I/O based on threads by default,
317 there is no special module required to see benefits of read and write
318 request being sent do the disk in parallel.
324 Parameter Name Description Default
325 -------------- ----------- -------
326 apply group policies New no
329 client schannel Default changed/ yes
331 gpo update command New
332 ldap ssl ads Deprecated
333 map untrusted to domain Removed
334 oplock contention limit Removed
335 prefork children New 1
336 mdns name New netbios
337 fruit:time machine New false
340 server schannel Default changed/ yes
343 winbind scan trusted domains New yes
344 winbind trusted domains only Removed
347 CHANGES SINCE 4.8.0rc4
348 ======================
350 o Jeremy Allison <jra@samba.org>
351 * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code.
353 o Ralph Boehme <slow@samba.org>
354 * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin)
356 * BUG 13313: nsswitch: Fix wbinfo -m --verbose trust type "Local".
358 o Stefan Metzmacher <metze@samba.org>
359 * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin)
362 o Dan Robertson <drobertson@tripwire.com>
363 * BUG 13310: libsmb: Use smb2 tcon if conn_protocol >= SMB2_02.
365 o Andreas Schneider <asn@samba.org>
366 * BUG 13315: s3:smbd: Do not crash if we fail to init the session table.
369 CHANGES SINCE 4.8.0rc3
370 ======================
372 o Ralph Boehme <slow@samba.org>
373 * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC
375 * BUG 13296: vfs_fruit: Use off_t, not size_t for TM size calculations.
377 o Alexander Bokovoy <ab@samba.org>
378 * BUG 13304: mit-kdb: Support MIT Kerberos 1.16 KDB API changes.
380 o Günther Deschner <gd@samba.org>
381 * BUG 13277: build: Fix libceph-common detection.
383 o Poornima G <pgurusid@redhat.com>
384 * BUG 13297: vfs_glusterfs: Fix the wrong pointer being sent in
387 o Volker Lendecke <vl@samba.org>
388 * BUG 13305: vfs_fileid: Fix the 32-bit build.
390 o Stefan Metzmacher <metze@samba.org>
391 * BUG 13206: Unable to authenticate with an empty string domain ''.
392 * BUG 13276: configure aborts without libnettle/gnutls.
393 * BUG 13278: winbindd (on an AD DC) should only use netlogon/lsa against
395 * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC
397 * BUG 13290: A disconnecting winbind client can cause a problem in
398 the winbind parent child communication.
399 * BUG 13291: tevent: version 0.9.36.
400 * BUG 13292: winbind requests could get stuck in the queue of a busy child,
401 while later requests could get served fine by other children.
402 * BUG 13293: Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state.
403 * BUG 13294: Avoid using fstrcpy(domain->dcname,...) on a char *.
404 * BUG 13295: winbind parent should find the dc of a foreign domain via the
406 * BUG 13299: Disable support for CROSS_ORGANIZATION domains.
407 * BUG 13306: ldb: version 1.3.2.
409 o Sachin Prabhu <sprabhu@redhat.com>
410 * BUG 13303: vfs_glusterfs: Add fallocate support for vfs_glusterfs.
412 o Garming Sam <garming@catalyst.net.nz>
413 * BUG 13031: subnet: Avoid a segfault when renaming subnet objects.
414 * BUG 13269: RODC may skip objects during replication due to naming
418 CHANGES SINCE 4.8.0rc2
419 ======================
421 o Trever L. Adams <trever.adams@gmail.com>
422 * BUG 13246: Backport Samba VirusFilter.
424 o Ralph Boehme <slow@samba.org>
425 * BUG 13228: dbcheck: Add support for restoring missing forward links.
427 o Günther Deschner <gd@samba.org>
428 * BUG 13221: python: fix the build with python3.
430 o Stefan Metzmacher <metze@samba.org>
431 * BUG 13228: dbcheck: Add support for restoring missing forward links.
434 CHANGES SINCE 4.8.0rc1
435 ======================
437 o Günther Deschner <gd@samba.org>
438 * BUG 13227: packaging: Fix default systemd-dir path.
439 * BUG 13238: build: Deal with recent glibc sunrpc header removal.
441 o Stefan Metzmacher <metze@samba.org>
442 * BUG 13228: repl_meta_data: fix linked attribute corruption on databases
443 with unsorted links on expunge.
445 o Christof Schmitt <cs@samba.org>
446 * BUG 13217: s3/smbd: Remove file system sharemode before calling unlink.
448 o Andreas Schneider <asn@samba.org>
449 * BUG 13209: Small improvements in winbindd for the resource cleanup in error
451 * BUG 13238: Make Samba work with tirpc and libnsl2.
457 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs