Release Announcements
=====================
-This is the first release candidate of Samba 4.3. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.3 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.
UPGRADING
=========
-Nothing special.
-NEW FEATURES
-============
-
-Logging
--------
-
-The logging code now supports logging to multiple backends. In
-addition to the previously available syslog and file backends, the
-backends for logging to the systemd-journal, lttng and gpfs have been
-added. Please consult the section for the 'logging' parameter in the
-smb.conf manpage for details.
-
-Spotlight
----------
-
-Support for Apple's Spotlight has been added by integrating with Gnome
-Tracker.
-
-For detailed instructions how to build and setup Samba for Spotlight,
-please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>
-
-New FileChangeNotify subsystem
-------------------------------
-
-Samba now contains a new subsystem to do FileChangeNotify. The
-previous system used a central database, notify_index.tdb, to store
-all notification requests. In particular in a cluster this turned out
-to be a major bottleneck, because some hot records need to be bounced
-back and forth between nodes on every change event like a new created
-file.
-
-The new FileChangeNotify subsystem works with a central daemon per
-node. Every FileChangeNotify request and every event are handled by an
-asynchronous message from smbd to the notify daemon. The notify daemon
-maintains a database of all FileChangeNotify requests in memory and
-will distribute the notify events accordingly. This database is
-asynchronously distributed in the cluster by the notify daemons.
-
-The notify daemon is supposed to scale a lot better than the previous
-implementation. The functional advantage is cross-node kernel change
-notify: Files created via NFS will be seen by SMB clients on other
-nodes per FileChangeNotify, despite the fact that popular cluster file
-systems do not offer cross-node inotify.
-
-Two changes to the configuration were required for this new subsystem:
-The parameters "change notify" and "kernel change notify" are not
-per-share anymore but must be set globally. So it is no longer
-possible to enable or disable notify per share, the notify daemon has
-no notion of a share, it only works on absolute paths.
-
-New SMB profiling code
-----------------------
-
-The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
-of sysv IPC shared memory. This avoids performance problems and NUMA
-effects. The profile stats are a bit more detailed than before.
-
-Improved DCERPC man in the middle detection for kerberos
---------------------------------------------------------
-
-The gssapi based kerberos backends for gensec have support for
-DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
-
-SMB signing required in winbindd by default
--------------------------------------------
-
-The effective value for "client signing" is required
-by default for winbindd, if the primary domain uses active directory.
-
-Experimental NTDB was removed
------------------------------
+NEW FEATURES/CHANGES
+====================
-The experimental NTDB library introduced in Samba 4.0 has been
-removed again.
-Improved support for trusted domains (as AD DC)
------------------------------------------------
-
-The support for trusted domains/forests has improved a lot.
-
-samba-tool got "domain trust" subcommands to manage trusts:
-
- create - Create a domain or forest trust.
- delete - Delete a domain trust.
- list - List domain trusts.
- namespaces - Manage forest trust namespaces.
- show - Show trusted domain details.
- validate - Validate a domain trust.
-
-External trusts between individual domains work in both ways
-(inbound and outbound). The same applies to root domains of
-a forest trust. The transitive routing into the other forest
-is fully functional for kerberos, but not yet supported for NTLMSSP.
+net ads setspn
+---------------
-While a lot of things are working fine, there are currently a few limitations:
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionaility that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
- - Both sides of the trust need to fully trust each other!
- - No SID filtering rules are applied at all!
- - This means DCs of domain A can grant domain admin rights
- in domain B.
- - It's not possible to add users/groups of a trusted domain
- into domain groups.
+The format of the command is:
-SMB 3.1.1 supported
--------------------
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
-Both client and server have support for SMB 3.1.1 now.
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
-This is the dialect introduced with Windows 10, it improves the secure
-negotiation of SMB dialects and features.
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
-New smbclient subcommands
--------------------------
+serviceclass/host is generally sufficient to specify a host based service.
- - Query a directory for change notifications: notify <dir name>
- - Server side copy: scopy <source filename> <destination filename>
+net ads keytab changes
+----------------------
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
-New rpcclient subcommands
--------------------------
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
- netshareenumall - Enumerate all shares
- netsharegetinfo - Get Share Info
- netsharesetinfo - Set Share Info
- netsharesetdfsflags - Set DFS flags
- netfileenum - Enumerate open files
- netnamevalidate - Validate sharename
- netfilegetsec - Get File security
- netsessdel - Delete Session
- netsessenum - Enumerate Sessions
- netdiskenum - Enumerate Disks
- netconnenum - Enumerate Connections
- netshareadd - Add share
- netsharedel - Delete share
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
-New modules
------------
+REMOVED FEATURES
+================
- idmap_script - see 'man 8 idmap_script'
- vfs_unityed_media - see 'man 8 vfs_unityed_media'
- vfs_shell_snap - see 'man 8 vfs_shell_snap'
-######################################################################
-Changes
-#######
smb.conf changes
-----------------
-
- Parameter Name Description Default
- -------------- ----------- -------
- logging New (empty)
- msdfs shuffle referrals New no
- smbd profiling level New off
- spotlight New no
- tls priority New NORMAL:-VERS-SSL3.0
- use ntdb Removed
- change notify Changed to [global]
- kernel change notify Changed to [global]
- client max protocol Changed default SMB3_11
- server max protocol Changed default SMB3_11
-
-Removed modules
----------------
+================
-vfs_notify_fam - see section 'New FileChangeNotify subsystem'.
+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
-be filed under the Samba 4.3 product in the project's Bugzilla
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
git.samba.org / metze / samba / wip.git / blobdiff