Release Announcements
=====================
-This is the first pre release of Samba 4.19. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.19 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
-NEW FEATURES/CHANGES
-====================
-
-Migrated smbget to use common command line parser
--------------------------------------------------
-
-The smbget utility implemented its own command line parsing logic. After
-discovering an issue we decided to migrate it to use the common command line
-parser. This has some advantages as you get all the feature it provides like
-Kerberos authentication. The downside is that breaks the options interface.
-The support for smbgetrc has been removed. You can use an authentication file
-if needed, this is documented in the manpage.
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
-Please check the smbget manpage or --help output.
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
-gpupdate changes
-----------------
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
-The libgpo.get_gpo_list function has been deprecated in favor of
-an implementation written in python. The new function can be imported via
-`import samba.gp`. The python implementation connects to Active Directory
-using the SamDB module, instead of ADS (which is what libgpo uses).
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
-Improved winbind logging and a new tool for parsing the winbind logs
---------------------------------------------------------------------
+All client tools using ldaps also include the correct
+channel bindings now.
-Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
-trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the
-trace records belonging to the same request. Field 'depth' allows to track the
-request nesting level. A new tool samba-log-parser is added for better log
-parsing.
-Kerberos Claims, Authentication Silos and NTLM authentication policies
-----------------------------------------------------------------------
-
-An initial, partial implementation of Active Directory Functional
-Level 2012, 2012R2 and 2016 is available in this release.
-
-While we continue to develop these features, existing domains can
-test the feature by selecting the functional level in provision or
-raising the DC functional level by setting
+NEW FEATURES/CHANGES
+====================
- ad dc functional level = 2016
+LDB no longer a standalone tarball
+----------------------------------
-in the smb.conf
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
-The smb.conf file on each DC must have 'ad dc functional level = 2016'
-set to have the partially complete feature available. This will also,
-at first startup, update the server's own AD entry with the configured
-functional level.
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
-For new domains, add these parameters to 'samba-tool provision'
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
---option="ad dc functional level = 2016" --function-level=2016
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
-The second option, setting the overall domain functional level
-indicates that all DCs should be at this functional level.
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
-To raise the domain functional level of an existing domain, after
-updating the smb.conf and restarting Samba run
-samba-tool domain schemaupgrade --schema=2019
-samba-tool domain functionalprep --function-level=2016
-samba-tool domain level raise --domain-level=2016 --forest-level=2016
+LDB Module API Python bindings removed
+--------------------------------------
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
REMOVED FEATURES
================
Parameter Name Description Default
-------------- ----------- -------
- winbind debug traceid Add traceid No
- directory name cache size Removed
+ ldap server require strong auth new values
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.19#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################